Show invoice_dirty status on order details page (Z#23230731)

* setup vite and integrate fully with django

- vite starts with `python manage.py runserver`
- add templatetags to simply load vite hmr and entry points
- add eslint (recheck rules)
- enable non-strict ts

* better syntax for cors header setting

* migrate checkin rules editor to vue3

- move constants to a module
- move reading from and writing to non-vue html to django interop module
- switch to composition api and script setup sfc with pug
- use optional chaining operators a lot to simplify code

* migrate webcheckin plugin to vite+vue3

- migrate vue sfcs to script setup and pug
- move fetch calls into a api.ts module
- move common formatting and i18n strings into module

* fix migration error

* first draft migrating widget to vue3/vite

* first couple widget e2e tests

courtesy of claude
most of the tests don't work yet

* test file is not actually used

* drop widget_ prefix from e2e test fixtures

* add test for complete widget journey for simple event

* switch timezone in e2e tests to Europe/Berlin

* make dates in e2e tests relative

* migrate widget bugfix #5886

* start testing event series widget

* working vite widget setup for prod (untested), local dev (with or without dev server) and pytests, with flags for running the old version or the vite version

* simplify e2e test iframe check

* less flaky e2e tests

* top level await in iife build mode is not supported, so let's do import.meta.glob instead (we just need the build step not to see await, the code doesn't actually ever get loaded because it's DEV only)

* fix inconsistencies from automatic migration

* Allow gradual rollout of new vite-based widget by adding urls to an allowlist that gets checked against the "Origin" http header of request fetching the widget js

* add e2e tests for widget button, testing empty cart, adding specific items, and subevents

* remove janky claude testts again

* resolve migration TODOs: properly refocus parent on navigations

* use `npm run dev:control` for the vite dev server for admin components

* upgrade npm dependencies

* fix js linter errors

* fix python linter errors

* build all control vue components

* add new js config files to check-manifest ignore

* working prod build

acutal serving of built assets not tested yet

* fix templatetag paths to match what's in the vite mantifest

* add missing quotes around 'unsafe-eval' cors value

* remove now unused old vue2 tooling

* try fixing e2e test ci

* fix flake8 error

* check if vite build artefacts are in the wheel

* add license headers

* remove dom manipilation code necessary for `div.pretix-widget-compat` to work. No longer needed for vue3

* remove superfluous `createElement` calls

They might have been there because of IE, which is no longer relevant

* make widget dev mode parametizable through query params and document the usage and those params

* fix rst syntax

* remove migration todos file

Co-authored-by: luelista <mira@teamwiki.de>

* rearrange dockerfile commands for smaller image, thanks @luelista

* Update .gitignore, adding .vite

Co-authored-by: luelista <mira@teamwiki.de>

* add eslint CI

* make vue dev work in plugins

* fix docker build

* rebuild vite setup to support static prod plugins and dynamic hmr plugin development

* use toml for vite plugin config instead of standalone json file

* Add widget changes from #6047, #6149

* Allow buttons to reuse cart (Z#23226853)

* Always keep cart of buttons with items set

* widget: handle cart if not same-site (#6149)

---------

Co-authored-by: luelista <mira@teamwiki.de>
Co-authored-by: Kara Engelhardt <engelhardt@pretix.eu>

.dockerignore

@@ -1,5 +1,6 @@
 doc/
 env/
+node_modules/
 res/
 local/
 .git/

.editorconfig

@@ -0,0 +1,5 @@
+[*.{js,jsx,ts,tsx,vue}]
+indent_style = tab
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true

.github/workflows/build.yml

@@ -24,7 +24,7 @@ jobs:
     name: Packaging
     strategy:
       matrix:
-        python-version: ["3.11"]
+        python-version: ["3.13"]
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}
@@ -46,4 +46,7 @@ jobs:
       - name: Run build
         run: python -m build
       - name: Check files
-        run: unzip -l dist/pretix*whl | grep node_modules || exit 1
+        run: |
+          for pat in 'static.dist/vite/widget/widget.js' 'static.dist/vite/control/assets/checkinrules/main-' 'static.dist/vite/control/assets/webcheckin/main-'; do
+            unzip -l dist/pretix*whl | grep -q "$pat" || { echo "Missing: $pat"; exit 1; }
+          done

.github/workflows/strings.yml

@@ -24,10 +24,10 @@ jobs:
     name: Check gettext syntax
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.11
+      - name: Set up Python 3.13
         uses: actions/setup-python@v5
         with:
-          python-version: 3.11
+          python-version: 3.13
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
@@ -49,10 +49,10 @@ jobs:
     name: Spellcheck
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.11
+      - name: Set up Python 3.13
         uses: actions/setup-python@v5
         with:
-          python-version: 3.11
+          python-version: 3.13
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip

.github/workflows/style-js.yml

@@ -0,0 +1,43 @@
+name: JS Code Style
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'src/pretix/static/pretixpresale/widget/**'
+      - 'src/pretix/static/pretixcontrol/js/ui/checkinrules/**'
+      - 'src/pretix/plugins/webcheckin/**'
+      - 'eslint.config.mjs'
+      - 'package.json'
+      - 'package-lock.json'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'src/pretix/static/pretixpresale/widget/**'
+      - 'src/pretix/static/pretixcontrol/js/ui/checkinrules/**'
+      - 'src/pretix/plugins/webcheckin/**'
+      - 'eslint.config.mjs'
+      - 'package.json'
+      - 'package-lock.json'
+
+permissions:
+  contents: read
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  eslint:
+    name: eslint
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Node.js 24
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          cache: npm
+      - name: Install Dependencies
+        run: npm ci
+      - name: Run ESLint
+        run: npm run lint:eslint

.github/workflows/style.yml

@@ -24,10 +24,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.11
+      - name: Set up Python 3.13
         uses: actions/setup-python@v5
         with:
-          python-version: 3.11
+          python-version: 3.13
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
@@ -44,10 +44,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.11
+      - name: Set up Python 3.13
         uses: actions/setup-python@v5
         with:
-          python-version: 3.11
+          python-version: 3.13
       - uses: actions/cache@v4
         with:
           path: ~/.cache/pip
@@ -64,10 +64,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Python 3.11
+      - name: Set up Python 3.13
         uses: actions/setup-python@v5
         with:
-          python-version: 3.11
+          python-version: 3.13
       - name: Install Dependencies
         run: pip3 install licenseheaders
       - name: Run licenseheaders

.github/workflows/tests.yml

@@ -23,13 +23,15 @@ jobs:
     name: Tests
     strategy:
       matrix:
-        python-version: ["3.10", "3.11", "3.13"]
+        python-version: ["3.11", "3.13", "3.14"]
         database: [sqlite, postgres]
         exclude:
           - database: sqlite
             python-version: "3.10"
           - database: sqlite
             python-version: "3.11"
+          - database: sqlite
+            python-version: "3.12"
     services:
       postgres:
         image: postgres:15
@@ -70,7 +72,7 @@ jobs:
         run: make all compress
       - name: Run tests
         working-directory: ./src
-        run: PRETIX_CONFIG_FILE=tests/ci_${{ matrix.database }}.cfg py.test -n 3 -p no:sugar --cov=./ --cov-report=xml tests --maxfail=100
+        run: PRETIX_CONFIG_FILE=tests/ci_${{ matrix.database }}.cfg py.test -n 3 -p no:sugar --cov=./ --cov-report=xml tests --ignore=tests/e2e --maxfail=100
       - name: Run concurrency tests
         working-directory: ./src
         run: PRETIX_CONFIG_FILE=tests/ci_${{ matrix.database }}.cfg py.test tests/concurrency_tests/ --reuse-db
@@ -81,4 +83,47 @@ jobs:
           file: src/coverage.xml
           token: ${{ secrets.CODECOV_TOKEN }}
           fail_ci_if_error: false
-        if: matrix.database == 'postgres' && matrix.python-version == '3.11'
+        if: matrix.database == 'postgres' && matrix.python-version == '3.13'
+  e2e:
+    runs-on: ubuntu-22.04
+    name: E2E Tests
+    services:
+      postgres:
+        image: postgres:15
+        env:
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: pretix
+        options: >-
+          --health-cmd "pg_isready -U postgres -d pretix"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+      - name: Install system dependencies
+        run: sudo apt update && sudo apt install -y gettext
+      - name: Install Python dependencies
+        run: pip3 install uv && uv pip install --system -e ".[dev]" psycopg2-binary
+      - name: Install JS dependencies
+        working-directory: ./src
+        run: make npminstall
+      - name: Compile
+        working-directory: ./src
+        run: make all compress
+      - name: Install Playwright browsers
+        run: npx playwright install
+      - name: Run E2E tests
+        working-directory: ./src
+        run: PRETIX_CONFIG_FILE=tests/ci_postgres.cfg py.test tests/e2e/ -v --maxfail=10

.gitignore

@@ -24,5 +24,7 @@ local/
 .project
 .pydevproject
 .DS_Store
+node_modules/
+.vite/
 
 

.prettierignore

@@ -0,0 +1 @@
+/*

CONTRIBUTING.md

@@ -1,11 +1,16 @@
 Contributing to pretix
 ======================
 
-Hey there and welcome to pretix!
+Welcome to pretix, we are happy that you would like to contribute.
+Before you do so, please make sure to read the following documents:
 
-* We've got a contributors guide in [our documentation](https://docs.pretix.eu/dev/development/contribution/) together with notes on the [development setup](https://docs.pretix.eu/dev/development/setup.html).
+- [Contribution workflow](https://docs.pretix.eu/dev/development/contribution/general.html)
+- [AI-assisted contribution policy](https://docs.pretix.eu/dev/development/contribution/ai.html)
+- [Coding style and quality](https://docs.pretix.eu/dev/development/contribution/style.html)
+- [Development setup](https://docs.pretix.eu/dev/development/setup.html)
+- [Code of Conduct](https://docs.pretix.eu/dev/development/contribution/codeofconduct.html)
 
-* Please note that we have a [Code of Conduct](https://docs.pretix.eu/dev/development/contribution/codeofconduct.html) in place that applies to all project contributions, including issues, pull requests, etc.
-
-* Before we can accept a PR from you we'll need you to sign [our CLA](https://pretix.eu/about/en/cla). You can find more information about the how and why in our [License FAQ](https://docs.pretix.eu/trust/licensing/faq/) and in our [license change blog post](https://pretix.eu/about/en/blog/20210412-license/).
+Before we can accept your first PR we'll need you to sign [our **Contributor License Agreement** (CLA)](https://pretix.eu/about/en/cla).
+You can find more information about the how and why in our [License FAQ](https://docs.pretix.eu/trust/licensing/faq/) and in our [license change blog post](https://pretix.eu/about/en/blog/20210412-license/).
 
+**Before contributing new functionality, always open a discussion first.**

Dockerfile

@@ -1,6 +1,7 @@
-FROM python:3.11-bookworm
+FROM python:3.13-trixie
 
-RUN apt-get update && \
+RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
+    apt-get update && \
     apt-get install -y --no-install-recommends \
             build-essential \
             gettext \
@@ -21,8 +22,7 @@ RUN apt-get update && \
             libmaxminddb0 \
             libmaxminddb-dev \
             zlib1g-dev \
-            nodejs  \
-            npm && \
+            nodejs && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
     dpkg-reconfigure locales &&  \
@@ -31,6 +31,7 @@ RUN apt-get update && \
     mkdir /etc/pretix && \
     mkdir /data && \
     useradd -ms /bin/bash -d /pretix -u 15371 pretixuser && \
+    chmod 0755 /pretix && \
     echo 'pretixuser ALL=(ALL) NOPASSWD:SETENV: /usr/bin/supervisord' >> /etc/sudoers && \
     mkdir /static && \
     mkdir /etc/supervisord
@@ -49,6 +50,10 @@ COPY deployment/docker/production_settings.py /pretix/src/production_settings.py
 COPY pyproject.toml /pretix/pyproject.toml
 COPY _build /pretix/_build
 COPY src /pretix/src
+COPY package.json /pretix/package.json
+COPY package-lock.json /pretix/package-lock.json
+COPY tsconfig.json /pretix/tsconfig.json
+COPY vite.config.ts /pretix/vite.config.ts
 
 RUN pip3 install -U \
         pip \

MANIFEST.in

@@ -48,3 +48,8 @@ recursive-include src Makefile
 recursive-exclude doc *
 recursive-exclude deployment *
 recursive-exclude res *
+
+include package.json
+include package-lock.json
+include tsconfig.json
+include vite.config.ts

doc/api/deviceauth.rst

@@ -197,10 +197,11 @@ Permissions & security profiles
 
 Device authentication is currently hardcoded to grant the following permissions:
 
-* View event meta data and products etc.
-* View orders
-* Change orders
-* Manage gift cards
+* Read event meta data and products etc.
+* Read and write orders
+* Read and write gift cards
+* Read and write reusable media
+* Read vouchers
 
 Devices cannot change events or products and cannot access vouchers.
 

doc/api/resources/devices.rst

@@ -30,7 +30,7 @@ software_brand                        string                     Device software
 software_version                      string                     Device software version (read-only)
 created                               datetime                   Creation time
 initialized                           datetime                   Time of initialization (or ``null``)
-initialization_token                  string                     Token for initialization
+initialization_token                  string                     Token for initialization (field invisible without write permission)
 revoked                               boolean                    Whether this device no longer has access
 security_profile                      string                     The name of a supported security profile restricting API access
 ===================================== ========================== =======================================================

doc/api/resources/events.rst

@@ -65,8 +65,6 @@ Endpoints
 
    Returns a list of all events within a given organizer the authenticated user/token has access to.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -161,8 +159,6 @@ Endpoints
 
    Returns information on one event, identified by its slug.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -234,8 +230,6 @@ Endpoints
    Please note that events cannot be created as 'live' using this endpoint. Quotas and payment must be added to the
    event before sales can go live.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -338,8 +332,6 @@ Endpoints
    Please note that you can only copy from events under the same organizer this way. Use the ``clone_from`` parameter
    when creating a new event for this instead.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -433,8 +425,6 @@ Endpoints
 
    Updates an event
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -510,8 +500,6 @@ Endpoints
 
    Delete an event. Note that events with orders cannot be deleted to ensure data integrity.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -561,8 +549,6 @@ organizer level.
 
    Get current values of event settings.
 
-   Permission required: "Can change event settings" (Exception: with device auth, *some* settings can always be *read*.)
-
    **Example request**:
 
    .. sourcecode:: http
@@ -615,6 +601,8 @@ organizer level.
 
    Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``.
 
+   Permission "Can change event settings" is always required. Some keys require additional permissions.
+
     .. warning::
 
        Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting

doc/api/resources/item_program_times.rst

@@ -16,6 +16,7 @@ Field                                 Type                       Description
 id                                    integer                    Internal ID of the program time
 start                                 datetime                   The start date time for this program time slot.
 end                                   datetime                   The end date time for this program time slot.
+location                              multi-lingual string       The program time slot's location (or ``null``)
 ===================================== ========================== =======================================================
 
 .. versionchanged:: TODO
@@ -54,17 +55,20 @@ Endpoints
             {
                "id": 2,
                "start": "2025-08-14T22:00:00Z",
-               "end": "2025-08-15T00:00:00Z"
+               "end": "2025-08-15T00:00:00Z",
+               "location": null
             },
             {
                "id": 3,
                "start": "2025-08-12T22:00:00Z",
-               "end": "2025-08-13T22:00:00Z"
+               "end": "2025-08-13T22:00:00Z",
+               "location": null
             },
             {
                "id": 14,
                "start": "2025-08-15T22:00:00Z",
-               "end": "2025-08-17T22:00:00Z"
+               "end": "2025-08-17T22:00:00Z",
+               "location": null
             }
         ]
       }
@@ -99,7 +103,8 @@ Endpoints
       {
          "id": 1,
          "start": "2025-08-15T22:00:00Z",
-         "end": "2025-10-27T23:00:00Z"
+         "end": "2025-10-27T23:00:00Z",
+         "location": null
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
@@ -125,7 +130,8 @@ Endpoints
 
       {
         "start": "2025-08-15T10:00:00Z",
-        "end": "2025-08-15T22:00:00Z"
+        "end": "2025-08-15T22:00:00Z",
+        "location": null
       }
 
    **Example response**:
@@ -139,7 +145,8 @@ Endpoints
       {
         "id": 17,
         "start": "2025-08-15T10:00:00Z",
-        "end": "2025-08-15T22:00:00Z"
+        "end": "2025-08-15T22:00:00Z",
+        "location": null
       }
 
    :param organizer: The ``slug`` field of the organizer of the event/item to create a program time for

doc/api/resources/orders.rst

@@ -117,6 +117,8 @@ cancellation_date                     datetime                   Time of order c
                                                                  reliable for orders that have been cancelled,
                                                                  reactivated and cancelled again.
 plugin_data                           object                     Additional data added by plugins.
+use_gift_cards                        list of strings            List of unique gift card secrets that are used to pay
+                                                                 for this order.
 ===================================== ========================== =======================================================
 
 
@@ -156,6 +158,10 @@ plugin_data                           object                     Additional data
 
    The ``tax_rounding_mode`` attribute has been added.
 
+.. versionchanged:: 2026.03
+
+   The ``use_gift_cards`` attribute has been added.
+
 .. _order-position-resource:
 
 Order position resource
@@ -987,8 +993,6 @@ Creating orders
 
        * does not support file upload questions
 
-       * does not support redeeming gift cards
-
        * does not support or validate memberships
 
 
@@ -1095,6 +1099,14 @@ Creating orders
      whether these emails are enabled for certain sales channels. If set to ``null``, behavior will be controlled by pretix'
      settings based on the sales channels (added in pretix 4.7). Defaults to ``false``.
      Used to be ``send_mail`` before pretix 3.14.
+   * ``use_gift_cards`` (optional) The provided gift cards will be used to pay for this order. They will be debited and
+     all the necessary payment records for these transactions will be created. The gift cards will be used in sequence to
+     pay for the order. Processing of the gift cards stops as soon as the order is payed for. All gift card transactions
+     are listed under ``payments`` in the response.
+     This option can only be used with orders that are in the pending state.
+     The ``use_gift_cards`` attribute can not be combined with ``payment_info`` and ``payment_provider`` fields. If the
+     order isn't completely paid after its creation with ``use_gift_cards``, then a subsequent request to the payment
+     endpoint is needed.
 
    If you want to use add-on products, you need to set the ``positionid`` fields of all positions manually
    to incrementing integers starting with ``1``. Then, you can reference one of these
@@ -1719,6 +1731,56 @@ List of all order positions
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 
+.. http:get:: /api/v1/organizers/(organizer)/orderpositions/
+
+   Returns a list of all order positions within all events of a given organizer (with sufficient access permissions).
+
+   The supported query parameters and output format of this endpoint are almost identical to those of the list endpoint
+   within an event.
+   The only changes are that responses also contain the ``event`` attribute in each result and that the 'pdf_data'
+   parameter is not supported.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/orderpositions/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+      X-Page-Generated: 2017-12-01T10:00:00Z
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id:": 23442
+            "event": "sampleconf",
+            "order": "ABC12",
+            "positionid": 1,
+            "canceled": false,
+            "item": 1345,
+            ...
+          }
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+
+
 Fetching individual positions
 -----------------------------
 

doc/api/resources/organizers.rst

@@ -110,8 +110,6 @@ Endpoints
 
    Updates an organizer. Currently only the ``plugins`` field may be updated.
 
-   Permission required: "Can change organizer settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -172,8 +170,6 @@ information about the properties.
 
    Get current values of organizer settings.
 
-   Permission required: "Can change organizer settings"
-
    **Example request**:
 
    .. sourcecode:: http

doc/api/resources/reusablemedia.rst

@@ -154,7 +154,7 @@ Endpoints
 .. http:post:: /api/v1/organizers/(organizer)/reusablemedia/lookup/
 
    Look up a new reusable medium by its identifier. In some cases, this might lead to the automatic creation of a new
-   medium behind the scenes.
+   medium behind the scenes, therefore this endpoint requires write permissions.
 
    This endpoint, and this endpoint only, might return media from a different organizer if there is a cross-acceptance
    agreement. In this case, only linked gift cards will be returned, no order position or customer records,

doc/api/resources/subevents.rst

@@ -154,8 +154,6 @@ Endpoints
 
    Creates a new subevent.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -300,8 +298,6 @@ Endpoints
    provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
    the fields that you want to change.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -373,8 +369,6 @@ Endpoints
 
    Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http

doc/api/resources/teams.rst

@@ -24,21 +24,58 @@ all_events                            boolean                    Whether this te
 limit_events                          list                       List of event slugs this team has access to
 require_2fa                           boolean                    Whether members of this team are required to use
                                                                  two-factor authentication
-can_create_events                     boolean
-can_change_teams                      boolean
-can_change_organizer_settings         boolean
-can_manage_customers                  boolean
-can_manage_reusable_media             boolean
-can_manage_gift_cards                 boolean
-can_change_event_settings             boolean
-can_change_items                      boolean
-can_view_orders                       boolean
-can_change_orders                     boolean
-can_view_vouchers                     boolean
-can_change_vouchers                   boolean
-can_checkin_orders                    boolean
+all_event_permissions                 bool                       Whether members of this team are granted all event-level
+                                                                 permissions, including future additions
+limit_event_permissions               list of strings            The event-level permissions team members are granted
+all_organizer_permissions             bool                       Whether members of this team are granted all organizer-level
+                                                                 permissions, including future additions
+all_organizer_permissions             list of strings            The organizer-level permissions team members are granted
+can_create_events                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_teams                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_organizer_settings         boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_customers                  boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_reusable_media             boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_gift_cards                 boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_event_settings             boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_items                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_orders                       boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_orders                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_vouchers                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_vouchers                   boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_checkin_orders                    boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
 ===================================== ========================== =======================================================
 
+Possible values for ``limit_organizer_permissions`` defined in the core pretix system (plugins might add more)::
+
+    organizer.events:create
+    organizer.settings.general:write
+    organizer.teams:write
+    organizer.seatingplans:write
+    organizer.giftcards:read
+    organizer.giftcards:write
+    organizer.customers:read
+    organizer.customers:write
+    organizer.reusablemedia:read
+    organizer.reusablemedia:write
+    organizer.devices:read
+    organizer.devices:write
+    organizer.outgoingmails:read
+
+Possible values for ``limit_event_permissions`` defined in the core pretix system (plugins might add more)::
+
+    event.settings.general:write
+    event.settings.payment:write
+    event.settings.tax:write
+    event.settings.invoicing:write
+    event.subevents:write
+    event.items:write
+    event.orders:read
+    event.orders:write
+    event.orders:checkin
+    event.vouchers:read
+    event.vouchers:write
+    event:cancel
+
 Team member resource
 --------------------
 
@@ -121,6 +158,10 @@ Team endpoints
             "all_events": true,
             "limit_events": [],
             "require_2fa": true,
+            "all_event_permissions": true,
+            "limit_event_permissions": [],
+            "all_organizer_permissions": true,
+            "limit_organizer_permissions": [],
             "can_create_events": true,
             ...
           }
@@ -159,6 +200,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         "can_create_events": true,
         ...
       }
@@ -187,7 +232,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
-        "can_create_events": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         ...
       }
 
@@ -205,6 +253,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         "can_create_events": true,
         ...
       }
@@ -232,7 +284,8 @@ Team endpoints
       Content-Length: 94
 
       {
-        "can_create_events": true
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"]
       }
 
    **Example response**:
@@ -249,6 +302,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"],
         "can_create_events": true,
         ...
       }

doc/development/api/customview.rst

@@ -55,12 +55,12 @@ your views:
     )
 
     class AdminView(EventPermissionRequiredMixin, View):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
 
         ...
 
 
-    @event_permission_required('can_view_orders')
+    @event_permission_required('event.orders:read')
     def admin_view(request, organizer, event):
         ...
 
@@ -78,7 +78,7 @@ event-related views, there is also a signal that allows you to add the view to t
     @receiver(nav_event, dispatch_uid='friends_tickets_nav')
     def navbar_info(sender, request, **kwargs):
         url = resolve(request.path_info)
-        if not request.user.has_event_permission(request.organizer, request.event, 'can_change_vouchers'):
+        if not request.user.has_event_permission(request.organizer, request.event, 'event.vouchers:read'):
             return []
         return [{
             'label': _('My plugin view'),
@@ -118,7 +118,7 @@ for good integration. If you just want to display a form, you could do it like t
 
     class MySettingsView(EventSettingsViewMixin, EventSettingsFormView):
         model = Event
-        permission = 'can_change_settings'
+        permission = 'event.settings.general:write'
         form_class = MySettingsForm
         template_name = 'my_plugin/settings.html'
 
@@ -204,13 +204,13 @@ In case of ``orga_router`` and ``event_router``, permission checking is done for
 in the control panel. However, you need to make sure on your own only to return the correct subset of data! ``request
 .event`` and ``request.organizer`` are available as usual.
 
-To require a special permission like ``can_view_orders``, you do not need to inherit from a special ViewSet base
+To require a special permission like ``event.orders:read``, you do not need to inherit from a special ViewSet base
 class, you can just set the ``permission`` attribute on your viewset:
 
 .. code-block:: python
 
     class MyViewSet(ModelViewSet):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
         ...
 
 If you want to check the permission only for some methods of your viewset, you have to do it yourself. Note here that
@@ -220,7 +220,7 @@ following:
 .. code-block:: python
 
     perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken) else request.user)
-    if perm_holder.has_event_permission(request.event.organizer, request.event, 'can_view_orders'):
+    if perm_holder.has_event_permission(request.event.organizer, request.event, 'event.orders:read'):
         ...
 
 

doc/development/api/exporter.rst

@@ -80,8 +80,24 @@ The exporter class
 
    .. autoattribute:: category
 
+   .. autoattribute:: feature
+
    .. autoattribute:: export_form_fields
 
+   .. autoattribute:: repeatable_read
+
    .. automethod:: render
 
       This is an abstract method, you **must** override this!
+
+   .. automethod:: available_for_user
+
+   .. automethod:: get_required_event_permission
+
+On organizer level, by default exporters are expected to handle on a *set of events* and the system will automatically
+add a form field that allows the selection of events, limited to events the user has correct permissions for. If this
+does not fit your organizer, because it is not related to events, you should **also** inherit from the following class:
+
+.. class:: pretix.base.exporter.OrganizerLevelExportMixin
+
+   .. automethod:: get_required_organizer_permission

doc/development/api/general.rst

@@ -14,7 +14,8 @@ Core
    :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types, notification,
       item_copy_data, register_sales_channel_types, register_global_settings, quota_availability, global_email_filter,
       register_ticket_secret_generators, gift_card_transaction_display,
-      register_text_placeholders, register_mail_placeholders, device_info_updated
+      register_text_placeholders, register_mail_placeholders, device_info_updated,
+      register_event_permission_groups, register_organizer_permission_groups
 
 Order events
 """"""""""""

doc/development/contribution/ai.rst

@@ -0,0 +1,24 @@
+.. _`aipolicy`:
+
+AI-assisted contribution policy
+===============================
+
+pretix is maintained by humans.
+Every discussion, issue, and pull request is read and reviewed by humans (and sometimes machines, too).
+We ask you to respect the time and effort put in by these humans by not sending low-effort, unqualified work, since it puts the burden of validation on the maintainer.
+
+Therefore, the pretix project has strict rules for AI usage:
+
+- **All AI usage in any form must be disclosed.** You must state the tool you used (e.g. Claude Code, Cursor, Amp) along with the extent that the work was AI-assisted.
+
+- **The human-in-the-loop must fully understand all code.** If you can't explain what your changes do and how they interact with the greater system without the aid of AI tools, do not contribute to this project.
+
+- **Issues and discussions can use AI assistance but must have a full human-in-the-loop.** This means that any content generated with AI must have been reviewed and edited by a human before submission. AI is very good at being overly verbose and including noise that distracts from the main point. Humans must do their research and trim this down.
+
+- **No AI-generated media is allowed (art, images, videos, audio, etc.).** Text and code are the only acceptable AI-generated content, per the other rules in this policy.
+
+- **Bad AI drivers will be excluded from the project.** People who produce bad contributions that are clearly AI (slop) will be blocked from our organization without warning.
+
+This policy was inspired by the `ghostty project`_.
+
+.. _ghostty project: https://github.com/ghostty-org/ghostty/blob/main/AI_POLICY.md

doc/development/contribution/general.rst

@@ -1,23 +1,39 @@
-General remarks
-===============
+Contribution workflow
+=====================
 
 You are interested in contributing to pretix? That is awesome!
 
 If you’re new to contributing to open source software, don’t be afraid. We’ll happily review your code and give you
-constructive and friendly feedback on your changes.
+constructive and friendly feedback on your changes. Every contribution should go through the following steps.
 
-First of all, you'll need pretix running locally on your machine. Head over to :ref:`devsetup` to learn how to do this.
+Discussion & Design
+-------------------
+
+pretix is a large and mature project with more of a decade of history and hopefully many more decades to come.
+Keeping pretix in good shape over long timeframes is first and foremost a fight against complexity.
+With every additional feature, complexity grows, and both features and complexity are hard to remove.
+
+Even if you are doing the initial work of the contribution, accepting the contribution is not free for us.
+Not only will we need to maintain the feature, but every feature adds cost to the maintenance of every other feature it interacts with, and every feature adds effort for users to understand how pretix works.
+Therefore, we must carefully select what features we add, based on how well they fit the system in general and of how much use they will be to our larger user base.
+
+We strongly ask you to **create a discussion on GitHub for every new feature idea** outlining the use case and the proposed implementation design.
+Pull requests without prior discussion will likely just be closed.
+
+For bug fixes and very minor changes, you can skip this step and open a PR right away.
+
+Development
+-----------
+
+To develop your contribution, you'll need pretix running locally on your machine. Head over to :ref:`devsetup` to learn how to do this.
 If you run into any problems on your way, please do not hesitate to ask us anytime!
 
-Please note that we bound ourselves to a :ref:`coc` that applies to all communication around the project. You can be
-assured that we will not tolerate any form of harassment.
+While developing, please have a look at our :ref:`aipolicy` and our guidelines on :ref:`codestyle`.
 
 Sending a patch
 ---------------
 
-If you improved pretix in any way, we'd be very happy if you contribute it
-back to the main code base! The easiest way to do so is to `create a pull request`_
-on our `GitHub repository`_.
+Once you have a first draft of your changes, please `create a pull request`_ on our `GitHub repository`_.
 
 We recommend that you create a feature branch for every issue you work on so the changes can
 be reviewed individually.
@@ -25,14 +41,17 @@ Please use the test suite to check whether your changes break any existing featu
 the code style checks to confirm you are consistent with pretix's coding style. You'll
 find instructions on this in the :ref:`checksandtests` section of the development setup guide.
 
-We automatically run the tests and the code style check on every pull request on Travis CI and we won’t
+We automatically run the tests and the code style check on every pull request through GitHub Actions and we won’t
 accept any pull requests without all tests passing. However, if you don't find out *why* they are not passing,
 just send the pull request and tell us – we'll be glad to help.
 
 If you add a new feature, please include appropriate documentation into your patch. If you fix a bug,
 please include a regression test, i.e. a test that fails without your changes and passes after applying your changes.
 
-Again: If you get stuck, do not hesitate to contact any of us, or Raphael personally at mail@raphaelmichel.de.
+Again: If you get stuck, do not hesitate to contact us through GitHub discussions.
+
+Please note that we bound ourselves to a :ref:`coc` that applies to all communication around the project. You can be
+assured that we will not tolerate any form of harassment.
 
 .. _create a pull request: https://help.github.com/articles/creating-a-pull-request/
 .. _GitHub repository: https://github.com/pretix/pretix

doc/development/contribution/index.rst

@@ -6,4 +6,5 @@ Contributing to pretix
 
    general
    style
+   ai
    codeofconduct

doc/development/contribution/style.rst

@@ -1,5 +1,7 @@
 .. spelling:word-list:: Rebase rebasing
 
+.. _`codestyle`:
+
 Coding style and quality
 ========================
 
@@ -28,8 +30,6 @@ Code
 Commits and Pull Requests
 -------------------------
 
-
-
 Most commits should start as pull requests, therefore this applies to the titles of pull requests as well since
 the pull request title will become the commit message on merge. We prefer merging with GitHub's "Squash and merge"
 feature if the PR contains multiple commits that do not carry value to keep. If there is value in keeping the
@@ -86,7 +86,7 @@ individual commits, we use "Rebase and merge" instead. Merge commits should be a
 .. _PEP 8: https://legacy.python.org/dev/peps/pep-0008/
 .. _flake8: https://pypi.python.org/pypi/flake8
 .. _Django Coding Style: https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/coding-style/
-.. _translation: https://docs.djangoproject.com/en/1.11/topics/i18n/translation/
-.. _class-based views: https://docs.djangoproject.com/en/1.11/topics/class-based-views/
+.. _translation: https://docs.djangoproject.com/en/6.0/topics/i18n/translation/
+.. _class-based views: https://docs.djangoproject.com/en/6.0/topics/class-based-views/
 .. _pytest-style: https://docs.pytest.org/en/latest/assert.html
 .. _fixtures: https://docs.pytest.org/en/latest/fixture.html

doc/development/implementation/logging.rst

@@ -196,7 +196,7 @@ A simple implementation could look like this:
 .. code-block:: python
 
     class MyNotificationType(NotificationType):
-        required_permission = "can_view_orders"
+        required_permission = "event.orders:read"
         action_type = "pretix.event.order.paid"
         verbose_name = _("Order has been paid")
 

doc/development/implementation/permissions.rst

@@ -2,7 +2,7 @@ Permissions
 ===========
 
 pretix uses a fine-grained permission system to control who is allowed to control what parts of the system.
-The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions <user-teams>`_
+The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions`_
 and the :class:`pretix.base.models.Team` model in the respective parts of the documentation. The basic digest is:
 An organizer account can have any number of teams, and any number of users can be part of a team. A team can be
 assigned a set of permissions and connected to some or all of the events of the organizer.
@@ -25,8 +25,8 @@ permission level to access a view:
 
 
     class MyOrgaView(OrganizerPermissionRequiredMixin, View):
-        permission = 'can_change_organizer_settings'
-        # Only users with the permission ``can_change_organizer_settings`` on
+        permission = 'organizer.settings.general:write'
+        # Only users with the permission ``organizer.settings.general:write`` on
         # this organizer can access this
 
 
@@ -35,9 +35,9 @@ permission level to access a view:
         # Only users with *any* permission on this organizer can access this
 
 
-    @organizer_permission_required('can_change_organizer_settings')
+    @organizer_permission_required('organizer.settings.general:write')
     def my_orga_view(request, organizer, **kwargs):
-        # Only users with the permission ``can_change_organizer_settings`` on
+        # Only users with the permission ``organizer.settings.general:write`` on
         # this organizer can access this
 
 
@@ -56,8 +56,8 @@ Of course, the same is available on event level:
 
 
     class MyEventView(EventPermissionRequiredMixin, View):
-        permission = 'can_change_event_settings'
-        # Only users with the permission ``can_change_event_settings`` on
+        permission = 'event.settings.general:write'
+        # Only users with the permission ``event.settings.general:write`` on
         # this event can access this
 
 
@@ -65,13 +65,16 @@ Of course, the same is available on event level:
         permission = None
         # Only users with *any* permission on this event can access this
 
+    class MyThirdEventView(EventPermissionRequiredMixin, View):
+        permission = AnyPermissionOf('event.settings.payment:write', 'event.settings.general:write')
+        # Only users with at least one of the specified permissions on this event
+        # can access this
 
-    @event_permission_required('can_change_event_settings')
+    @event_permission_required('event.settings.general:write')
     def my_event_view(request, organizer, **kwargs):
-        # Only users with the permission ``can_change_event_settings`` on
+        # Only users with the permission ``event.settings.general:write`` on
         # this event can access this
 
-
     @event_permission_required()
     def my_other_event_view(request, organizer, **kwargs):
         # Only users with *any* permission on this event can access this
@@ -121,7 +124,7 @@ When creating your own ``viewset`` using Django REST framework, you just need to
 and pretix will check it automatically for you::
 
     class MyModelViewSet(viewsets.ReadOnlyModelViewSet):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
 
 Checking permission in code
 ---------------------------
@@ -136,12 +139,12 @@ Return all users that are in any team that is connected to this event::
 
 Return all users that are in a team with a specific permission for this event::
 
-    >>> event.get_users_with_permission('can_change_event_settings')
+    >>> event.get_users_with_permission('event.orders:read')
     <QuerySet: …>
 
 Determine if a user has a certain permission for a specific event::
 
-    >>> user.has_event_permission(organizer, event, 'can_change_event_settings', request=request)
+    >>> user.has_event_permission(organizer, event, 'event.orders:read', request=request)
     True
 
 Determine if a user has any permission for a specific event::
@@ -153,27 +156,27 @@ In the two previous commands, the ``request`` argument is optional, but required
 
 The same method exists for organizer-level permissions::
 
-    >>> user.has_organizer_permission(organizer, 'can_change_event_settings', request=request)
+    >>> user.has_organizer_permission(organizer, 'event.orders:read', request=request)
     True
 
 Sometimes, it might be more useful to get the set of permissions at once::
 
     >>> user.get_event_permission_set(organizer, event)
-    {'can_change_event_settings', 'can_view_orders', 'can_change_orders'}
+    {'event.settings.general:write', 'event.orders:read', 'event.orders:write'}
 
     >>> user.get_organizer_permission_set(organizer, event)
-    {'can_change_organizer_settings', 'can_create_events'}
+    {'organizer.settings.general:write', 'organizer.events:create'}
 
 Within a view on the ``/control`` subpath, the results of these two methods are already available in the
 ``request.eventpermset`` and ``request.orgapermset`` properties. This makes it convenient to query them in templates::
 
-    {% if "can_change_orders" in request.eventpermset %}
+    {% if "event.orders:write" in request.eventpermset %}
         …
     {% endif %}
 
 You can also do the reverse to get any events a user has access to::
 
-    >>> user.get_events_with_permission('can_change_event_settings', request=request)
+    >>> user.get_events_with_permission('event.settings.general:write', request=request)
     <QuerySet: …>
 
     >>> user.get_events_with_any_permission(request=request)
@@ -195,3 +198,53 @@ staff mode is active. You can check if a user is in staff mode using their sessi
 Staff mode has a hard time limit and during staff mode, a middleware will log all requests made by that user. Later,
 the user is able to also save a message to comment on what they did in their administrative session. This feature is
 intended to help compliance with data protection rules as imposed e.g. by GDPR.
+
+Adding permissions
+------------------
+
+Plugins can add permissions through the ``register_event_permission_groups`` and ``register_organizer_permission_groups``.
+We recommend to use this only for very significant permissions, as the system will become less usable with too many
+permission levels, also because the team page will show all permission options, even those of disabled plugins.
+
+To register your permissions, you need to register a **permission group** (often representing an area of functionality
+or a key model). Below that group, there are **actions**, which represent the actual permissions. Permissions will be
+generated as ``<group_name>:<action>``. Then, you need to define **options** which are the valid combinations of the
+actions that should be possible to select for a team. This two-step mechanism exists to provide a better user experience
+and avoid useless combinations like "write but not read".
+
+Example::
+
+    @receiver(register_event_permission_groups)
+    def register_plugin_event_permissions(sender, **kwargs):
+        return [
+            PermissionGroup(
+                name="pretix_myplugin.resource",
+                label=_("Resources"),
+                actions=["read", "write"],
+                options=[
+                    PermissionOption(actions=tuple(), label=_("No access")),
+                    PermissionOption(actions=("read",), label=_("View")),
+                    PermissionOption(actions=("read", "write"), label=_("View and change")),
+                ],
+                help_text=_("Some help text")
+            ),
+        ]
+
+
+    @receiver(register_organizer_permission_groups)
+    def register_plugin_organizer_permissions(sender, **kwargs):
+        return [
+            PermissionGroup(
+                name="pretix_myplugin.resource",
+                label=_("Resources"),
+                actions=["read", "write"],
+                options=[
+                    PermissionOption(actions=tuple(), label=_("No access")),
+                    PermissionOption(actions=("read",), label=_("View")),
+                    PermissionOption(actions=("read", "write"), label=_("View and change")),
+                ],
+                help_text=_("Some help text")
+            ),
+        ]
+
+.. _configuring teams and permissions: https://docs.pretix.eu/guides/teams/

doc/development/setup.rst

@@ -110,6 +110,56 @@ process::
 
 However, beware that code changes will not auto-reload within Celery.
 
+Running the local development server will also automatically start a vite dev server for all control vue components.
+
+Run the widget development server
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To locally develop the presale widget you need to start a separate vite dev server using::
+
+    npm run dev:widget
+
+You can control the org, event and much more via query parameters like this::
+
+    http://localhost:5180/?org=testorg&event=testevent
+
+The following query parameters are supported:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 20 20 60
+
+   * - Parameter
+     - Default
+     - Description
+   * - ``org``
+     - ``testorg``
+     - Organization slug
+   * - ``event``
+     - ``testevent``
+     - Event slug
+   * - ``host``
+     - ``http://localhost:8000``
+     - Backend host URL
+   * - ``type``
+     - ``widget``
+     - Element type: ``widget`` or ``button``
+   * - ``mode``
+     - ``dev``
+     - ``dev`` loads the Vite dev source, ``prod`` loads the built ``v2.{lang}.js``
+   * - ``lang``
+     - ``de``
+     - Language code for the prod script
+   * - ``button-text``
+     - ``Buy tickets!``
+     - Text content for the button (only used when ``type=button``)
+
+Any other query parameter is passed through as an attribute on the widget/button element.
+For example, ``?skip-ssl-check&list-type=calendar&items=123`` adds those attributes directly.
+
+
+
+
 .. _`checksandtests`:
 
 Code checks and unit tests

eslint.config.mjs

@@ -0,0 +1,108 @@
+import { defineConfig, globalIgnores } from 'eslint/config'
+import globals from 'globals'
+import js from '@eslint/js'
+import ts from 'typescript-eslint'
+import stylistic from '@stylistic/eslint-plugin'
+import vue from 'eslint-plugin-vue'
+import vuePug from 'eslint-plugin-vue-pug'
+
+const ignores = globalIgnores([
+	'**/node_modules',
+	'**/dist'
+])
+
+export default defineConfig([
+	ignores,
+	...ts.config(
+		js.configs.recommended,
+		ts.configs.recommended
+	),
+	stylistic.configs.customize({
+		indent: 'tab',
+		braceStyle: '1tbs',
+		quoteProps: 'as-needed'
+	}),
+	...vue.configs['flat/recommended'],
+	...vuePug.configs['flat/recommended'],
+	{
+		languageOptions: {
+			globals: {
+				...globals.browser,
+				...globals.node,
+				localStorage: false,
+				$: 'readonly',
+				$$: 'readonly',
+				$ref: 'readonly',
+				$computed: 'readonly',
+			},
+			parserOptions: {
+				parser: '@typescript-eslint/parser'
+			}
+		},
+
+		rules: {
+			'no-debugger': 'off',
+			curly: 0,
+			'no-return-assign': 0,
+			'no-console': 'off',
+			'vue/require-default-prop': 0,
+			'vue/require-v-for-key': 0,
+			'vue/valid-v-for': 'warn',
+			'vue/no-reserved-keys': 0,
+			'vue/no-setup-props-destructure': 0,
+			'vue/multi-word-component-names': 0,
+			'vue/max-attributes-per-line': 0,
+			'vue/attribute-hyphenation': ['warn', 'never'],
+			'vue/v-on-event-hyphenation': ['warn', 'never'],
+			'import/first': 0,
+			'@typescript-eslint/ban-ts-comment': 0,
+			'@typescript-eslint/no-explicit-any': 0,
+			'no-use-before-define': 'off',
+			'no-var': 'error',
+
+			'@typescript-eslint/no-use-before-define': ['error', {
+				typedefs: false,
+				functions: false,
+			}],
+
+			'@typescript-eslint/no-unused-vars': ['error', {
+				args: 'all',
+				argsIgnorePattern: '^_',
+				caughtErrors: 'all',
+				caughtErrorsIgnorePattern: '^_',
+				destructuredArrayIgnorePattern: '^_',
+				varsIgnorePattern: '^_',
+				ignoreRestSiblings: true
+			}],
+
+			'@stylistic/comma-dangle': 0,
+			'@stylistic/space-before-function-paren': ['error', 'always'],
+			'@stylistic/max-statements-per-line': ['error', { max: 1, ignoredNodes: ['BreakStatement'] }],
+			'@stylistic/member-delimiter-style': 0,
+			'@stylistic/arrow-parens': 0,
+			'@stylistic/generator-star-spacing': 0,
+			'@stylistic/yield-star-spacing': ['error', 'after'],
+		},
+	},
+	{
+		files: [
+			'src/pretix/static/pretixcontrol/js/ui/checkinrules/**/*.vue',
+			'src/pretix/plugins/webcheckin/**/*.vue',
+		],
+		languageOptions: {
+			globals: {
+				moment: 'readonly',
+			},
+		},
+	},
+	{
+		files: [
+			'src/pretix/static/pretixpresale/widget/**/*.{ts,vue}',
+		],
+		languageOptions: {
+			globals: {
+				LANG: 'readonly',
+			},
+		},
+	},
+])

package.json

@@ -0,0 +1,52 @@
+{
+  "name": "pretix",
+  "version": "1.0.0",
+  "description": "",
+  "homepage": "https://github.com/pretix/pretix#readme",
+  "bugs": {
+    "url": "https://github.com/pretix/pretix/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/pretix/pretix.git"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "author": "",
+  "type": "module",
+  "main": "index.js",
+  "directories": {
+    "doc": "doc"
+  },
+  "scripts": {
+    "dev:control": "vite",
+    "dev:widget": "vite src/pretix/static/pretixpresale/widget",
+    "build": "npm run build:control -s && npm run build:widget -s",
+    "build:control": "vite build",
+    "build:widget": "vite build src/pretix/static/pretixpresale/widget",
+    "lint:eslint": "eslint src/pretix/static/pretixpresale/widget src/pretix/static/pretixcontrol/js/ui/checkinrules src/pretix/plugins/webcheckin",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "vue": "^3.5.30"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@stylistic/eslint-plugin": "^5.10.0",
+    "@types/jquery": "^3.5.33",
+    "@types/moment": "^2.11.29",
+    "@types/node": "^25.5.0",
+    "@vitejs/plugin-vue": "^6.0.5",
+    "@vue/eslint-config-typescript": "^14.7.0",
+    "@vue/language-plugin-pug": "^3.2.5",
+    "eslint": "^10.0.3",
+    "eslint-plugin-vue": "^10.8.0",
+    "eslint-plugin-vue-pug": "^1.0.0-alpha.5",
+    "globals": "^17.4.0",
+    "pug": "^3.0.3",
+    "sass-embedded": "^1.98.0",
+    "smol-toml": "^1.6.1",
+    "stylus": "^0.64.0",
+    "typescript-eslint": "^8.57.0",
+    "vite": "^8.0.0"
+  }
+}

pyproject.toml

@@ -3,7 +3,7 @@ name = "pretix"
 dynamic = ["version"]
 description = "Reinventing presales, one ticket at a time"
 readme = "README.rst"
-requires-python = ">=3.10"
+requires-python = ">=3.11"
 license = {file = "LICENSE"}
 keywords = ["tickets", "web", "shop", "ecommerce"]
 authors = [
@@ -19,10 +19,11 @@ classifiers = [
   "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
   "Environment :: Web Environment",
   "License :: OSI Approved :: GNU Affero General Public License v3",
-  "Programming Language :: Python :: 3.9",
-  "Programming Language :: Python :: 3.10",
   "Programming Language :: Python :: 3.11",
-  "Framework :: Django :: 4.2",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
+  "Framework :: Django :: 5.2",
 ]
 
 dependencies = [
@@ -32,11 +33,11 @@ dependencies = [
   "bleach==6.3.*",
   "celery==5.6.*",
   "chardet==5.2.*",
-  "cryptography>=44.0.0",
+  "cryptography>=47.0.0",
   "css-inline==0.20.*",
-  "defusedcsv>=1.1.0",
+  "defusedcsv>=3.0.0",
   "dnspython==2.*",
-  "Django[argon2]==4.2.*,>=4.2.26",
+  "Django[argon2]==5.2.*",
   "django-bootstrap3==26.1",
   "django-compressor==4.6.0",
   "django-countries==8.2.*",
@@ -54,12 +55,12 @@ dependencies = [
   "django-phonenumber-field==8.4.*",
   "django-redis==6.0.*",
   "django-scopes==2.0.*",
-  "django-statici18n==2.6.*",
+  "django-statici18n==2.7.*",
   "djangorestframework==3.16.*",
   "dnspython==2.8.*",
   "drf_ujson2==1.7.*",
   "geoip2==5.*",
-  "importlib_metadata==8.*",  # Polyfill, we can probably drop this once we require Python 3.10+
+  "importlib_metadata==9.*",  # Polyfill, we can probably drop this once we require Python 3.10+
   "isoweek",
   "jsonschema",
   "kombu==5.6.*",
@@ -73,11 +74,11 @@ dependencies = [
   "packaging",
   "paypalrestsdk==1.13.*",
   "paypal-checkout-serversdk==1.0.*",
-  "PyJWT==2.11.*",
+  "PyJWT==2.12.*",
   "phonenumberslite==9.0.*",
-  "Pillow==12.1.*",
+  "Pillow==12.2.*",
   "pretix-plugin-build",
-  "protobuf==6.33.*",
+  "protobuf==7.34.*",
   "psycopg2-binary",
   "pycountry",
   "pycparser==3.0",
@@ -89,14 +90,14 @@ dependencies = [
   "pytz-deprecation-shim==0.1.*",
   "pyuca",
   "qrcode==8.2",
-  "redis==7.1.*",
+  "redis==7.4.*",
   "reportlab==4.4.*",
   "requests==2.32.*",
-  "sentry-sdk==2.53.*",
+  "sentry-sdk==2.58.*",
   "sepaxml==2.7.*",
   "stripe==7.9.*",
   "text-unidecode==1.*",
-  "tlds>=2020041600",
+  "tlds>=2026041800",
   "tqdm==4.*",
   "ua-parser==1.0.*",
   "vobject==0.9.*",
@@ -116,13 +117,14 @@ dev = [
   "isort==8.0.*",
   "pep8-naming==0.15.*",
   "potypo",
-  "pytest-asyncio>=0.24",
+  "pytest-asyncio>=1.3.0",
   "pytest-cache",
   "pytest-cov",
   "pytest-django==4.*",
   "pytest-mock==3.15.*",
   "pytest-sugar",
   "pytest-xdist==3.8.*",
+  "pytest-playwright",
   "pytest==9.0.*",
   "responses",
 ]

setup.cfg

@@ -37,4 +37,9 @@ ignore =
     CONTRIBUTING.md
     Dockerfile
     SECURITY.md
+    eslint.config.mjs
+    package-lock.json
+    package.json
+    tsconfig.json
+    vite.config.js
 

src/Makefile

@@ -9,10 +9,10 @@ localegen:
 	./manage.py makemessages --keep-pot --ignore "pretix/static/npm_dir/*" $(LNGS)
 	./manage.py makemessages --keep-pot -d djangojs --ignore "pretix/static/npm_dir/*" --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "pretix/static/rrule/*" --ignore "build/*" $(LNGS)
 
-staticfiles: jsi18n
+staticfiles: npminstall npmbuild jsi18n
 	./manage.py collectstatic --noinput
 
-compress: npminstall
+compress:
 	./manage.py compress
 
 jsi18n: localecompile
@@ -25,8 +25,8 @@ coverage:
 	coverage run -m py.test
 
 npminstall:
-	# keep this in sync with pretix/_build.py!
-	mkdir -p pretix/static.dist/node_prefix/
-	cp -r pretix/static/npm_dir/* pretix/static.dist/node_prefix/
-	npm ci --prefix=pretix/static.dist/node_prefix
+	npm ci
+
+npmbuild:
+	npm run build
 

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2026.2.0.dev0"
+__version__ = "2026.5.0.dev0"

src/pretix/_base_settings.py

@@ -37,9 +37,11 @@ INSTALLED_APPS = [
     'django.contrib.contenttypes',
     'django.contrib.sessions',
     'django.contrib.messages',
-    'django.contrib.staticfiles',
     'django.contrib.humanize',
+    # pretix needs to go before staticfiles
+    # so we can override the runserver command
     'pretix.base',
+    'django.contrib.staticfiles',
     'pretix.control',
     'pretix.presale',
     'pretix.multidomain',
@@ -243,7 +245,6 @@ STORAGES = {
 
 COMPRESS_PRECOMPILERS = (
     ('text/x-scss', 'django_libsass.SassCompiler'),
-    ('text/vue', 'pretix.helpers.compressor.VueCompiler'),
 )
 
 COMPRESS_OFFLINE_CONTEXT = {

src/pretix/_build.py

@@ -21,13 +21,13 @@
 #
 
 import os
-import shutil
 import subprocess
 
 from setuptools.command.build import build
 from setuptools.command.build_ext import build_ext
 
 here = os.path.abspath(os.path.dirname(__file__))
+project_root = os.path.abspath(os.path.join(here, '..', '..'))
 npm_installed = False
 
 
@@ -35,14 +35,14 @@ def npm_install():
     global npm_installed
 
     if not npm_installed:
-        # keep this in sync with Makefile!
-        node_prefix = os.path.join(here, 'static.dist', 'node_prefix')
-        os.makedirs(node_prefix, exist_ok=True)
-        shutil.copytree(os.path.join(here, 'static', 'npm_dir'), node_prefix, dirs_exist_ok=True)
-        subprocess.check_call('npm ci', shell=True, cwd=node_prefix)
+        subprocess.check_call('npm ci', shell=True, cwd=project_root)
         npm_installed = True
 
 
+def npm_build():
+    subprocess.check_call('npm run build', shell=True, cwd=project_root)
+
+
 class CustomBuild(build):
     def run(self):
         if "src" not in os.listdir(".") or "pretix" not in os.listdir("src"):
@@ -62,6 +62,7 @@ class CustomBuild(build):
         settings.COMPRESS_OFFLINE = True
 
         npm_install()
+        npm_build()
         management.call_command('compilemessages', verbosity=1)
         management.call_command('compilejsi18n', verbosity=1)
         management.call_command('collectstatic', verbosity=1, interactive=False)

src/pretix/_build_settings.py

@@ -47,3 +47,5 @@ HAS_MEMCACHED = False
 HAS_CELERY = False
 HAS_GEOIP = False
 SENTRY_ENABLED = False
+VITE_DEV_MODE = False
+VITE_IGNORE = False

src/pretix/api/auth/permission.py

@@ -36,7 +36,9 @@ from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.api.models import OAuthAccessToken
 from pretix.base.models import Device, Event, User
-from pretix.base.models.auth import SuperuserPermissionSet
+from pretix.base.models.auth import (
+    EventPermissionSet, OrganizerPermissionSet, SuperuserPermissionSet,
+)
 from pretix.base.models.organizer import TeamAPIToken
 from pretix.helpers.security import (
     Session2FASetupRequired, SessionInvalid, SessionPasswordChangeRequired,
@@ -85,7 +87,7 @@ class EventPermission(BasePermission):
             if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
                 request.eventpermset = SuperuserPermissionSet()
             else:
-                request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
+                request.eventpermset = EventPermissionSet(perm_holder.get_event_permission_set(request.organizer, request.event))
 
             if isinstance(required_permission, (list, tuple)):
                 if not any(p in request.eventpermset for p in required_permission):
@@ -100,7 +102,7 @@ class EventPermission(BasePermission):
             if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
                 request.orgapermset = SuperuserPermissionSet()
             else:
-                request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
+                request.orgapermset = OrganizerPermissionSet(perm_holder.get_organizer_permission_set(request.organizer))
 
             if isinstance(required_permission, (list, tuple)):
                 if not any(p in request.eventpermset for p in required_permission):
@@ -124,12 +126,12 @@ class EventCRUDPermission(EventPermission):
     def has_permission(self, request, view):
         if not super(EventCRUDPermission, self).has_permission(request, view):
             return False
-        elif view.action == 'create' and 'can_create_events' not in request.orgapermset:
+        elif view.action == 'create' and 'organizer.events:create' not in request.orgapermset:
             return False
-        elif view.action == 'destroy' and 'can_change_event_settings' not in request.eventpermset:
+        elif view.action == 'destroy' and 'event.settings.general:write' not in request.eventpermset:
             return False
         elif view.action in ['update', 'partial_update'] \
-                and 'can_change_event_settings' not in request.eventpermset:
+                and 'event.settings.general:write' not in request.eventpermset:
             return False
 
         return True

src/pretix/api/serializers/event.py

@@ -300,7 +300,7 @@ class EventSerializer(SalesChannelMigrationMixin, I18nAwareModelSerializer):
     def ignored_meta_properties(self):
         perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
                        else self.context['request'].user)
-        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']):
+        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
             return []
         return [k for k, p in self.meta_properties.items() if p.protected]
 
@@ -445,7 +445,7 @@ class CloneEventSerializer(EventSerializer):
         date_admission = validated_data.pop('date_admission', None)
         new_event = super().create({**validated_data, 'plugins': None})
 
-        event = Event.objects.filter(slug=self.context['event'], organizer=self.context['organizer'].pk).first()
+        event = self.context['event']
         new_event.copy_data_from(event, skip_meta_data='meta_data' in validated_data)
 
         if plugins is not None:
@@ -561,7 +561,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
     def ignored_meta_properties(self):
         perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
                        else self.context['request'].user)
-        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']):
+        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
             return []
         return [k for k, p in self.meta_properties.items() if p.protected]
 
@@ -707,7 +707,10 @@ class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
 
 
 class EventSettingsSerializer(SettingsSerializer):
+    default_write_permission = 'event.settings.general:write'
     default_fields = [
+        # These are readable for all users with access to the events, therefore secrets stored in the settings store
+        # should not be included!
         'imprint_url',
         'checkout_email_helptext',
         'presale_has_ended_text',
@@ -1080,16 +1083,16 @@ class SeatSerializer(I18nAwareModelSerializer):
 
     def prefetch_expanded_data(self, items, request, expand_fields):
         if 'orderposition' in expand_fields:
-            if 'can_view_orders' not in request.eventpermset:
-                raise PermissionDenied('can_view_orders permission required for expand=orderposition')
+            if 'event.orders:read' not in request.eventpermset:
+                raise PermissionDenied('event.orders:read permission required for expand=orderposition')
             prefetch_by_id(items, OrderPosition.objects.prefetch_related('order'), 'orderposition_id', 'orderposition')
         if 'cartposition' in expand_fields:
-            if 'can_view_orders' not in request.eventpermset:
-                raise PermissionDenied('can_view_orders permission required for expand=cartposition')
+            if 'event.orders:read' not in request.eventpermset:
+                raise PermissionDenied('event.orders:read permission required for expand=cartposition')
             prefetch_by_id(items, CartPosition.objects, 'cartposition_id', 'cartposition')
         if 'voucher' in expand_fields:
-            if 'can_view_vouchers' not in request.eventpermset:
-                raise PermissionDenied('can_view_vouchers permission required for expand=voucher')
+            if 'event.vouchers:read' not in request.eventpermset:
+                raise PermissionDenied('event.vouchers:read permission required for expand=voucher')
             prefetch_by_id(items, Voucher.objects, 'voucher_id', 'voucher')
 
     def __init__(self, instance, *args, **kwargs):

src/pretix/api/serializers/exporters.py

@@ -27,7 +27,9 @@ from rest_framework.exceptions import ValidationError
 
 from pretix.api.serializers.forms import form_field_to_serializer_field
 from pretix.base.exporter import OrganizerLevelExportMixin
-from pretix.base.models import ScheduledEventExport, ScheduledOrganizerExport
+from pretix.base.models import (
+    Event, ScheduledEventExport, ScheduledOrganizerExport,
+)
 from pretix.base.timeframes import SerializerDateFrameField
 
 
@@ -54,20 +56,29 @@ class ExporterSerializer(serializers.Serializer):
 
 class JobRunSerializer(serializers.Serializer):
     def __init__(self, *args, **kwargs):
-        ex = kwargs.pop('exporter')
-        events = kwargs.pop('events', None)
+        ex = self.ex = kwargs.pop('exporter')
         super().__init__(*args, **kwargs)
-        if events is not None and not isinstance(ex, OrganizerLevelExportMixin):
-            self.fields["events"] = serializers.SlugRelatedField(
-                queryset=events,
+        if ex.is_multievent and not isinstance(ex, OrganizerLevelExportMixin):
+            self.fields["all_events"] = serializers.BooleanField(
                 required=False,
-                allow_empty=False,
+            )
+            self.fields["events"] = serializers.SlugRelatedField(
+                queryset=ex.events,
+                required=False,
+                allow_empty=True,
                 slug_field='slug',
                 many=True
             )
         for k, v in ex.export_form_fields.items():
             self.fields[k] = form_field_to_serializer_field(v)
 
+    def to_representation(self, instance):
+        # Translate between events as a list of slugs (API) and list of ints (database)
+        if self.ex.is_multievent and not isinstance(self.ex, OrganizerLevelExportMixin) and "events" in instance and isinstance(instance["events"], list):
+            instance["events"] = [e for e in self.ex.events.filter(pk__in=instance["events"])]
+        instance = super().to_representation(instance)
+        return instance
+
     def to_internal_value(self, data):
         if isinstance(data, QueryDict):
             data = data.copy()
@@ -95,6 +106,14 @@ class JobRunSerializer(serializers.Serializer):
                 data[fk] = f'{d_from.isoformat() if d_from else ""}/{d_to.isoformat() if d_to else ""}'
 
         data = super().to_internal_value(data)
+
+        # Translate between events as a list of slugs (API) and list of ints (database)
+        if self.ex.is_multievent and not isinstance(self.ex, OrganizerLevelExportMixin) and "events" in data and isinstance(data["events"], list):
+            if data["events"] and isinstance(data["events"][0], Event):
+                data["events"] = [e.pk for e in data["events"]]
+            elif data["events"] and isinstance(data["events"][0], str):
+                data["events"] = [e.pk for e in self.ex.events.filter(slug__in=data["events"]).only("pk")]
+
         return data
 
     def is_valid(self, raise_exception=False):
@@ -131,13 +150,20 @@ class ScheduledExportSerializer(serializers.ModelSerializer):
             exporter = self.context['exporters'].get(identifier)
             if exporter:
                 try:
-                    JobRunSerializer(exporter=exporter).to_internal_value(attrs["export_form_data"])
+                    attrs["export_form_data"] = JobRunSerializer(exporter=exporter).to_internal_value(attrs["export_form_data"])
                 except ValidationError as e:
                     raise ValidationError({"export_form_data": e.detail})
             else:
                 raise ValidationError({"export_identifier": ["Unknown exporter."]})
         return attrs
 
+    def to_representation(self, instance):
+        repr = super().to_representation(instance)
+        exporter = self.context['exporters'].get(instance.export_identifier)
+        if exporter:
+            repr["export_form_data"] = JobRunSerializer(exporter=exporter).to_representation(repr["export_form_data"])
+        return repr
+
     def validate_mail_additional_recipients(self, value):
         d = value.replace(' ', '')
         if len(d.split(',')) > 25:

src/pretix/api/serializers/fields.py

@@ -115,10 +115,10 @@ class PluginsField(serializers.Field):
 
     def to_representation(self, obj):
         from pretix.base.plugins import get_all_plugins
-
+        active_plugins = set(obj.get_plugins())
         return sorted([
             p.module for p in get_all_plugins()
-            if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in obj.get_plugins()
+            if not p.name.startswith('.') and getattr(p, 'visible', True) and p.module in active_plugins
         ])
 
     def to_internal_value(self, data):

src/pretix/api/serializers/forms.py

@@ -65,8 +65,9 @@ def form_field_to_serializer_field(field):
         if isinstance(field, m_from):
             return m_to(
                 required=field.required,
-                allow_null=not field.required,
+                allow_null=not field.required and not isinstance(field, forms.BooleanField),
                 validators=field.validators,
+                initial=field.initial,
                 **{kwarg: getattr(field, kwarg, None) for kwarg in m_kwargs}
             )
 

src/pretix/api/serializers/item.py

@@ -191,7 +191,7 @@ class InlineItemAddOnSerializer(serializers.ModelSerializer):
 class InlineItemProgramTimeSerializer(serializers.ModelSerializer):
     class Meta:
         model = ItemProgramTime
-        fields = ('start', 'end')
+        fields = ('start', 'end', 'location')
 
 
 class ItemBundleSerializer(serializers.ModelSerializer):
@@ -222,7 +222,7 @@ class ItemBundleSerializer(serializers.ModelSerializer):
 class ItemProgramTimeSerializer(serializers.ModelSerializer):
     class Meta:
         model = ItemProgramTime
-        fields = ('id', 'start', 'end')
+        fields = ('id', 'start', 'end', 'location')
 
     def validate(self, data):
         data = super().validate(data)

src/pretix/api/serializers/media.py

@@ -24,14 +24,16 @@ from decimal import Decimal
 
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import OrderPositionSerializer
 from pretix.api.serializers.organizer import (
     CustomerSerializer, GiftCardSerializer,
 )
-from pretix.base.models import Order, OrderPosition, ReusableMedium
+from pretix.base.models import (
+    Device, Order, OrderPosition, ReusableMedium, TeamAPIToken,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -66,6 +68,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
         super().__init__(*args, **kwargs)
 
         if 'linked_giftcard' in self.context['request'].query_params.getlist('expand'):
+            if not self.context["can_read_giftcards"]:
+                raise PermissionDenied("No permission to access gift card details.")
+
             self.fields['linked_giftcard'] = NestedGiftCardSerializer(read_only=True, context=self.context)
             if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'):
                 self.fields['linked_giftcard'].fields['owner_ticket'] = NestedOrderPositionSerializer(read_only=True, context=self.context)
@@ -77,6 +82,7 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
             )
 
         if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
+            # Permission Check performed in to_representation
             self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
         else:
             self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
@@ -86,6 +92,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
             )
 
         if 'customer' in self.context['request'].query_params.getlist('expand'):
+            if not self.context["can_read_customers"]:
+                raise PermissionDenied("No permission to access customer details.")
+
             self.fields['customer'] = CustomerSerializer(read_only=True)
         else:
             self.fields['customer'] = serializers.SlugRelatedField(
@@ -109,6 +118,27 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
                 )
         return data
 
+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        request = self.context.get('request')
+        # late permission evaluations for checks that depend on the actual linked events
+        expand_nested = self.context['request'].query_params.getlist('expand')
+        perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+        if 'linked_orderposition' in expand_nested:
+            if instance.linked_orderposition is not None:
+                event = instance.linked_orderposition.order.event
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['linked_orderposition'] = {'id': instance.linked_orderposition.id}
+
+        if 'linked_giftcard.owner_ticket' in expand_nested:
+            gc = instance.linked_giftcard
+            if gc is not None and gc.owner_ticket is not None:
+                event = gc.owner_ticket.order.event
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['linked_giftcard']['owner_ticket'] = {'id': instance.linked_giftcard.owner_ticket.id}
+
+        return r
+
     class Meta:
         model = ReusableMedium
         fields = (

src/pretix/api/serializers/order.py

@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import json
 import logging
 import os
 from collections import Counter, defaultdict
@@ -52,7 +53,7 @@ from pretix.base.decimal import round_decimal
 from pretix.base.i18n import language
 from pretix.base.invoicing.transmission import get_transmission_types
 from pretix.base.models import (
-    CachedFile, Checkin, Customer, Device, Invoice, InvoiceAddress,
+    CachedFile, Checkin, Customer, Device, GiftCard, Invoice, InvoiceAddress,
     InvoiceLine, Item, ItemVariation, Order, OrderPosition, Question,
     QuestionAnswer, ReusableMedium, SalesChannel, Seat, SubEvent, TaxRule,
     Voucher,
@@ -61,6 +62,7 @@ from pretix.base.models.orders import (
     BlockedTicketSecret, CartPosition, OrderFee, OrderPayment, OrderRefund,
     PrintLog, RevokedTicketSecret, Transaction,
 )
+from pretix.base.payment import GiftCardPayment, PaymentException
 from pretix.base.pdf import get_images, get_variables
 from pretix.base.services.cart import error_messages
 from pretix.base.services.locking import LOCK_TRUST_WINDOW, lock_objects
@@ -613,7 +615,7 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
             # /events/…/checkinlists/…/positions/
             # We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view
             # layer to not set pdf_data=true in the first place.
-            request and hasattr(request, 'eventpermset') and 'can_view_orders' not in request.eventpermset
+            request and hasattr(request, 'eventpermset') and 'event.orders:read' not in request.eventpermset
         )
         if ('pdf_data' in self.context and not self.context['pdf_data']) or pdf_data_forbidden:
             self.fields.pop('pdf_data', None)
@@ -636,6 +638,14 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
         return entry
 
 
+class OrganizerOrderPositionSerializer(OrderPositionSerializer):
+    event = SlugRelatedField(slug_field='slug', read_only=True)
+
+    class Meta(OrderPositionSerializer.Meta):
+        fields = OrderPositionSerializer.Meta.fields + ('event',)
+        read_only_fields = OrderPositionSerializer.Meta.read_only_fields + ('event',)
+
+
 class RequireAttentionField(serializers.Field):
     def to_representation(self, instance: OrderPosition):
         return instance.require_checkin_attention
@@ -759,7 +769,11 @@ class PaymentDetailsField(serializers.Field):
         pp = value.payment_provider
         if not pp:
             return {}
-        return pp.api_payment_details(value)
+        try:
+            return pp.api_payment_details(value)
+        except Exception:
+            logger.exception("Failed to retrieve payment_details")
+            return {}
 
 
 class OrderPaymentSerializer(I18nAwareModelSerializer):
@@ -1191,6 +1205,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
     )
     tax_rounding_mode = serializers.ChoiceField(choices=ROUNDING_MODES, allow_null=True, required=False,)
     locale = serializers.ChoiceField(choices=[], required=False, allow_null=True)
+    use_gift_cards = serializers.ListField(child=serializers.CharField(required=False), required=False)
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -1206,7 +1221,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         fields = ('code', 'status', 'testmode', 'email', 'phone', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
                   'invoice_address', 'positions', 'checkin_attention', 'checkin_text', 'payment_info', 'payment_date',
                   'consume_carts', 'force', 'send_email', 'simulate', 'customer', 'custom_followup_at',
-                  'require_approval', 'valid_if_pending', 'expires', 'api_meta', 'tax_rounding_mode')
+                  'require_approval', 'valid_if_pending', 'expires', 'api_meta', 'tax_rounding_mode', 'use_gift_cards')
 
     def validate_payment_provider(self, pp):
         if pp is None:
@@ -1215,6 +1230,18 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
             raise ValidationError('The given payment provider is not known.')
         return pp
 
+    def validate_payment_info(self, info):
+        if info:
+            try:
+                obj = json.loads(info)
+            except ValueError:
+                raise ValidationError('payment_info must be valid JSON.')
+
+            if not isinstance(obj, dict):
+                # only objects are allowed
+                raise ValidationError('payment_info must be a JSON object.')
+        return info
+
     def validate_expires(self, expires):
         if expires < now():
             raise ValidationError('Expiration date must be in the future.')
@@ -1289,6 +1316,14 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         payment_date = validated_data.pop('payment_date', now())
         force = validated_data.pop('force', False)
         simulate = validated_data.pop('simulate', False)
+        gift_card_secrets = validated_data.pop('use_gift_cards') if 'use_gift_cards' in validated_data else []
+
+        if (payment_provider is not None or payment_info != '{}') and len(gift_card_secrets) > 0:
+            raise ValidationError({"use_gift_cards": ['The attribute use_gift_cards is not compatible with payment_provider or payment_info']})
+        if validated_data.get('status') != Order.STATUS_PENDING and len(gift_card_secrets) > 0:
+            raise ValidationError({"use_gift_cards": ['The attribute use_gift_cards is only supported for orders that are created as pending']})
+        if len(set(gift_card_secrets)) != len(gift_card_secrets):
+            raise ValidationError({"use_gift_cards": ['Multiple copies of the same gift card secret are not allowed']})
 
         if not validated_data.get("sales_channel"):
             validated_data["sales_channel"] = self.context['event'].organizer.sales_channels.get(identifier="web")
@@ -1381,6 +1416,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         qa = QuotaAvailability()
         qa.queue(*[q for q, d in quota_diff_for_locking.items() if d > 0])
         qa.compute()
+        v_avail = {}
 
         # These are not technically correct as diff use due to the time offset applied above, so let's prevent accidental
         # use further down
@@ -1410,11 +1446,13 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
 
                 voucher_usage[v] += 1
                 if voucher_usage[v] > 0:
-                    redeemed_in_carts = CartPosition.objects.filter(
-                        Q(voucher=pos_data['voucher']) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
-                    ).exclude(pk__in=[cp.pk for cp in delete_cps])
-                    v_avail = v.max_usages - v.redeemed - redeemed_in_carts.count()
-                    if v_avail < voucher_usage[v]:
+                    if v not in v_avail:
+                        v.refresh_from_db(fields=['redeemed'])
+                        redeemed_in_carts = CartPosition.objects.filter(
+                            Q(voucher=v) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
+                        ).exclude(pk__in=[cp.pk for cp in delete_cps])
+                        v_avail[v] = v.max_usages - v.redeemed - redeemed_in_carts.count()
+                    if v_avail[v] < voucher_usage[v]:
                         errs[i]['voucher'] = [
                             'The voucher has already been used the maximum number of times.'
                         ]
@@ -1773,6 +1811,45 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         if order.total != Decimal('0.00') and order.event.currency == "XXX":
             raise ValidationError('Paid products not supported without a valid currency.')
 
+        for gift_card_secret in gift_card_secrets:
+            try:
+                if order.status != Order.STATUS_PAID:
+                    gift_card_payment_provider = GiftCardPayment(event=order.event)
+
+                    gc = order.event.organizer.accepted_gift_cards.get(
+                        secret=gift_card_secret
+                    )
+
+                    payment = order.payments.create(
+                        amount=min(order.pending_sum, gc.value),
+                        provider=gift_card_payment_provider.identifier,
+                        info_data={
+                            'gift_card': gc.pk,
+                            'gift_card_secret': gc.secret,
+                            'retry': True
+                        },
+                        state=OrderPayment.PAYMENT_STATE_CREATED
+                    )
+                    gift_card_payment_provider.execute_payment(request=None, payment=payment, is_early_special_case=True)
+
+                    if order.pending_sum <= Decimal('0.00'):
+                        order.status = Order.STATUS_PAID
+
+            except PaymentException:
+                pass
+
+            except GiftCard.DoesNotExist as e:
+                payment = order.payments.create(
+                    amount=order.pending_sum,
+                    provider=GiftCardPayment.identifier,
+                    info_data={
+                        'gift_card_secret': gift_card_secret,
+                    },
+                    state=OrderPayment.PAYMENT_STATE_CREATED
+                )
+                payment.fail(info={**payment.info_data, 'error': str(e)},
+                             send_mail=False)
+
         if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID and not validated_data.get('require_approval'):
             order.status = Order.STATUS_PAID
             order.save()

src/pretix/api/serializers/organizer.py

@@ -45,12 +45,19 @@ from pretix.base.models import (
     SalesChannel, SeatingPlan, Team, TeamAPIToken, TeamInvite, User,
 )
 from pretix.base.models.seating import SeatingPlanLayoutValidator
+from pretix.base.permissions import (
+    get_all_event_permission_groups, get_all_organizer_permission_groups,
+)
 from pretix.base.plugins import (
     PLUGIN_LEVEL_EVENT, PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID,
     PLUGIN_LEVEL_ORGANIZER,
 )
 from pretix.base.services.mail import mail
 from pretix.base.settings import validate_organizer_settings
+from pretix.helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_EVENT_MIGRATION,
+    OLD_TO_NEW_ORGANIZER_COMPAT, OLD_TO_NEW_ORGANIZER_MIGRATION,
+)
 from pretix.helpers.urls import build_absolute_uri as build_global_uri
 from pretix.multidomain.urlreverse import build_absolute_uri
 
@@ -279,6 +286,19 @@ class GiftCardSerializer(I18nAwareModelSerializer):
                 )
         return data
 
+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        request = self.context.get('request')
+        # late permission evaluations for checks that depend on the actual linked events
+        if 'owner_ticket' in self.context['request'].query_params.getlist('expand'):
+            owner_ticket = instance.owner_ticket
+            if owner_ticket:
+                event = owner_ticket.order.event
+                perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['owner_ticket'] = {'id': instance.owner_ticket.id}
+        return r
+
     class Meta:
         model = GiftCard
         fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions', 'owner_ticket',
@@ -306,23 +326,128 @@ class EventSlugField(serializers.SlugRelatedField):
         return self.context['organizer'].events.all()
 
 
+class PermissionMultipleChoiceField(serializers.MultipleChoiceField):
+    def to_internal_value(self, data):
+        return {
+            p: True for p in super().to_internal_value(data)
+        }
+
+    def to_representation(self, value):
+        return [p for p, v in value.items() if v]
+
+
 class TeamSerializer(serializers.ModelSerializer):
     limit_events = EventSlugField(slug_field='slug', many=True)
+    limit_event_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
+    limit_organizer_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
+
+    # Legacy fields, handled in to_representation and validate
+    can_change_event_settings = serializers.BooleanField(required=False, write_only=True)
+    can_change_items = serializers.BooleanField(required=False, write_only=True)
+    can_view_orders = serializers.BooleanField(required=False, write_only=True)
+    can_change_orders = serializers.BooleanField(required=False, write_only=True)
+    can_checkin_orders = serializers.BooleanField(required=False, write_only=True)
+    can_view_vouchers = serializers.BooleanField(required=False, write_only=True)
+    can_change_vouchers = serializers.BooleanField(required=False, write_only=True)
+    can_create_events = serializers.BooleanField(required=False, write_only=True)
+    can_change_organizer_settings = serializers.BooleanField(required=False, write_only=True)
+    can_change_teams = serializers.BooleanField(required=False, write_only=True)
+    can_manage_gift_cards = serializers.BooleanField(required=False, write_only=True)
+    can_manage_customers = serializers.BooleanField(required=False, write_only=True)
+    can_manage_reusable_media = serializers.BooleanField(required=False, write_only=True)
 
     class Meta:
         model = Team
         fields = (
-            'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
-            'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings',
-            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers',
-            'can_change_vouchers', 'can_checkin_orders', 'can_manage_customers', 'can_manage_reusable_media'
+            'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'all_event_permissions', 'limit_event_permissions',
+            'all_organizer_permissions', 'limit_organizer_permissions', 'can_change_event_settings',
+            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_checkin_orders', 'can_view_vouchers',
+            'can_change_vouchers', 'can_create_events', 'can_change_organizer_settings', 'can_change_teams',
+            'can_manage_gift_cards', 'can_manage_customers', 'can_manage_reusable_media'
         )
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        event_perms_flattened = []
+        organizer_perms_flattened = []
+        for pg in get_all_event_permission_groups().values():
+            for action in pg.actions:
+                event_perms_flattened.append(f"{pg.name}:{action}")
+        for pg in get_all_organizer_permission_groups().values():
+            for action in pg.actions:
+                organizer_perms_flattened.append(f"{pg.name}:{action}")
+
+        self.fields['limit_event_permissions'].choices = [(p, p) for p in event_perms_flattened]
+        self.fields['limit_organizer_permissions'].choices = [(p, p) for p in organizer_perms_flattened]
+
+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        for old, new in OLD_TO_NEW_EVENT_COMPAT.items():
+            r[old] = instance.all_event_permissions or all(instance.limit_event_permissions.get(n) for n in new)
+        for old, new in OLD_TO_NEW_ORGANIZER_COMPAT.items():
+            r[old] = instance.all_organizer_permissions or all(instance.limit_organizer_permissions.get(n) for n in new)
+        return r
+
     def validate(self, data):
+        old_data_set = any(k.startswith("can_") for k in data)
+        new_data_set = any(k in data for k in [
+            "all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
+        ])
+        if old_data_set and new_data_set:
+            raise ValidationError("You cannot set deprecated and current permission attributes at the same time.")
+
         full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
         full_data.update(data)
+
+        if new_data_set:
+            if full_data.get('limit_event_permissions') and full_data.get('all_event_permissions'):
+                raise ValidationError('Do not set both limit_event_permissions and all_event_permissions.')
+            if full_data.get('limit_organizer_permissions') and full_data.get('all_organizer_permissions'):
+                raise ValidationError('Do not set both limit_organizer_permissions and all_organizer_permissions.')
+
+        if old_data_set:
+            # Migrate with same logic as in migration 0297_pluggable_permissions
+            if all(full_data.get(k) is True for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
+                data["all_event_permissions"] = True
+                data["limit_event_permissions"] = {}
+            else:
+                data["all_event_permissions"] = False
+                data["limit_event_permissions"] = {}
+                for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+                    if full_data.get(k) is True:
+                        data["limit_event_permissions"].update({kk: True for kk in v})
+            if all(full_data.get(k) is True for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys() if k != "can_checkin_orders"):
+                data["all_organizer_permissions"] = True
+                data["limit_organizer_permissions"] = {}
+            else:
+                data["all_organizer_permissions"] = False
+                data["limit_organizer_permissions"] = {}
+                for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+                    if full_data.get(k) is True:
+                        data["limit_organizer_permissions"].update({kk: True for kk in v})
+
         if full_data.get('limit_events') and full_data.get('all_events'):
             raise ValidationError('Do not set both limit_events and all_events.')
+
+        full_data.update(data)
+        for pg in get_all_event_permission_groups().values():
+            requested = ",".join(sorted(
+                a for a in pg.actions if self.instance and full_data["limit_event_permissions"].get(f"{pg.name}:{a}")
+            ))
+            if requested not in (",".join(sorted(opt.actions)) for opt in pg.options):
+                possible = '\' or \''.join(','.join(opt.actions) for opt in pg.options)
+                raise ValidationError(f"For permission group {pg.name}, the valid combinations of actions are "
+                                      f"'{possible}' but you tried to set '{requested}'.")
+        for pg in get_all_organizer_permission_groups().values():
+            requested = ",".join(sorted(
+                a for a in pg.actions if self.instance and full_data["limit_organizer_permissions"].get(f"{pg.name}:{a}")
+            ))
+            if requested not in (",".join(sorted(opt.actions)) for opt in pg.options):
+                possible = '\' or \''.join(','.join(opt.actions) for opt in pg.options)
+                raise ValidationError(f"For permission group {pg.name}, the valid combinations of actions are "
+                                      f"'{possible}' but you tried to set '{requested}'.")
+
         return data
 
 
@@ -339,7 +464,7 @@ class DeviceSerializer(serializers.ModelSerializer):
     created = serializers.DateTimeField(read_only=True)
     revoked = serializers.BooleanField(read_only=True)
     initialized = serializers.DateTimeField(read_only=True)
-    initialization_token = serializers.DateTimeField(read_only=True)
+    initialization_token = serializers.CharField(read_only=True)
     security_profile = serializers.ChoiceField(choices=[], required=False, default="full")
 
     class Meta:
@@ -353,6 +478,8 @@ class DeviceSerializer(serializers.ModelSerializer):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields['security_profile'].choices = [(k, v.verbose_name) for k, v in get_all_security_profiles().items()]
+        if not self.context['can_see_tokens']:
+            del self.fields['initialization_token']
 
 
 class TeamInviteSerializer(serializers.ModelSerializer):
@@ -365,9 +492,10 @@ class TeamInviteSerializer(serializers.ModelSerializer):
     def _send_invite(self, instance):
         mail(
             instance.email,
-            _('pretix account invitation'),
+            _('Account invitation'),
             'pretixcontrol/email/invitation.txt',
             {
+                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'organizer': self.context['organizer'].name,
                 'team': instance.team.name,
@@ -436,7 +564,10 @@ class TeamMemberSerializer(serializers.ModelSerializer):
 
 
 class OrganizerSettingsSerializer(SettingsSerializer):
+    default_write_permission = 'organizer.settings.general:write'
     default_fields = [
+        # These are readable for all users with access to the events, therefore secrets stored in the settings store
+        # should not be included!
         'customer_accounts',
         'customer_accounts_native',
         'customer_accounts_link_by_email',

src/pretix/api/serializers/settings.py

@@ -37,6 +37,8 @@ logger = logging.getLogger(__name__)
 class SettingsSerializer(serializers.Serializer):
     default_fields = []
     readonly_fields = []
+    default_write_permission = 'organizer.settings.general:write'
+    write_permission_required = {}
 
     def __init__(self, *args, **kwargs):
         self.changed_data = []
@@ -58,9 +60,17 @@ class SettingsSerializer(serializers.Serializer):
             f._label = str(form_kwargs.get('label', fname))
             f._help_text = str(form_kwargs.get('help_text'))
             f.parent = self
+
+            self.write_permission_required[fname] = DEFAULTS[fname].get('write_permission', self.default_write_permission)
+
             self.fields[fname] = f
 
     def validate(self, attrs):
+        for k in attrs.keys():
+            p = self.write_permission_required.get(k, self.default_write_permission)
+            if p not in self.context["permissions"]:
+                raise ValidationError({k: f"Setting this field requires permission {p}"})
+
         return {k: v for k, v in attrs.items() if k not in self.readonly_fields}
 
     def update(self, instance: HierarkeyProxy, validated_data):

src/pretix/api/urls.py

@@ -67,6 +67,7 @@ orga_router.register(r'invoices', order.InvoiceViewSet)
 orga_router.register(r'scheduled_exports', exporters.ScheduledOrganizerExportViewSet)
 orga_router.register(r'exporters', exporters.OrganizerExportersViewSet, basename='exporters')
 orga_router.register(r'transactions', order.OrganizerTransactionViewSet)
+orga_router.register(r'orderpositions', order.OrganizerOrderPositionViewSet, basename='orderpositions')
 
 team_router = routers.DefaultRouter()
 team_router.register(r'members', organizer.TeamMemberViewSet)
@@ -83,7 +84,7 @@ event_router.register(r'discounts', discount.DiscountViewSet)
 event_router.register(r'quotas', item.QuotaViewSet)
 event_router.register(r'vouchers', voucher.VoucherViewSet)
 event_router.register(r'orders', order.EventOrderViewSet)
-event_router.register(r'orderpositions', order.OrderPositionViewSet)
+event_router.register(r'orderpositions', order.EventOrderPositionViewSet)
 event_router.register(r'transactions', order.TransactionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
 event_router.register(r'revokedsecrets', order.RevokedSecretViewSet, basename='revokedsecrets')

src/pretix/api/views/cart.py

@@ -52,8 +52,8 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
     ordering = ('datetime',)
     ordering_fields = ('datetime', 'cart_id')
     lookup_field = 'id'
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return CartPosition.objects.filter(

src/pretix/api/views/checkin.py

@@ -67,6 +67,7 @@ from pretix.base.models import (
     Question, ReusableMedium, RevokedTicketSecret, TeamAPIToken,
 )
 from pretix.base.models.orders import PrintLog
+from pretix.base.permissions import AnyPermissionOf
 from pretix.base.services.checkin import (
     CheckInError, RequiredQuestionsError, SQLLogic, perform_checkin,
 )
@@ -118,11 +119,11 @@ class CheckinListViewSet(viewsets.ModelViewSet):
 
     def _get_permission_name(self, request):
         if request.path.endswith('/failed_checkins/'):
-            return 'can_checkin_orders', 'can_change_orders'
+            return 'event.orders:checkin', 'event.orders:write'
         elif request.method in SAFE_METHODS:
-            return 'can_view_orders', 'can_checkin_orders',
+            return 'event.orders:read', 'event.orders:checkin',
         else:
-            return 'can_change_event_settings'
+            return 'event.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.event.checkin_lists.prefetch_related(
@@ -474,7 +475,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
             'event': op.order.event,
             'pdf_data': pdf_data and (
                 user if user and user.is_authenticated else auth
-            ).has_event_permission(request.organizer, event, 'can_view_orders', request),
+            ).has_event_permission(request.organizer, event, 'event.orders:read', request),
         }
 
     common_checkin_args = dict(
@@ -839,8 +840,8 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
     }
 
     filterset_class = CheckinOrderPositionFilter
-    permission = ('can_view_orders', 'can_checkin_orders')
-    write_permission = ('can_change_orders', 'can_checkin_orders')
+    permission = AnyPermissionOf('event.orders:read', 'event.orders:checkin')
+    write_permission = AnyPermissionOf('event.orders:write', 'event.orders:checkin')
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -871,7 +872,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
             expand=self.request.query_params.getlist('expand'),
         )
 
-        if 'pk' not in self.request.resolver_match.kwargs and 'can_view_orders' not in self.request.eventpermset \
+        if 'pk' not in self.request.resolver_match.kwargs and 'event.orders:read' not in self.request.eventpermset \
                 and len(self.request.query_params.get('search', '')) < 3:
             qs = qs.none()
 
@@ -920,9 +921,9 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
 class CheckinRPCRedeemView(views.APIView):
     def post(self, request, *args, **kwargs):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -990,9 +991,9 @@ class CheckinRPCSearchView(ListAPIView):
     @cached_property
     def lists(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_view_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:read', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_view_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:read', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -1009,9 +1010,9 @@ class CheckinRPCSearchView(ListAPIView):
     @cached_property
     def has_full_access_permission(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission('can_view_orders')
+            events = self.request.auth.get_events_with_permission('event.orders:read')
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission('can_view_orders', self.request).filter(
+            events = self.request.user.get_events_with_permission('event.orders:read', self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -1038,9 +1039,9 @@ class CheckinRPCSearchView(ListAPIView):
 class CheckinRPCAnnulView(views.APIView):
     def post(self, request, *args, **kwargs):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -1118,10 +1119,10 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
     filterset_class = CheckinFilter
     ordering = ('created', 'id')
     ordering_fields = ('created', 'datetime', 'id',)
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
-        qs = Checkin.all.filter().select_related(
+        qs = Checkin.all.filter(list__event=self.request.event).select_related(
             "position",
             "device",
         )

src/pretix/api/views/discount.py

@@ -57,7 +57,7 @@ class DiscountViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.discounts.prefetch_related(

src/pretix/api/views/event.py

@@ -281,6 +281,11 @@ class EventViewSet(viewsets.ModelViewSet):
         new_event = serializer.save(organizer=self.request.organizer)
 
         if copy_from:
+            perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
+                           else self.request.user)
+            if not copy_from.allow_copy_data(self.request.organizer, perm_holder):
+                raise PermissionDenied("Not sufficient permission on source event to copy")
+
             new_event.copy_data_from(copy_from, skip_meta_data='meta_data' in serializer.validated_data)
 
             if plugins is not None:
@@ -341,15 +346,24 @@ class CloneEventViewSet(viewsets.ModelViewSet):
     lookup_field = 'slug'
     lookup_url_kwarg = 'event'
     http_method_names = ['post']
-    write_permission = 'can_create_events'
+    write_permission = 'event.settings.general:write'
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
-        ctx['event'] = self.kwargs['event']
+        ctx['event'] = Event.objects.get(slug=self.kwargs['event'], organizer=self.request.organizer)
         ctx['organizer'] = self.request.organizer
         return ctx
 
     def perform_create(self, serializer):
+        # Weird edge case: Requires settings permission on the event (to read) but also on the organizer (two write)
+        perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
+                       else self.request.user)
+        if not perm_holder.has_organizer_permission(self.request.organizer, "organizer.events:create", request=self.request):
+            raise PermissionDenied("No permission to create events")
+
+        if not serializer.context['event'].allow_copy_data(self.request.organizer, perm_holder):
+            raise PermissionDenied("Not sufficient permission on source event to copy")
+
         serializer.save(organizer=self.request.organizer)
 
         serializer.instance.log_action(
@@ -426,7 +440,7 @@ with scopes_disabled():
 class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = SubEventSerializer
     queryset = SubEvent.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.subevents:write'
     filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
     ordering = ('date_from',)
     ordering_fields = ('id', 'date_from', 'last_modified')
@@ -546,7 +560,7 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
 class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = TaxRuleSerializer
     queryset = TaxRule.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.tax:write'
 
     def get_queryset(self):
         return self.request.event.tax_rules.all()
@@ -589,7 +603,7 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
 class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
     serializer_class = ItemMetaPropertiesSerializer
     queryset = ItemMetaProperty.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.event.item_meta_properties.all()
@@ -636,19 +650,18 @@ class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
 
 class EventSettingsView(views.APIView):
     permission = None
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
 
     def get(self, request, *args, **kwargs):
         if isinstance(request.auth, Device):
             s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
-            })
-        elif 'can_change_event_settings' in request.eventpermset:
-            s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
+                'request': request, 'permissions': request.eventpermset
             })
         else:
-            raise PermissionDenied()
+            s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
+                'request': request, 'permissions': request.eventpermset,
+            })
+
         if 'explain' in request.GET:
             return Response({
                 fname: {
@@ -662,7 +675,7 @@ class EventSettingsView(views.APIView):
 
     def patch(self, request, *wargs, **kwargs):
         s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True,
-                                    event=request.event, context={'request': request})
+                                    event=request.event, context={'request': request, 'permissions': request.eventpermset})
         s.is_valid(raise_exception=True)
         with transaction.atomic():
             s.save()
@@ -674,7 +687,7 @@ class EventSettingsView(views.APIView):
                 )
         s = EventSettingsSerializer(
             instance=request.event.settings, event=request.event, context={
-                'request': request
+                'request': request, 'permissions': request.eventpermset
             })
         return Response(s.data)
 
@@ -701,7 +714,7 @@ class SeatFilter(FilterSet):
 class SeatViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = SeatSerializer
     queryset = Seat.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
     filter_backends = (DjangoFilterBackend, )
     filterset_class = SeatFilter
 

src/pretix/api/views/exporters.py

@@ -40,12 +40,12 @@ from pretix.api.serializers.exporters import (
 )
 from pretix.base.exporter import OrganizerLevelExportMixin
 from pretix.base.models import (
-    CachedFile, Device, Event, ScheduledEventExport, ScheduledOrganizerExport,
+    CachedFile, Device, ScheduledEventExport, ScheduledOrganizerExport,
     TeamAPIToken,
 )
-from pretix.base.services.export import export, multiexport
-from pretix.base.signals import (
-    register_data_exporters, register_multievent_data_exporters,
+from pretix.base.models.organizer import TeamQuerySet
+from pretix.base.services.export import (
+    export, init_event_exporters, init_organizer_exporters, multiexport,
 )
 from pretix.helpers.http import ChunkBasedFileResponse
 
@@ -111,7 +111,7 @@ class ExportersMixin:
     @action(detail=True, methods=['POST'])
     def run(self, *args, **kwargs):
         instance = self.get_object()
-        serializer = JobRunSerializer(exporter=instance, data=self.request.data, **self.get_serializer_kwargs())
+        serializer = JobRunSerializer(exporter=instance, data=self.request.data)
         serializer.is_valid(raise_exception=True)
 
         cf = CachedFile(web_download=True)
@@ -136,27 +136,34 @@ class ExportersMixin:
 
 
 class EventExportersViewSet(ExportersMixin, viewsets.ViewSet):
-    permission = 'can_view_orders'
-
-    def get_serializer_kwargs(self):
-        return {}
+    permission = None
 
     @cached_property
     def exporters(self):
+        raw_exporters = list(init_event_exporters(
+            event=self.request.event,
+            user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
+            token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
+            device=self.request.auth if isinstance(self.request.auth, Device) else None,
+            request=self.request,
+        ))
         exporters = []
-        responses = register_data_exporters.send(self.request.event)
-        raw_exporters = [response(self.request.event, self.request.organizer) for r, response in responses if response]
-        raw_exporters = [
-            ex for ex in raw_exporters
-            if ex.available_for_user(self.request.user if self.request.user and self.request.user.is_authenticated else None)
-        ]
         for ex in sorted(raw_exporters, key=lambda ex: str(ex.verbose_name)):
             ex._serializer = JobRunSerializer(exporter=ex)
             exporters.append(ex)
         return exporters
 
     def do_export(self, cf, instance, data):
-        return export.apply_async(args=(self.request.event.id, str(cf.id), instance.identifier, data))
+        return export.apply_async(args=(
+            self.request.event.id,
+        ), kwargs={
+            'user': self.request.user.pk if self.request.user and self.request.user.is_authenticated else None,
+            'token': self.request.auth.pk if isinstance(self.request.auth, TeamAPIToken) else None,
+            'device': self.request.auth.pk if isinstance(self.request.auth, Device) else None,
+            'fileid': str(cf.id),
+            'provider': instance.identifier,
+            'form_data': data,
+        })
 
 
 class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
@@ -164,47 +171,23 @@ class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
 
     @cached_property
     def exporters(self):
+        raw_exporters = list(init_organizer_exporters(
+            organizer=self.request.organizer,
+            user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
+            token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
+            device=self.request.auth if isinstance(self.request.auth, Device) else None,
+            request=self.request,
+        ))
         exporters = []
-        if isinstance(self.request.auth, (Device, TeamAPIToken)):
-            perm_holder = self.request.auth
-        else:
-            perm_holder = self.request.user
-        events = perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
-            organizer=self.request.organizer
-        )
-        responses = register_multievent_data_exporters.send(self.request.organizer)
-        raw_exporters = [
-            response(Event.objects.none() if issubclass(response, OrganizerLevelExportMixin) else events, self.request.organizer)
-            for r, response in responses
-            if response
-        ]
-        raw_exporters = [
-            ex for ex in raw_exporters
-            if (
-                not isinstance(ex, OrganizerLevelExportMixin) or
-                perm_holder.has_organizer_permission(self.request.organizer, ex.organizer_required_permission, self.request)
-            ) and ex.available_for_user(self.request.user if self.request.user and self.request.user.is_authenticated else None)
-        ]
         for ex in sorted(raw_exporters, key=lambda ex: str(ex.verbose_name)):
-            ex._serializer = JobRunSerializer(exporter=ex, events=events)
+            ex._serializer = JobRunSerializer(exporter=ex)
             exporters.append(ex)
         return exporters
 
-    def get_serializer_kwargs(self):
-        if isinstance(self.request.auth, (Device, TeamAPIToken)):
-            perm_holder = self.request.auth
-        else:
-            perm_holder = self.request.user
-        return {
-            'events': perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
-                organizer=self.request.organizer
-            )
-        }
-
     def do_export(self, cf, instance, data):
         return multiexport.apply_async(kwargs={
             'organizer': self.request.organizer.id,
-            'user': self.request.user.id if self.request.user.is_authenticated else None,
+            'user': self.request.user.id if self.request.user and self.request.user.is_authenticated else None,
             'token': self.request.auth.pk if isinstance(self.request.auth, TeamAPIToken) else None,
             'device': self.request.auth.pk if isinstance(self.request.auth, Device) else None,
             'fileid': str(cf.id),
@@ -222,11 +205,11 @@ class ScheduledExportersViewSet(viewsets.ModelViewSet):
 class ScheduledEventExportViewSet(ScheduledExportersViewSet):
     serializer_class = ScheduledEventExportSerializer
     queryset = ScheduledEventExport.objects.none()
-    permission = 'can_view_orders'
+    permission = None
 
     def get_queryset(self):
         perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
-        if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'can_change_event_settings',
+        if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'event.settings.general:write',
                                                 request=self.request):
             if self.request.user.is_authenticated:
                 qs = self.request.event.scheduled_exports.filter(owner=self.request.user)
@@ -258,11 +241,28 @@ class ScheduledEventExportViewSet(ScheduledExportersViewSet):
 
     @cached_property
     def exporters(self):
-        responses = register_data_exporters.send(self.request.event)
-        exporters = [response(self.request.event, self.request.organizer) for r, response in responses if response]
+        exporters = list(init_event_exporters(
+            event=self.request.event,
+            user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
+            token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
+            device=self.request.auth if isinstance(self.request.auth, Device) else None,
+            request=self.request,
+        ))
         return {e.identifier: e for e in exporters}
 
     def perform_update(self, serializer):
+        if not self.request.user.is_authenticated or self.request.user != serializer.instance.owner:
+            # This is to prevent a possible privilege escalation where user A creates a scheduled export and
+            # user B has settings permission (= they can see the export configuration), but not enough permission
+            # to run the export themselves. Without this check, user B could modify the export and add themselves
+            # as a recipient. Thereby, user B would gain access to data they can't have.
+            exporter = self.exporters.get(serializer.instance.export_identifier)
+            if not exporter:
+                raise PermissionDenied("No access to exporter.")
+            perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
+            if not perm_holder.has_event_permission(self.request.organizer, self.request.event, exporter.get_required_event_permission()):
+                raise PermissionDenied("No permission to edit exports you could not run.")
+
         serializer.save(event=self.request.event)
         serializer.instance.compute_next_run()
         serializer.instance.error_counter = 0
@@ -291,7 +291,7 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
 
     def get_queryset(self):
         perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
-        if not perm_holder.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings',
+        if not perm_holder.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write',
                                                     request=self.request):
             if self.request.user.is_authenticated:
                 qs = self.request.organizer.scheduled_exports.filter(owner=self.request.user)
@@ -321,26 +321,55 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
         ctx['exporters'] = self.exporters
         return ctx
 
-    @cached_property
-    def events(self):
-        if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            return self.request.auth.get_events_with_permission('can_view_orders')
-        elif self.request.user.is_authenticated:
-            return self.request.user.get_events_with_permission('can_view_orders', self.request).filter(
-                organizer=self.request.organizer
-            )
-
     @cached_property
     def exporters(self):
-        responses = register_multievent_data_exporters.send(self.request.organizer)
-        exporters = [
-            response(Event.objects.none() if issubclass(response, OrganizerLevelExportMixin) else self.events,
-                     self.request.organizer)
-            for r, response in responses if response
-        ]
+        exporters = list(init_organizer_exporters(
+            organizer=self.request.organizer,
+            user=self.request.user if self.request.user and self.request.user.is_authenticated else None,
+            token=self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None,
+            device=self.request.auth if isinstance(self.request.auth, Device) else None,
+            request=self.request,
+        ))
         return {e.identifier: e for e in exporters}
 
     def perform_update(self, serializer):
+        if not self.request.user.is_authenticated or self.request.user != serializer.instance.owner:
+            # This is to prevent a possible privilege escalation where user A creates a scheduled export and
+            # user B has settings permission (= they can see the export configuration), but not enough permission
+            # to run the export themselves. Without this check, user B could modify the export and add themselves
+            # as a recipient. Thereby, user B would gain access to data they can't have.
+            exporter = self.exporters.get(serializer.instance.export_identifier)
+            if not exporter:
+                raise PermissionDenied("No access to exporter.")
+            perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
+                           else self.request.user)
+            if isinstance(exporter, OrganizerLevelExportMixin):
+                if not perm_holder.has_organizer_permission(
+                        self.request.organizer, exporter.get_required_organizer_permission(), request=self.request,
+                ):
+                    raise PermissionDenied("No permission to edit exports you could not run.")
+            else:
+                if serializer.instance.export_form_data.get("all_events", False):
+                    if isinstance(self.request.auth, Device):
+                        if not self.request.auth.all_events:
+                            raise PermissionDenied("No permission to edit exports you could not run.")
+                    elif isinstance(self.request.auth, TeamAPIToken):
+                        if not self.request.auth.team.all_events:
+                            raise PermissionDenied("No permission to edit exports you could not run.")
+                    elif self.request.user.is_authenticated:
+                        if not self.request.user.teams.filter(
+                                TeamQuerySet.event_permission_q(exporter.get_required_event_permission()),
+                                all_events=True,
+                        ).exists():
+                            raise PermissionDenied("No permission to edit exports you could not run.")
+                else:
+                    events_selected = serializer.instance.export_form_data.get("events", [])
+                    events_permission = set(perm_holder.get_events_with_permission(
+                        exporter.get_required_event_permission(), request=self.request
+                    ).values_list("pk", flat=True))
+                    if not all(e in events_permission for e in events_selected):
+                        raise PermissionDenied("No permission to edit exports you could not run.")
+
         serializer.save(organizer=self.request.organizer)
         serializer.instance.compute_next_run()
         serializer.instance.error_counter = 0

src/pretix/api/views/item.py

@@ -99,7 +99,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering = ('position', 'id')
     filterset_class = ItemFilter
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.items.select_related('tax_rule').prefetch_related(
@@ -163,7 +163,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -234,7 +234,7 @@ class ItemBundleViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id',)
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -286,7 +286,7 @@ class ItemProgramTimeViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id',)
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -339,7 +339,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -398,7 +398,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.categories.all()
@@ -453,7 +453,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.questions.prefetch_related('options').all()
@@ -497,7 +497,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
@@ -564,7 +564,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'size')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.quotas.select_related('subevent').prefetch_related('items', 'variations').all()

src/pretix/api/views/media.py

@@ -62,8 +62,8 @@ with scopes_disabled():
 class ReusableMediaViewSet(viewsets.ModelViewSet):
     serializer_class = ReusableMediaSerializer
     queryset = ReusableMedium.objects.none()
-    permission = 'can_manage_reusable_media'
-    write_permission = 'can_manage_reusable_media'
+    permission = 'organizer.reusablemedia:read'
+    write_permission = 'organizer.reusablemedia:write'
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     ordering = ('-updated', '-id')
     ordering_fields = ('created', 'updated', 'identifier', 'type', 'id')
@@ -95,6 +95,8 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['organizer'] = self.request.organizer
+        ctx['can_read_giftcards'] = 'organizer.giftcards:read' in self.request.orgapermset
+        ctx['can_read_customers'] = 'organizer.customers:read' in self.request.orgapermset
         return ctx
 
     @transaction.atomic()

src/pretix/api/views/order.py

@@ -57,9 +57,10 @@ from pretix.api.serializers.order import (
     BlockedTicketSecretSerializer, InvoiceSerializer, OrderCreateSerializer,
     OrderPaymentCreateSerializer, OrderPaymentSerializer,
     OrderPositionSerializer, OrderRefundCreateSerializer,
-    OrderRefundSerializer, OrderSerializer, OrganizerTransactionSerializer,
-    PriceCalcSerializer, PrintLogSerializer, RevokedTicketSecretSerializer,
-    SimulatedOrderSerializer, TransactionSerializer,
+    OrderRefundSerializer, OrderSerializer, OrganizerOrderPositionSerializer,
+    OrganizerTransactionSerializer, PriceCalcSerializer, PrintLogSerializer,
+    RevokedTicketSecretSerializer, SimulatedOrderSerializer,
+    TransactionSerializer,
 )
 from pretix.api.serializers.orderchange import (
     BlockNameSerializer, OrderChangeOperationSerializer,
@@ -316,7 +317,7 @@ class OrderViewSetMixin:
 
 class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
     def get_base_queryset(self):
-        perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders"
+        perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
             return Order.objects.filter(
                 event__organizer=self.request.organizer,
@@ -337,8 +338,8 @@ class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
 
 
 class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -380,12 +381,15 @@ class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
                 resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                 return resp
             else:
-                resp = FileResponse(ct.file.file, content_type=ct.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), order.code,
-                    provider.identifier, ct.extension
+                return FileResponse(
+                    ct.file.file,
+                    filename='{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), order.code,
+                        provider.identifier, ct.extension
+                    ),
+                    as_attachment=True,
+                    content_type=ct.type
                 )
-                return resp
 
     @action(detail=True, methods=['POST'])
     def mark_paid(self, request, **kwargs):
@@ -1065,15 +1069,12 @@ with scopes_disabled():
             }
 
 
-class OrderPositionViewSet(viewsets.ModelViewSet):
-    serializer_class = OrderPositionSerializer
+class OrderPositionViewSetMixin:
     queryset = OrderPosition.all.none()
     filter_backends = (DjangoFilterBackend, RichOrderingFilter)
     ordering = ('order__datetime', 'positionid')
     ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',)
     filterset_class = OrderPositionFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
     ordering_custom = {
         'attendee_name': {
             '_order': F('display_name').asc(nulls_first=True),
@@ -1087,8 +1088,7 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
-        ctx['event'] = self.request.event
-        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false').lower() == 'true'
+        ctx['pdf_data'] = False
         ctx['check_quotas'] = self.request.query_params.get('check_quotas', 'true').lower() == 'true'
         return ctx
 
@@ -1097,9 +1097,8 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
             qs = OrderPosition.all
         else:
             qs = OrderPosition.objects
-
-        qs = qs.filter(order__event=self.request.event)
-        if self.request.query_params.get('pdf_data', 'false').lower() == 'true':
+        qs = qs.filter(order__event__organizer=self.request.organizer)
+        if self.request.query_params.get('pdf_data', 'false').lower() == 'true' and getattr(self.request, 'event', None):
             prefetch_related_objects([self.request.organizer], 'meta_properties')
             prefetch_related_objects(
                 [self.request.event],
@@ -1154,9 +1153,9 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
             qs = qs.prefetch_related(
                 Prefetch('checkins', queryset=Checkin.objects.select_related("device")),
                 Prefetch('print_logs', queryset=PrintLog.objects.select_related('device')),
-                'answers', 'answers__options', 'answers__question',
+                'answers', 'answers__options', 'answers__question', 'order__event', 'order__event__organizer'
             ).select_related(
-                'item', 'order', 'order__event', 'order__event__organizer', 'seat'
+                'item', 'order', 'seat'
             )
         return qs
 
@@ -1168,6 +1167,49 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
                 return prov
         raise NotFound('Unknown output provider.')
 
+
+class OrganizerOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ReadOnlyModelViewSet):
+    serializer_class = OrganizerOrderPositionSerializer
+    permission = None
+    write_permission = None
+
+    def get_queryset(self):
+        qs = super().get_queryset()
+
+        perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
+
+        if isinstance(self.request.auth, (TeamAPIToken, Device)):
+            auth_obj = self.request.auth
+        elif self.request.user.is_authenticated:
+            auth_obj = self.request.user
+        else:
+            raise PermissionDenied("Unknown authentication scheme")
+
+        qs = qs.filter(
+            order__event__in=auth_obj.get_events_with_permission(perm, request=self.request).filter(
+                organizer=self.request.organizer
+            )
+        )
+
+        return qs
+
+
+class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet):
+    serializer_class = OrderPositionSerializer
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false').lower() == 'true'
+        return ctx
+
+    def get_queryset(self):
+        qs = super().get_queryset()
+        qs = qs.filter(order__event=self.request.event)
+        return qs
+
     @action(detail=True, methods=['POST'], url_name='price_calc')
     def price_calc(self, request, *args, **kwargs):
         """
@@ -1264,14 +1306,17 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
             raise NotFound()
 
         ftype, ignored = mimetypes.guess_type(answer.file.name)
-        resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            os.path.basename(answer.file.name).split('.', 1)[1]
+        return FileResponse(
+            answer.file,
+            filename='{}-{}-{}-{}'.format(
+                self.request.event.slug.upper(),
+                pos.order.code,
+                pos.positionid,
+                os.path.basename(answer.file.name).split('.', 1)[1]
+            ),
+            as_attachment=True,
+            content_type=ftype or 'application/binary'
         )
-        return resp
 
     @action(detail=True, url_name="printlog", url_path="printlog", methods=["POST"])
     def printlog(self, request, **kwargs):
@@ -1326,15 +1371,18 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
             if hasattr(image_file, 'seek'):
                 image_file.seek(0)
 
-        resp = FileResponse(image_file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}.{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            key,
-            extension,
+        return FileResponse(
+            image_file,
+            filename='{}-{}-{}-{}.{}'.format(
+                self.request.event.slug.upper(),
+                pos.order.code,
+                pos.positionid,
+                key,
+                extension,
+            ),
+            as_attachment=True,
+            content_type=ftype or 'application/binary'
         )
-        return resp
 
     @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
     def download(self, request, output, **kwargs):
@@ -1360,12 +1408,15 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
                 resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                 return resp
             else:
-                resp = FileResponse(ct.file.file, content_type=ct.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), pos.order.code, pos.positionid,
-                    provider.identifier, ct.extension
+                return FileResponse(
+                    ct.file.file,
+                    filename='{}-{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), pos.order.code, pos.positionid,
+                        provider.identifier, ct.extension
+                    ),
+                    as_attachment=True,
+                    content_type=ct.type
                 )
-                return resp
 
     @action(detail=True, methods=['POST'])
     def regenerate_secrets(self, request, **kwargs):
@@ -1574,8 +1625,8 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
 class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderPaymentSerializer
     queryset = OrderPayment.objects.none()
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     lookup_field = 'local_id'
 
     def get_serializer_context(self):
@@ -1747,8 +1798,8 @@ class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
 class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderRefundSerializer
     queryset = OrderRefund.objects.none()
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     lookup_field = 'local_id'
 
     def get_queryset(self):
@@ -1905,13 +1956,18 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('nr',)
     ordering_fields = ('nr', 'date')
     filterset_class = InvoiceFilter
-    permission = 'can_view_orders'
     lookup_url_kwarg = 'number'
     lookup_field = 'nr'
-    write_permission = 'can_change_orders'
+
+    def _get_permission_name(self, request):
+        if 'event' in request.resolver_match.kwargs:
+            if request.method not in SAFE_METHODS:
+                return "event.orders:write"
+            return "event.orders:read"
+        return None  # org-level is handled by event__in check
 
     def get_queryset(self):
-        perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders"
+        perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
         if getattr(self.request, 'event', None):
             qs = self.request.event.invoices
         elif isinstance(self.request.auth, (TeamAPIToken, Device)):
@@ -1942,9 +1998,12 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
         if not invoice.file:
             raise RetryException()
 
-        resp = FileResponse(invoice.file.file, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
-        return resp
+        return FileResponse(
+            invoice.file.file,
+            filename='{}.pdf'.format(invoice.number),
+            as_attachment=True,
+            content_type='application/pdf'
+        )
 
     @action(detail=True, methods=['POST'])
     def transmit(self, request, **kwargs):
@@ -2052,8 +2111,8 @@ class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('-created',)
     ordering_fields = ('created', 'secret')
     filterset_class = RevokedSecretFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return RevokedTicketSecret.objects.filter(event=self.request.event)
@@ -2074,8 +2133,8 @@ class BlockedSecretViewSet(viewsets.ReadOnlyModelViewSet):
     filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
     ordering = ('-updated', '-pk')
     filterset_class = BlockedSecretFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return BlockedTicketSecret.objects.filter(event=self.request.event)
@@ -2110,7 +2169,7 @@ class TransactionViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('datetime', 'pk')
     ordering_fields = ('datetime', 'created', 'id',)
     filterset_class = TransactionFilter
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         return Transaction.objects.filter(order__event=self.request.event).select_related("order")
@@ -2127,11 +2186,11 @@ class OrganizerTransactionViewSet(TransactionViewSet):
 
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
             qs = qs.filter(
-                order__event__in=self.request.auth.get_events_with_permission("can_view_orders"),
+                order__event__in=self.request.auth.get_events_with_permission("event.orders:read"),
             )
         elif self.request.user.is_authenticated:
             qs = qs.filter(
-                order__event__in=self.request.user.get_events_with_permission("can_view_orders", request=self.request)
+                order__event__in=self.request.user.get_events_with_permission("event.orders:read", request=self.request)
             )
         else:
             raise PermissionDenied("Unknown authentication scheme")

src/pretix/api/views/organizer.py

@@ -70,7 +70,7 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
     filter_backends = (TotalOrderingFilter,)
     ordering = ('slug',)
     ordering_fields = ('name', 'slug')
-    write_permission = "can_change_organizer_settings"
+    write_permission = "organizer.settings.general:write"
 
     def get_queryset(self):
         if self.request.user.is_authenticated:
@@ -154,8 +154,8 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
 class SeatingPlanViewSet(viewsets.ModelViewSet):
     serializer_class = SeatingPlanSerializer
     queryset = SeatingPlan.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = None
+    write_permission = 'organizer.seatingplans:write'
 
     def get_queryset(self):
         return self.request.organizer.seating_plans.order_by('name')
@@ -221,8 +221,8 @@ with scopes_disabled():
 class GiftCardViewSet(viewsets.ModelViewSet):
     serializer_class = GiftCardSerializer
     queryset = GiftCard.objects.none()
-    permission = 'can_manage_gift_cards'
-    write_permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
+    write_permission = 'organizer.giftcards:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = GiftCardFilter
 
@@ -344,8 +344,8 @@ class GiftCardViewSet(viewsets.ModelViewSet):
 class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = GiftCardTransactionSerializer
     queryset = GiftCardTransaction.objects.none()
-    permission = 'can_manage_gift_cards'
-    write_permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
+    write_permission = 'organizer.giftcards:write'
 
     @cached_property
     def giftcard(self):
@@ -362,8 +362,8 @@ class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
 class TeamViewSet(viewsets.ModelViewSet):
     serializer_class = TeamSerializer
     queryset = Team.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     def get_queryset(self):
         return self.request.organizer.teams.order_by('pk')
@@ -402,8 +402,8 @@ class TeamViewSet(viewsets.ModelViewSet):
 class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamMemberSerializer
     queryset = User.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -431,8 +431,8 @@ class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
 class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamInviteSerializer
     queryset = TeamInvite.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -468,8 +468,8 @@ class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyMo
 class TeamAPITokenViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamAPITokenSerializer
     queryset = TeamAPIToken.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -532,8 +532,8 @@ class DeviceViewSet(mixins.CreateModelMixin,
                     GenericViewSet):
     serializer_class = DeviceSerializer
     queryset = Device.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:read'
+    write_permission = 'organizer.devices:write'
     lookup_field = 'device_id'
 
     def get_queryset(self):
@@ -542,6 +542,9 @@ class DeviceViewSet(mixins.CreateModelMixin,
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['organizer'] = self.request.organizer
+        ctx['can_see_tokens'] = (
+            self.request.user if self.request.user and self.request.user.is_authenticated else self.request.auth
+        ).has_organizer_permission(self.request.organizer, 'organizer.devices:write', request=self.request)
         return ctx
 
     @transaction.atomic()
@@ -568,11 +571,11 @@ class DeviceViewSet(mixins.CreateModelMixin,
 
 class OrganizerSettingsView(views.APIView):
     permission = None
-    write_permission = 'can_change_organizer_settings'
+    write_permission = 'organizer.settings.general:write'
 
     def get(self, request, *args, **kwargs):
         s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
+            'request': request, 'permissions': request.orgapermset
         })
         if 'explain' in request.GET:
             return Response({
@@ -589,7 +592,7 @@ class OrganizerSettingsView(views.APIView):
         s = OrganizerSettingsSerializer(
             instance=request.organizer.settings, data=request.data, partial=True,
             organizer=request.organizer, context={
-                'request': request
+                'request': request, 'permissions': request.orgapermset
             }
         )
         s.is_valid(raise_exception=True)
@@ -601,7 +604,7 @@ class OrganizerSettingsView(views.APIView):
                 }
             )
         s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
+            'request': request, 'permissions': request.orgapermset
         })
         return Response(s.data)
 
@@ -618,7 +621,8 @@ with scopes_disabled():
 class CustomerViewSet(viewsets.ModelViewSet):
     serializer_class = CustomerSerializer
     queryset = Customer.objects.none()
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
+    write_permission = 'organizer.customers:write'
     lookup_field = 'identifier'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = CustomerFilter
@@ -678,7 +682,7 @@ class CustomerViewSet(viewsets.ModelViewSet):
 class MembershipTypeViewSet(viewsets.ModelViewSet):
     serializer_class = MembershipTypeSerializer
     queryset = MembershipType.objects.none()
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.organizer.membership_types.all()
@@ -735,7 +739,8 @@ with scopes_disabled():
 class MembershipViewSet(viewsets.ModelViewSet):
     serializer_class = MembershipSerializer
     queryset = Membership.objects.none()
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
+    write_permission = 'organizer.customers:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = MembershipFilter
 
@@ -785,8 +790,8 @@ with scopes_disabled():
 class SalesChannelViewSet(viewsets.ModelViewSet):
     serializer_class = SalesChannelSerializer
     queryset = SalesChannel.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
+    write_permission = 'organizer.settings.general:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = SalesChannelFilter
     lookup_field = 'identifier'

src/pretix/api/views/shredders.py

@@ -204,7 +204,7 @@ class ShreddersMixin:
 
 
 class EventShreddersViewSet(ShreddersMixin, viewsets.ViewSet):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def get_serializer_kwargs(self):
         return {}

src/pretix/api/views/voucher.py

@@ -62,8 +62,8 @@ class VoucherViewSet(viewsets.ModelViewSet):
     ordering = ('id',)
     ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value')
     filterset_class = VoucherFilter
-    permission = 'can_view_vouchers'
-    write_permission = 'can_change_vouchers'
+    permission = 'event.vouchers:read'
+    write_permission = 'event.vouchers:write'
 
     @scopes_disabled()  # we have an event check here, and we can save some performance on subqueries
     def get_queryset(self):

src/pretix/api/views/waitinglist.py

@@ -51,8 +51,8 @@ class WaitingListViewSet(viewsets.ModelViewSet):
     ordering = ('created', 'pk',)
     ordering_fields = ('id', 'created', 'email', 'item')
     filterset_class = WaitingListFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return self.request.event.waitinglistentries.all()

src/pretix/api/views/webhooks.py

@@ -35,8 +35,8 @@ class WebhookFilter(FilterSet):
 class WebHookViewSet(viewsets.ModelViewSet):
     serializer_class = WebHookSerializer
     queryset = WebHook.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
+    write_permission = 'organizer.settings.general:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = WebhookFilter
 

src/pretix/api/webhooks.py

@@ -183,6 +183,7 @@ class ParametrizedGiftcardWebhookEvent(ParametrizedWebhookEvent):
         return {
             'notification_id': logentry.pk,
             'issuer_id': logentry.organizer_id,
+            'issuer_slug': logentry.organizer.slug,
             'giftcard': giftcard.pk,
             'action': logentry.action_type,
         }
@@ -197,6 +198,7 @@ class ParametrizedGiftcardTransactionWebhookEvent(ParametrizedWebhookEvent):
         return {
             'notification_id': logentry.pk,
             'issuer_id': logentry.organizer_id,
+            'issuer_slug': logentry.organizer.slug,
             'acceptor_id': logentry.parsed_data.get('acceptor_id'),
             'acceptor_slug': logentry.parsed_data.get('acceptor_slug'),
             'giftcard': giftcard.pk,

src/pretix/base/auth.py

@@ -224,7 +224,7 @@ class HistoryPasswordValidator:
         ).delete()
 
 
-def has_event_access_permission(request, permission='can_change_event_settings'):
+def has_event_access_permission(request, permission='event.settings.general:write'):
     return (
         request.user.is_authenticated and
         request.user.has_event_permission(request.organizer, request.event, permission, request=request)

src/pretix/base/datasync/datasync.py

@@ -216,7 +216,10 @@ class OutboundSyncProvider:
 
             try:
                 mapped_objects = self.sync_order(sq.order)
-                if not all(all(not res or res.sync_info.get("action", "") == "nothing_to_do" for res in res_list) for res_list in mapped_objects.values()):
+                actions_taken = [res and res.sync_info.get("action", "") for res_list in mapped_objects.values() for res in res_list]
+                should_write_logentry = any(action not in (None, "nothing_to_do") for action in actions_taken)
+                logger.info('Synced order %s to %s, actions: %r, log: %r', sq.order.code, sq.sync_provider, actions_taken, should_write_logentry)
+                if should_write_logentry:
                     sq.order.log_action("pretix.event.order.data_sync.success", {
                         "provider": self.identifier,
                         "objects": {
@@ -237,7 +240,7 @@ class OutboundSyncProvider:
                     sq.set_sync_error("exceeded", e.messages, e.full_message)
                 else:
                     logger.info(
-                        f"Could not sync order {sq.order.code} to {type(self).__name__} "
+                        f"Could not sync order {sq.order.code} to {sq.sync_provider} "
                         f"(transient error, attempt #{sq.failed_attempts}, next {sq.not_before})",
                         exc_info=True,
                     )

src/pretix/base/email.py

@@ -19,7 +19,10 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import ipaddress
 import logging
+import smtplib
+import socket
 from itertools import groupby
 from smtplib import SMTPResponseException
 from typing import TypeVar
@@ -237,3 +240,80 @@ def base_renderers(sender, **kwargs):
 
 def get_email_context(**kwargs):
     return PlaceholderContext(**kwargs).render_all()
+
+
+def create_connection(address, timeout=socket.getdefaulttimeout(),
+                      source_address=None, *, all_errors=False):
+    # Taken from the python stdlib, extended with a check for local ips
+
+    host, port = address
+    exceptions = []
+    for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
+        af, socktype, proto, canonname, sa = res
+
+        if not getattr(settings, "MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS", False):
+            ip_addr = ipaddress.ip_address(sa[0])
+            if ip_addr.is_multicast:
+                raise socket.error(f"Request to multicast address {sa[0]} blocked")
+            if ip_addr.is_loopback or ip_addr.is_link_local:
+                raise socket.error(f"Request to local address {sa[0]} blocked")
+            if ip_addr.is_private:
+                raise socket.error(f"Request to private address {sa[0]} blocked")
+
+        sock = None
+        try:
+            sock = socket.socket(af, socktype, proto)
+            if timeout is not socket.getdefaulttimeout():
+                sock.settimeout(timeout)
+            if source_address:
+                sock.bind(source_address)
+            sock.connect(sa)
+            # Break explicitly a reference cycle
+            exceptions.clear()
+            return sock
+
+        except socket.error as exc:
+            if not all_errors:
+                exceptions.clear()  # raise only the last error
+            exceptions.append(exc)
+            if sock is not None:
+                sock.close()
+
+    if len(exceptions):
+        try:
+            if not all_errors:
+                raise exceptions[0]
+            raise ExceptionGroup("create_connection failed", exceptions)
+        finally:
+            # Break explicitly a reference cycle
+            exceptions.clear()
+    else:
+        raise socket.error("getaddrinfo returns an empty list")
+
+
+class CheckPrivateNetworkMixin:
+    # _get_socket taken 1:1 from smtplib, just with a call to our own create_connection
+    def _get_socket(self, host, port, timeout):
+        # This makes it simpler for SMTP_SSL to use the SMTP connect code
+        # and just alter the socket connection bit.
+        if timeout is not None and not timeout:
+            raise ValueError('Non-blocking socket (timeout=0) is not supported')
+        if self.debuglevel > 0:
+            self._print_debug('connect: to', (host, port), self.source_address)
+        return create_connection((host, port), timeout, self.source_address)
+
+
+class SMTP(CheckPrivateNetworkMixin, smtplib.SMTP):
+    pass
+
+
+# SMTP used here instead of mixin, because smtp.SMTP_SSL._get_socket calls super()._get_socket and then wraps this socket
+# super()._get_socket needs to be our version from the mixin
+class SMTP_SSL(smtplib.SMTP_SSL, SMTP):  # noqa: N801
+    pass
+
+
+class CheckPrivateNetworkSmtpBackend(EmailBackend):
+    @property
+    def connection_class(self):
+        return SMTP_SSL if self.use_ssl else SMTP

src/pretix/base/exporter.py

@@ -47,6 +47,7 @@ from django.utils.formats import localize
 from django.utils.translation import gettext, gettext_lazy as _
 
 from pretix.base.models import Event
+from pretix.base.models.auth import PermissionHolder
 from pretix.helpers.safe_openpyxl import (  # NOQA: backwards compatibility for plugins using excel_safe
     SafeWorkbook, remove_invalid_excel_chars as excel_safe,
 )
@@ -59,11 +60,20 @@ class BaseExporter:
     This is the base class for all data exporters
     """
 
-    def __init__(self, event, organizer, progress_callback=lambda v: None):
+    def __init__(self, event, organizer, permission_holder: PermissionHolder=None, progress_callback=lambda v: None):
+        """
+        :param event: Event context, can also be a queryset of events for multi-event exports
+        :param organizer: Organizer context
+        :param user: The user who triggered the export (or None).
+        :param token: The API token that triggered the export (or None).
+        :param device: The device that triggered the export (or None)
+        :param progress_callback: Callback function with progress
+        """
         self.event = event
         self.organizer = organizer
         self.progress_callback = progress_callback
         self.is_multievent = isinstance(event, QuerySet)
+        self.permission_holder = permission_holder
         if isinstance(event, QuerySet):
             self.events = event
             self.event = None
@@ -73,6 +83,9 @@ class BaseExporter:
             self.events = Event.objects.filter(pk=event.pk)
             self.timezone = event.timezone
 
+        if hasattr(self, 'organizer_required_permission'):
+            raise TypeError("Deprecated attribute organizer_required_permission no longer supported.")
+
     def __str__(self):
         return self.identifier
 
@@ -176,15 +189,30 @@ class BaseExporter:
         """
         return True
 
+    @classmethod
+    def get_required_event_permission(cls) -> Optional[str]:
+        """
+        The permission level required to use this exporter for events. For multi-event-exports, this will be used
+        to limit the selection of events. Will be ignored if the ``OrganizerLevelExportMixin`` mixin is used.
+        The default implementation returns ``"event.orders:read"``.
+        """
+        return 'event.orders:read'
+
 
 class OrganizerLevelExportMixin:
-    @property
-    def organizer_required_permission(self) -> str:
+    @classmethod
+    def get_required_event_permission(cls):
+        raise TypeError("required_event_permission may not be called on OrganizerLevelExportMixin")
+
+    @classmethod
+    def get_required_organizer_permission(cls) -> Optional[str]:
         """
-        The permission level required to use this exporter. Only useful for organizer-level exports,
-        not for event-level exports.
+        The permission level required to use this exporter. Must be set for organizer-level exports. Set to `None` to
+        allow everyone with any access to the organizer.
+
+        ``get_required_event_permission`` will be ignored on this class.
         """
-        return 'can_view_orders'
+        raise NotImplementedError()
 
 
 class ListExporter(BaseExporter):

src/pretix/base/exporters/customers.py

@@ -47,10 +47,13 @@ from ..signals import register_multievent_data_exporters
 class CustomerListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'customerlist'
     verbose_name = gettext_lazy('Customer accounts')
-    organizer_required_permission = 'can_manage_customers'
     category = pgettext_lazy('export_category', 'Customer accounts')
     description = gettext_lazy('Download a spreadsheet of all currently registered customer accounts.')
 
+    @classmethod
+    def get_required_organizer_permission(cls) -> str:
+        return 'organizer.customers:write'
+
     @property
     def additional_form_fields(self):
         return OrderedDict(

src/pretix/base/exporters/orderlist.py

@@ -271,7 +271,7 @@ class OrderListExporter(MultiSheetListExporter):
 
         qs = self._date_filter(qs, form_data, rel='')
 
-        if form_data['paid_only']:
+        if form_data.get('paid_only'):
             qs = qs.filter(status=Order.STATUS_PAID)
         return qs
 
@@ -315,8 +315,9 @@ class OrderListExporter(MultiSheetListExporter):
             for id, vn in payment_methods:
                 headers.append(_('Paid by {method}').format(method=vn))
 
-        # get meta_data labels from first cached event
-        headers += next(iter(self.event_object_cache.values())).meta_data.keys()
+        if self.event_object_cache:
+            # get meta_data labels from first cached event if any
+            headers += next(iter(self.event_object_cache.values())).meta_data.keys()
         yield headers
 
         full_fee_sum_cache = {
@@ -457,7 +458,7 @@ class OrderListExporter(MultiSheetListExporter):
         ).annotate(
             payment_providers=Subquery(p_providers, output_field=CharField()),
         ).select_related('order', 'order__invoice_address', 'order__customer', 'tax_rule')
-        if form_data['paid_only']:
+        if form_data.get('paid_only'):
             qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
 
         if form_data.get('items'):
@@ -503,8 +504,9 @@ class OrderListExporter(MultiSheetListExporter):
         headers.append(_('External customer ID'))
         headers.append(_('Payment providers'))
 
-        # get meta_data labels from first cached event
-        headers += next(iter(self.event_object_cache.values())).meta_data.keys()
+        if self.event_object_cache:
+            # get meta_data labels from first cached event if any
+            headers += next(iter(self.event_object_cache.values())).meta_data.keys()
         yield headers
 
         yield self.ProgressSetTotal(total=qs.count())
@@ -560,7 +562,7 @@ class OrderListExporter(MultiSheetListExporter):
         qs = OrderPosition.all.filter(
             order__event__in=self.events,
         )
-        if form_data['paid_only']:
+        if form_data.get('paid_only'):
             qs = qs.filter(order__status=Order.STATUS_PAID, canceled=False)
 
         if form_data.get('items'):
@@ -707,9 +709,9 @@ class OrderListExporter(MultiSheetListExporter):
             _('Position order link')
         ]
 
-        # get meta_data labels from first cached event
-        meta_data_labels = next(iter(self.event_object_cache.values())).meta_data.keys()
         if has_subevents:
+            # get meta_data labels from first cached event
+            meta_data_labels = next(iter(self.event_object_cache.values())).meta_data.keys()
             headers += meta_data_labels
         yield headers
 
@@ -1101,13 +1103,25 @@ class PaymentListExporter(ListExporter):
     def iterate_list(self, form_data):
         provider_names = dict(get_all_payment_providers())
 
+        i_numbers = Invoice.objects.filter(
+            order=OuterRef('order_id'),
+        ).values('order').annotate(
+            m=GroupConcat('full_invoice_no', delimiter=', ')
+        ).values(
+            'm'
+        ).order_by()
+
         payments = OrderPayment.objects.filter(
             order__event__in=self.events,
             state__in=form_data.get('payment_states', [])
+        ).annotate(
+            order_invoice_numbers=Subquery(i_numbers, output_field=CharField()),
         ).select_related('order').prefetch_related('order__event').order_by('created')
         refunds = OrderRefund.objects.filter(
             order__event__in=self.events,
             state__in=form_data.get('refund_states', [])
+        ).annotate(
+            order_invoice_numbers=Subquery(i_numbers, output_field=CharField()),
         ).select_related('order').prefetch_related('order__event').order_by('created')
 
         if form_data.get('end_date_range'):
@@ -1133,6 +1147,7 @@ class PaymentListExporter(ListExporter):
         headers = [
             _('Event slug'), _('Order'), _('Payment ID'), _('Creation date'), _('Completion date'), _('Status'),
             _('Status code'), _('Amount'), _('Payment method'), _('Comment'), _('Matching ID'), _('Payment details'),
+            _('Invoice numbers'),
         ]
         yield headers
 
@@ -1170,6 +1185,7 @@ class PaymentListExporter(ListExporter):
                 obj.comment if isinstance(obj, OrderRefund) else "",
                 matching_id,
                 payment_details,
+                obj.order_invoice_numbers,
             ]
             yield row
 
@@ -1237,11 +1253,14 @@ class QuotaListExporter(ListExporter):
 class GiftcardTransactionListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'giftcardtransactionlist'
     verbose_name = gettext_lazy('Gift card transactions')
-    organizer_required_permission = 'can_manage_gift_cards'
     category = pgettext_lazy('export_category', 'Gift cards')
     description = gettext_lazy('Download a spreadsheet of all gift card transactions.')
     repeatable_read = False
 
+    @classmethod
+    def get_required_organizer_permission(cls) -> str:
+        return 'organizer.giftcards:read'
+
     @property
     def additional_form_fields(self):
         d = [
@@ -1344,10 +1363,13 @@ class GiftcardRedemptionListExporter(ListExporter):
 class GiftcardListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'giftcardlist'
     verbose_name = gettext_lazy('Gift cards')
-    organizer_required_permission = 'can_manage_gift_cards'
     category = pgettext_lazy('export_category', 'Gift cards')
     description = gettext_lazy('Download a spreadsheet of all gift cards including their current value.')
 
+    @classmethod
+    def get_required_organizer_permission(cls) -> str:
+        return 'organizer.giftcards:read'
+
     @property
     def additional_form_fields(self):
         return OrderedDict(

src/pretix/base/exporters/reusablemedia.py

@@ -36,6 +36,10 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
     description = _('Download a spread sheet with the data of all reusable medias on your account.')
     repeatable_read = False
 
+    @classmethod
+    def get_required_organizer_permission(cls) -> str:
+        return "organizer.reusablemedia:read"
+
     def iterate_list(self, form_data):
         media = ReusableMedium.objects.filter(
             organizer=self.organizer,

src/pretix/base/forms/auth.py

@@ -196,8 +196,7 @@ class RegistrationForm(forms.Form):
     def clean_password(self):
         password1 = self.cleaned_data.get('password', '')
         user = User(email=self.cleaned_data.get('email'))
-        if validate_password(password1, user=user) is not None:
-            raise forms.ValidationError(_(password_validators_help_texts()), code='pw_invalid')
+        validate_password(password1, user=user)
         return password1
 
     def clean_email(self):

src/pretix/base/forms/questions.py

@@ -45,7 +45,6 @@ import pycountry
 from django import forms
 from django.conf import settings
 from django.contrib import messages
-from django.contrib.gis.geoip2 import GeoIP2
 from django.core.exceptions import ValidationError
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.core.validators import (
@@ -91,7 +90,7 @@ from pretix.base.settings import (
     COUNTRIES_WITH_STATE_IN_ADDRESS, COUNTRY_STATE_LABEL,
     PERSON_NAME_SALUTATIONS, PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS,
 )
-from pretix.base.templatetags.rich_text import rich_text
+from pretix.base.templatetags.rich_text import URL_RE, rich_text
 from pretix.base.timemachine import time_machine_now
 from pretix.control.forms import (
     ExtFileField, ExtValidationMixin, SizeValidationMixin, SplitDateTimeField,
@@ -102,6 +101,7 @@ from pretix.helpers.countries import (
 from pretix.helpers.escapejson import escapejson_attr
 from pretix.helpers.http import get_client_ip
 from pretix.helpers.i18n import get_format_without_seconds
+from pretix.helpers.security import get_geoip
 from pretix.presale.signals import question_form_fields
 
 logger = logging.getLogger(__name__)
@@ -227,9 +227,15 @@ class NamePartsFormField(forms.MultiValueField):
                     # bots.
                     r'^[^$€/%§{}<>~]*$',
                     message=_('Please do not use special characters in names.')
+                ),
+                RegexValidator(
+                    URL_RE,
+                    inverse_match=True,
+                    message=_('Please do not use special characters in names.')
                 )
             ]
         }
+        self.max_length = defaults['max_length']
         self.scheme_name = kwargs.pop('scheme')
         self.titles = kwargs.pop('titles')
         self.scheme = PERSON_NAME_SCHEMES.get(self.scheme_name)
@@ -287,7 +293,7 @@ class NamePartsFormField(forms.MultiValueField):
         if self.require_all_fields and not all(v for v in value):
             raise forms.ValidationError(self.error_messages['incomplete'], code='required')
 
-        if sum(len(v) for v in value.values() if v) > 250:
+        if sum(len(v) for v in value.values() if v) > (self.max_length or 250):
             raise forms.ValidationError(_('Please enter a shorter name.'), code='max_length')
 
         if value.get("salutation") == "empty":
@@ -393,7 +399,7 @@ class WrappedPhoneNumberPrefixWidget(PhoneNumberPrefixWidget):
 
 def guess_country_from_request(request, event):
     if settings.HAS_GEOIP:
-        g = GeoIP2()
+        g = get_geoip()
         try:
             res = g.country(get_client_ip(request))
             if res['country_code'] and len(res['country_code']) == 2:
@@ -1415,6 +1421,7 @@ class BaseInvoiceAddressForm(forms.ModelForm):
                     if not data.get(r):
                         raise ValidationError({r: _("This field is required for the selected type of invoice transmission.")})
 
+                transmission_type.validate_invoice_address_data(data)
                 self.instance.transmission_type = transmission_type.identifier
                 self.instance.transmission_info = transmission_type.form_data_to_transmission_info(data)
             elif transmission_type.is_exclusive(self.event, data.get("country"), data.get("is_business")):

src/pretix/base/forms/widgets.py

@@ -42,6 +42,8 @@ from django.utils.html import escape
 from django.utils.timezone import get_current_timezone, now
 from django.utils.translation import gettext_lazy as _
 
+from pretix.helpers.format import PlainHtmlAlternativeString
+
 
 def replace_arabic_numbers(inp):
     if not isinstance(inp, str):
@@ -61,11 +63,18 @@ def replace_arabic_numbers(inp):
     return inp.translate(table)
 
 
+def format_placeholder_help_text(placeholder_name, sample_value):
+    if isinstance(sample_value, PlainHtmlAlternativeString):
+        sample_value = sample_value.plain
+    title = (_("Sample: %s") % sample_value) if sample_value else ""
+    return ('<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (escape(title), escape(placeholder_name)))
+
+
 def format_placeholders_help_text(placeholders, event=None):
     placeholders = [(k, v.render_sample(event) if event else v) for k, v in placeholders.items()]
     placeholders.sort(key=lambda x: x[0])
     phs = [
-        '<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (escape(_("Sample: %s") % v) if v else "", escape(k))
+        format_placeholder_help_text(k, v)
         for k, v in placeholders
     ]
     return _('Available placeholders: {list}').format(

src/pretix/base/invoicing/email.py

@@ -33,8 +33,7 @@ from pretix.base.invoicing.transmission import (
     transmission_types,
 )
 from pretix.base.models import Invoice, InvoiceAddress
-from pretix.base.services.mail import mail, render_mail
-from pretix.helpers.format import format_map
+from pretix.base.services.mail import mail
 
 
 @transmission_types.new()
@@ -134,9 +133,7 @@ class EmailTransmissionProvider(TransmissionProvider):
             subject = invoice.order.event.settings.get('mail_subject_order_invoice', as_type=LazyI18nString)
 
             # Do not set to completed because that is done by the email sending task
-            subject = format_map(subject, context)
-            email_content = render_mail(template, context)
-            mail(
+            outgoing_mail = mail(
                 [recipient],
                 subject,
                 template,
@@ -151,19 +148,10 @@ class EmailTransmissionProvider(TransmissionProvider):
                 plain_text_only=True,
                 no_order_links=True,
             )
-            invoice.order.log_action(
-                'pretix.event.order.email.invoice',
-                user=None,
-                auth=None,
-                data={
-                    'subject': subject,
-                    'message': email_content,
-                    'position': None,
-                    'recipient': recipient,
-                    'invoices': [invoice.pk],
-                    'attach_tickets': False,
-                    'attach_ical': False,
-                    'attach_other_files': [],
-                    'attach_cached_files': [],
-                }
-            )
+            if outgoing_mail:
+                invoice.order.log_action(
+                    'pretix.event.order.email.invoice',
+                    user=None,
+                    auth=None,
+                    data=outgoing_mail.log_data()
+                )

src/pretix/base/invoicing/pdf.py

@@ -148,6 +148,10 @@ class NumberedCanvas(Canvas):
         self.restoreState()
 
 
+class InvoiceNotReadyException(Exception):
+    pass
+
+
 class BaseInvoiceRenderer:
     """
     This is the base class for all invoice renderers.
@@ -1156,7 +1160,7 @@ class Modern1Renderer(ClassicInvoiceRenderer):
         return stylesheet
 
     def _draw_invoice_from(self, canvas):
-        if not self.invoice.invoice_from:
+        if not self.invoice.address_invoice_from:
             return
         c = [
             self._clean_text(l)

src/pretix/base/invoicing/peppol.py

@@ -204,6 +204,12 @@ class PeppolTransmissionType(TransmissionType):
         }
         return base | {"transmission_peppol_participant_id"}
 
+    def validate_invoice_address_data(self, address_data: dict):
+        # Special case Belgium: If a Belgian business ID is used as Peppol ID, it should match the VAT ID
+        if address_data.get("transmission_peppol_participant_id").startswith("0208:") and address_data.get("vat_id"):
+            if address_data["vat_id"].removeprefix("BE") != address_data["transmission_peppol_participant_id"].removeprefix("0208:"):
+                raise ValidationError({"transmission_peppol_participant_id": _("The Peppol participant ID does not match your VAT ID.")})
+
     def pdf_watermark(self) -> str:
         return pgettext("peppol_invoice", "Visual copy")
 

src/pretix/base/invoicing/transmission.py

@@ -24,7 +24,7 @@ from typing import Optional
 from django.utils.translation import gettext_lazy as _
 from django_countries.fields import Country
 
-from pretix.base.models import Invoice, InvoiceAddress
+from pretix.base.models import Invoice
 from pretix.base.signals import EventPluginRegistry, Registry
 
 
@@ -89,7 +89,7 @@ class TransmissionType:
     def invoice_address_form_fields_visible(self, country: Country, is_business: bool) -> set:
         return set(self.invoice_address_form_fields.keys())
 
-    def validate_address(self, ia: InvoiceAddress):
+    def validate_invoice_address_data(self, address_data: dict):
         pass
 
     @property

src/pretix/base/management/commands/makemigrations.py

@@ -36,8 +36,9 @@ from django.core.management.commands.makemigrations import Command as Parent
 
 from ._migrations import monkeypatch_migrations
 
-monkeypatch_migrations()
-
 
 class Command(Parent):
-    pass
+
+    def handle(self, *args, **kwargs):
+        monkeypatch_migrations()
+        return super().handle(*args, **kwargs)

src/pretix/base/management/commands/runperiodic.py

@@ -64,7 +64,7 @@ class Command(BaseCommand):
         if not periodic_task.receivers or periodic_task.sender_receivers_cache.get(self) is NO_RECEIVERS:
             return
 
-        for receiver in periodic_task._live_receivers(self):
+        for receiver in periodic_task._live_receivers(self)[0]:
             name = f'{receiver.__module__}.{receiver.__name__}'
             if options['list_tasks']:
                 print(name)

src/pretix/base/management/commands/runserver.py

@@ -0,0 +1,59 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+
+"""This command supersedes the Django-inbuilt runserver command.
+
+It runs the local frontend server, if node is installed and the setting
+is set.
+"""
+import atexit
+import os
+import subprocess
+from pathlib import Path
+
+from django.conf import settings
+from django.contrib.staticfiles.management.commands.runserver import (
+    Command as Parent,
+)
+from django.utils.autoreload import DJANGO_AUTORELOAD_ENV
+
+
+class Command(Parent):
+    def handle(self, *args, **options):
+        # Only start Vite in the non-main process of the autoreloader
+        if settings.VITE_DEV_MODE and os.environ.get(DJANGO_AUTORELOAD_ENV) != "true":
+            # Start the vite server in the background
+            vite_server = subprocess.Popen(
+                ["npm", "run", "dev:control"],
+                cwd=Path(__file__).parent.parent.parent.parent.parent
+            )
+
+            def cleanup():
+                vite_server.terminate()
+                try:
+                    vite_server.wait(timeout=5)
+                except subprocess.TimeoutExpired:
+                    vite_server.kill()
+
+            atexit.register(cleanup)
+
+        super().handle(*args, **options)

src/pretix/base/middleware.py

@@ -24,6 +24,7 @@ from urllib.parse import urlparse, urlsplit
 from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
 
 from django.conf import settings
+from django.core.exceptions import BadRequest
 from django.http import Http404, HttpRequest, HttpResponse
 from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix, resolve
@@ -280,7 +281,7 @@ class SecurityMiddleware(MiddlewareMixin):
 
         h = {
             'default-src': ["{static}"],
-            'script-src': ['{static}'],
+            'script-src': ["{static}"],
             'object-src': ["'none'"],
             'frame-src': ['{static}'],
             'style-src': ["{static}", "{media}"],
@@ -294,6 +295,18 @@ class SecurityMiddleware(MiddlewareMixin):
             # this. However, we'll restrict it to HTTPS.
             'form-action': ["{dynamic}", "https:"] + (['http:'] if settings.SITE_URL.startswith('http://') else []),
         }
+
+        if settings.VITE_DEV_MODE:
+            h['script-src'] += ["http://localhost:5173", "ws://localhost:5173"]
+            h['style-src'] += ["'unsafe-inline'"]
+            h['connect-src'] += ["http://localhost:5173", "ws://localhost:5173"]
+
+        if hasattr(request, 'csp_nonce'):
+            nonce = f"'nonce-{request.csp_nonce}'"
+            h['script-src'].append(nonce)
+            if not settings.VITE_DEV_MODE:
+                # can't have 'unsafe-inline' and nonce at the same time
+                h['style-src'].append(nonce)
         # Only include pay.google.com for wallet detection purposes on the Payment selection page
         if (
                 url.url_name == "event.order.pay.change" or
@@ -347,6 +360,18 @@ class SecurityMiddleware(MiddlewareMixin):
         return resp
 
 
+class RejectInvalidInputMiddleware(MiddlewareMixin):
+
+    def process_request(self, request):
+        # Nullbytes in GET/POST parameters are mostly harmless, as they will later fail on database insertion, but it
+        # keeps spamming our error logs whenever someone tries to run a vulnerability scanner.
+        if "\x00" in request.META['QUERY_STRING'] or "%00" in request.META['QUERY_STRING']:
+            raise BadRequest("Invalid characters in input.")
+        if request.method in ('POST', 'PUT', 'PATCH') and request.content_type == "application/x-www-form-urlencoded":
+            if any("\x00" in value for key, value_list in request.POST.lists() for value in value_list):
+                raise BadRequest("Invalid characters in input.")
+
+
 class CustomCommonMiddleware(CommonMiddleware):
 
     def get_full_path_with_slash(self, request):

src/pretix/base/migrations/0234_total_ordering.py

@@ -41,16 +41,20 @@ class Migration(migrations.Migration):
             name='datetime',
             field=models.DateTimeField(),
         ),
-        migrations.AlterIndexTogether(
-            name='logentry',
-            index_together={('datetime', 'id')},
+        migrations.AddIndex(
+            'logentry',
+            models.Index(fields=('datetime', 'id'), name="pretixbase__datetim_b1fe5a_idx"),
         ),
-        migrations.AlterIndexTogether(
-            name='order',
-            index_together={('datetime', 'id'), ('last_modified', 'id')},
+        migrations.AddIndex(
+            'order',
+            models.Index(fields=["datetime", "id"], name="pretixbase__datetim_66aff0_idx"),
         ),
-        migrations.AlterIndexTogether(
-            name='transaction',
-            index_together={('datetime', 'id')},
+        migrations.AddIndex(
+            'order',
+            models.Index(fields=["last_modified", "id"], name="pretixbase__last_mo_4ebf8b_idx"),
+        ),
+        migrations.AddIndex(
+            'transaction',
+            models.Index(fields=('datetime', 'id'), name="pretixbase__datetim_b20405_idx"),
         ),
     ]

src/pretix/base/migrations/0236_reusable_media.py

@@ -61,7 +61,10 @@ class Migration(migrations.Migration):
             options={
                 'ordering': ('identifier', 'type', 'organizer'),
                 'unique_together': {('identifier', 'type', 'organizer')},
-                'index_together': {('identifier', 'type', 'organizer'), ('updated', 'id')},
+                'indexes': [
+                    models.Index(fields=('identifier', 'type', 'organizer'), name='reusable_medium_organizer_index'),
+                    models.Index(fields=('updated', 'id'), name="pretixbase__updated_093277_idx")
+                ],
             },
             bases=(models.Model, pretix.base.models.base.LoggingMixin),
         ),

src/pretix/base/migrations/0246_bigint.py

@@ -9,31 +9,6 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RenameIndex(
-            model_name="logentry",
-            new_name="pretixbase__datetim_b1fe5a_idx",
-            old_fields=("datetime", "id"),
-        ),
-        migrations.RenameIndex(
-            model_name="order",
-            new_name="pretixbase__datetim_66aff0_idx",
-            old_fields=("datetime", "id"),
-        ),
-        migrations.RenameIndex(
-            model_name="order",
-            new_name="pretixbase__last_mo_4ebf8b_idx",
-            old_fields=("last_modified", "id"),
-        ),
-        migrations.RenameIndex(
-            model_name="reusablemedium",
-            new_name="pretixbase__updated_093277_idx",
-            old_fields=("updated", "id"),
-        ),
-        migrations.RenameIndex(
-            model_name="transaction",
-            new_name="pretixbase__datetim_b20405_idx",
-            old_fields=("datetime", "id"),
-        ),
         migrations.AlterField(
             model_name="attendeeprofile",
             name="id",

src/pretix/base/migrations/0260_alter_reusablemedium_index_together.py

@@ -1,6 +1,6 @@
 # Generated by Django 4.2.10 on 2024-04-02 15:16
 
-from django.db import migrations
+from django.db import migrations, models
 
 
 class Migration(migrations.Migration):
@@ -10,8 +10,8 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.AlterIndexTogether(
-            name="reusablemedium",
-            index_together=set(),
+        migrations.RemoveIndex(
+            "reusablemedium",
+            'reusable_medium_organizer_index',
         ),
     ]

src/pretix/base/migrations/0298_pluggable_permissions.py

@@ -0,0 +1,137 @@
+from django.db import migrations, models
+
+from pretix.helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_MIGRATION, OLD_TO_NEW_ORGANIZER_MIGRATION,
+)
+
+
+def migrate_teams_forward(apps, schema_editor):
+    Team = apps.get_model("pretixbase", "Team")
+
+    for team in Team.objects.iterator():
+        if all(getattr(team, k) for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
+            team.all_event_permissions = True
+            team.limit_event_permissions = {}
+        else:
+            team.all_event_permissions = False
+            for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+                if getattr(team, k):
+                    team.limit_event_permissions.update({kk: True for kk in v})
+
+            # Prevent combinations that were possible previously but no longer make sense
+            if team.limit_event_permissions.get("event.orders:checkin") and team.limit_event_permissions.get("event.orders:write"):
+                team.limit_event_permissions.pop("event.orders:checkin")
+            if team.limit_event_permissions.get("event.orders:write") and not team.limit_event_permissions.get("event.orders:read"):
+                team.limit_event_permissions.pop("event.orders:write")
+            if team.limit_event_permissions.get("event.vouchers:write") and not team.limit_event_permissions.get("event.vouchers:read"):
+                team.limit_event_permissions.pop("event.vouchers:write")
+
+        if all(getattr(team, k) for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys()):
+            team.all_organizer_permissions = True
+            team.limit_organizer_permissions = {}
+        else:
+            team.all_organizer_permissions = False
+            for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+                if getattr(team, k):
+                    team.limit_organizer_permissions.update({kk: True for kk in v})
+
+        team.save(update_fields=[
+            "all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
+        ])
+
+
+def migrate_teams_backward(apps, schema_editor):
+    Team = apps.get_model("pretixbase", "Team")
+
+    for team in Team.objects.iterator():
+        for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+            setattr(team, k, team.all_event_permissions or all(team.limit_event_permissions.get(kk) for kk in v))
+        for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+            setattr(team, k, team.all_organizer_permissions or all(team.limit_organizer_permissions.get(kk) for kk in v))
+        team.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0297_outgoingmail"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="team",
+            name="all_event_permissions",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="all_organizer_permissions",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="limit_event_permissions",
+            field=models.JSONField(default=dict),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="limit_organizer_permissions",
+            field=models.JSONField(default=dict),
+        ),
+        migrations.RunPython(
+            migrate_teams_forward,
+            migrate_teams_backward,
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_event_settings",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_items",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_organizer_settings",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_teams",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_vouchers",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_checkin_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_create_events",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_customers",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_gift_cards",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_reusable_media",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_view_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_view_vouchers",
+        ),
+    ]

src/pretix/base/migrations/0299_itemprogramtime_location.py

@@ -0,0 +1,19 @@
+# Generated by Django 4.2.27 on 2026-01-21 12:06
+
+import i18nfield.fields
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0298_pluggable_permissions"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="itemprogramtime",
+            name="location",
+            field=i18nfield.fields.I18nTextField(max_length=200, null=True),
+        )
+    ]

src/pretix/base/modelimport.py

@@ -70,6 +70,10 @@ def parse_csv(file, length=None, mode="strict", charset=None):
         except ImportError:
             charset = file.charset
     data = data.decode(charset or "utf-8", mode)
+
+    # remove stray linebreaks from the end of the file
+    data = data.rstrip("\n")
+
     # If the file was modified on a Mac, it only contains \r as line breaks
     if '\r' in data and '\n' not in data:
         data = data.replace('\r', '\n')

src/pretix/base/models/_transactions.py

@@ -29,7 +29,9 @@ import inspect
 import logging
 import os
 import threading
+from pathlib import Path
 
+import django
 from django.conf import settings
 from django.db import transaction
 
@@ -74,10 +76,14 @@ def _transactions_mark_order_dirty(order_id, using=None):
     if "PYTEST_CURRENT_TEST" in os.environ:
         # We don't care about Order.objects.create() calls in test code so let's try to figure out if this is test code
         # or not.
-        for frame in inspect.stack():
-            if 'pretix/base/models/orders' in frame.filename:
+        for frame in inspect.stack()[1:]:
+            if (
+                'pretix/base/models/orders' in frame.filename
+                or Path(frame.filename).is_relative_to(Path(django.__file__).parent)
+            ):
+                # Ignore model- and django-internal code
                 continue
-            elif 'test_' in frame.filename or 'conftest.py in frame.filename':
+            elif 'test_' in frame.filename or 'conftest.py' in frame.filename:
                 return
             elif 'pretix/' in frame.filename or 'pretix_' in frame.filename:
                 # This went through non-test code, let's consider it non-test

src/pretix/base/models/auth.py

@@ -38,6 +38,7 @@ import operator
 import secrets
 from datetime import timedelta
 from functools import reduce
+from typing import Protocol
 
 from django.conf import settings
 from django.contrib.auth.models import (
@@ -49,6 +50,7 @@ from django.core.exceptions import BadRequest, PermissionDenied
 from django.db import IntegrityError, models, transaction
 from django.db.models import Q
 from django.utils.crypto import get_random_string, salted_hmac
+from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_otp.models import Device
@@ -66,6 +68,14 @@ class EmailAddressTakenError(IntegrityError):
     pass
 
 
+class PermissionHolder(Protocol):
+    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
+        ...
+
+    def has_organizer_permission(self, organizer, perm_name=None, request=None):
+        ...
+
+
 class UserManager(BaseUserManager):
     """
     This is the user manager for our custom user model. See the User
@@ -212,6 +222,28 @@ class SuperuserPermissionSet:
         return True
 
 
+class EventPermissionSet(set):
+    def __contains__(self, item):
+        from pretix.base.permissions import assert_valid_event_permission
+
+        if super().__contains__(item):
+            return True
+
+        assert_valid_event_permission(item, allow_tuple=False)
+        return False
+
+
+class OrganizerPermissionSet(set):
+    def __contains__(self, item):
+        from pretix.base.permissions import assert_valid_organizer_permission
+
+        if super().__contains__(item):
+            return True
+
+        assert_valid_organizer_permission(item, allow_tuple=False)
+        return False
+
+
 class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     """
     This is the user model used by pretix for authentication.
@@ -346,7 +378,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             {
                 'user': self,
                 'messages': msg,
-                'url': build_absolute_uri('control:user.settings')
+                'url': build_absolute_uri('control:user.settings'),
+                'instance': settings.PRETIX_INSTANCE_NAME,
             },
             event=None,
             user=self,
@@ -391,6 +424,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
                 'user': self,
                 'reason': msg,
                 'code': code,
+                'instance': settings.PRETIX_INSTANCE_NAME,
             },
             event=None,
             user=self,
@@ -430,6 +464,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         mail(
             self.email, _('Password recovery'), 'pretixcontrol/email/forgot.txt',
             {
+                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'url': (build_absolute_uri('control:auth.forgot.recover')
                         + '?id=%d&token=%s' % (self.id, default_token_generator.make_token(self)))
@@ -469,7 +504,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: set
         """
         teams = self._get_teams_for_event(organizer, event)
-        sets = [t.permission_set() for t in teams]
+        sets = [t.event_permission_set() for t in teams]
         if sets:
             return set.union(*sets)
         else:
@@ -483,7 +518,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: set
         """
         teams = self._get_teams_for_organizer(organizer)
-        sets = [t.permission_set() for t in teams]
+        sets = [t.organizer_permission_set() for t in teams]
         if sets:
             return set.union(*sets)
         else:
@@ -498,7 +533,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: The current request (optional)
         :param session_key: The current session key (optional)
         :return: bool
@@ -510,8 +545,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         if teams:
             self._teamcache['e{}'.format(event.pk)] = teams
             if isinstance(perm_name, (tuple, list)):
-                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
-            if not perm_name or any([team.has_permission(perm_name) for team in teams]):
+                return any([any(team.has_event_permission(p) for team in teams) for p in perm_name])
+            if not perm_name or any([team.has_event_permission(perm_name) for team in teams]):
                 return True
         return False
 
@@ -521,7 +556,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer.events:create``
         :param request: The current request (optional). Required to detect staff sessions properly.
         :return: bool
         """
@@ -530,8 +565,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         teams = self._get_teams_for_organizer(organizer)
         if teams:
             if isinstance(perm_name, (tuple, list)):
-                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
-            if not perm_name or any([team.has_permission(perm_name) for team in teams]):
+                return any([any(team.has_organizer_permission(p) for team in teams) for p in perm_name])
+            if not perm_name or any([team.has_organizer_permission(perm_name) for team in teams]):
                 return True
         return False
 
@@ -562,14 +597,15 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: Iterable of Events
         """
         from .event import Event
+        from .organizer import TeamQuerySet
 
         if request and self.has_active_staff_session(request.session.session_key):
             return Event.objects.all()
 
         if isinstance(permission, (tuple, list)):
-            q = reduce(operator.or_, [Q(**{p: True}) for p in permission])
+            q = reduce(operator.or_, [TeamQuerySet.event_permission_q(p) for p in permission])
         else:
-            q = Q(**{permission: True})
+            q = TeamQuerySet.event_permission_q(permission)
 
         return Event.objects.filter(
             Q(organizer_id__in=self.teams.filter(q, all_events=True).values_list('organizer', flat=True))
@@ -602,14 +638,13 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: Iterable of Organizers
         """
         from .event import Organizer
+        from .organizer import TeamQuerySet
 
         if request and self.has_active_staff_session(request.session.session_key):
             return Organizer.objects.all()
 
-        kwargs = {permission: True}
-
         return Organizer.objects.filter(
-            id__in=self.teams.filter(**kwargs).values_list('organizer', flat=True)
+            id__in=self.teams.filter(TeamQuerySet.organizer_permission_q(permission)).values_list('organizer', flat=True)
         )
 
     def has_active_staff_session(self, session_key=None):
@@ -664,6 +699,23 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         self.session_token = generate_session_token()
         self.save(update_fields=['session_token'])
 
+    @cached_property
+    @scopes_disabled()
+    def is_in_any_teams(self):
+        return self.teams.exists()
+
+
+class UserWithStaffSession:
+    # Wrapper around a User object with a staff session, implementing the PermissionHolder Protocol
+    def __init__(self, user):
+        self.user = user
+
+    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
+        return True
+
+    def has_organizer_permission(self, organizer, perm_name=None, request=None):
+        return True
+
 
 class UserKnownLoginSource(models.Model):
     user = models.ForeignKey('User', on_delete=models.CASCADE, related_name="known_login_sources")

src/pretix/base/models/datasync.py

@@ -86,7 +86,7 @@ class OrderSyncQueue(models.Model):
 
     def set_sync_error(self, failure_mode, messages, full_message):
         logger.exception(
-            f"Could not sync order {self.order.code} to {type(self).__name__} ({failure_mode})"
+            f"Could not sync order {self.order.code} to {self.sync_provider} ({failure_mode})"
         )
         self.order.log_action(f"pretix.event.order.data_sync.failed.{failure_mode}", {
             "provider": self.sync_provider,

src/pretix/base/models/devices.py

@@ -29,6 +29,9 @@ from django.utils.translation import gettext_lazy as _
 from django_scopes import ScopedManager, scopes_disabled
 
 from pretix.base.models import LoggedModel
+from pretix.base.permissions import (
+    AnyPermissionOf, assert_valid_event_permission,
+)
 
 
 @scopes_disabled()
@@ -189,13 +192,19 @@ class Device(LoggedModel):
                 kwargs['update_fields'] = {'device_id'}.union(kwargs['update_fields'])
         super().save(*args, **kwargs)
 
-    def permission_set(self) -> set:
+    def _event_permission_set(self) -> set:
         return {
-            'can_view_orders',
-            'can_change_orders',
-            'can_view_vouchers',
-            'can_manage_gift_cards',
-            'can_manage_reusable_media',
+            'event.orders:read',
+            'event.orders:write',
+            'event.vouchers:read',
+        }
+
+    def _organizer_permission_set(self) -> set:
+        return {
+            'organizer.giftcards:read',
+            'organizer.giftcards:write',
+            'organizer.reusablemedia:read',
+            'organizer.reusablemedia:write',
         }
 
     def get_event_permission_set(self, organizer, event) -> set:
@@ -209,7 +218,7 @@ class Device(LoggedModel):
         has_event_access = (self.all_events and organizer == self.organizer) or (
             event in self.limit_events.all()
         )
-        return self.permission_set() if has_event_access else set()
+        return self._event_permission_set() if has_event_access else set()
 
     def get_organizer_permission_set(self, organizer) -> set:
         """
@@ -218,25 +227,26 @@ class Device(LoggedModel):
         :param organizer: The organizer of the event
         :return: set of permissions
         """
-        return self.permission_set() if self.organizer == organizer else set()
+        return self._organizer_permission_set() if self.organizer == organizer else set()
 
-    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
         """
         Checks if this token is part of a team that grants access of type ``perm_name``
         to the event ``event``.
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: This parameter is ignored and only defined for compatibility reasons.
+        :param session_key: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         has_event_access = (self.all_events and organizer == self.organizer) or (
             event in self.limit_events.all()
         )
         if isinstance(perm_name, (tuple, list)):
-            return has_event_access and any(p in self.permission_set() for p in perm_name)
-        return has_event_access and (not perm_name or perm_name in self.permission_set())
+            return has_event_access and any(p in self._event_permission_set() for p in perm_name)
+        return has_event_access and (not perm_name or perm_name in self._event_permission_set())
 
     def has_organizer_permission(self, organizer, perm_name=None, request=None):
         """
@@ -244,13 +254,13 @@ class Device(LoggedModel):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer.events:create``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         if isinstance(perm_name, (tuple, list)):
-            return organizer == self.organizer and any(p in self.permission_set() for p in perm_name)
-        return organizer == self.organizer and (not perm_name or perm_name in self.permission_set())
+            return organizer == self.organizer and any(p in self._organizer_permission_set() for p in perm_name)
+        return organizer == self.organizer and (not perm_name or perm_name in self._organizer_permission_set())
 
     def get_events_with_any_permission(self):
         """
@@ -270,9 +280,10 @@ class Device(LoggedModel):
         :param request: Ignored, for compatibility with User model
         :return: Iterable of Events
         """
+        assert_valid_event_permission(permission)
         if (
-                isinstance(permission, (list, tuple)) and any(p in self.permission_set() for p in permission)
-        ) or (isinstance(permission, str) and permission in self.permission_set()):
+            isinstance(permission, (AnyPermissionOf, list, tuple)) and any(p in self._event_permission_set() for p in permission)
+        ) or (isinstance(permission, str) and permission in self._event_permission_set()):
             return self.get_events_with_any_permission()
         else:
             return self.organizer.events.none()

src/pretix/base/models/event.py

@@ -715,6 +715,12 @@ class Event(EventMixin, LoggedModel):
         self.settings.name_scheme = 'given_family'
         self.settings.payment_banktransfer_invoice_immediately = True
         self.settings.low_availability_percentage = 10
+        self.settings.mail_send_order_free_attendee = True
+        self.settings.mail_send_order_placed_attendee = True
+        self.settings.mail_send_order_paid_attendee = True
+        self.settings.mail_send_order_approved_attendee = True
+        self.settings.mail_send_order_approved_free_attendee = True
+        self.settings.mail_text_download_reminder_attendee = True
 
     @property
     def social_image(self):
@@ -843,6 +849,33 @@ class Event(EventMixin, LoggedModel):
             time(hour=23, minute=59, second=59)
         ), tz)
 
+    def allow_copy_data(self, new_organizer, auth) -> bool:
+        """
+        Returns whether it is allowed to copy the event to the target organizer. Auth can be TeamAPIToken or User.
+        """
+        from ..permissions import get_all_event_permissions
+        from .auth import User
+
+        if self.organizer == new_organizer:
+            # Copying in the same organizer is always okay with any read access, we just need to ensure it does not
+            # grant more permissions than I had before, but that is handled by the view logic
+            return auth.has_event_permission(self.organizer, self, None)
+
+        if isinstance(auth, User):
+            # Cross-organizer copying requires almost full permission of source to prevent settings extraction
+            required_permissions = get_all_event_permissions() - {
+                # We do not require these, as this data is not copied
+                "event.orders:read", "event.orders:write", "event.vouchers:read", "event.vouchers:write",
+                "event.subevents:write",
+            }
+            given_permission = auth.get_event_permission_set(self.organizer, self)
+            return all(p in given_permission for p in required_permissions if ":" in p)
+
+        else:
+            # Tokens or devices can never copy between organizers, as they are organizer-bound. Kept for future
+            # compatibility and easier calling
+            return False
+
     def copy_data_from(self, other, skip_meta_data=False):
         from ..signals import event_copy_data
         from . import (
@@ -1386,14 +1419,13 @@ class Event(EventMixin, LoggedModel):
         from .auth import User
 
         if permission:
-            kwargs = {permission: True}
+            qs = Team.objects.with_event_permission(permission)
         else:
-            kwargs = {}
+            qs = Team.objects.all()
 
-        team_with_perm = Team.objects.filter(
+        team_with_perm = qs.filter(
             members__pk=OuterRef('pk'),
             organizer=self.organizer,
-            **kwargs
         ).filter(
             Q(all_events=True) | Q(limit_events__pk=self.pk)
         )

src/pretix/base/models/items.py

@@ -2306,10 +2306,17 @@ class ItemProgramTime(models.Model):
     :type start: datetime
     :param end: The date and time this program time ends
     :type end: datetime
+    :param location: venue
+    :type location: str
     """
     item = models.ForeignKey('Item', related_name='program_times', on_delete=models.CASCADE)
     start = models.DateTimeField(verbose_name=_("Start"))
     end = models.DateTimeField(verbose_name=_("End"))
+    location = I18nTextField(
+        null=True, blank=True,
+        max_length=200,
+        verbose_name=_("Location"),
+    )
 
     def clean(self):
         if hasattr(self, 'item') and self.item and self.item.event.has_subevents:

src/pretix/base/models/log.py

@@ -88,7 +88,7 @@ class LogEntry(models.Model):
 
     class Meta:
         ordering = ('-datetime', '-id')
-        indexes = [models.Index(fields=["datetime", "id"])]
+        indexes = [models.Index(fields=["datetime", "id"], name="pretixbase__datetim_b1fe5a_idx")]
 
     def display(self):
         from pretix.base.logentrytype_registry import log_entry_types

src/pretix/base/models/mail.py

@@ -220,3 +220,20 @@ class OutgoingMail(models.Model):
             error_log_action_type = 'pretix.email.error'
             log_target = None
         return log_target, error_log_action_type
+
+    def log_data(self):
+        return {
+            "subject": self.subject,
+            "message": self.body_plain,
+            "to": self.to,
+            "cc": self.cc,
+            "bcc": self.bcc,
+
+            "invoices": [i.pk for i in self.should_attach_invoices.all()],
+            "attach_tickets": self.should_attach_tickets,
+            "attach_ical": self.should_attach_ical,
+            "attach_other_files": self.should_attach_other_files,
+            "attach_cached_files": [cf.filename for cf in self.should_attach_cached_files.all()],
+
+            "position": self.orderposition.positionid if self.orderposition else None,
+        }

src/pretix/base/models/media.py

@@ -122,7 +122,7 @@ class ReusableMedium(LoggedModel):
     class Meta:
         unique_together = (("identifier", "type", "organizer"),)
         indexes = [
-            models.Index(fields=("updated", "id")),
+            models.Index(fields=("updated", "id"), name="pretixbase__updated_093277_idx"),
         ]
         ordering = "identifier", "type", "organizer"