Add voucher tag to orderlist positions export

Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not
sent back to the originating site after multi-hop cross-site redirects,
breaking SSO login flows in pretix.

Partitioned cookies were initially introduced in Safari 18.4, removed
again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the
current issue is present.

As a mitigation, disable sending the `Partitioned` attribute for Safari
user agents. This is intentionally conservative; once the Safari issue
is fixed, this check should be refined to be conditional on the affected
versions only.

WebKit issues:

  - https://bugs.webkit.org/show_bug.cgi?id=292975
  - https://bugs.webkit.org/show_bug.cgi?id=306194

pyproject.toml

@@ -92,7 +92,7 @@ dependencies = [
   "redis==7.1.*",
   "reportlab==4.4.*",
   "requests==2.32.*",
-  "sentry-sdk==2.52.*",
+  "sentry-sdk==2.53.*",
   "sepaxml==2.7.*",
   "stripe==7.9.*",
   "text-unidecode==1.*",
@@ -110,7 +110,7 @@ dev = [
   "aiohttp==3.13.*",
   "coverage",
   "coveralls",
-  "fakeredis==2.33.*",
+  "fakeredis==2.34.*",
   "flake8==7.3.*",
   "freezegun",
   "isort==7.0.*",

src/pretix/api/views/checkin.py

@@ -188,11 +188,15 @@ class CheckinListViewSet(viewsets.ModelViewSet):
         clist = self.get_object()
         if serializer.validated_data.get('nonce'):
             if kwargs.get('position'):
-                prev = kwargs['position'].all_checkins.filter(nonce=serializer.validated_data['nonce']).first()
+                prev = kwargs['position'].all_checkins.filter(
+                    nonce=serializer.validated_data['nonce'],
+                    successful=False
+                ).first()
             else:
                 prev = clist.checkins.filter(
                     nonce=serializer.validated_data['nonce'],
                     raw_barcode=serializer.validated_data['raw_barcode'],
+                    successful=False
                 ).first()
             if prev:
                 # Ignore because nonce is already handled

src/pretix/base/exporters/orderlist.py

@@ -651,6 +651,7 @@ class OrderListExporter(MultiSheetListExporter):
             pgettext('address', 'State'),
             _('Voucher'),
             _('Voucher budget usage'),
+            _('Voucher tag'),
             _('Pseudonymization ID'),
             _('Ticket secret'),
             _('Seat ID'),
@@ -769,6 +770,7 @@ class OrderListExporter(MultiSheetListExporter):
                     op.state_for_address or '',
                     op.voucher.code if op.voucher else '',
                     op.voucher_budget_use if op.voucher_budget_use else '',
+                    op.voucher.tag if op.voucher else '',
                     op.pseudonymization_id,
                     op.secret,
                 ]

src/pretix/base/modelimport_vouchers.py

@@ -132,7 +132,7 @@ class AllowIgnoreQuotaColumn(BooleanColumnMixin, ImportColumn):
 
 class PriceModeColumn(ImportColumn):
     identifier = 'price_mode'
-    verbose_name = gettext_lazy('Price mode')
+    verbose_name = gettext_lazy('Price effect')
     default_value = None
     initial = 'static:none'
 
@@ -147,7 +147,7 @@ class PriceModeColumn(ImportColumn):
         elif value in reverse:
             return reverse[value]
         else:
-            raise ValidationError(_("Could not parse {value} as a price mode, use one of {options}.").format(
+            raise ValidationError(_("Could not parse {value} as a price effect, use one of {options}.").format(
                 value=value, options=', '.join(d.keys())
             ))
 
@@ -162,7 +162,7 @@ class ValueColumn(DecimalColumnMixin, ImportColumn):
     def clean(self, value, previous_values):
         value = super().clean(value, previous_values)
         if value and previous_values.get("price_mode") == "none":
-            raise ValidationError(_("It is pointless to set a value without a price mode."))
+            raise ValidationError(_("It is pointless to set a value without a price effect."))
         return value
 
     def assign(self, value, obj: Voucher, **kwargs):

src/pretix/base/models/vouchers.py

@@ -239,7 +239,7 @@ class Voucher(LoggedModel):
         )
     )
     price_mode = models.CharField(
-        verbose_name=_("Price mode"),
+        verbose_name=_("Price effect"),
         max_length=100,
         choices=PRICE_MODES,
         default='none'

src/pretix/base/services/mail.py

@@ -409,18 +409,6 @@ def mail_send_task(self, **kwargs) -> bool:
         outgoing_mail.inflight_since = now()
         outgoing_mail.save(update_fields=["status", "inflight_since"])
 
-    # Performance optimization, saves database queries later on if we resolve the known relationships
-    if outgoing_mail.event_id:
-        assert outgoing_mail.event.organizer_id == outgoing_mail.organizer.pk
-        outgoing_mail.event.organizer = outgoing_mail.organizer
-    if outgoing_mail.order_id:
-        assert outgoing_mail.order.event_id == outgoing_mail.event_id
-        outgoing_mail.order.event = outgoing_mail.event
-        outgoing_mail.order.organizer = outgoing_mail.organizer
-    if outgoing_mail.orderposition_id:
-        assert outgoing_mail.orderposition.order_id == outgoing_mail.order_id
-        outgoing_mail.orderposition.order = outgoing_mail.order
-
     headers = dict(outgoing_mail.headers)
     headers.setdefault('X-PX-Correlation', str(outgoing_mail.guid))
     email = CustomEmail(

src/pretix/base/services/placeholders.py

@@ -24,7 +24,6 @@ import logging
 from datetime import timedelta
 from decimal import Decimal
 
-from django.db.models import Prefetch, prefetch_related_objects
 from django.dispatch import receiver
 from django.utils.formats import date_format
 from django.utils.html import escape, mark_safe
@@ -36,7 +35,6 @@ from pretix.base.forms.widgets import format_placeholders_help_text
 from pretix.base.i18n import (
     LazyCurrencyNumber, LazyDate, LazyExpiresDate, LazyNumber,
 )
-from pretix.base.models import EventMetaValue
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.settings import PERSON_NAME_SCHEMES, get_name_parts_localized
 from pretix.base.signals import (
@@ -754,11 +752,6 @@ def base_placeholders(sender, **kwargs):
             name_scheme['sample'][f]
         ))
 
-    prefetch_related_objects(
-        [sender],
-        Prefetch('meta_values', queryset=EventMetaValue.objects.select_related("property"), to_attr="meta_values_cached")
-    )
-    prefetch_related_objects([sender.organizer], Prefetch('meta_properties'))
     for k, v in sender.meta_data.items():
         ph.append(MarkdownTextPlaceholder(
             'meta_%s' % k, ['event'], lambda event, k=k: event.meta_data[k],

src/pretix/base/templates/404.html

@@ -8,9 +8,6 @@
         <h1>{% trans "Not found" %}</h1>
         <p>{% trans "I'm afraid we could not find the the resource you requested." %}</p>
         <p>{{ exception }}</p>
-        <p class="links">
-            <a id='goback' href='#'>{% trans "Take a step back" %}</a>
-        </p>
         {% if request.user.is_staff and not staff_session %}
             <form action="{% url 'control:user.sudo' %}?next={{ request.path|add:"?"|add:request.GET.urlencode|urlencode }}" method="post">
                 <p>

src/pretix/helpers/cookies.py

@@ -34,7 +34,10 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
     if not is_secure:
         # https://www.chromestatus.com/feature/5633521622188032
         return
-    if should_send_same_site_none(request.headers.get('User-Agent', '')):
+
+    useragent = request.headers.get('User-Agent', '')
+
+    if should_send_same_site_none(useragent):
         # Chromium is rolling out SameSite=Lax as a default
         # https://www.chromestatus.com/feature/5088147346030592
         # This however breaks all pretix-in-an-iframe things, such as the pretix Widget.
@@ -44,8 +47,29 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
         # This will only work on secure cookies as well
         # https://www.chromestatus.com/feature/5633521622188032
         response.cookies[key]['secure'] = is_secure
-        # CHIPS
-        response.cookies[key]['Partitioned'] = True
+
+        if can_send_partitioned_cookie(useragent):
+            # CHIPS
+            response.cookies[key]['Partitioned'] = True
+
+
+def can_send_partitioned_cookie(useragent):
+    # Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not
+    # sent back to the originating site after multi-hop cross-site redirects,
+    # breaking SSO login flows in pretix.
+    #
+    # Partitioned cookies were initially introduced in Safari 18.4, removed
+    # again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the
+    # current issue is present.
+    #
+    # Once the Safari issue is fixed, this check should be refined to be
+    # conditional on the affected versions only.
+    #
+    # WebKit issues:
+    #
+    #   - https://bugs.webkit.org/show_bug.cgi?id=292975
+    #   - https://bugs.webkit.org/show_bug.cgi?id=306194
+    return not is_safari(useragent)
 
 
 # Based on https://www.chromium.org/updates/same-site/incompatible-clients

src/pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/pending.html

@@ -21,10 +21,10 @@
             <dt>{% trans "Reference code (important):" %}</dt><dd><b>{{ code }}</b></dd>
             <dt>{% trans "Amount:" %}</dt><dd>{{ amount|money:event.currency }}</dd>
             {% if settings.bank_details_type == "sepa" %}
-                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dt>
-                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dt>
-                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dt>
-                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dt>
+                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dd>
+                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dd>
+                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dd>
+                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dd>
             {% endif %}
         </dl>
         {% if details %}
@@ -38,4 +38,4 @@
     {% if payment_qr_codes %}
         {% include "pretixpresale/event/payment_qr_codes.html" %}
     {% endif %}
-</div>
+</div>

src/pretix/presale/templates/pretixpresale/event/resend_link.html

@@ -1,14 +1,14 @@
 {% extends "pretixpresale/event/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
-{% block title %}{% trans "Resend order links" %}{% endblock %}
+{% block title %}{% trans "Resend order link" %}{% endblock %}
 {% block custom_header %}
     {{ block.super }}
     <meta name="robots" content="noindex, nofollow">
 {% endblock %}
 {% block content %}
     <h2>
-        {% trans "Resend order links" %}
+        {% trans "Resend order link" %}
     </h2>
     <p>
         {% blocktrans trimmed %}

src/pretix/presale/views/order.py

@@ -1510,7 +1510,10 @@ class OrderChangeMixin:
                             'max_count': iao.max_count,
                             'iao': iao,
                             'items': [i for i in items if not i.require_voucher],
-                            'items_missing': {k: v for k, v in current_addon_products_missing.items() if v},
+                            'items_missing': {
+                                k: v for k, v in current_addon_products_missing.items()
+                                if v and k[0].category_id == iao.addon_category_id
+                            },
                         })
 
         return positions

src/tests/api/test_checkin.py

@@ -1177,6 +1177,30 @@ def test_store_failed(token_client, organizer, clist, event, order):
     assert resp.status_code == 400
 
 
+@pytest.mark.django_db
+def test_store_failed_after_success(token_client, organizer, clist, event, order):
+    with scopes_disabled():
+        p = order.positions.first()
+        p.all_checkins.create(
+            type=Checkin.TYPE_ENTRY,
+            nonce='foobar',
+            successful=True,
+            list=clist,
+            raw_barcode=p.secret
+        )
+    resp = token_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/failed_checkins/'.format(
+        organizer.slug, event.slug, clist.pk,
+    ), {
+        'raw_barcode': p.secret,
+        'nonce': 'foobar',
+        'position': p.pk,
+        'error_reason': 'unpaid'
+    }, format='json')
+    assert resp.status_code == 201
+    with scopes_disabled():
+        assert Checkin.all.filter(position=p).count() == 2
+
+
 @pytest.mark.django_db
 def test_redeem_unknown(token_client, organizer, clist, event, order):
     resp = _redeem(token_client, organizer, clist, 'unknown_secret', {'force': True})

src/tests/base/test_modelimport_vouchers.py

@@ -170,7 +170,7 @@ def test_price_mode_validation(event, item, user):
         import_vouchers.apply(
             args=(event.pk, inputfile_factory().id, settings, 'en', user.pk)
         ).get()
-    assert 'It is pointless to set a value without a price mode.' in str(excinfo.value)
+    assert 'It is pointless to set a value without a price effect.' in str(excinfo.value)
 
     settings['price_mode'] = 'static:percent'
     import_vouchers.apply(