Bump version to 2026.2.1

doc/api/resources/orders.rst

@@ -1719,56 +1719,6 @@ List of all order positions
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 
-.. http:get:: /api/v1/organizers/(organizer)/orderpositions/
-
-   Returns a list of all order positions within all events of a given organizer (with sufficient access permissions).
-
-   The supported query parameters and output format of this endpoint are almost identical to those of the list endpoint
-   within an event.
-   The only changes are that responses also contain the ``event`` attribute in each result and that the 'pdf_data'
-   parameter is not supported.
-
-   **Example request**:
-
-   .. sourcecode:: http
-
-      GET /api/v1/organizers/bigevents/orderpositions/ HTTP/1.1
-      Host: pretix.eu
-      Accept: application/json, text/javascript
-
-   **Example response**:
-
-   .. sourcecode:: http
-
-      HTTP/1.1 200 OK
-      Vary: Accept
-      Content-Type: application/json
-      X-Page-Generated: 2017-12-01T10:00:00Z
-
-      {
-        "count": 1,
-        "next": null,
-        "previous": null,
-        "results": [
-          {
-            "id:": 23442
-            "event": "sampleconf",
-            "order": "ABC12",
-            "positionid": 1,
-            "canceled": false,
-            "item": 1345,
-            ...
-          }
-        ]
-      }
-
-   :param organizer: The ``slug`` field of the organizer to fetch
-   :statuscode 200: no error
-   :statuscode 401: Authentication failure
-   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
-
-
-
 Fetching individual positions
 -----------------------------
 

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2026.3.0.dev0"
+__version__ = "2026.2.1"

src/pretix/api/serializers/order.py

@@ -636,14 +636,6 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
         return entry
 
 
-class OrganizerOrderPositionSerializer(OrderPositionSerializer):
-    event = SlugRelatedField(slug_field='slug', read_only=True)
-
-    class Meta(OrderPositionSerializer.Meta):
-        fields = OrderPositionSerializer.Meta.fields + ('event',)
-        read_only_fields = OrderPositionSerializer.Meta.read_only_fields + ('event',)
-
-
 class RequireAttentionField(serializers.Field):
     def to_representation(self, instance: OrderPosition):
         return instance.require_checkin_attention

src/pretix/api/serializers/organizer.py

@@ -365,10 +365,9 @@ class TeamInviteSerializer(serializers.ModelSerializer):
     def _send_invite(self, instance):
         mail(
             instance.email,
-            _('Account invitation'),
+            _('pretix account invitation'),
             'pretixcontrol/email/invitation.txt',
             {
-                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'organizer': self.context['organizer'].name,
                 'team': instance.team.name,

src/pretix/api/urls.py

@@ -67,7 +67,6 @@ orga_router.register(r'invoices', order.InvoiceViewSet)
 orga_router.register(r'scheduled_exports', exporters.ScheduledOrganizerExportViewSet)
 orga_router.register(r'exporters', exporters.OrganizerExportersViewSet, basename='exporters')
 orga_router.register(r'transactions', order.OrganizerTransactionViewSet)
-orga_router.register(r'orderpositions', order.OrganizerOrderPositionViewSet, basename='orderpositions')
 
 team_router = routers.DefaultRouter()
 team_router.register(r'members', organizer.TeamMemberViewSet)
@@ -84,7 +83,7 @@ event_router.register(r'discounts', discount.DiscountViewSet)
 event_router.register(r'quotas', item.QuotaViewSet)
 event_router.register(r'vouchers', voucher.VoucherViewSet)
 event_router.register(r'orders', order.EventOrderViewSet)
-event_router.register(r'orderpositions', order.EventOrderPositionViewSet)
+event_router.register(r'orderpositions', order.OrderPositionViewSet)
 event_router.register(r'transactions', order.TransactionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
 event_router.register(r'revokedsecrets', order.RevokedSecretViewSet, basename='revokedsecrets')

src/pretix/api/views/checkin.py

@@ -1121,7 +1121,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
     permission = 'can_view_orders'
 
     def get_queryset(self):
-        qs = Checkin.all.filter().select_related(
+        qs = Checkin.all.filter(list__event=self.request.event).select_related(
             "position",
             "device",
         )

src/pretix/api/views/order.py

@@ -57,10 +57,9 @@ from pretix.api.serializers.order import (
     BlockedTicketSecretSerializer, InvoiceSerializer, OrderCreateSerializer,
     OrderPaymentCreateSerializer, OrderPaymentSerializer,
     OrderPositionSerializer, OrderRefundCreateSerializer,
-    OrderRefundSerializer, OrderSerializer, OrganizerOrderPositionSerializer,
-    OrganizerTransactionSerializer, PriceCalcSerializer, PrintLogSerializer,
-    RevokedTicketSecretSerializer, SimulatedOrderSerializer,
-    TransactionSerializer,
+    OrderRefundSerializer, OrderSerializer, OrganizerTransactionSerializer,
+    PriceCalcSerializer, PrintLogSerializer, RevokedTicketSecretSerializer,
+    SimulatedOrderSerializer, TransactionSerializer,
 )
 from pretix.api.serializers.orderchange import (
     BlockNameSerializer, OrderChangeOperationSerializer,
@@ -1066,7 +1065,8 @@ with scopes_disabled():
             }
 
 
-class OrderPositionViewSetMixin:
+class OrderPositionViewSet(viewsets.ModelViewSet):
+    serializer_class = OrderPositionSerializer
     queryset = OrderPosition.all.none()
     filter_backends = (DjangoFilterBackend, RichOrderingFilter)
     ordering = ('order__datetime', 'positionid')
@@ -1087,7 +1087,8 @@ class OrderPositionViewSetMixin:
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
-        ctx['pdf_data'] = False
+        ctx['event'] = self.request.event
+        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false').lower() == 'true'
         ctx['check_quotas'] = self.request.query_params.get('check_quotas', 'true').lower() == 'true'
         return ctx
 
@@ -1096,8 +1097,9 @@ class OrderPositionViewSetMixin:
             qs = OrderPosition.all
         else:
             qs = OrderPosition.objects
-        qs = qs.filter(order__event__organizer=self.request.organizer)
-        if self.request.query_params.get('pdf_data', 'false').lower() == 'true' and getattr(self.request, 'event', None):
+
+        qs = qs.filter(order__event=self.request.event)
+        if self.request.query_params.get('pdf_data', 'false').lower() == 'true':
             prefetch_related_objects([self.request.organizer], 'meta_properties')
             prefetch_related_objects(
                 [self.request.event],
@@ -1152,9 +1154,9 @@ class OrderPositionViewSetMixin:
             qs = qs.prefetch_related(
                 Prefetch('checkins', queryset=Checkin.objects.select_related("device")),
                 Prefetch('print_logs', queryset=PrintLog.objects.select_related('device')),
-                'answers', 'answers__options', 'answers__question', 'order__event', 'order__event__organizer'
+                'answers', 'answers__options', 'answers__question',
             ).select_related(
-                'item', 'order', 'seat'
+                'item', 'order', 'order__event', 'order__event__organizer', 'seat'
             )
         return qs
 
@@ -1166,45 +1168,6 @@ class OrderPositionViewSetMixin:
                 return prov
         raise NotFound('Unknown output provider.')
 
-
-class OrganizerOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ReadOnlyModelViewSet):
-    serializer_class = OrganizerOrderPositionSerializer
-
-    def get_queryset(self):
-        qs = super().get_queryset()
-
-        perm = self.permission if self.request.method in SAFE_METHODS else self.write_permission
-
-        if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            auth_obj = self.request.auth
-        elif self.request.user.is_authenticated:
-            auth_obj = self.request.user
-        else:
-            raise PermissionDenied("Unknown authentication scheme")
-
-        qs = qs.filter(
-            order__event__in=auth_obj.get_events_with_permission(perm, request=self.request).filter(
-                organizer=self.request.organizer
-            )
-        )
-
-        return qs
-
-
-class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet):
-    serializer_class = OrderPositionSerializer
-
-    def get_serializer_context(self):
-        ctx = super().get_serializer_context()
-        ctx['event'] = self.request.event
-        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false').lower() == 'true'
-        return ctx
-
-    def get_queryset(self):
-        qs = super().get_queryset()
-        qs = qs.filter(order__event=self.request.event)
-        return qs
-
     @action(detail=True, methods=['POST'], url_name='price_calc')
     def price_calc(self, request, *args, **kwargs):
         """

src/pretix/base/datasync/datasync.py

@@ -216,10 +216,7 @@ class OutboundSyncProvider:
 
             try:
                 mapped_objects = self.sync_order(sq.order)
-                actions_taken = [res and res.sync_info.get("action", "") for res_list in mapped_objects.values() for res in res_list]
-                should_write_logentry = any(action not in (None, "nothing_to_do") for action in actions_taken)
-                logger.info('Synced order %s to %s, actions: %r, log: %r', sq.order.code, sq.sync_provider, actions_taken, should_write_logentry)
-                if should_write_logentry:
+                if not all(all(not res or res.sync_info.get("action", "") == "nothing_to_do" for res in res_list) for res_list in mapped_objects.values()):
                     sq.order.log_action("pretix.event.order.data_sync.success", {
                         "provider": self.identifier,
                         "objects": {
@@ -240,7 +237,7 @@ class OutboundSyncProvider:
                     sq.set_sync_error("exceeded", e.messages, e.full_message)
                 else:
                     logger.info(
-                        f"Could not sync order {sq.order.code} to {sq.sync_provider} "
+                        f"Could not sync order {sq.order.code} to {type(self).__name__} "
                         f"(transient error, attempt #{sq.failed_attempts}, next {sq.not_before})",
                         exc_info=True,
                     )

src/pretix/base/models/auth.py

@@ -346,8 +346,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             {
                 'user': self,
                 'messages': msg,
-                'url': build_absolute_uri('control:user.settings'),
-                'instance': settings.PRETIX_INSTANCE_NAME,
+                'url': build_absolute_uri('control:user.settings')
             },
             event=None,
             user=self,
@@ -392,7 +391,6 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
                 'user': self,
                 'reason': msg,
                 'code': code,
-                'instance': settings.PRETIX_INSTANCE_NAME,
             },
             event=None,
             user=self,
@@ -432,7 +430,6 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         mail(
             self.email, _('Password recovery'), 'pretixcontrol/email/forgot.txt',
             {
-                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'url': (build_absolute_uri('control:auth.forgot.recover')
                         + '?id=%d&token=%s' % (self.id, default_token_generator.make_token(self)))

src/pretix/base/models/datasync.py

@@ -86,7 +86,7 @@ class OrderSyncQueue(models.Model):
 
     def set_sync_error(self, failure_mode, messages, full_message):
         logger.exception(
-            f"Could not sync order {self.order.code} to {self.sync_provider} ({failure_mode})"
+            f"Could not sync order {self.order.code} to {type(self).__name__} ({failure_mode})"
         )
         self.order.log_action(f"pretix.event.order.data_sync.failed.{failure_mode}", {
             "provider": self.sync_provider,

src/pretix/base/services/shredder.py

@@ -176,7 +176,6 @@ def shred(self, event: Event, fileid: str, confirm_code: str, user: int=None, lo
                 _('Data shredding completed'),
                 'pretixbase/email/shred_completed.txt',
                 {
-                    'instance': settings.PRETIX_INSTANCE_NAME,
                     'user': user,
                     'organizer': event.organizer.name,
                     'event': str(event.name),

src/pretix/base/templates/pretixbase/email/shred_completed.txt

@@ -13,5 +13,5 @@ Start time: {{ start_time }} (new data added after this time might not have been
 
 Best regards,
 
-Your {{ instance }} team
+Your pretix team
 {% endblocktrans %}

src/pretix/base/templatetags/anonymize_email.py

@@ -1,34 +0,0 @@
-#
-# This file is part of pretix (Community Edition).
-#
-# Copyright (C) 2014-2020  Raphael Michel and contributors
-# Copyright (C) 2020-today pretix GmbH and contributors
-#
-# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
-# Public License as published by the Free Software Foundation in version 3 of the License.
-#
-# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
-# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
-# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
-# this file, see <https://pretix.eu/about/en/license>.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
-# <https://www.gnu.org/licenses/>.
-#
-from django import template
-from django.utils.html import mark_safe
-
-register = template.Library()
-
-
-@register.filter("anon_email")
-def anon_email(value):
-    """Replaces @ with [at] and . with [dot] for anonymization."""
-    if not isinstance(value, str):
-        return value
-    value = value.replace("@", "[at]").replace(".", "[dot]")
-    return mark_safe(''.join(['&#{0};'.format(ord(char)) for char in value]))

src/pretix/control/templates/pretixcontrol/email/confirmation_code.txt

@@ -9,5 +9,5 @@ Please do never give this code to another person. Our support team will never as
 If this code was not requested by you, please contact us immediately.
 
 Best regards,
-Your {{ instance }} team
+Your pretix team
 {% endblocktrans %}

src/pretix/control/templates/pretixcontrol/email/forgot.txt

@@ -5,5 +5,5 @@ you requested a new password. Please go to the following page to reset your pass
 {{ url }}
 
 Best regards,  
-Your {{ instance }} team
-{% endblocktrans %}
+Your pretix team
+{% endblocktrans %}

src/pretix/control/templates/pretixcontrol/email/invitation.txt

@@ -1,6 +1,6 @@
 {% load i18n %}{% blocktrans with url=url|safe %}Hello,
 
-you have been invited to a team on {{ instance }}, a platform to perform event
+you have been invited to a team on pretix, a platform to perform event
 ticket sales.
 
 Organizer: {{ organizer }}
@@ -13,5 +13,5 @@ If you do not want to join, you can safely ignore or delete this email.
 
 Best regards,  
 
-Your {{ instance }} team
+Your pretix team
 {% endblocktrans %}

src/pretix/control/templates/pretixcontrol/email/security_notice.txt

@@ -1,6 +1,6 @@
 {% load i18n %}{% blocktrans with url=url|safe messages=messages|safe %}Hello,
 
-this is to inform you that the account information of your {{ instance }} account has been
+this is to inform you that the account information of your pretix account has been
 changed. In particular, the following changes have been performed:
 
 {{ messages }}
@@ -12,5 +12,5 @@ You can review and change your account settings here:
 {{ url }}
 
 Best regards,  
-Your {{ instance }} team
+Your pretix team
 {% endblocktrans %}

src/pretix/control/views/organizer.py

@@ -1039,10 +1039,9 @@ class TeamMemberView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
     def _send_invite(self, instance):
         mail(
             instance.email,
-            _('Account invitation'),
+            _('pretix account invitation'),
             'pretixcontrol/email/invitation.txt',
             {
-                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'organizer': self.request.organizer.name,
                 'team': instance.team.name,

src/pretix/plugins/paypal2/payment.py

@@ -802,37 +802,31 @@ class PaypalMethod(BasePaymentProvider):
                             all_captures_completed = False
                         else:
                             any_captures = True
-
-            # Payment has at least one capture, but it is not yet completed
-            if any_captures and not all_captures_completed:
+            if not (any_captures and all_captures_completed):
                 messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
                                             'soon as the payment completed.'))
                 payment.info = json.dumps(pp_captured_order.dict())
                 payment.state = OrderPayment.PAYMENT_STATE_PENDING
                 payment.save()
                 return
-            # Payment has at least one capture and all captures are completed
-            elif any_captures and all_captures_completed:
-                if pp_captured_order.status != 'COMPLETED':
-                    payment.fail(info=pp_captured_order.dict())
-                    logger.error('Invalid state: %s' % repr(pp_captured_order.dict()))
-                    raise PaymentException(
-                        _('We were unable to process your payment. See below for details on how to proceed.')
-                    )
 
-                if payment.state == OrderPayment.PAYMENT_STATE_CONFIRMED:
-                    logger.warning('PayPal success event even though order is already marked as paid')
-                    return
+            if pp_captured_order.status != 'COMPLETED':
+                payment.fail(info=pp_captured_order.dict())
+                logger.error('Invalid state: %s' % repr(pp_captured_order.dict()))
+                raise PaymentException(
+                    _('We were unable to process your payment. See below for details on how to proceed.')
+                )
 
-                try:
-                    payment.info = json.dumps(pp_captured_order.dict())
-                    payment.save(update_fields=['info'])
-                    payment.confirm()
-                except Quota.QuotaExceededException as e:
-                    raise PaymentException(str(e))
-            # Payment has not any captures yet - so it's probably in created status
-            else:
+            if payment.state == OrderPayment.PAYMENT_STATE_CONFIRMED:
+                logger.warning('PayPal success event even though order is already marked as paid')
                 return
+
+            try:
+                payment.info = json.dumps(pp_captured_order.dict())
+                payment.save(update_fields=['info'])
+                payment.confirm()
+            except Quota.QuotaExceededException as e:
+                raise PaymentException(str(e))
         finally:
             if 'payment_paypal_oid' in request.session:
                 del request.session['payment_paypal_oid']
@@ -842,7 +836,7 @@ class PaypalMethod(BasePaymentProvider):
         try:
             if (
                     payment.info
-                    and payment.info_data['purchase_units'][0]['payments']['captures'][0]['status'] == 'PENDING'
+                    and payment.info_data['purchase_units'][0]['payments']['captures'][0]['status'] == 'pending'
             ):
                 retry = False
         except (KeyError, IndexError):

src/pretix/presale/templates/pretixpresale/event/base.html

@@ -6,7 +6,6 @@
 {% load eventurl %}
 {% load safelink %}
 {% load rich_text %}
-{% load anonymize_email %}
 {% block thetitle %}
     {% if messages %}
         {{ messages|join:" " }} :: 
@@ -220,7 +219,7 @@
 {% endblock %}
 {% block footernav %}
     {% if request.event.settings.contact_mail %}
-        <li><a href="{{ 'mailto:'|add:request.event.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="mailto:{{ request.event.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
     {% endif %}
     {% if request.event.settings.privacy_url %}
         <li><a href="{% safelink request.event.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>

src/pretix/presale/templates/pretixpresale/fragment_js.html

@@ -21,5 +21,4 @@
     <script type="text/javascript" src="{% static "pretixpresale/js/ui/cart.js" %}"></script>
     <script type="text/javascript" src="{% static "pretixpresale/js/ui/iframe.js" %}"></script>
     <script type="text/javascript" src="{% static "pretixbase/js/addressform.js" %}"></script>
-    <script type="text/javascript" src="{% static "pretixbase/js/deanonymize_email.js" %}"></script>
 {% endcompress %}

src/pretix/presale/templates/pretixpresale/organizers/base.html

@@ -5,7 +5,6 @@
 {% load thumb %}
 {% load eventurl %}
 {% load safelink %}
-{% load anonymize_email %}
 {% block thetitle %}
     {% block title %}{% endblock %}{% if url_name != "organizer.index" %} :: {% endif %}{{ organizer.name }}
 {% endblock %}
@@ -98,7 +97,7 @@
 {% endblock %}
 {% block footernav %}
     {% if not request.event and request.organizer.settings.contact_mail %}
-        <li><a href="{{ 'mailto:'|add:request.organizer.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="mailto:{{ request.organizer.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
     {% endif %}
     {% if not request.event and request.organizer.settings.privacy_url %}
         <li><a href="{% safelink request.organizer.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>

src/pretix/static/pretixbase/js/deanonymize_email.js

@@ -1,7 +0,0 @@
-document.addEventListener('DOMContentLoaded', function() {
-    document.querySelectorAll('a[href^="mailto:"]').forEach(function(link) {
-        // Replace [at] with @ and the [dot] with . in both the href and the displayed text (if needed)
-        link.href = link.href.replace('[at]', '@').replace('[dot]', '.');
-        link.textContent = link.textContent.replace('[at]', '@').replace('[dot]', '.');
-    });
-});

src/tests/api/test_orders.py

@@ -34,7 +34,7 @@ from stripe import error
 from tests.plugins.stripe.test_checkout import apple_domain_create
 from tests.plugins.stripe.test_provider import MockedCharge
 
-from pretix.base.models import InvoiceAddress, Order, OrderPosition, Team
+from pretix.base.models import InvoiceAddress, Order, OrderPosition
 from pretix.base.models.orders import OrderFee, OrderPayment, OrderRefund
 
 
@@ -180,41 +180,6 @@ def order2(event2, item2):
         return o
 
 
-@pytest.fixture
-@scopes_disabled()
-def team2(organizer, event2):
-    team2 = Team.objects.create(
-        organizer=organizer,
-        name="Test-Team 2",
-        can_change_teams=True,
-        can_manage_gift_cards=True,
-        can_change_items=True,
-        can_create_events=True,
-        can_change_event_settings=True,
-        can_change_vouchers=True,
-        can_view_vouchers=True,
-        can_change_orders=True,
-        can_manage_customers=True,
-        can_manage_reusable_media=True,
-        can_change_organizer_settings=True,
-
-    )
-    team2.limit_events.add(event2)
-    team2.save()
-    return team2
-
-
-@pytest.fixture
-@scopes_disabled()
-def limited_token_client(client, team2):
-    team2.can_view_orders = True
-    team2.can_view_vouchers = True
-    team2.save()
-    t = team2.tokens.create(name='Foo')
-    client.credentials(HTTP_AUTHORIZATION='Token ' + t.token)
-    return client
-
-
 TEST_ORDERPOSITION_RES = {
     "id": 1,
     "order": "FOO",
@@ -1022,64 +987,8 @@ def test_refund_cancel(token_client, organizer, event, order):
     assert resp.status_code == 400
 
 
-@pytest.mark.parametrize(
-    "endpoint_template, response_code",
-    [('/api/v1/organizers/{}/events/{}/orderpositions/', 403), ('/api/v1/organizers/{}/orderpositions/', 200)]
-)
 @pytest.mark.django_db
-def test_orderposition_list_limited_read(
-        endpoint_template, response_code, limited_token_client, organizer, device, event, order, item, subevent, subevent2, question
-):
-    endpoint = endpoint_template.format(organizer.slug, event.slug)
-
-    i2 = copy.copy(item)
-    i2.pk = None
-    i2.save()
-    with scopes_disabled():
-        var = item.variations.create(value="Children")
-        res = copy.copy(TEST_ORDERPOSITION_RES)
-        op = order.positions.first()
-        op.variation = var
-        op.save()
-        res["id"] = op.pk
-        res["item"] = item.pk
-        res["variation"] = var.pk
-        res["answers"][0]["question"] = question.pk
-        res["print_logs"][0]["id"] = op.print_logs.first().pk
-        res["print_logs"][0]["device_id"] = device.device_id
-
-    resp = limited_token_client.get(endpoint)
-    assert resp.status_code == response_code
-    if response_code == 200:
-        assert resp.json() == {'count': 0, 'next': None, 'previous': None, 'results': []}
-    else:
-        assert resp.json() == {'detail': 'You do not have permission to perform this action.'}
-
-
-@pytest.mark.parametrize(
-    ("endpoint_template", "endpoint_type"),
-    [
-        ('/api/v1/organizers/{}/events/{}/orderpositions/', "event"),
-        ('/api/v1/organizers/{}/orderpositions/', "organizer")
-    ],
-)
-@pytest.mark.django_db
-def test_orderposition_list(
-        endpoint_template,
-        endpoint_type,
-        token_client,
-        organizer,
-        device,
-        event,
-        order,
-        item,
-        subevent,
-        subevent2,
-        question,
-        django_assert_num_queries
-):
-    endpoint = endpoint_template.format(organizer.slug, event.slug)
-
+def test_orderposition_list(token_client, organizer, device, event, order, item, subevent, subevent2, question, django_assert_num_queries):
     i2 = copy.copy(item)
     i2.pk = None
     i2.save()
@@ -1096,64 +1005,88 @@ def test_orderposition_list(
         res["answers"][0]["question"] = question.pk
         res["print_logs"][0]["id"] = op.print_logs.first().pk
         res["print_logs"][0]["device_id"] = device.device_id
-        if endpoint_type == "organizer":
-            res["event"] = event.slug
 
-    resp = token_client.get(endpoint)
+    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/'.format(organizer.slug, event.slug))
     assert resp.status_code == 200
     assert [res] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?order__status=n')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?order__status=n'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?order__status=p')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?order__status=p'.format(organizer.slug, event.slug))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?item={}'.format(item.pk))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?item={}'.format(organizer.slug, event.slug, item.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?item__in={},{}'.format(item.pk, i2.pk))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?item__in={},{}'.format(
+            organizer.slug, event.slug, item.pk, i2.pk
+        ))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?item={}'.format(i2.pk))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?item={}'.format(organizer.slug, event.slug, i2.pk))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?variation={}'.format(var.pk))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?variation={}'.format(organizer.slug, event.slug, var.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?variation={}'.format(var2.pk))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?variation={}'.format(organizer.slug, event.slug, var2.pk))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?attendee_name=Peter')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?attendee_name=Peter'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?attendee_name=peter')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?attendee_name=peter'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?attendee_name=Mark')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?attendee_name=Mark'.format(organizer.slug, event.slug))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?secret=z3fsn8jyufm5kpk768q69gkbyr5f4h6w')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?secret=z3fsn8jyufm5kpk768q69gkbyr5f4h6w'.format(
+            organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?secret=abc123')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?secret=abc123'.format(organizer.slug, event.slug))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?pseudonymization_id=ABCDEFGHKL')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?pseudonymization_id=ABCDEFGHKL'.format(
+            organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?pseudonymization_id=FOO')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?pseudonymization_id=FOO'.format(organizer.slug, event.slug))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?search=FO')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?search=FO'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?search=z3fsn8j')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?search=z3fsn8j'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?search=Peter')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?search=Peter'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?search=5f4h6w')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?search=5f4h6w'.format(organizer.slug, event.slug))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?order=FOO')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?order=FOO'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?order=BAR')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?order=BAR'.format(organizer.slug, event.slug))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?has_checkin=false')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?has_checkin=false'.format(organizer.slug, event.slug))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?has_checkin=true')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?has_checkin=true'.format(organizer.slug, event.slug))
     assert [] == resp.data['results']
 
     with scopes_disabled():
@@ -1170,28 +1103,33 @@ def test_orderposition_list(
         'gate': None,
         'type': 'entry'
     }]
-    if '/events/' in endpoint:
-        with django_assert_num_queries(18):
-            resp = token_client.get(endpoint + '?has_checkin=true')
-    else:
-        with django_assert_num_queries(17):
-            resp = token_client.get(endpoint + '?has_checkin=true')
+    with django_assert_num_queries(16):
+        resp = token_client.get(
+            '/api/v1/organizers/{}/events/{}/orderpositions/?has_checkin=true'.format(organizer.slug, event.slug)
+        )
     assert [res] == resp.data['results']
 
     op.subevent = subevent
     op.save()
     res['subevent'] = subevent.pk
 
-    resp = token_client.get(endpoint + '?subevent={}'.format(subevent.pk))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?subevent={}'.format(organizer.slug, event.slug, subevent.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?subevent__in={},{}'.format(subevent.pk, subevent2.pk))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?subevent__in={},{}'.format(organizer.slug, event.slug,
+                                                                                    subevent.pk, subevent2.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(endpoint + '?subevent={}'.format(subevent.pk + 1))
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?subevent={}'.format(organizer.slug, event.slug,
+                                                                             subevent.pk + 1))
     assert [] == resp.data['results']
 
-    resp = token_client.get(endpoint + '?include_canceled_positions=false')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?include_canceled_positions=false'.format(organizer.slug, event.slug))
     assert len(resp.data['results']) == 1
-    resp = token_client.get(endpoint + '?include_canceled_positions=true')
+    resp = token_client.get(
+        '/api/v1/organizers/{}/events/{}/orderpositions/?include_canceled_positions=true'.format(organizer.slug, event.slug))
     assert len(resp.data['results']) == 2