Add test for translations

doc/api/deviceauth.rst

@@ -197,10 +197,11 @@ Permissions & security profiles
 
 Device authentication is currently hardcoded to grant the following permissions:
 
-* View event meta data and products etc.
-* View orders
-* Change orders
-* Manage gift cards
+* Read event meta data and products etc.
+* Read and write orders
+* Read and write gift cards
+* Read and write reusable media
+* Read vouchers
 
 Devices cannot change events or products and cannot access vouchers.
 

doc/api/resources/devices.rst

@@ -30,7 +30,7 @@ software_brand                        string                     Device software
 software_version                      string                     Device software version (read-only)
 created                               datetime                   Creation time
 initialized                           datetime                   Time of initialization (or ``null``)
-initialization_token                  string                     Token for initialization
+initialization_token                  string                     Token for initialization (field invisible without without write permission)
 revoked                               boolean                    Whether this device no longer has access
 security_profile                      string                     The name of a supported security profile restricting API access
 ===================================== ========================== =======================================================

doc/api/resources/events.rst

@@ -65,8 +65,6 @@ Endpoints
 
    Returns a list of all events within a given organizer the authenticated user/token has access to.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -161,8 +159,6 @@ Endpoints
 
    Returns information on one event, identified by its slug.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -234,8 +230,6 @@ Endpoints
    Please note that events cannot be created as 'live' using this endpoint. Quotas and payment must be added to the
    event before sales can go live.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -338,8 +332,6 @@ Endpoints
    Please note that you can only copy from events under the same organizer this way. Use the ``clone_from`` parameter
    when creating a new event for this instead.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -433,8 +425,6 @@ Endpoints
 
    Updates an event
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -510,8 +500,6 @@ Endpoints
 
    Delete an event. Note that events with orders cannot be deleted to ensure data integrity.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -561,8 +549,6 @@ organizer level.
 
    Get current values of event settings.
 
-   Permission required: "Can change event settings" (Exception: with device auth, *some* settings can always be *read*.)
-
    **Example request**:
 
    .. sourcecode:: http
@@ -615,6 +601,8 @@ organizer level.
 
    Updates event settings. Note that ``PUT`` is not allowed here, only ``PATCH``.
 
+   Permission "Can change event settings" is always required. Some keys requrie additional permissions.
+
     .. warning::
 
        Settings can be stored at different levels in pretix. If a value is not set on event level, a default setting

doc/api/resources/organizers.rst

@@ -110,8 +110,6 @@ Endpoints
 
    Updates an organizer. Currently only the ``plugins`` field may be updated.
 
-   Permission required: "Can change organizer settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -172,8 +170,6 @@ information about the properties.
 
    Get current values of organizer settings.
 
-   Permission required: "Can change organizer settings"
-
    **Example request**:
 
    .. sourcecode:: http

doc/api/resources/reusablemedia.rst

@@ -154,7 +154,7 @@ Endpoints
 .. http:post:: /api/v1/organizers/(organizer)/reusablemedia/lookup/
 
    Look up a new reusable medium by its identifier. In some cases, this might lead to the automatic creation of a new
-   medium behind the scenes.
+   medium behind the scenes, therefore this endpoint requires write permissions.
 
    This endpoint, and this endpoint only, might return media from a different organizer if there is a cross-acceptance
    agreement. In this case, only linked gift cards will be returned, no order position or customer records,

doc/api/resources/subevents.rst

@@ -154,8 +154,6 @@ Endpoints
 
    Creates a new subevent.
 
-   Permission required: "Can create events"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -300,8 +298,6 @@ Endpoints
    provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
    the fields that you want to change.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http
@@ -373,8 +369,6 @@ Endpoints
 
    Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.
 
-   Permission required: "Can change event settings"
-
    **Example request**:
 
    .. sourcecode:: http

doc/api/resources/teams.rst

@@ -24,21 +24,56 @@ all_events                            boolean                    Whether this te
 limit_events                          list                       List of event slugs this team has access to
 require_2fa                           boolean                    Whether members of this team are required to use
                                                                  two-factor authentication
-can_create_events                     boolean
-can_change_teams                      boolean
-can_change_organizer_settings         boolean
-can_manage_customers                  boolean
-can_manage_reusable_media             boolean
-can_manage_gift_cards                 boolean
-can_change_event_settings             boolean
-can_change_items                      boolean
-can_view_orders                       boolean
-can_change_orders                     boolean
-can_view_vouchers                     boolean
-can_change_vouchers                   boolean
-can_checkin_orders                    boolean
+all_event_permissions                 bool                       Whether members of this team are granted all event-level
+                                                                 permissions, including future additions
+limit_event_permissions               list of strings            The event-level permissions team members are granted
+all_organizer_permissions             bool                       Whether members of this team are granted all organizer-level
+                                                                 permissions, including future additions
+all_organizer_permissions             list of strings            The organizer-level permissions team members are granted
+can_create_events                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_teams                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_organizer_settings         boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_customers                  boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_reusable_media             boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_manage_gift_cards                 boolean                    **DEPRECATED**. Legacy interface, use ``limit_organizer_permissions``.
+can_change_event_settings             boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_items                      boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_orders                       boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_orders                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_view_vouchers                     boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_change_vouchers                   boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
+can_checkin_orders                    boolean                    **DEPRECATED**. Legacy interface, use ``limit_event_permissions``.
 ===================================== ========================== =======================================================
 
+Possible values for ``limit_organizer_permissions`` defined in the core pretix system (plugins might add more)::
+
+    organizer.events:create
+    organizer.settings.general:write
+    organizer.teams:write
+    organizer.giftcards:read
+    organizer.giftcards:write
+    organizer.customers:read
+    organizer.customers:write
+    organizer.reusablemedia:read
+    organizer.reusablemedia:write
+    organizer.devices:read
+    organizer.devices:write
+
+Possible values for ``limit_event_permissions`` defined in the core pretix system (plugins might add more)::
+
+    event.settings.general:write
+    event.settings.payment:write
+    event.settings.tax:write
+    event.settings.invoicing:write
+    event.subevents:write
+    event.items:write
+    event.orders:read
+    event.orders:write
+    event.orders:checkin
+    event.vouchers:read
+    event.vouchers:write
+    event:cancel
+
 Team member resource
 --------------------
 
@@ -121,6 +156,10 @@ Team endpoints
             "all_events": true,
             "limit_events": [],
             "require_2fa": true,
+            "all_event_permissions": true,
+            "limit_event_permissions": [],
+            "all_organizer_permissions": true,
+            "limit_organizer_permissions": [],
             "can_create_events": true,
             ...
           }
@@ -159,6 +198,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         "can_create_events": true,
         ...
       }
@@ -187,7 +230,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
-        "can_create_events": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         ...
       }
 
@@ -205,6 +251,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": true,
+        "limit_organizer_permissions": [],
         "can_create_events": true,
         ...
       }
@@ -232,7 +282,8 @@ Team endpoints
       Content-Length: 94
 
       {
-        "can_create_events": true
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"]
       }
 
    **Example response**:
@@ -249,6 +300,10 @@ Team endpoints
         "all_events": true,
         "limit_events": [],
         "require_2fa": true,
+        "all_event_permissions": true,
+        "limit_event_permissions": [],
+        "all_organizer_permissions": false,
+        "limit_organizer_permissions": ["organizer.events:create"],
         "can_create_events": true,
         ...
       }

doc/development/api/customview.rst

@@ -55,12 +55,12 @@ your views:
     )
 
     class AdminView(EventPermissionRequiredMixin, View):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
 
         ...
 
 
-    @event_permission_required('can_view_orders')
+    @event_permission_required('event.orders:read')
     def admin_view(request, organizer, event):
         ...
 
@@ -78,7 +78,7 @@ event-related views, there is also a signal that allows you to add the view to t
     @receiver(nav_event, dispatch_uid='friends_tickets_nav')
     def navbar_info(sender, request, **kwargs):
         url = resolve(request.path_info)
-        if not request.user.has_event_permission(request.organizer, request.event, 'can_change_vouchers'):
+        if not request.user.has_event_permission(request.organizer, request.event, 'event.vouchers:read'):
             return []
         return [{
             'label': _('My plugin view'),
@@ -118,7 +118,7 @@ for good integration. If you just want to display a form, you could do it like t
 
     class MySettingsView(EventSettingsViewMixin, EventSettingsFormView):
         model = Event
-        permission = 'can_change_settings'
+        permission = 'event.settings.general:write'
         form_class = MySettingsForm
         template_name = 'my_plugin/settings.html'
 
@@ -204,13 +204,13 @@ In case of ``orga_router`` and ``event_router``, permission checking is done for
 in the control panel. However, you need to make sure on your own only to return the correct subset of data! ``request
 .event`` and ``request.organizer`` are available as usual.
 
-To require a special permission like ``can_view_orders``, you do not need to inherit from a special ViewSet base
+To require a special permission like ``event.orders:read``, you do not need to inherit from a special ViewSet base
 class, you can just set the ``permission`` attribute on your viewset:
 
 .. code-block:: python
 
     class MyViewSet(ModelViewSet):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
         ...
 
 If you want to check the permission only for some methods of your viewset, you have to do it yourself. Note here that
@@ -220,7 +220,7 @@ following:
 .. code-block:: python
 
     perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken) else request.user)
-    if perm_holder.has_event_permission(request.event.organizer, request.event, 'can_view_orders'):
+    if perm_holder.has_event_permission(request.event.organizer, request.event, 'event.orders:read'):
         ...
 
 

doc/development/api/general.rst

@@ -14,7 +14,8 @@ Core
    :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types, notification,
       item_copy_data, register_sales_channel_types, register_global_settings, quota_availability, global_email_filter,
       register_ticket_secret_generators, gift_card_transaction_display,
-      register_text_placeholders, register_mail_placeholders, device_info_updated
+      register_text_placeholders, register_mail_placeholders, device_info_updated,
+      register_event_permissions, register_organizer_permissions
 
 Order events
 """"""""""""

doc/development/implementation/logging.rst

@@ -196,7 +196,7 @@ A simple implementation could look like this:
 .. code-block:: python
 
     class MyNotificationType(NotificationType):
-        required_permission = "can_view_orders"
+        required_permission = "event.orders:read"
         action_type = "pretix.event.order.paid"
         verbose_name = _("Order has been paid")
 

doc/development/implementation/permissions.rst

@@ -2,7 +2,7 @@ Permissions
 ===========
 
 pretix uses a fine-grained permission system to control who is allowed to control what parts of the system.
-The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions <user-teams>`_
+The central concept here is the concept of *Teams*. You can read more on `configuring teams and permissions`_
 and the :class:`pretix.base.models.Team` model in the respective parts of the documentation. The basic digest is:
 An organizer account can have any number of teams, and any number of users can be part of a team. A team can be
 assigned a set of permissions and connected to some or all of the events of the organizer.
@@ -25,8 +25,8 @@ permission level to access a view:
 
 
     class MyOrgaView(OrganizerPermissionRequiredMixin, View):
-        permission = 'can_change_organizer_settings'
-        # Only users with the permission ``can_change_organizer_settings`` on
+        permission = 'organizer.settings.general:write'
+        # Only users with the permission ``organizer.settings.general:write`` on
         # this organizer can access this
 
 
@@ -35,9 +35,9 @@ permission level to access a view:
         # Only users with *any* permission on this organizer can access this
 
 
-    @organizer_permission_required('can_change_organizer_settings')
+    @organizer_permission_required('organizer.settings.general:write')
     def my_orga_view(request, organizer, **kwargs):
-        # Only users with the permission ``can_change_organizer_settings`` on
+        # Only users with the permission ``organizer.settings.general:write`` on
         # this organizer can access this
 
 
@@ -56,8 +56,8 @@ Of course, the same is available on event level:
 
 
     class MyEventView(EventPermissionRequiredMixin, View):
-        permission = 'can_change_event_settings'
-        # Only users with the permission ``can_change_event_settings`` on
+        permission = 'event.settings.general:write'
+        # Only users with the permission ``event.settings.general:write`` on
         # this event can access this
 
 
@@ -66,9 +66,9 @@ Of course, the same is available on event level:
         # Only users with *any* permission on this event can access this
 
 
-    @event_permission_required('can_change_event_settings')
+    @event_permission_required('event.settings.general:write')
     def my_event_view(request, organizer, **kwargs):
-        # Only users with the permission ``can_change_event_settings`` on
+        # Only users with the permission ``event.settings.general:write`` on
         # this event can access this
 
 
@@ -121,7 +121,7 @@ When creating your own ``viewset`` using Django REST framework, you just need to
 and pretix will check it automatically for you::
 
     class MyModelViewSet(viewsets.ReadOnlyModelViewSet):
-        permission = 'can_view_orders'
+        permission = 'event.orders:read'
 
 Checking permission in code
 ---------------------------
@@ -136,12 +136,12 @@ Return all users that are in any team that is connected to this event::
 
 Return all users that are in a team with a specific permission for this event::
 
-    >>> event.get_users_with_permission('can_change_event_settings')
+    >>> event.get_users_with_permission('event.orders:read')
     <QuerySet: …>
 
 Determine if a user has a certain permission for a specific event::
 
-    >>> user.has_event_permission(organizer, event, 'can_change_event_settings', request=request)
+    >>> user.has_event_permission(organizer, event, 'event.orders:read', request=request)
     True
 
 Determine if a user has any permission for a specific event::
@@ -153,27 +153,27 @@ In the two previous commands, the ``request`` argument is optional, but required
 
 The same method exists for organizer-level permissions::
 
-    >>> user.has_organizer_permission(organizer, 'can_change_event_settings', request=request)
+    >>> user.has_organizer_permission(organizer, 'event.orders:read', request=request)
     True
 
 Sometimes, it might be more useful to get the set of permissions at once::
 
     >>> user.get_event_permission_set(organizer, event)
-    {'can_change_event_settings', 'can_view_orders', 'can_change_orders'}
+    {'event.settings.general:write', 'event.orders:read', 'event.orders:write'}
 
     >>> user.get_organizer_permission_set(organizer, event)
-    {'can_change_organizer_settings', 'can_create_events'}
+    {'organizer.settings.general:write', 'organizer.events:create'}
 
 Within a view on the ``/control`` subpath, the results of these two methods are already available in the
 ``request.eventpermset`` and ``request.orgapermset`` properties. This makes it convenient to query them in templates::
 
-    {% if "can_change_orders" in request.eventpermset %}
+    {% if "event.orders:write" in request.eventpermset %}
         …
     {% endif %}
 
 You can also do the reverse to get any events a user has access to::
 
-    >>> user.get_events_with_permission('can_change_event_settings', request=request)
+    >>> user.get_events_with_permission('event.settings.general:write', request=request)
     <QuerySet: …>
 
     >>> user.get_events_with_any_permission(request=request)
@@ -195,3 +195,30 @@ staff mode is active. You can check if a user is in staff mode using their sessi
 Staff mode has a hard time limit and during staff mode, a middleware will log all requests made by that user. Later,
 the user is able to also save a message to comment on what they did in their administrative session. This feature is
 intended to help compliance with data protection rules as imposed e.g. by GDPR.
+
+Adding permissions
+------------------
+
+Plugins can add permissions through the ``register_event_permissions`` and ``register_organizer_permission``.
+We recommend to use this only for very significant permissions, as the system will become less usable with too many
+permission levels, also because the team page will show all permission options, even those of disabled plugins.
+We recommend to prefix the permission string with the plugin name and follow the ``<module>.<thing>:<action>`` pattern.
+
+Example::
+
+    @receiver(register_event_permissions)
+    def register_default_event_permissions(sender, **kwargs):
+        return [
+            Permission("pretix_myplugin.resource:read", _("Read resources"),
+                       "pretix_myplugin", _("Some helptext")),
+        ]
+
+
+    @receiver(register_organizer_permissions)
+    def register_default_organizer_permissions(sender, **kwargs):
+        return [
+            Permission("pretix_myplugin.resource:read", _("Read resources"),
+                       "pretix_myplugin", _("Some helptext")),
+        ]
+
+.. _configuring teams and permissions: https://docs.pretix.eu/guides/teams/

src/pretix/api/auth/permission.py

@@ -124,12 +124,12 @@ class EventCRUDPermission(EventPermission):
     def has_permission(self, request, view):
         if not super(EventCRUDPermission, self).has_permission(request, view):
             return False
-        elif view.action == 'create' and 'can_create_events' not in request.orgapermset:
+        elif view.action == 'create' and 'organizer.events:create' not in request.orgapermset:
             return False
-        elif view.action == 'destroy' and 'can_change_event_settings' not in request.eventpermset:
+        elif view.action == 'destroy' and 'event.settings.general:write' not in request.eventpermset:
             return False
         elif view.action in ['update', 'partial_update'] \
-                and 'can_change_event_settings' not in request.eventpermset:
+                and 'event.settings.general:write' not in request.eventpermset:
             return False
 
         return True

src/pretix/api/serializers/event.py

@@ -300,7 +300,7 @@ class EventSerializer(SalesChannelMigrationMixin, I18nAwareModelSerializer):
     def ignored_meta_properties(self):
         perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
                        else self.context['request'].user)
-        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']):
+        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
             return []
         return [k for k, p in self.meta_properties.items() if p.protected]
 
@@ -561,7 +561,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
     def ignored_meta_properties(self):
         perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
                        else self.context['request'].user)
-        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'can_change_organizer_settings', request=self.context['request']):
+        if perm_holder.has_organizer_permission(self.context['request'].organizer, 'organizer.settings.general:write', request=self.context['request']):
             return []
         return [k for k, p in self.meta_properties.items() if p.protected]
 
@@ -707,7 +707,10 @@ class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
 
 
 class EventSettingsSerializer(SettingsSerializer):
+    default_write_permission = 'event.settings.general:write'
     default_fields = [
+        # These are readable for all users with access to the events, therefore secrets made in the settings store
+        # should not be included!
         'imprint_url',
         'checkout_email_helptext',
         'presale_has_ended_text',
@@ -1079,16 +1082,16 @@ class SeatSerializer(I18nAwareModelSerializer):
 
     def prefetch_expanded_data(self, items, request, expand_fields):
         if 'orderposition' in expand_fields:
-            if 'can_view_orders' not in request.eventpermset:
-                raise PermissionDenied('can_view_orders permission required for expand=orderposition')
+            if 'event.orders:read' not in request.eventpermset:
+                raise PermissionDenied('event.orders:read permission required for expand=orderposition')
             prefetch_by_id(items, OrderPosition.objects.prefetch_related('order'), 'orderposition_id', 'orderposition')
         if 'cartposition' in expand_fields:
-            if 'can_view_orders' not in request.eventpermset:
-                raise PermissionDenied('can_view_orders permission required for expand=cartposition')
+            if 'event.orders:read' not in request.eventpermset:
+                raise PermissionDenied('event.orders:read permission required for expand=cartposition')
             prefetch_by_id(items, CartPosition.objects, 'cartposition_id', 'cartposition')
         if 'voucher' in expand_fields:
-            if 'can_view_vouchers' not in request.eventpermset:
-                raise PermissionDenied('can_view_vouchers permission required for expand=voucher')
+            if 'event.vouchers:read' not in request.eventpermset:
+                raise PermissionDenied('event.vouchers:read permission required for expand=voucher')
             prefetch_by_id(items, Voucher.objects, 'voucher_id', 'voucher')
 
     def __init__(self, instance, *args, **kwargs):

src/pretix/api/serializers/media.py

@@ -24,7 +24,7 @@ from decimal import Decimal
 
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import OrderPositionSerializer
@@ -66,6 +66,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
         super().__init__(*args, **kwargs)
 
         if 'linked_giftcard' in self.context['request'].query_params.getlist('expand'):
+            if not self.context["can_read_giftcards"]:
+                raise PermissionDenied("No permission to access gift card details.")
+
             self.fields['linked_giftcard'] = NestedGiftCardSerializer(read_only=True, context=self.context)
             if 'linked_giftcard.owner_ticket' in self.context['request'].query_params.getlist('expand'):
                 self.fields['linked_giftcard'].fields['owner_ticket'] = NestedOrderPositionSerializer(read_only=True, context=self.context)
@@ -77,6 +80,8 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
             )
 
         if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
+            # No additional permission check performed, documented limitation of the permission system
+            # Would get to complex/unusable otherwise since the permission depends on the event
             self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
         else:
             self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
@@ -86,6 +91,9 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
             )
 
         if 'customer' in self.context['request'].query_params.getlist('expand'):
+            if not self.context["can_read_customers"]:
+                raise PermissionDenied("No permission to access customer details.")
+
             self.fields['customer'] = CustomerSerializer(read_only=True)
         else:
             self.fields['customer'] = serializers.SlugRelatedField(

src/pretix/api/serializers/order.py

@@ -613,7 +613,7 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
             # /events/…/checkinlists/…/positions/
             # We're unable to check this on this level if we're on /checkinrpc/, in which case we rely on the view
             # layer to not set pdf_data=true in the first place.
-            request and hasattr(request, 'eventpermset') and 'can_view_orders' not in request.eventpermset
+            request and hasattr(request, 'eventpermset') and 'event.orders:read' not in request.eventpermset
         )
         if ('pdf_data' in self.context and not self.context['pdf_data']) or pdf_data_forbidden:
             self.fields.pop('pdf_data', None)

src/pretix/api/serializers/organizer.py

@@ -45,12 +45,19 @@ from pretix.base.models import (
     SalesChannel, SeatingPlan, Team, TeamAPIToken, TeamInvite, User,
 )
 from pretix.base.models.seating import SeatingPlanLayoutValidator
+from pretix.base.permissions import (
+    get_all_event_permissions, get_all_organizer_permissions,
+)
 from pretix.base.plugins import (
     PLUGIN_LEVEL_EVENT, PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID,
     PLUGIN_LEVEL_ORGANIZER,
 )
 from pretix.base.services.mail import SendMailException, mail
 from pretix.base.settings import validate_organizer_settings
+from pretix.helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_EVENT_MIGRATION,
+    OLD_TO_NEW_ORGANIZER_COMPAT, OLD_TO_NEW_ORGANIZER_MIGRATION,
+)
 from pretix.helpers.urls import build_absolute_uri as build_global_uri
 from pretix.multidomain.urlreverse import build_absolute_uri
 
@@ -306,21 +313,97 @@ class EventSlugField(serializers.SlugRelatedField):
         return self.context['organizer'].events.all()
 
 
+class PermissionMultipleChoiceField(serializers.MultipleChoiceField):
+    def to_internal_value(self, data):
+        return {
+            p: True for p in super().to_internal_value(data)
+        }
+
+    def to_representation(self, value):
+        return [p for p, v in value.items() if v]
+
+
 class TeamSerializer(serializers.ModelSerializer):
     limit_events = EventSlugField(slug_field='slug', many=True)
+    limit_event_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
+    limit_organizer_permissions = PermissionMultipleChoiceField(choices=[], required=False, allow_null=False, allow_empty=True)
+
+    # Legacy fields, handled in to_representation and validate
+    can_change_event_settings = serializers.BooleanField(required=False, write_only=True)
+    can_change_items = serializers.BooleanField(required=False, write_only=True)
+    can_view_orders = serializers.BooleanField(required=False, write_only=True)
+    can_change_orders = serializers.BooleanField(required=False, write_only=True)
+    can_checkin_orders = serializers.BooleanField(required=False, write_only=True)
+    can_view_vouchers = serializers.BooleanField(required=False, write_only=True)
+    can_change_vouchers = serializers.BooleanField(required=False, write_only=True)
+    can_create_events = serializers.BooleanField(required=False, write_only=True)
+    can_change_organizer_settings = serializers.BooleanField(required=False, write_only=True)
+    can_change_teams = serializers.BooleanField(required=False, write_only=True)
+    can_manage_gift_cards = serializers.BooleanField(required=False, write_only=True)
+    can_manage_customers = serializers.BooleanField(required=False, write_only=True)
+    can_manage_reusable_media = serializers.BooleanField(required=False, write_only=True)
 
     class Meta:
         model = Team
         fields = (
-            'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
-            'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings',
-            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers',
-            'can_change_vouchers', 'can_checkin_orders', 'can_manage_customers', 'can_manage_reusable_media'
+            'id', 'name', 'require_2fa', 'all_events', 'limit_events', 'all_event_permissions', 'limit_event_permissions',
+            'all_organizer_permissions', 'limit_organizer_permissions', 'can_change_event_settings',
+            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_checkin_orders', 'can_view_vouchers',
+            'can_change_vouchers', 'can_create_events', 'can_change_organizer_settings', 'can_change_teams',
+            'can_manage_gift_cards', 'can_manage_customers', 'can_manage_reusable_media'
         )
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.fields['limit_event_permissions'].choices = [(p.name, p.name) for p in get_all_event_permissions().values()]
+        self.fields['limit_organizer_permissions'].choices = [(p.name, p.name) for p in get_all_organizer_permissions().values()]
+
+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        for old, new in OLD_TO_NEW_EVENT_COMPAT.items():
+            r[old] = instance.all_event_permissions or all(instance.limit_event_permissions.get(n) for n in new)
+        for old, new in OLD_TO_NEW_ORGANIZER_COMPAT.items():
+            r[old] = instance.all_organizer_permissions or all(instance.limit_organizer_permissions.get(n) for n in new)
+        return r
+
     def validate(self, data):
+        old_data_set = any(k.startswith("can_") for k in data)
+        new_data_set = any(k in data for k in [
+            "all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
+        ])
+        if old_data_set and new_data_set:
+            raise ValidationError("You cannot set deprecated and current permission attributes at the same time.")
+
         full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
         full_data.update(data)
+
+        if new_data_set:
+            if full_data.get('limit_event_permissions') and full_data.get('all_event_permissions'):
+                raise ValidationError('Do not set both limit_event_permissions and all_event_permissions.')
+            if full_data.get('limit_organizer_permissions') and full_data.get('all_organizer_permissions'):
+                raise ValidationError('Do not set both limit_organizer_permissions and all_organizer_permissions.')
+
+        if old_data_set:
+            # Migrate with same logic as in migration 0297_plugable_permissions
+            if all(full_data.get(k) is True for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
+                data["all_event_permissions"] = True
+                data["limit_event_permissions"] = {}
+            else:
+                data["all_event_permissions"] = False
+                data["limit_event_permissions"] = {}
+                for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+                    if full_data.get(k) is True:
+                        data["limit_event_permissions"].update({kk: True for kk in v})
+            if all(full_data.get(k) is True for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys() if k != "can_checkin_orders"):
+                data["all_organizer_permissions"] = True
+                data["limit_organizer_permissions"] = {}
+            else:
+                data["all_organizer_permissions"] = False
+                data["limit_organizer_permissions"] = {}
+                for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+                    if full_data.get(k) is True:
+                        data["limit_organizer_permissions"].update({kk: True for kk in v})
+
         if full_data.get('limit_events') and full_data.get('all_events'):
             raise ValidationError('Do not set both limit_events and all_events.')
         return data
@@ -339,7 +422,7 @@ class DeviceSerializer(serializers.ModelSerializer):
     created = serializers.DateTimeField(read_only=True)
     revoked = serializers.BooleanField(read_only=True)
     initialized = serializers.DateTimeField(read_only=True)
-    initialization_token = serializers.DateTimeField(read_only=True)
+    initialization_token = serializers.CharField(read_only=True)
     security_profile = serializers.ChoiceField(choices=[], required=False, default="full")
 
     class Meta:
@@ -353,6 +436,8 @@ class DeviceSerializer(serializers.ModelSerializer):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields['security_profile'].choices = [(k, v.verbose_name) for k, v in get_all_security_profiles().items()]
+        if not self.context['can_see_tokens']:
+            del self.fields['initialization_token']
 
 
 class TeamInviteSerializer(serializers.ModelSerializer):
@@ -439,7 +524,10 @@ class TeamMemberSerializer(serializers.ModelSerializer):
 
 
 class OrganizerSettingsSerializer(SettingsSerializer):
+    default_write_permission = 'organizer.settings.general:write'
     default_fields = [
+        # These are readable for all users with access to the events, therefore secrets made in the settings store
+        # should not be included!
         'customer_accounts',
         'customer_accounts_native',
         'customer_accounts_link_by_email',

src/pretix/api/serializers/settings.py

@@ -37,6 +37,8 @@ logger = logging.getLogger(__name__)
 class SettingsSerializer(serializers.Serializer):
     default_fields = []
     readonly_fields = []
+    default_write_permission = 'organizer.settings.general:write'
+    write_permission_required = {}
 
     def __init__(self, *args, **kwargs):
         self.changed_data = []
@@ -58,9 +60,17 @@ class SettingsSerializer(serializers.Serializer):
             f._label = str(form_kwargs.get('label', fname))
             f._help_text = str(form_kwargs.get('help_text'))
             f.parent = self
+
+            self.write_permission_required[fname] = DEFAULTS[fname].get('write_permission', self.default_write_permission)
+
             self.fields[fname] = f
 
     def validate(self, attrs):
+        for k in attrs.keys():
+            p = self.write_permission_required.get(k, self.default_write_permission)
+            if p not in self.context["permissions"]:
+                raise ValidationError({k: f"Setting this field requires permission {p}"})
+
         return {k: v for k, v in attrs.items() if k not in self.readonly_fields}
 
     def update(self, instance: HierarkeyProxy, validated_data):

src/pretix/api/views/cart.py

@@ -52,8 +52,8 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
     ordering = ('datetime',)
     ordering_fields = ('datetime', 'cart_id')
     lookup_field = 'id'
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return CartPosition.objects.filter(

src/pretix/api/views/checkin.py

@@ -118,11 +118,11 @@ class CheckinListViewSet(viewsets.ModelViewSet):
 
     def _get_permission_name(self, request):
         if request.path.endswith('/failed_checkins/'):
-            return 'can_checkin_orders', 'can_change_orders'
+            return 'event.orders:checkin', 'event.orders:write'
         elif request.method in SAFE_METHODS:
-            return 'can_view_orders', 'can_checkin_orders',
+            return 'event.orders:read', 'event.orders:checkin',
         else:
-            return 'can_change_event_settings'
+            return 'event.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.event.checkin_lists.prefetch_related(
@@ -457,7 +457,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
             'event': op.order.event,
             'pdf_data': pdf_data and (
                 user if user and user.is_authenticated else auth
-            ).has_event_permission(request.organizer, event, 'can_view_orders', request),
+            ).has_event_permission(request.organizer, event, 'event.orders:read', request),
         }
 
     common_checkin_args = dict(
@@ -822,8 +822,8 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
     }
 
     filterset_class = CheckinOrderPositionFilter
-    permission = ('can_view_orders', 'can_checkin_orders')
-    write_permission = ('can_change_orders', 'can_checkin_orders')
+    permission = ('event.orders:read', 'event.orders:checkin')
+    write_permission = ('event.orders:write', 'event.orders:checkin')
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -854,7 +854,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
             expand=self.request.query_params.getlist('expand'),
         )
 
-        if 'pk' not in self.request.resolver_match.kwargs and 'can_view_orders' not in self.request.eventpermset \
+        if 'pk' not in self.request.resolver_match.kwargs and 'event.orders:read' not in self.request.eventpermset \
                 and len(self.request.query_params.get('search', '')) < 3:
             qs = qs.none()
 
@@ -903,9 +903,9 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
 class CheckinRPCRedeemView(views.APIView):
     def post(self, request, *args, **kwargs):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -972,9 +972,9 @@ class CheckinRPCSearchView(ListAPIView):
     @cached_property
     def lists(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_view_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:read', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_view_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:read', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -991,9 +991,9 @@ class CheckinRPCSearchView(ListAPIView):
     @cached_property
     def has_full_access_permission(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission('can_view_orders')
+            events = self.request.auth.get_events_with_permission('event.orders:read')
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission('can_view_orders', self.request).filter(
+            events = self.request.user.get_events_with_permission('event.orders:read', self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -1020,9 +1020,9 @@ class CheckinRPCSearchView(ListAPIView):
 class CheckinRPCAnnulView(views.APIView):
     def post(self, request, *args, **kwargs):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            events = self.request.auth.get_events_with_permission(('can_change_orders', 'can_checkin_orders'))
+            events = self.request.auth.get_events_with_permission(('event.orders:write', 'event.orders:checkin'))
         elif self.request.user.is_authenticated:
-            events = self.request.user.get_events_with_permission(('can_change_orders', 'can_checkin_orders'), self.request).filter(
+            events = self.request.user.get_events_with_permission(('event.orders:write', 'event.orders:checkin'), self.request).filter(
                 organizer=self.request.organizer
             )
         else:
@@ -1100,7 +1100,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
     filterset_class = CheckinFilter
     ordering = ('created', 'id')
     ordering_fields = ('created', 'datetime', 'id',)
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         qs = Checkin.all.filter().select_related(

src/pretix/api/views/discount.py

@@ -57,7 +57,7 @@ class DiscountViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.discounts.prefetch_related(

src/pretix/api/views/event.py

@@ -341,7 +341,7 @@ class CloneEventViewSet(viewsets.ModelViewSet):
     lookup_field = 'slug'
     lookup_url_kwarg = 'event'
     http_method_names = ['post']
-    write_permission = 'can_create_events'
+    write_permission = 'event.settings.general:write'
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -350,6 +350,12 @@ class CloneEventViewSet(viewsets.ModelViewSet):
         return ctx
 
     def perform_create(self, serializer):
+        # Weird edge case: Requires settings permission on the event (to read) but also on the organizer (two write)
+        perm_holder = (self.request.auth if isinstance(self.request.auth, (Device, TeamAPIToken))
+                       else self.request.user)
+        if not perm_holder.has_organizer_permission(self.request.organizer, "organizer.events:create", request=self.request):
+            raise PermissionDenied("No permission to create events")
+
         serializer.save(organizer=self.request.organizer)
 
         serializer.instance.log_action(
@@ -426,7 +432,7 @@ with scopes_disabled():
 class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = SubEventSerializer
     queryset = SubEvent.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.subevents:write'
     filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
     ordering = ('date_from',)
     ordering_fields = ('id', 'date_from', 'last_modified')
@@ -546,7 +552,7 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
 class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = TaxRuleSerializer
     queryset = TaxRule.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.tax:write'
 
     def get_queryset(self):
         return self.request.event.tax_rules.all()
@@ -589,7 +595,7 @@ class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
 class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
     serializer_class = ItemMetaPropertiesSerializer
     queryset = ItemMetaProperty.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.event.item_meta_properties.all()
@@ -636,19 +642,18 @@ class ItemMetaPropertiesViewSet(viewsets.ModelViewSet):
 
 class EventSettingsView(views.APIView):
     permission = None
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
 
     def get(self, request, *args, **kwargs):
         if isinstance(request.auth, Device):
             s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
-            })
-        elif 'can_change_event_settings' in request.eventpermset:
-            s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
+                'request': request, 'permissions': request.eventpermset
             })
         else:
-            raise PermissionDenied()
+            s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
+                'request': request, 'permissions': request.eventpermset,
+            })
+
         if 'explain' in request.GET:
             return Response({
                 fname: {
@@ -662,7 +667,7 @@ class EventSettingsView(views.APIView):
 
     def patch(self, request, *wargs, **kwargs):
         s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True,
-                                    event=request.event, context={'request': request})
+                                    event=request.event, context={'request': request, 'permissions': request.eventpermset})
         s.is_valid(raise_exception=True)
         with transaction.atomic():
             s.save()
@@ -674,7 +679,7 @@ class EventSettingsView(views.APIView):
                 )
         s = EventSettingsSerializer(
             instance=request.event.settings, event=request.event, context={
-                'request': request
+                'request': request, 'permissions': request.eventpermset
             })
         return Response(s.data)
 
@@ -701,7 +706,7 @@ class SeatFilter(FilterSet):
 class SeatViewSet(ConditionalListView, viewsets.ModelViewSet):
     serializer_class = SeatSerializer
     queryset = Seat.objects.none()
-    write_permission = 'can_change_event_settings'
+    write_permission = 'event.settings.general:write'
     filter_backends = (DjangoFilterBackend, )
     filterset_class = SeatFilter
 

src/pretix/api/views/exporters.py

@@ -136,7 +136,7 @@ class ExportersMixin:
 
 
 class EventExportersViewSet(ExportersMixin, viewsets.ViewSet):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_serializer_kwargs(self):
         return {}
@@ -169,7 +169,7 @@ class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
             perm_holder = self.request.auth
         else:
             perm_holder = self.request.user
-        events = perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
+        events = perm_holder.get_events_with_permission('event.orders:read', request=self.request).filter(
             organizer=self.request.organizer
         )
         responses = register_multievent_data_exporters.send(self.request.organizer)
@@ -196,7 +196,7 @@ class OrganizerExportersViewSet(ExportersMixin, viewsets.ViewSet):
         else:
             perm_holder = self.request.user
         return {
-            'events': perm_holder.get_events_with_permission('can_view_orders', request=self.request).filter(
+            'events': perm_holder.get_events_with_permission('event.orders:read', request=self.request).filter(
                 organizer=self.request.organizer
             )
         }
@@ -222,11 +222,11 @@ class ScheduledExportersViewSet(viewsets.ModelViewSet):
 class ScheduledEventExportViewSet(ScheduledExportersViewSet):
     serializer_class = ScheduledEventExportSerializer
     queryset = ScheduledEventExport.objects.none()
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
-        if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'can_change_event_settings',
+        if not perm_holder.has_event_permission(self.request.organizer, self.request.event, 'event.settings.general:write',
                                                 request=self.request):
             if self.request.user.is_authenticated:
                 qs = self.request.event.scheduled_exports.filter(owner=self.request.user)
@@ -291,7 +291,7 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
 
     def get_queryset(self):
         perm_holder = self.request.auth if isinstance(self.request.auth, (TeamAPIToken, Device)) else self.request.user
-        if not perm_holder.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings',
+        if not perm_holder.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write',
                                                     request=self.request):
             if self.request.user.is_authenticated:
                 qs = self.request.organizer.scheduled_exports.filter(owner=self.request.user)
@@ -324,9 +324,9 @@ class ScheduledOrganizerExportViewSet(ScheduledExportersViewSet):
     @cached_property
     def events(self):
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
-            return self.request.auth.get_events_with_permission('can_view_orders')
+            return self.request.auth.get_events_with_permission('event.orders:read')
         elif self.request.user.is_authenticated:
-            return self.request.user.get_events_with_permission('can_view_orders', self.request).filter(
+            return self.request.user.get_events_with_permission('event.orders:read', self.request).filter(
                 organizer=self.request.organizer
             )
 

src/pretix/api/views/item.py

@@ -99,7 +99,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering = ('position', 'id')
     filterset_class = ItemFilter
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.items.select_related('tax_rule').prefetch_related(
@@ -163,7 +163,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -234,7 +234,7 @@ class ItemBundleViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id',)
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -286,7 +286,7 @@ class ItemProgramTimeViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id',)
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -339,7 +339,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     @cached_property
     def item(self):
@@ -398,7 +398,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.categories.all()
@@ -453,7 +453,7 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.questions.prefetch_related('options').all()
@@ -497,7 +497,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         q = get_object_or_404(Question, pk=self.kwargs['question'], event=self.request.event)
@@ -564,7 +564,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'size')
     ordering = ('id',)
     permission = None
-    write_permission = 'can_change_items'
+    write_permission = 'event.items:write'
 
     def get_queryset(self):
         return self.request.event.quotas.select_related('subevent').prefetch_related('items', 'variations').all()

src/pretix/api/views/media.py

@@ -62,8 +62,8 @@ with scopes_disabled():
 class ReusableMediaViewSet(viewsets.ModelViewSet):
     serializer_class = ReusableMediaSerializer
     queryset = ReusableMedium.objects.none()
-    permission = 'can_manage_reusable_media'
-    write_permission = 'can_manage_reusable_media'
+    permission = 'organizer.reusablemedia:read'
+    write_permission = 'organizer.reusablemedia:write'
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     ordering = ('-updated', '-id')
     ordering_fields = ('created', 'updated', 'identifier', 'type', 'id')
@@ -95,6 +95,8 @@ class ReusableMediaViewSet(viewsets.ModelViewSet):
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['organizer'] = self.request.organizer
+        ctx['can_read_giftcards'] = 'organizer.giftcards:read' in self.request.orgapermset
+        ctx['can_read_customers'] = 'organizer.customers:read' in self.request.orgapermset
         return ctx
 
     @transaction.atomic()

src/pretix/api/views/order.py

@@ -317,7 +317,7 @@ class OrderViewSetMixin:
 
 class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
     def get_base_queryset(self):
-        perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders"
+        perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
             return Order.objects.filter(
                 event__organizer=self.request.organizer,
@@ -338,8 +338,8 @@ class OrganizerOrderViewSet(OrderViewSetMixin, viewsets.ReadOnlyModelViewSet):
 
 
 class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
@@ -1078,8 +1078,8 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
     ordering = ('order__datetime', 'positionid')
     ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',)
     filterset_class = OrderPositionFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     ordering_custom = {
         'attendee_name': {
             '_order': F('display_name').asc(nulls_first=True),
@@ -1580,8 +1580,8 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
 class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderPaymentSerializer
     queryset = OrderPayment.objects.none()
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     lookup_field = 'local_id'
 
     def get_serializer_context(self):
@@ -1757,8 +1757,8 @@ class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
 class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderRefundSerializer
     queryset = OrderRefund.objects.none()
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
     lookup_field = 'local_id'
 
     def get_queryset(self):
@@ -1915,13 +1915,18 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('nr',)
     ordering_fields = ('nr', 'date')
     filterset_class = InvoiceFilter
-    permission = 'can_view_orders'
     lookup_url_kwarg = 'number'
     lookup_field = 'nr'
-    write_permission = 'can_change_orders'
+
+    def _get_permission_name(self, request):
+        if 'event' in request.resolver_match.kwargs:
+            if request.method not in SAFE_METHODS:
+                return "event.orders:write"
+            return "event.orders:read"
+        return None  # org-level is handled by event__in check
 
     def get_queryset(self):
-        perm = "can_view_orders" if self.request.method in SAFE_METHODS else "can_change_orders"
+        perm = "event.orders:read" if self.request.method in SAFE_METHODS else "event.orders:write"
         if getattr(self.request, 'event', None):
             qs = self.request.event.invoices
         elif isinstance(self.request.auth, (TeamAPIToken, Device)):
@@ -2062,8 +2067,8 @@ class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('-created',)
     ordering_fields = ('created', 'secret')
     filterset_class = RevokedSecretFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return RevokedTicketSecret.objects.filter(event=self.request.event)
@@ -2084,8 +2089,8 @@ class BlockedSecretViewSet(viewsets.ReadOnlyModelViewSet):
     filter_backends = (DjangoFilterBackend, TotalOrderingFilter)
     ordering = ('-updated', '-pk')
     filterset_class = BlockedSecretFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return BlockedTicketSecret.objects.filter(event=self.request.event)
@@ -2120,7 +2125,7 @@ class TransactionViewSet(viewsets.ReadOnlyModelViewSet):
     ordering = ('datetime', 'pk')
     ordering_fields = ('datetime', 'created', 'id',)
     filterset_class = TransactionFilter
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         return Transaction.objects.filter(order__event=self.request.event).select_related("order")
@@ -2137,11 +2142,11 @@ class OrganizerTransactionViewSet(TransactionViewSet):
 
         if isinstance(self.request.auth, (TeamAPIToken, Device)):
             qs = qs.filter(
-                order__event__in=self.request.auth.get_events_with_permission("can_view_orders"),
+                order__event__in=self.request.auth.get_events_with_permission("event.orders:read"),
             )
         elif self.request.user.is_authenticated:
             qs = qs.filter(
-                order__event__in=self.request.user.get_events_with_permission("can_view_orders", request=self.request)
+                order__event__in=self.request.user.get_events_with_permission("event.orders:read", request=self.request)
             )
         else:
             raise PermissionDenied("Unknown authentication scheme")

src/pretix/api/views/organizer.py

@@ -70,7 +70,7 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
     filter_backends = (TotalOrderingFilter,)
     ordering = ('slug',)
     ordering_fields = ('name', 'slug')
-    write_permission = "can_change_organizer_settings"
+    write_permission = "organizer.settings.general:write"
 
     def get_queryset(self):
         if self.request.user.is_authenticated:
@@ -154,8 +154,8 @@ class OrganizerViewSet(mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
 class SeatingPlanViewSet(viewsets.ModelViewSet):
     serializer_class = SeatingPlanSerializer
     queryset = SeatingPlan.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
+    write_permission = 'organizer.settings.general:write'
 
     def get_queryset(self):
         return self.request.organizer.seating_plans.order_by('name')
@@ -221,8 +221,8 @@ with scopes_disabled():
 class GiftCardViewSet(viewsets.ModelViewSet):
     serializer_class = GiftCardSerializer
     queryset = GiftCard.objects.none()
-    permission = 'can_manage_gift_cards'
-    write_permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
+    write_permission = 'organizer.giftcards:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = GiftCardFilter
 
@@ -323,8 +323,8 @@ class GiftCardViewSet(viewsets.ModelViewSet):
 class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = GiftCardTransactionSerializer
     queryset = GiftCardTransaction.objects.none()
-    permission = 'can_manage_gift_cards'
-    write_permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
+    write_permission = 'organizer.giftcards:write'
 
     @cached_property
     def giftcard(self):
@@ -341,8 +341,8 @@ class GiftCardTransactionViewSet(viewsets.ReadOnlyModelViewSet):
 class TeamViewSet(viewsets.ModelViewSet):
     serializer_class = TeamSerializer
     queryset = Team.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     def get_queryset(self):
         return self.request.organizer.teams.order_by('pk')
@@ -381,8 +381,8 @@ class TeamViewSet(viewsets.ModelViewSet):
 class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamMemberSerializer
     queryset = User.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -410,8 +410,8 @@ class TeamMemberViewSet(DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
 class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamInviteSerializer
     queryset = TeamInvite.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -447,8 +447,8 @@ class TeamInviteViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyMo
 class TeamAPITokenViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
     serializer_class = TeamAPITokenSerializer
     queryset = TeamAPIToken.objects.none()
-    permission = 'can_change_teams'
-    write_permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
+    write_permission = 'organizer.teams:write'
 
     @cached_property
     def team(self):
@@ -511,8 +511,8 @@ class DeviceViewSet(mixins.CreateModelMixin,
                     GenericViewSet):
     serializer_class = DeviceSerializer
     queryset = Device.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:read'
+    write_permission = 'organizer.devices:write'
     lookup_field = 'device_id'
 
     def get_queryset(self):
@@ -521,6 +521,9 @@ class DeviceViewSet(mixins.CreateModelMixin,
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
         ctx['organizer'] = self.request.organizer
+        ctx['can_see_tokens'] = (
+            self.request.user if self.request.user and self.request.user.is_authenticated else self.request.auth
+        ).has_organizer_permission(self.request.organizer, 'organizer.devices:write', request=self.request)
         return ctx
 
     @transaction.atomic()
@@ -547,11 +550,11 @@ class DeviceViewSet(mixins.CreateModelMixin,
 
 class OrganizerSettingsView(views.APIView):
     permission = None
-    write_permission = 'can_change_organizer_settings'
+    write_permission = 'organizer.settings.general:write'
 
     def get(self, request, *args, **kwargs):
         s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
+            'request': request, 'permissions': request.orgapermset
         })
         if 'explain' in request.GET:
             return Response({
@@ -568,7 +571,7 @@ class OrganizerSettingsView(views.APIView):
         s = OrganizerSettingsSerializer(
             instance=request.organizer.settings, data=request.data, partial=True,
             organizer=request.organizer, context={
-                'request': request
+                'request': request, 'permissions': request.orgapermset
             }
         )
         s.is_valid(raise_exception=True)
@@ -580,7 +583,7 @@ class OrganizerSettingsView(views.APIView):
                 }
             )
         s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
+            'request': request, 'permissions': request.orgapermset
         })
         return Response(s.data)
 
@@ -597,7 +600,8 @@ with scopes_disabled():
 class CustomerViewSet(viewsets.ModelViewSet):
     serializer_class = CustomerSerializer
     queryset = Customer.objects.none()
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
+    write_permission = 'organizer.customers:write'
     lookup_field = 'identifier'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = CustomerFilter
@@ -657,7 +661,7 @@ class CustomerViewSet(viewsets.ModelViewSet):
 class MembershipTypeViewSet(viewsets.ModelViewSet):
     serializer_class = MembershipTypeSerializer
     queryset = MembershipType.objects.none()
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
 
     def get_queryset(self):
         qs = self.request.organizer.membership_types.all()
@@ -714,7 +718,8 @@ with scopes_disabled():
 class MembershipViewSet(viewsets.ModelViewSet):
     serializer_class = MembershipSerializer
     queryset = Membership.objects.none()
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
+    write_permission = 'organizer.customers:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = MembershipFilter
 
@@ -764,8 +769,8 @@ with scopes_disabled():
 class SalesChannelViewSet(viewsets.ModelViewSet):
     serializer_class = SalesChannelSerializer
     queryset = SalesChannel.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
+    write_permission = 'organizer.settings.general:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = SalesChannelFilter
     lookup_field = 'identifier'

src/pretix/api/views/shredders.py

@@ -204,7 +204,7 @@ class ShreddersMixin:
 
 
 class EventShreddersViewSet(ShreddersMixin, viewsets.ViewSet):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def get_serializer_kwargs(self):
         return {}

src/pretix/api/views/voucher.py

@@ -62,8 +62,8 @@ class VoucherViewSet(viewsets.ModelViewSet):
     ordering = ('id',)
     ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value')
     filterset_class = VoucherFilter
-    permission = 'can_view_vouchers'
-    write_permission = 'can_change_vouchers'
+    permission = 'event.vouchers:read'
+    write_permission = 'event.vouchers:write'
 
     @scopes_disabled()  # we have an event check here, and we can save some performance on subqueries
     def get_queryset(self):

src/pretix/api/views/waitinglist.py

@@ -51,8 +51,8 @@ class WaitingListViewSet(viewsets.ModelViewSet):
     ordering = ('created', 'pk',)
     ordering_fields = ('id', 'created', 'email', 'item')
     filterset_class = WaitingListFilter
-    permission = 'can_view_orders'
-    write_permission = 'can_change_orders'
+    permission = 'event.orders:read'
+    write_permission = 'event.orders:write'
 
     def get_queryset(self):
         return self.request.event.waitinglistentries.all()

src/pretix/api/views/webhooks.py

@@ -35,8 +35,8 @@ class WebhookFilter(FilterSet):
 class WebHookViewSet(viewsets.ModelViewSet):
     serializer_class = WebHookSerializer
     queryset = WebHook.objects.none()
-    permission = 'can_change_organizer_settings'
-    write_permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
+    write_permission = 'organizer.settings.general:write'
     filter_backends = (DjangoFilterBackend,)
     filterset_class = WebhookFilter
 

src/pretix/base/auth.py

@@ -224,7 +224,7 @@ class HistoryPasswordValidator:
         ).delete()
 
 
-def has_event_access_permission(request, permission='can_change_event_settings'):
+def has_event_access_permission(request, permission='event.settings.general:write'):
     return (
         request.user.is_authenticated and
         request.user.has_event_permission(request.organizer, request.event, permission, request=request)

src/pretix/base/exporter.py

@@ -184,7 +184,7 @@ class OrganizerLevelExportMixin:
         The permission level required to use this exporter. Only useful for organizer-level exports,
         not for event-level exports.
         """
-        return 'can_view_orders'
+        return 'event.orders:read'
 
 
 class ListExporter(BaseExporter):

src/pretix/base/exporters/customers.py

@@ -47,7 +47,7 @@ from ..signals import register_multievent_data_exporters
 class CustomerListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'customerlist'
     verbose_name = gettext_lazy('Customer accounts')
-    organizer_required_permission = 'can_manage_customers'
+    organizer_required_permission = 'organizer.customers:write'
     category = pgettext_lazy('export_category', 'Customer accounts')
     description = gettext_lazy('Download a spreadsheet of all currently registered customer accounts.')
 

src/pretix/base/exporters/orderlist.py

@@ -1200,7 +1200,7 @@ class QuotaListExporter(ListExporter):
 class GiftcardTransactionListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'giftcardtransactionlist'
     verbose_name = gettext_lazy('Gift card transactions')
-    organizer_required_permission = 'can_manage_gift_cards'
+    organizer_required_permission = 'organizer.giftcards:write'
     category = pgettext_lazy('export_category', 'Gift cards')
     description = gettext_lazy('Download a spreadsheet of all gift card transactions.')
     repeatable_read = False
@@ -1307,7 +1307,7 @@ class GiftcardRedemptionListExporter(ListExporter):
 class GiftcardListExporter(OrganizerLevelExportMixin, ListExporter):
     identifier = 'giftcardlist'
     verbose_name = gettext_lazy('Gift cards')
-    organizer_required_permission = 'can_manage_gift_cards'
+    organizer_required_permission = 'organizer.giftcards:write'
     category = pgettext_lazy('export_category', 'Gift cards')
     description = gettext_lazy('Download a spreadsheet of all gift cards including their current value.')
 

src/pretix/base/migrations/0297_pluggable_permissions.py

@@ -0,0 +1,129 @@
+from django.db import migrations, models
+
+from pretix.helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_MIGRATION, OLD_TO_NEW_ORGANIZER_MIGRATION,
+)
+
+
+def migrate_teams_forward(apps, schema_editor):
+    Team = apps.get_model("pretixbase", "Team")
+
+    for team in Team.objects.iterator():
+        if all(getattr(team, k) for k in OLD_TO_NEW_EVENT_MIGRATION.keys() if k != "can_checkin_orders"):
+            team.all_event_permissions = True
+            team.limit_event_permissions = {}
+        else:
+            team.all_event_permissions = False
+            for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+                if getattr(team, k):
+                    team.limit_event_permissions.update({kk: True for kk in v})
+
+        if all(getattr(team, k) for k in OLD_TO_NEW_ORGANIZER_MIGRATION.keys()):
+            team.all_organizer_permissions = True
+            team.limit_organizer_permissions = {}
+        else:
+            team.all_organizer_permissions = False
+            for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+                if getattr(team, k):
+                    team.limit_organizer_permissions.update({kk: True for kk in v})
+
+        team.save(update_fields=[
+            "all_event_permissions", "limit_event_permissions", "all_organizer_permissions", "limit_organizer_permissions"
+        ])
+
+
+def migrate_teams_backward(apps, schema_editor):
+    Team = apps.get_model("pretixbase", "Team")
+
+    for team in Team.objects.iterator():
+        for k, v in OLD_TO_NEW_EVENT_MIGRATION.items():
+            setattr(team, k, team.all_event_permissions or all(team.limit_event_permissions.get(kk) for kk in v))
+        for k, v in OLD_TO_NEW_ORGANIZER_MIGRATION.items():
+            setattr(team, k, team.all_organizer_permissions or all(team.limit_organizer_permissions.get(kk) for kk in v))
+        team.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("pretixbase", "0296_invoice_invoice_from_state"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="team",
+            name="all_event_permissions",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="all_organizer_permissions",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="limit_event_permissions",
+            field=models.JSONField(default=dict),
+        ),
+        migrations.AddField(
+            model_name="team",
+            name="limit_organizer_permissions",
+            field=models.JSONField(default=dict),
+        ),
+        migrations.RunPython(
+            migrate_teams_forward,
+            migrate_teams_backward,
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_event_settings",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_items",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_organizer_settings",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_teams",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_change_vouchers",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_checkin_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_create_events",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_customers",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_gift_cards",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_manage_reusable_media",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_view_orders",
+        ),
+        migrations.RemoveField(
+            model_name="team",
+            name="can_view_vouchers",
+        ),
+    ]

src/pretix/base/models/auth.py

@@ -472,7 +472,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: set
         """
         teams = self._get_teams_for_event(organizer, event)
-        sets = [t.permission_set() for t in teams]
+        sets = [t.event_permission_set() for t in teams]
         if sets:
             return set.union(*sets)
         else:
@@ -486,7 +486,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: set
         """
         teams = self._get_teams_for_organizer(organizer)
-        sets = [t.permission_set() for t in teams]
+        sets = [t.organizer_permission_set() for t in teams]
         if sets:
             return set.union(*sets)
         else:
@@ -501,7 +501,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: The current request (optional)
         :param session_key: The current session key (optional)
         :return: bool
@@ -513,8 +513,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         if teams:
             self._teamcache['e{}'.format(event.pk)] = teams
             if isinstance(perm_name, (tuple, list)):
-                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
-            if not perm_name or any([team.has_permission(perm_name) for team in teams]):
+                return any([any(team.has_event_permission(p) for team in teams) for p in perm_name])
+            if not perm_name or any([team.has_event_permission(perm_name) for team in teams]):
                 return True
         return False
 
@@ -524,7 +524,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer.events:create``
         :param request: The current request (optional). Required to detect staff sessions properly.
         :return: bool
         """
@@ -533,8 +533,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         teams = self._get_teams_for_organizer(organizer)
         if teams:
             if isinstance(perm_name, (tuple, list)):
-                return any([any(team.has_permission(p) for team in teams) for p in perm_name])
-            if not perm_name or any([team.has_permission(perm_name) for team in teams]):
+                return any([any(team.has_organizer_permission(p) for team in teams) for p in perm_name])
+            if not perm_name or any([team.has_organizer_permission(perm_name) for team in teams]):
                 return True
         return False
 
@@ -565,14 +565,15 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: Iterable of Events
         """
         from .event import Event
+        from .organizer import TeamQuerySet
 
         if request and self.has_active_staff_session(request.session.session_key):
             return Event.objects.all()
 
         if isinstance(permission, (tuple, list)):
-            q = reduce(operator.or_, [Q(**{p: True}) for p in permission])
+            q = reduce(operator.or_, [TeamQuerySet.event_permission_q(p) for p in permission])
         else:
-            q = Q(**{permission: True})
+            q = TeamQuerySet.event_permission_q(permission)
 
         return Event.objects.filter(
             Q(organizer_id__in=self.teams.filter(q, all_events=True).values_list('organizer', flat=True))
@@ -605,14 +606,13 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         :return: Iterable of Organizers
         """
         from .event import Organizer
+        from .organizer import TeamQuerySet
 
         if request and self.has_active_staff_session(request.session.session_key):
             return Organizer.objects.all()
 
-        kwargs = {permission: True}
-
         return Organizer.objects.filter(
-            id__in=self.teams.filter(**kwargs).values_list('organizer', flat=True)
+            id__in=self.teams.filter(TeamQuerySet.organizer_permission_q(permission)).values_list('organizer', flat=True)
         )
 
     def has_active_staff_session(self, session_key=None):

src/pretix/base/models/devices.py

@@ -189,13 +189,19 @@ class Device(LoggedModel):
                 kwargs['update_fields'] = {'device_id'}.union(kwargs['update_fields'])
         super().save(*args, **kwargs)
 
-    def permission_set(self) -> set:
+    def _event_permission_set(self) -> set:
         return {
-            'can_view_orders',
-            'can_change_orders',
-            'can_view_vouchers',
-            'can_manage_gift_cards',
-            'can_manage_reusable_media',
+            'event.orders:read',
+            'event.orders:write',
+            'event.vouchers:read',
+        }
+
+    def _organizer_permission_set(self) -> set:
+        return {
+            'organizer.giftcards:read',
+            'organizer.giftcards:write',
+            'organizer.reusablemedia:read',
+            'organizer.reusablemedia:write',
         }
 
     def get_event_permission_set(self, organizer, event) -> set:
@@ -209,7 +215,7 @@ class Device(LoggedModel):
         has_event_access = (self.all_events and organizer == self.organizer) or (
             event in self.limit_events.all()
         )
-        return self.permission_set() if has_event_access else set()
+        return self._event_permission_set() if has_event_access else set()
 
     def get_organizer_permission_set(self, organizer) -> set:
         """
@@ -218,7 +224,7 @@ class Device(LoggedModel):
         :param organizer: The organizer of the event
         :return: set of permissions
         """
-        return self.permission_set() if self.organizer == organizer else set()
+        return self._organizer_permission_set() if self.organizer == organizer else set()
 
     def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
@@ -227,7 +233,7 @@ class Device(LoggedModel):
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
@@ -235,8 +241,8 @@ class Device(LoggedModel):
             event in self.limit_events.all()
         )
         if isinstance(perm_name, (tuple, list)):
-            return has_event_access and any(p in self.permission_set() for p in perm_name)
-        return has_event_access and (not perm_name or perm_name in self.permission_set())
+            return has_event_access and any(p in self._event_permission_set() for p in perm_name)
+        return has_event_access and (not perm_name or perm_name in self._event_permission_set())
 
     def has_organizer_permission(self, organizer, perm_name=None, request=None):
         """
@@ -244,13 +250,13 @@ class Device(LoggedModel):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer.events:create``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         if isinstance(perm_name, (tuple, list)):
-            return organizer == self.organizer and any(p in self.permission_set() for p in perm_name)
-        return organizer == self.organizer and (not perm_name or perm_name in self.permission_set())
+            return organizer == self.organizer and any(p in self._organizer_permission_set() for p in perm_name)
+        return organizer == self.organizer and (not perm_name or perm_name in self._organizer_permission_set())
 
     def get_events_with_any_permission(self):
         """
@@ -271,8 +277,8 @@ class Device(LoggedModel):
         :return: Iterable of Events
         """
         if (
-                isinstance(permission, (list, tuple)) and any(p in self.permission_set() for p in permission)
-        ) or (isinstance(permission, str) and permission in self.permission_set()):
+            isinstance(permission, (list, tuple)) and any(p in self._event_permission_set() for p in permission)
+        ) or (isinstance(permission, str) and permission in self._event_permission_set()):
             return self.get_events_with_any_permission()
         else:
             return self.organizer.events.none()

src/pretix/base/models/event.py

@@ -1386,14 +1386,13 @@ class Event(EventMixin, LoggedModel):
         from .auth import User
 
         if permission:
-            kwargs = {permission: True}
+            qs = Team.objects.with_event_permission(permission)
         else:
-            kwargs = {}
+            qs = Team.objects.all()
 
-        team_with_perm = Team.objects.filter(
+        team_with_perm = qs.filter(
             members__pk=OuterRef('pk'),
             organizer=self.organizer,
-            **kwargs
         ).filter(
             Q(all_events=True) | Q(limit_events__pk=self.pk)
         )

src/pretix/base/models/organizer.py

@@ -31,9 +31,10 @@
 # Unless required by applicable law or agreed to in writing, software distributed under the Apache License 2.0 is
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.
-
+import operator
 import string
 from datetime import date, datetime, time
+from functools import reduce
 
 import pytz_deprecation_shim
 from django.conf import settings
@@ -53,6 +54,10 @@ from i18nfield.strings import LazyI18nString
 from pretix.base.models.base import LoggedModel
 from pretix.base.validators import OrganizerSlugBanlistValidator
 
+from ...helpers.permission_migration import (
+    OLD_TO_NEW_EVENT_COMPAT, OLD_TO_NEW_ORGANIZER_COMPAT,
+    LegacyPermissionProperty,
+)
 from ..settings import settings_hierarkey
 from .auth import User
 
@@ -309,6 +314,32 @@ def generate_api_token():
     return get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits)
 
 
+class TeamQuerySet(models.QuerySet):
+    @classmethod
+    def event_permission_q(cls, perm_name):
+        if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_EVENT_COMPAT:  # legacy
+            return reduce(operator.and_, [cls.event_permission_q(p) for p in OLD_TO_NEW_EVENT_COMPAT[perm_name]])
+        return (
+            Q(all_event_permissions=True) |
+            Q(**{f'limit_event_permissions__{perm_name}': True})
+        )
+
+    @classmethod
+    def organizer_permission_q(cls, perm_name):
+        if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_ORGANIZER_COMPAT:  # legacy
+            return reduce(operator.and_, [cls.organizer_permission_q(p) for p in OLD_TO_NEW_ORGANIZER_COMPAT[perm_name]])
+        return (
+            Q(all_organizer_permissions=True) |
+            Q(**{f'limit_organizer_permissions__{perm_name}': True})
+        )
+
+    def with_event_permission(self, perm_name):
+        return self.filter(self.event_permission_q(perm_name))
+
+    def with_organizer_permission(self, perm_name):
+        return self.filter(self.organizer_permission_q(perm_name))
+
+
 class Team(LoggedModel):
     """
     A team is a collection of people given certain access rights to one or more events of an organizer.
@@ -321,36 +352,10 @@ class Team(LoggedModel):
     :param all_events: Whether this team has access to all events of this organizer
     :type all_events: bool
     :param limit_events: A set of events this team has access to. Irrelevant if ``all_events`` is ``True``.
-    :param can_create_events: Whether or not the members can create new events with this organizer account.
-    :type can_create_events: bool
-    :param can_change_teams: If ``True``, the members can change the teams of this organizer account.
-    :type can_change_teams: bool
-    :param can_manage_customers: If ``True``, the members can view and change organizer-level customer accounts.
-    :type can_manage_customers: bool
-    :param can_manage_reusable_media: If ``True``, the members can view and change organizer-level reusable media.
-    :type can_manage_reusable_media: bool
-    :param can_change_organizer_settings: If ``True``, the members can change the settings of this organizer account.
-    :type can_change_organizer_settings: bool
-    :param can_change_event_settings: If ``True``, the members can change the settings of the associated events.
-    :type can_change_event_settings: bool
-    :param can_change_items: If ``True``, the members can change and add items and related objects for the associated events.
-    :type can_change_items: bool
-    :param can_view_orders: If ``True``, the members can inspect details of all orders of the associated events.
-    :type can_view_orders: bool
-    :param can_change_orders: If ``True``, the members can change details of orders of the associated events.
-    :type can_change_orders: bool
-    :param can_checkin_orders: If ``True``, the members can perform check-in related actions.
-    :type can_checkin_orders: bool
-    :param can_view_vouchers: If ``True``, the members can inspect details of all vouchers of the associated events.
-    :type can_view_vouchers: bool
-    :param can_change_vouchers: If ``True``, the members can change and create vouchers for the associated events.
-    :type can_change_vouchers: bool
     """
     organizer = models.ForeignKey(Organizer, related_name="teams", on_delete=models.CASCADE)
     name = models.CharField(max_length=190, verbose_name=_("Team name"))
     members = models.ManyToManyField(User, related_name="teams", verbose_name=_("Team members"))
-    all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
-    limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
     require_2fa = models.BooleanField(
         default=False, verbose_name=_("Require all members of this team to use two-factor authentication"),
         help_text=_("If you turn this on, all members of the team will be required to either set up two-factor "
@@ -358,62 +363,33 @@ class Team(LoggedModel):
                     "all users.")
     )
 
-    can_create_events = models.BooleanField(
-        default=False,
-        verbose_name=_("Can create events"),
-    )
-    can_change_teams = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change teams and permissions"),
-    )
-    can_change_organizer_settings = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change organizer settings"),
-        help_text=_('Someone with this setting can get access to most data of all of your events, i.e. via privacy '
-                    'reports, so be careful who you add to this team!')
-    )
-    can_manage_customers = models.BooleanField(
-        default=False,
-        verbose_name=_("Can manage customer accounts")
-    )
-    can_manage_reusable_media = models.BooleanField(
-        default=False,
-        verbose_name=_("Can manage reusable media")
-    )
-    can_manage_gift_cards = models.BooleanField(
-        default=False,
-        verbose_name=_("Can manage gift cards")
-    )
-    can_change_event_settings = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change event settings")
-    )
-    can_change_items = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change product settings")
-    )
-    can_view_orders = models.BooleanField(
-        default=False,
-        verbose_name=_("Can view orders")
-    )
-    can_change_orders = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change orders")
-    )
-    can_checkin_orders = models.BooleanField(
-        default=False,
-        verbose_name=_("Can perform check-ins"),
-        help_text=_('This includes searching for attendees, which can be used to obtain personal information about '
-                    'attendees. Users with "can change orders" can also perform check-ins.')
-    )
-    can_view_vouchers = models.BooleanField(
-        default=False,
-        verbose_name=_("Can view vouchers")
-    )
-    can_change_vouchers = models.BooleanField(
-        default=False,
-        verbose_name=_("Can change vouchers")
-    )
+    # Scope
+    all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
+    limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+
+    # Permissions
+    # We store them as {key: True} instead of [key] because otherwise not all lookups we need are supported on SQLite
+    all_event_permissions = models.BooleanField(default=False, verbose_name=_("All event permissions"))
+    limit_event_permissions = models.JSONField(default=dict, verbose_name=_("Event permissions"))
+    all_organizer_permissions = models.BooleanField(default=False, verbose_name=_("All organizer permissions"))
+    limit_organizer_permissions = models.JSONField(default=dict, verbose_name=_("Organizer permissions"))
+
+    # Legacy lookups for plugin compatibility
+    can_change_event_settings = LegacyPermissionProperty()
+    can_change_items = LegacyPermissionProperty()
+    can_view_orders = LegacyPermissionProperty()
+    can_change_orders = LegacyPermissionProperty()
+    can_checkin_orders = LegacyPermissionProperty()
+    can_view_vouchers = LegacyPermissionProperty()
+    can_change_vouchers = LegacyPermissionProperty()
+    can_create_events = LegacyPermissionProperty()
+    can_change_organizer_settings = LegacyPermissionProperty()
+    can_change_teams = LegacyPermissionProperty()
+    can_manage_gift_cards = LegacyPermissionProperty()
+    can_manage_customers = LegacyPermissionProperty()
+    can_manage_reusable_media = LegacyPermissionProperty()
+
+    objects = TeamQuerySet.as_manager()
 
     def __str__(self) -> str:
         return _("%(name)s on %(object)s") % {
@@ -421,21 +397,51 @@ class Team(LoggedModel):
             'object': str(self.organizer),
         }
 
-    def permission_set(self) -> set:
-        attribs = dir(self)
-        return {
-            a for a in attribs if a.startswith('can_') and self.has_permission(a)
-        }
+    def event_permission_set(self, include_legacy=True) -> set:
+        from ..permissions import get_all_event_permissions
+
+        result = set()
+        for permission in get_all_event_permissions().keys():
+            if self.all_event_permissions or self.limit_event_permissions.get(permission):
+                result.add(permission)
+
+        if include_legacy:
+            # Add legacy permissions as well for plugin compatibility
+            for k, v in OLD_TO_NEW_EVENT_COMPAT.items():
+                if self.all_event_permissions or all(self.limit_event_permissions.get(kk) for kk in v):
+                    result.add(k)
+
+        return result
+
+    def organizer_permission_set(self, include_legacy=True) -> set:
+        from ..permissions import get_all_organizer_permissions
+
+        result = set()
+        for permission in get_all_organizer_permissions().keys():
+            if self.all_organizer_permissions or self.limit_organizer_permissions.get(permission):
+                result.add(permission)
+
+        if include_legacy:
+            # Add legacy permissions as well for plugin compatibility
+            for k, v in OLD_TO_NEW_ORGANIZER_COMPAT.items():
+                if self.all_organizer_permissions or all(self.limit_organizer_permissions.get(kk) for kk in v):
+                    result.add(k)
+
+        return result
 
     @property
-    def can_change_settings(self):  # Legacy compatiblilty
+    def can_change_settings(self):  # Legacy compatibility
         return self.can_change_event_settings
 
-    def has_permission(self, perm_name):
-        try:
+    def has_event_permission(self, perm_name):
+        if perm_name.startswith('can_') and hasattr(self, perm_name):  # legacy
             return getattr(self, perm_name)
-        except AttributeError:
-            raise ValueError('Invalid required permission: %s' % perm_name)
+        return self.all_event_permissions or self.limit_event_permissions.get(perm_name, False)
+
+    def has_organizer_permission(self, perm_name):
+        if perm_name.startswith('can_') and hasattr(self, perm_name):  # legacy
+            return getattr(self, perm_name)
+        return self.all_organizer_permissions or self.limit_organizer_permissions.get(perm_name, False)
 
     def permission_for_event(self, event):
         if self.all_events:
@@ -447,6 +453,19 @@ class Team(LoggedModel):
     def active_tokens(self):
         return self.tokens.filter(active=True)
 
+    def save(self, **kwargs):
+        if not isinstance(self.limit_event_permissions, dict):
+            raise TypeError("Permissions must be a dictionary")
+        if not isinstance(self.limit_organizer_permissions, dict):
+            raise TypeError("Permissions must be a dictionary")
+        for k in self.limit_event_permissions.values():
+            if k is not True:
+                raise TypeError("Permissions must only contain True values")
+        for k in self.limit_organizer_permissions.values():
+            if k is not True:
+                raise TypeError("Permissions must only contain True values")
+        return super().save(**kwargs)
+
     class Meta:
         verbose_name = _("Team")
         verbose_name_plural = _("Teams")
@@ -503,7 +522,7 @@ class TeamAPIToken(models.Model):
         has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
             event in self.team.limit_events.all()
         )
-        return self.team.permission_set() if has_event_access else set()
+        return self.team.event_permission_set() if has_event_access else set()
 
     def get_organizer_permission_set(self, organizer) -> set:
         """
@@ -512,7 +531,7 @@ class TeamAPIToken(models.Model):
         :param organizer: The organizer of the event
         :return: set of permissions
         """
-        return self.team.permission_set() if self.team.organizer == organizer else set()
+        return self.team.organizer_permission_set() if self.team.organizer == organizer else set()
 
     def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
         """
@@ -521,7 +540,7 @@ class TeamAPIToken(models.Model):
 
         :param organizer: The organizer of the event
         :param event: The event to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``event.orders:read``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
@@ -529,8 +548,8 @@ class TeamAPIToken(models.Model):
             event in self.team.limit_events.all()
         )
         if isinstance(perm_name, (tuple, list)):
-            return has_event_access and any(self.team.has_permission(p) for p in perm_name)
-        return has_event_access and (not perm_name or self.team.has_permission(perm_name))
+            return has_event_access and any(self.team.has_event_permission(p) for p in perm_name)
+        return has_event_access and (not perm_name or self.team.has_event_permission(perm_name))
 
     def has_organizer_permission(self, organizer, perm_name=None, request=None):
         """
@@ -538,13 +557,13 @@ class TeamAPIToken(models.Model):
         to the organizer ``organizer``.
 
         :param organizer: The organizer to check
-        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param perm_name: The permission, e.g. ``organizer:events.create``
         :param request: This parameter is ignored and only defined for compatibility reasons.
         :return: bool
         """
         if isinstance(perm_name, (tuple, list)):
-            return organizer == self.team.organizer and any(self.team.has_permission(p) for p in perm_name)
-        return organizer == self.team.organizer and (not perm_name or self.team.has_permission(perm_name))
+            return organizer == self.team.organizer and any(self.team.has_organizer_permission(p) for p in perm_name)
+        return organizer == self.team.organizer and (not perm_name or self.team.has_organizer_permission(perm_name))
 
     def get_events_with_any_permission(self):
         """
@@ -565,8 +584,8 @@ class TeamAPIToken(models.Model):
         :return: Iterable of Events
         """
         if (
-                isinstance(permission, (list, tuple)) and any(getattr(self.team, p, False) for p in permission)
-        ) or (isinstance(permission, str) and getattr(self.team, permission, False)):
+            isinstance(permission, (list, tuple)) and any(self.team.has_event_permission(p) for p in permission)
+        ) or (isinstance(permission, str) and self.team.has_event_permission(permission)):
             return self.get_events_with_any_permission()
         else:
             return self.team.organizer.events.none()

src/pretix/base/notifications.py

@@ -151,7 +151,7 @@ def get_all_notification_types(event=None):
 
 
 class ParametrizedOrderNotificationType(NotificationType):
-    required_permission = "can_view_orders"
+    required_permission = "event.orders:read"
 
     def __init__(self, event, action_type, verbose_name, title):
         self._action_type = action_type

src/pretix/base/permissions.py

@@ -0,0 +1,115 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+
+import logging
+from collections import OrderedDict, namedtuple
+
+from django.dispatch import receiver
+from django.utils.translation import gettext_lazy as _, pgettext_lazy
+
+from pretix.base.signals import (
+    register_event_permissions, register_organizer_permissions,
+)
+
+logger = logging.getLogger(__name__)
+_ALL_EVENT_PERMISSIONS = None
+_ALL_ORGANIZER_PERMISSIONS = None
+
+
+Permission = namedtuple('Permission', ('name', 'label', 'plugin_name', 'help_text'))
+
+
+def get_all_event_permissions():
+    global _ALL_EVENT_PERMISSIONS
+
+    if _ALL_EVENT_PERMISSIONS:
+        return _ALL_EVENT_PERMISSIONS
+
+    types = OrderedDict()
+    for recv, ret in register_event_permissions.send(None):
+        if isinstance(ret, (list, tuple)):
+            for r in ret:
+                types[r.name] = r
+        else:
+            types[ret.name] = ret
+    _ALL_EVENT_PERMISSIONS = types
+    return types
+
+
+def get_all_organizer_permissions():
+    global _ALL_ORGANIZER_PERMISSIONS
+
+    if _ALL_ORGANIZER_PERMISSIONS:
+        return _ALL_ORGANIZER_PERMISSIONS
+
+    types = OrderedDict()
+    for recv, ret in register_organizer_permissions.send(None):
+        if isinstance(ret, (list, tuple)):
+            for r in ret:
+                types[r.name] = r
+        else:
+            types[ret.name] = ret
+    _ALL_ORGANIZER_PERMISSIONS = types
+    return types
+
+
+@receiver(register_event_permissions, dispatch_uid="base_register_default_event_permissions")
+def register_default_event_permissions(sender, **kwargs):
+    return [
+        Permission("event.settings.general:write", _("Change general settings"), None,
+                   _("This includes access to all settings not listed explicitly below, including plugin settings.")),
+        Permission("event.settings.payment:write", _("Change payment settings"), None, None),
+        Permission("event.settings.tax:write", _("Change tax rules"), None, None),
+        Permission("event.settings.invoicing:write", _("Change invoicing settings"), None, None),
+        Permission("event.subevents:write", pgettext_lazy("subevent", "Change event series dates"), None,
+                   _("Read access is granted to all teams with access to the event.")),
+        Permission("event.items:write", _("Change products, quotas, and questions"), None,
+                   _("Also includes related objects like categories or discounts. Read access is granted to all teams with access to the event.")),
+        Permission("event.orders:read", _("View orders"), None, None),
+        Permission("event.orders:write", _("Change orders"), None, _("This includes the ability to cancel and refund individual orders.")),
+        Permission("event.orders:checkin", _("Check-in orders"), None, None),
+        Permission("event.vouchers:read", _("View vouchers"), None, None),
+        Permission("event.vouchers:write", _("Change vouchers"), None, None),
+        Permission("event:cancel", pgettext_lazy("subevent", "Cancel entire event or date"), None, None),
+    ]
+
+
+@receiver(register_organizer_permissions, dispatch_uid="base_register_default_organizer_permissions")
+def register_default_organizer_permissions(sender, **kwargs):
+    return [
+        Permission("organizer.events:create", _("Create events"), None, None),
+        Permission("organizer.settings.general:write", _("Change settings"), None,
+                   _("This includes access to all organizer-level functionality not listed explicitly below, including plugin settings.")),
+        Permission("organizer.teams:write", _("Change teams"), None,
+                   _("This includes the ability to give someone (including oneself) additional permissions. Read access "
+                     "is implicitly granted to the same team.")),
+        Permission("organizer.giftcards:read", _("View gift cards"), None, None),
+        Permission("organizer.giftcards:write", _("Change gift cards"), None, None),
+        Permission("organizer.customers:read", _("View customer accounts"), None, None),
+        Permission("organizer.customers:write", _("Change customer accounts"), None, None),
+        Permission("organizer.reusablemedia:read", _("View reusable media"), None,
+                   _("This includes access to data of tickets connected to reusable media.")),
+        Permission("organizer.reusablemedia:write", _("Change reusable media"), None, None),
+        Permission("organizer.devices:read", _("View devices and gates"), None, None),
+        Permission("organizer.devices:write", _("Change devices and gates"), None,
+                   _("This includes the ability to give access to events and data oneself does not have access to.")),
+    ]

src/pretix/base/services/export.py

@@ -106,7 +106,7 @@ def multiexport(self, organizer: Organizer, user: User, device: int, token: int,
         device = Device.objects.get(pk=device)
     if token:
         device = TeamAPIToken.objects.get(pk=token)
-    allowed_events = (device or token or user).get_events_with_permission('can_view_orders')
+    allowed_events = (device or token or user).get_events_with_permission('event.orders:read')
     if user and staff_session:
         allowed_events = organizer.events.all()
 
@@ -291,7 +291,7 @@ def _run_scheduled_export(schedule, context: Union[Event, Organizer], exporter,
 def scheduled_organizer_export(self, organizer: Organizer, schedule: int) -> None:
     schedule = organizer.scheduled_exports.get(pk=schedule)
 
-    allowed_events = schedule.owner.get_events_with_permission('can_view_orders')
+    allowed_events = schedule.owner.get_events_with_permission('event.orders:read')
     if schedule.export_form_data.get('events') is not None and not schedule.export_form_data.get('all_events'):
         if isinstance(schedule.export_form_data['events'][0], str):
             events = allowed_events.filter(slug__in=schedule.export_form_data.get('events'), organizer=organizer)
@@ -346,7 +346,7 @@ def scheduled_event_export(self, event: Event, schedule: int) -> None:
             exporter = ex
             break
 
-    has_permission = schedule.owner.is_active and schedule.owner.has_event_permission(event.organizer, event, 'can_view_orders')
+    has_permission = schedule.owner.is_active and schedule.owner.has_event_permission(event.organizer, event, 'event.orders:read')
 
     _run_scheduled_export(
         schedule,

src/pretix/base/settings.py

@@ -331,6 +331,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.tax:write',
         'form_kwargs': dict(
             label=_("Show net prices instead of gross prices in the product list"),
             help_text=_("Independent of your choice, the cart will show gross prices as this is the price that needs to be "
@@ -478,6 +479,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
+        'write_permission': 'event.settings.tax:write',
         'form_kwargs': dict(
             label=_("Rounding of taxes"),
             widget=forms.RadioSelect,
@@ -497,15 +499,17 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Ask for invoice address"),
-        )
+        ),
     },
     'invoice_address_not_asked_free': {
         'default': 'False',
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_('Do not ask for invoice address if an order is free'),
         )
@@ -515,6 +519,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Require customer name"),
         )
@@ -524,6 +529,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show attendee names on invoices"),
         )
@@ -533,6 +539,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show event location on invoices"),
             help_text=_("The event location will be shown below the list of products if it is the same for all "
@@ -544,6 +551,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show exchange rates"),
             widget=forms.RadioSelect,
@@ -567,6 +575,7 @@ DEFAULTS = {
         'default': 'False',
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'type': bool,
         'form_kwargs': dict(
             label=_("Require invoice address"),
@@ -577,6 +586,7 @@ DEFAULTS = {
         'default': 'False',
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'type': bool,
         'form_kwargs': dict(
             label=_("Require a business address"),
@@ -589,6 +599,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Ask for beneficiary"),
             widget=forms.CheckboxInput(attrs={'data-checkbox-dependency': '#id_invoice_address_asked'}),
@@ -599,6 +610,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Custom recipient field label"),
             widget=I18nTextInput,
@@ -614,6 +626,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Custom recipient field help text"),
             widget=I18nTextInput,
@@ -626,6 +639,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Ask for VAT ID"),
             help_text=format_lazy(
@@ -641,6 +655,7 @@ DEFAULTS = {
         'type': list,
         'form_class': forms.MultipleChoiceField,
         'serializer_class': serializers.MultipleChoiceField,
+        'write_permission': 'event.settings.invoicing:write',
         'serializer_kwargs': dict(
             choices=lazy(
                 lambda *args: sorted([(cc, gettext(Country(cc).name)) for cc in VAT_ID_COUNTRIES], key=lambda c: c[1]),
@@ -668,6 +683,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Invoice address explanation"),
             widget=I18nMarkdownTextarea,
@@ -680,6 +696,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show paid amount on partially paid invoices"),
             help_text=_("If an invoice has already been paid partially, this option will add the paid and pending "
@@ -691,6 +708,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show free products on invoices"),
             help_text=_("Note that invoices will never be generated for orders that contain only free "
@@ -702,6 +720,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Show expiration date of order"),
             help_text=_("The expiration date will not be shown if the invoice is generated after the order is paid."),
@@ -713,6 +732,7 @@ DEFAULTS = {
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
         'serializer_kwargs': dict(),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Minimum length of invoice number after prefix"),
             help_text=_("The part of your invoice number after your prefix will be filled up with leading zeros up to this length, e.g. INV-001 or INV-00001."),
@@ -726,6 +746,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Generate invoices with consecutive numbers"),
             help_text=_("If deactivated, the order code will be used in the invoice number."),
@@ -736,6 +757,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Invoice number prefix"),
             help_text=_("This will be prepended to invoice numbers. If you leave this field empty, your event slug will "
@@ -763,6 +785,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Invoice number prefix for cancellations"),
             help_text=_("This will be prepended to invoice numbers of cancellations. If you leave this field empty, "
@@ -786,6 +809,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Highlight order code to make it stand out visibly"),
             help_text=_("Only respected by some invoice renderers."),
@@ -797,6 +821,7 @@ DEFAULTS = {
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
         'serializer_kwargs': lambda: dict(**invoice_font_kwargs()),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': lambda: dict(
             label=_('Font'),
             help_text=_("Only respected by some invoice renderers."),
@@ -807,6 +832,7 @@ DEFAULTS = {
     'invoice_renderer': {
         'default': 'classic',  # default for new events is 'modern1'
         'type': str,
+        'write_permission': 'event.settings.invoicing:write',
     },
     'ticket_secret_generator': {
         'default': 'random',
@@ -883,6 +909,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             widget=I18nMarkdownTextarea,
             widget_kwargs={'attrs': {
@@ -904,6 +931,7 @@ DEFAULTS = {
                 ('minutes', _("in minutes"))
             ),
         ),
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_("Set payment term"),
             widget=forms.RadioSelect,
@@ -921,6 +949,7 @@ DEFAULTS = {
         'type': int,
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Payment term in days'),
             widget=forms.NumberInput(
@@ -946,6 +975,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Only end payment terms on weekdays'),
             help_text=_("If this is activated and the payment term of any order ends on a Saturday or Sunday, it will be "
@@ -963,6 +993,7 @@ DEFAULTS = {
         'type': int,
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Payment term in minutes'),
             help_text=_("The number of minutes after placing an order the user has to pay to preserve their reservation. "
@@ -987,6 +1018,7 @@ DEFAULTS = {
         'type': RelativeDateWrapper,
         'form_class': RelativeDateField,
         'serializer_class': SerializerRelativeDateField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Last date of payments'),
             help_text=_("The last date any payments are accepted. This has precedence over the terms "
@@ -999,6 +1031,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Automatically expire unpaid orders'),
             help_text=_("If checked, all unpaid orders will automatically go from 'pending' to 'expired' "
@@ -1011,6 +1044,7 @@ DEFAULTS = {
         'type': int,
         'form_class': forms.IntegerField,
         'serializer_class': serializers.IntegerField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Expiration delay'),
             help_text=_("The order will only actually expire this many days after the expiration date communicated "
@@ -1033,6 +1067,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Hide "payment pending" state on customer-facing pages'),
             help_text=_("The payment instructions panel will still be shown to the primary customer, but no indication "
@@ -1044,9 +1079,11 @@ DEFAULTS = {
         'default': 'True',
         'type': bool,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
     },
     'payment_giftcard_public_name': {
         'default': LazyI18nString.from_gettext(gettext_noop('Gift card')),
+        'write_permission': 'event.settings.payment:write',
         'type': LazyI18nString
     },
     'payment_giftcard_public_description': {
@@ -1055,10 +1092,12 @@ DEFAULTS = {
             'enough credit to pay for the full order, you will be shown this page again and you can either '
             'redeem another gift card or select a different payment method for the difference.'
         )),
+        'write_permission': 'event.settings.payment:write',
         'type': LazyI18nString
     },
     'payment_resellers__restrict_to_sales_channels': {
         'default': ['resellers'],
+        'write_permission': 'event.settings.payment:write',
         'type': list
     },
     'payment_term_accept_late': {
@@ -1066,6 +1105,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_('Accept late payments'),
             help_text=_("Accept payments for orders even when they are in 'expired' state as long as enough "
@@ -1095,6 +1135,7 @@ DEFAULTS = {
                 ('none', _('Charge no taxes')),
             ),
         ),
+        'write_permission': 'event.settings.payment:write',
         'form_kwargs': dict(
             label=_("Tax handling on payment fees"),
             widget=forms.RadioSelect,
@@ -1141,6 +1182,7 @@ DEFAULTS = {
                 ('paid', _('Automatically on payment or when required by payment method')),
             ),
         ),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Generate invoices"),
             widget=forms.RadioSelect,
@@ -1169,6 +1211,7 @@ DEFAULTS = {
                 ('invoice_date', _('Invoice date')),
             ),
         ),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Date of service"),
             widget=forms.RadioSelect,
@@ -1189,6 +1232,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Automatically cancel and reissue invoice on address changes"),
             help_text=_("If customers change their invoice address on an existing order, the invoice will "
@@ -1201,6 +1245,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Allow to update existing invoices"),
             help_text=_("By default, invoices can never again be changed once they are issued. In most countries, we "
@@ -1210,6 +1255,7 @@ DEFAULTS = {
     },
     'invoice_generate_sales_channels': {
         'default': json.dumps(['web']),
+        'write_permission': 'event.settings.invoicing:write',
         'type': list
     },
     'invoice_address_from': {
@@ -1217,6 +1263,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Address line"),
             widget=forms.Textarea(attrs={
@@ -1232,6 +1279,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             max_length=190,
             label=_("Company name"),
@@ -1242,6 +1290,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=forms.TextInput(attrs={
                 'placeholder': '12345'
@@ -1255,6 +1304,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=forms.TextInput(attrs={
                 'placeholder': _('Random City')
@@ -1271,6 +1321,7 @@ DEFAULTS = {
         'serializer_kwargs': {
             'choices': [('', '')],
         },
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': {
             "label": pgettext_lazy('address', 'State'),
             'choices': [('', '')],
@@ -1282,6 +1333,7 @@ DEFAULTS = {
         'form_class': forms.ChoiceField,
         'serializer_class': serializers.ChoiceField,
         'serializer_kwargs': lambda: dict(**country_choice_kwargs()),
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': lambda: dict(
             label=_('Country'),
             widget=forms.Select(attrs={
@@ -1295,6 +1347,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Domestic tax ID"),
             help_text=_("e.g. tax number in Germany, ABN in Australia, …"),
@@ -1306,6 +1359,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("EU VAT ID"),
             max_length=190,
@@ -1316,6 +1370,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=I18nTextarea,
             widget_kwargs={'attrs': {
@@ -1333,6 +1388,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=I18nTextarea,
             widget_kwargs={'attrs': {
@@ -1350,6 +1406,7 @@ DEFAULTS = {
         'type': LazyI18nString,
         'form_class': I18nFormField,
         'serializer_class': I18nField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             widget=I18nTextarea,
             widget_kwargs={'attrs': {
@@ -1364,6 +1421,7 @@ DEFAULTS = {
     },
     'invoice_language': {
         'default': '__user__',
+        'write_permission': 'event.settings.invoicing:write',
         'type': str
     },
     'invoice_email_attachment': {
@@ -1371,6 +1429,7 @@ DEFAULTS = {
         'type': bool,
         'form_class': forms.BooleanField,
         'serializer_class': serializers.BooleanField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Attach invoices to emails"),
             help_text=_("If invoices are automatically generated for all orders, they will be attached to the order "
@@ -1384,6 +1443,7 @@ DEFAULTS = {
         'type': str,
         'form_class': forms.CharField,
         'serializer_class': serializers.CharField,
+        'write_permission': 'event.settings.invoicing:write',
         'form_kwargs': dict(
             label=_("Email address to receive a copy of each invoice"),
             help_text=_("Each newly created invoice will be sent to this email address shortly after creation. You can "
@@ -3215,7 +3275,8 @@ Your {organizer} team"""))  # noqa: W291
                 'image/png', 'image/jpeg', 'image/gif'
             ],
             max_size=settings.FILE_UPLOAD_MAX_SIZE_IMAGE,
-        )
+        ),
+        'write_permission': 'event.settings.invoicing:write',
     },
     'frontpage_text': {
         'default': '',

src/pretix/base/signals.py

@@ -561,6 +561,18 @@ however for this signal, the ``sender`` **may also be None** to allow creating t
 notification settings!
 """
 
+register_event_permissions = GlobalSignal()
+"""
+This signal is sent out to get all known permissions. Receivers should return an
+instance of pretix.base.permissions.Permission or a list of such instances.
+"""
+
+register_organizer_permissions = GlobalSignal()
+"""
+This signal is sent out to get all known permissions. Receivers should return an
+instance of pretix.base.permissions.Permission or a list of such instances.
+"""
+
 notification = EventPluginSignal()
 """
 Arguments: ``logentry_id``, ``notification_type``
@@ -1098,6 +1110,9 @@ api_event_settings_fields = EventPluginSignal()
 This signal is sent out to collect serializable settings fields for the API. You are expected to
 return a dictionary mapping names of attributes in the settings store to DRF serializer field instances.
 
+These are readable for all users with access to the events, therefore secrets made in the settings store
+should not be included!
+
 As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
 """
 

src/pretix/base/timeline.py

@@ -32,7 +32,11 @@ from pretix.base.models import ItemVariation
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.signals import timeline_events
 
-TimelineEvent = namedtuple('TimelineEvent', ('event', 'subevent', 'datetime', 'description', 'edit_url'))
+TimelineEvent = namedtuple(
+    'TimelineEvent',
+    ('event', 'subevent', 'datetime', 'description', 'edit_url', 'edit_permission'),
+    defaults=(None, None, None, None, None, 'event.settings.general:write')
+)
 
 
 def timeline_for_event(event, subevent=None):
@@ -46,6 +50,7 @@ def timeline_for_event(event, subevent=None):
                 'subevent': subevent.pk
             }
         )
+        ev_edit_permission = 'event.subevents:write'
     else:
         ev_edit_url = reverse(
             'control:event.settings', kwargs={
@@ -53,12 +58,14 @@ def timeline_for_event(event, subevent=None):
                 'organizer': event.organizer.slug
             }
         )
+        ev_edit_permission = 'event.settings.general:write'
 
     tl.append(TimelineEvent(
         event=event, subevent=subevent,
         datetime=ev.date_from,
         description=pgettext_lazy('timeline', 'Your event starts'),
-        edit_url=ev_edit_url + '#id_date_from_0'
+        edit_url=ev_edit_url + '#id_date_from_0',
+        edit_permission=ev_edit_permission,
     ))
 
     if ev.date_to:
@@ -66,7 +73,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=ev.date_to,
             description=pgettext_lazy('timeline', 'Your event ends'),
-            edit_url=ev_edit_url + '#id_date_to_0'
+            edit_url=ev_edit_url + '#id_date_to_0',
+            edit_permission=ev_edit_permission,
         ))
 
     if ev.date_admission:
@@ -74,7 +82,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=ev.date_admission,
             description=pgettext_lazy('timeline', 'Admissions for your event start'),
-            edit_url=ev_edit_url + '#id_date_admission_0'
+            edit_url=ev_edit_url + '#id_date_admission_0',
+            edit_permission=ev_edit_permission,
         ))
 
     if ev.presale_start:
@@ -82,7 +91,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=ev.presale_start,
             description=pgettext_lazy('timeline', 'Start of ticket sales'),
-            edit_url=ev_edit_url + '#id_presale_start_0'
+            edit_url=ev_edit_url + '#id_presale_start_0',
+            edit_permission=ev_edit_permission,
         ))
 
     tl.append(TimelineEvent(
@@ -97,7 +107,8 @@ def timeline_for_event(event, subevent=None):
         ) if not ev.presale_end else (
             pgettext_lazy('timeline', 'End of ticket sales')
         ),
-        edit_url=ev_edit_url + '#id_presale_end_0'
+        edit_url=ev_edit_url + '#id_presale_end_0',
+        edit_permission=ev_edit_permission,
     ))
 
     rd = event.settings.get('last_order_modification_date', as_type=RelativeDateWrapper)
@@ -106,7 +117,8 @@ def timeline_for_event(event, subevent=None):
             event=event, subevent=subevent,
             datetime=rd.datetime(ev),
             description=pgettext_lazy('timeline', 'Customers can no longer modify their order information'),
-            edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0'
+            edit_url=ev_edit_url + '#id_settings-last_order_modification_date_0_0',
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('payment_term_last', as_type=RelativeDateWrapper)
@@ -122,7 +134,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.payment', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.payment:write',
         ))
 
     rd = event.settings.get('ticket_download_date', as_type=RelativeDateWrapper)
@@ -134,7 +147,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.tickets', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('cancel_allow_user_until', as_type=RelativeDateWrapper)
@@ -146,7 +160,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.cancel', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('cancel_allow_user_paid_until', as_type=RelativeDateWrapper)
@@ -158,7 +173,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.cancel', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('change_allow_user_until', as_type=RelativeDateWrapper)
@@ -170,7 +186,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings.cancel', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            })
+            }),
+            edit_permission='event.settings.general:write',
         ))
 
     rd = event.settings.get('waiting_list_auto_disable', as_type=RelativeDateWrapper)
@@ -182,7 +199,8 @@ def timeline_for_event(event, subevent=None):
             edit_url=reverse('control:event.settings', kwargs={
                 'event': event.slug,
                 'organizer': event.organizer.slug
-            }) + '#waiting-list-open'
+            }) + '#waiting-list-open',
+            edit_permission='event.settings.general:write',
         ))
 
     if not event.has_subevents:
@@ -196,7 +214,8 @@ def timeline_for_event(event, subevent=None):
                 edit_url=reverse('control:event.settings.mail', kwargs={
                     'event': event.slug,
                     'organizer': event.organizer.slug
-                })
+                }),
+                edit_permission='event.settings.general:write',
             ))
 
     if subevent:
@@ -210,7 +229,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
             if sei.available_until:
                 tl.append(TimelineEvent(
@@ -221,7 +241,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
         for sei in subevent.var_overrides.values():
             if sei.available_from:
@@ -234,7 +255,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
             if sei.available_until:
                 tl.append(TimelineEvent(
@@ -246,7 +268,8 @@ def timeline_for_event(event, subevent=None):
                         'event': event.slug,
                         'organizer': event.organizer.slug,
                         'subevent': subevent.pk,
-                    })
+                    }),
+                    edit_permission='event.subevents:write',
                 ))
 
     for d in event.discounts.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -259,7 +282,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'discount': d.pk,
-                })
+                }),
+                edit_permission='event.items:write',
             ))
         if d.available_until:
             tl.append(TimelineEvent(
@@ -270,7 +294,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'discount': d.pk,
-                })
+                }),
+                edit_permission='event.items:write',
             ))
 
     for p in event.items.filter(Q(available_from__isnull=False) | Q(available_until__isnull=False)):
@@ -283,7 +308,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': p.pk,
-                }) + '#id_available_from_0'
+                }) + '#id_available_from_0',
+                edit_permission='event.items:write',
             ))
         if p.available_until:
             tl.append(TimelineEvent(
@@ -294,7 +320,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': p.pk,
-                }) + '#id_available_until_0'
+                }) + '#id_available_until_0',
+                edit_permission='event.items:write',
             ))
 
     for v in ItemVariation.objects.filter(
@@ -313,7 +340,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': v.item.pk,
-                }) + '#tab-0-3-open'
+                }) + '#tab-0-3-open',
+                edit_permission='event.items:write',
             ))
         if v.available_until:
             tl.append(TimelineEvent(
@@ -327,7 +355,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'item': v.item.pk,
-                }) + '#tab-0-3-open'
+                }) + '#tab-0-3-open',
+                edit_permission='event.items:write',
             ))
 
     pprovs = event.get_payment_providers()
@@ -357,7 +386,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'provider': pprov.identifier,
-                })
+                }),
+                edit_permission='event.settings.payment:write',
             ))
         availability_date = pprov.settings.get('_availability_date', as_type=RelativeDateWrapper)
         if availability_date:
@@ -375,7 +405,8 @@ def timeline_for_event(event, subevent=None):
                     'event': event.slug,
                     'organizer': event.organizer.slug,
                     'provider': pprov.identifier,
-                })
+                }),
+                edit_permission='event.settings.payment:write',
             ))
 
     for recv, resp in timeline_events.send(sender=event, subevent=subevent):

src/pretix/control/context.py

@@ -102,7 +102,7 @@ def _default_context(request):
                     complain_testmode_orders = request.event.orders.filter(testmode=True).exists()
                     request.event.cache.set('complain_testmode_orders', complain_testmode_orders, 30)
             ctx['complain_testmode_orders'] = complain_testmode_orders and request.user.has_event_permission(
-                request.organizer, request.event, 'can_view_orders', request=request
+                request.organizer, request.event, 'event.orders:read', request=request
             )
         else:
             ctx['complain_testmode_orders'] = False

src/pretix/control/forms/event.py

@@ -62,6 +62,7 @@ from pretix.base.forms import (
 )
 from pretix.base.models import Event, Organizer, TaxRule, Team
 from pretix.base.models.event import EventFooterLink, EventMetaValue, SubEvent
+from pretix.base.models.organizer import TeamQuerySet
 from pretix.base.models.tax import TAX_CODE_LISTS
 from pretix.base.reldate import RelativeDateField, RelativeDateTimeField
 from pretix.base.services.placeholders import FormPlaceholderMixin
@@ -104,7 +105,7 @@ class EventWizardFoundationForm(forms.Form):
         qs = Organizer.objects.all()
         if not self.user.has_active_staff_session(self.session.session_key):
             qs = qs.filter(
-                id__in=self.user.teams.filter(can_create_events=True).values_list('organizer', flat=True)
+                id__in=self.user.teams.filter(TeamQuerySet.organizer_permission_q("organizer.events:create")).values_list('organizer', flat=True)
             )
         self.fields['organizer'] = forms.ModelChoiceField(
             label=_("Organizer"),
@@ -262,8 +263,12 @@ class EventWizardBasicsForm(I18nModelForm):
     @staticmethod
     def has_control_rights(user, organizer, session):
         return user.teams.filter(
-            organizer=organizer, all_events=True, can_change_event_settings=True, can_change_items=True,
-            can_change_orders=True, can_change_vouchers=True
+            TeamQuerySet.event_permission_q("event.items:write"),
+            TeamQuerySet.event_permission_q("event.orders:write"),
+            TeamQuerySet.event_permission_q("event.vouchers:write"),
+            TeamQuerySet.event_permission_q("event.settings.general:write"),
+            organizer=organizer,
+            all_events=True,
         ).exists() or user.has_active_staff_session(session.session_key)
 
 
@@ -294,9 +299,14 @@ class EventWizardCopyForm(forms.Form):
             return Event.objects.all()
         return Event.objects.filter(
             Q(organizer_id__in=user.teams.filter(
-                all_events=True, can_change_event_settings=True, can_change_items=True
+                # TODO: review these!
+                # Restrict cross-organizer copying further than same-organizer copying?
+                TeamQuerySet.event_permission_q("event.settings.general:write"),
+                TeamQuerySet.event_permission_q("event.items:write"),
+                all_events=True,
             ).values_list('organizer', flat=True)) | Q(id__in=user.teams.filter(
-                can_change_event_settings=True, can_change_items=True
+                TeamQuerySet.event_permission_q("event.settings.general:write"),
+                TeamQuerySet.event_permission_q("event.items:write"),
             ).values_list('limit_events__id', flat=True))
         )
 

src/pretix/control/forms/filter.py

@@ -1110,7 +1110,7 @@ class OrderPaymentSearchFilterForm(forms.Form):
             self.fields['organizer'].queryset = Organizer.objects.filter(
                 pk__in=self.request.user.teams.values_list('organizer', flat=True)
             )
-            self.fields['event'].queryset = self.request.user.get_events_with_permission('can_view_orders')
+            self.fields['event'].queryset = self.request.user.get_events_with_permission('event.orders:read')
 
         self.fields['provider'].choices += get_all_payment_providers()
 

src/pretix/control/forms/organizer.py

@@ -75,7 +75,10 @@ from pretix.base.models import (
     ReusableMedium, SalesChannel, Team,
 )
 from pretix.base.models.customers import CustomerSSOClient, CustomerSSOProvider
-from pretix.base.models.organizer import OrganizerFooterLink
+from pretix.base.models.organizer import OrganizerFooterLink, TeamQuerySet
+from pretix.base.permissions import (
+    get_all_event_permissions, get_all_organizer_permissions,
+)
 from pretix.base.settings import (
     PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS, validate_organizer_settings,
 )
@@ -297,6 +300,18 @@ class MembershipTypeForm(I18nModelForm):
         fields = ['name', 'transferable', 'allow_parallel_usage', 'max_usages']
 
 
+class PermissionMultipleChoiceField(forms.MultipleChoiceField):
+    def to_python(self, value):
+        return {
+            k: True for k in super().to_python(value) if k
+        }
+
+    def prepare_value(self, value):
+        if isinstance(value, dict):
+            return [k for k, v in value.items() if v is True]
+        return super().prepare_value(value)
+
+
 class TeamForm(forms.ModelForm):
 
     def __init__(self, *args, **kwargs):
@@ -305,16 +320,50 @@ class TeamForm(forms.ModelForm):
         self.fields['limit_events'].queryset = organizer.events.all().order_by(
             '-has_subevents', '-date_from'
         )
+        self.fields['limit_event_permissions'] = PermissionMultipleChoiceField(
+            label=self.fields['limit_event_permissions'].label,
+            choices=[
+                (
+                    p.name,
+                    format_html(
+                        '{} <span class="fa fa-info-circle text-muted" data-toggle="tooltip" title="{}"></span> (<code>{}</code>)',
+                        p.label, p.help_text, p.name
+                    ) if p.help_text
+                    else format_html('{} (<code>{}</code>)', p.label, p.name)
+                )
+                for p in get_all_event_permissions().values()
+            ],
+            widget=forms.CheckboxSelectMultiple(attrs={
+                'data-inverse-dependency': '#id_all_event_permissions',
+                'class': 'scrolling-multiple-choice scrolling-multiple-choice-large',
+            }),
+            required=False,
+        )
+        self.fields['limit_organizer_permissions'] = PermissionMultipleChoiceField(
+            label=self.fields['limit_organizer_permissions'].label,
+            choices=[
+                (
+                    p.name,
+                    format_html(
+                        '{} <span class="fa fa-info-circle text-muted" data-toggle="tooltip" title="{}"></span> (<code>{}</code>)',
+                        p.label, p.help_text, p.name
+                    ) if p.help_text
+                    else format_html('{} (<code>{}</code>)', p.label, p.name)
+                )
+                for p in get_all_organizer_permissions().values()
+            ],
+            widget=forms.CheckboxSelectMultiple(attrs={
+                'data-inverse-dependency': '#id_all_organizer_permissions',
+                'class': 'scrolling-multiple-choice scrolling-multiple-choice-large',
+            }),
+            required=False,
+        )
 
     class Meta:
         model = Team
-        fields = ['name', 'require_2fa', 'all_events', 'limit_events', 'can_create_events',
-                  'can_change_teams', 'can_change_organizer_settings',
-                  'can_manage_gift_cards', 'can_manage_customers',
-                  'can_manage_reusable_media',
-                  'can_change_event_settings', 'can_change_items',
-                  'can_view_orders', 'can_change_orders', 'can_checkin_orders',
-                  'can_view_vouchers', 'can_change_vouchers']
+        fields = ['name', 'require_2fa', 'all_events', 'limit_events',
+                  'all_event_permissions', 'limit_event_permissions',
+                  'all_organizer_permissions', 'limit_organizer_permissions']
         widgets = {
             'limit_events': forms.CheckboxSelectMultiple(attrs={
                 'data-inverse-dependency': '#id_all_events',
@@ -327,9 +376,10 @@ class TeamForm(forms.ModelForm):
 
     def clean(self):
         data = super().clean()
-        if self.instance.pk and not data['can_change_teams']:
+        if self.instance.pk and not data['all_organizer_permissions'] and 'organizer.teams:write' not in data.get('limit_organizer_permissions', []):
             if not self.instance.organizer.teams.exclude(pk=self.instance.pk).filter(
-                    can_change_teams=True, members__isnull=False
+                TeamQuerySet.organizer_permission_q("organizer.teams:write"),
+                members__isnull=False
             ).exists():
                 raise ValidationError(_('The changes could not be saved because there would be no remaining team with '
                                         'the permission to change teams and permissions.'))

src/pretix/control/navigation.py

@@ -43,24 +43,29 @@ def get_event_navigation(request: HttpRequest):
             'icon': 'dashboard',
         }
     ]
-    if 'can_change_event_settings' in request.eventpermset:
-        event_settings = [
-            {
-                'label': _('General'),
-                'url': reverse('control:event.settings', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name == 'event.settings',
-            },
-            {
-                'label': _('Payment'),
-                'url': reverse('control:event.settings.payment', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name in ('event.settings.payment', 'event.settings.payment.provider'),
-            },
+    event_settings = []
+    if "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('General'),
+            'url': reverse('control:event.settings', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name == 'event.settings',
+        })
+
+    if "event.settings.payment:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('Payment'),
+            'url': reverse('control:event.settings.payment', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name in ('event.settings.payment', 'event.settings.payment.provider'),
+        })
+
+    if "event.settings.general:write" in request.eventpermset:
+        event_settings += [
             {
                 'label': _('Plugins'),
                 'url': reverse('control:event.settings.plugins', kwargs={
@@ -84,23 +89,31 @@ def get_event_navigation(request: HttpRequest):
                     'organizer': request.event.organizer.slug,
                 }),
                 'active': url.url_name == 'event.settings.mail',
-            },
-            {
-                'label': _('Taxes'),
-                'url': reverse('control:event.settings.tax', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name.startswith('event.settings.tax'),
-            },
-            {
-                'label': _('Invoicing'),
-                'url': reverse('control:event.settings.invoice', kwargs={
-                    'event': request.event.slug,
-                    'organizer': request.event.organizer.slug,
-                }),
-                'active': url.url_name == 'event.settings.invoice',
-            },
+            }
+        ]
+
+    if "event.settings.tax:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('Taxes'),
+            'url': reverse('control:event.settings.tax', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name.startswith('event.settings.tax'),
+        })
+
+    if "event.settings.invoicing:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset:
+        event_settings.append({
+            'label': _('Invoicing'),
+            'url': reverse('control:event.settings.invoice', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': url.url_name == 'event.settings.invoice',
+        })
+
+    if "event.settings.general:write" in request.eventpermset:
+        event_settings += [
             {
                 'label': pgettext_lazy('action', 'Cancellation'),
                 'url': reverse('control:event.settings.cancel', kwargs={
@@ -118,88 +131,87 @@ def get_event_navigation(request: HttpRequest):
                 'active': url.url_name == 'event.settings.widget',
             },
         ]
+
+        # It would be better to allow plugins to handle the permission themselves, but for backwards compatibility
+        # we need to have it in the "if" statement
         event_settings += sorted(
             sum((list(a[1]) for a in nav_event_settings.send(request.event, request=request)), []),
             key=lambda r: r['label']
         )
+    if event_settings:
         nav.append({
             'label': _('Settings'),
-            'url': reverse('control:event.settings', kwargs={
-                'event': request.event.slug,
-                'organizer': request.event.organizer.slug,
-            }),
+            'url': event_settings[0]["url"],
             'active': False,
             'icon': 'wrench',
             'children': event_settings
         })
 
-    if 'can_change_items' in request.eventpermset:
-        nav.append({
-            'label': _('Products'),
-            'url': reverse('control:event.items', kwargs={
-                'event': request.event.slug,
-                'organizer': request.event.organizer.slug,
-            }),
-            'active': False,
-            'icon': 'ticket',
-            'children': [
-                {
-                    'label': _('Products'),
-                    'url': reverse('control:event.items', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': url.url_name in (
-                        'event.item', 'event.items.add', 'event.items') or "event.item." in url.url_name,
-                },
-                {
-                    'label': _('Quotas'),
-                    'url': reverse('control:event.items.quotas', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.quota' in url.url_name,
-                },
-                {
-                    'label': _('Categories'),
-                    'url': reverse('control:event.items.categories', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.categories' in url.url_name,
-                },
-                {
-                    'label': _('Questions'),
-                    'url': reverse('control:event.items.questions', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.questions' in url.url_name,
-                },
-                {
-                    'label': _('Discounts'),
-                    'url': reverse('control:event.items.discounts', kwargs={
-                        'event': request.event.slug,
-                        'organizer': request.event.organizer.slug,
-                    }),
-                    'active': 'event.items.discounts' in url.url_name,
-                },
-            ]
-        })
-
-    if 'can_change_event_settings' in request.eventpermset:
-        if request.event.has_subevents:
-            nav.append({
-                'label': pgettext_lazy('subevent', 'Dates'),
-                'url': reverse('control:event.subevents', kwargs={
+    nav.append({
+        'label': _('Products'),
+        'url': reverse('control:event.items', kwargs={
+            'event': request.event.slug,
+            'organizer': request.event.organizer.slug,
+        }),
+        'active': False,
+        'icon': 'ticket',
+        'children': [
+            {
+                'label': _('Products'),
+                'url': reverse('control:event.items', kwargs={
                     'event': request.event.slug,
                     'organizer': request.event.organizer.slug,
                 }),
-                'active': ('event.subevent' in url.url_name),
-                'icon': 'calendar',
-            })
+                'active': url.url_name in (
+                    'event.item', 'event.items.add', 'event.items') or "event.item." in url.url_name,
+            },
+            {
+                'label': _('Quotas'),
+                'url': reverse('control:event.items.quotas', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.quota' in url.url_name,
+            },
+            {
+                'label': _('Categories'),
+                'url': reverse('control:event.items.categories', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.categories' in url.url_name,
+            },
+            {
+                'label': _('Questions'),
+                'url': reverse('control:event.items.questions', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.questions' in url.url_name,
+            },
+            {
+                'label': _('Discounts'),
+                'url': reverse('control:event.items.discounts', kwargs={
+                    'event': request.event.slug,
+                    'organizer': request.event.organizer.slug,
+                }),
+                'active': 'event.items.discounts' in url.url_name,
+            },
+        ]
+    })
 
-    if 'can_view_orders' in request.eventpermset:
+    if request.event.has_subevents:
+        nav.append({
+            'label': pgettext_lazy('subevent', 'Dates'),
+            'url': reverse('control:event.subevents', kwargs={
+                'event': request.event.slug,
+                'organizer': request.event.organizer.slug,
+            }),
+            'active': ('event.subevent' in url.url_name),
+            'icon': 'calendar',
+        })
+
+    if 'event.orders:read' in request.eventpermset:
         children = [
             {
                 'label': _('All orders'),
@@ -242,7 +254,7 @@ def get_event_navigation(request: HttpRequest):
                 'active': 'event.orders.waitinglist' in url.url_name,
             },
         ]
-        if 'can_change_orders' in request.eventpermset:
+        if 'event.orders:write' in request.eventpermset:
             children.append({
                 'label': _('Import'),
                 'url': reverse('control:event.orders.import', kwargs={
@@ -262,7 +274,7 @@ def get_event_navigation(request: HttpRequest):
             'children': children
         })
 
-    if 'can_view_vouchers' in request.eventpermset:
+    if 'event.vouchers:read' in request.eventpermset:
         nav.append({
             'label': _('Vouchers'),
             'url': reverse('control:event.vouchers', kwargs={
@@ -291,7 +303,7 @@ def get_event_navigation(request: HttpRequest):
             ]
         })
 
-    if 'can_view_orders' in request.eventpermset:
+    if 'event.orders:read' in request.eventpermset or 'event.settings.general:write' in request.eventpermset:
         nav.append({
             'label': pgettext_lazy('navigation', 'Check-in'),
             'url': reverse('control:event.orders.checkinlists', kwargs={
@@ -480,7 +492,7 @@ def get_organizer_navigation(request):
             'icon': 'calendar',
         },
     ]
-    if 'can_change_organizer_settings' in request.orgapermset:
+    if 'organizer.settings.general:write' in request.orgapermset:
         nav.append({
             'label': _('Settings'),
             'url': reverse('control:organizer.edit', kwargs={
@@ -534,7 +546,7 @@ def get_organizer_navigation(request):
             ]
         })
 
-    if 'can_change_teams' in request.orgapermset:
+    if 'organizer.teams:write' in request.orgapermset:
         nav.append({
             'label': _('Teams'),
             'url': reverse('control:organizer.teams', kwargs={
@@ -544,7 +556,7 @@ def get_organizer_navigation(request):
             'icon': 'group',
         })
 
-    if 'can_manage_gift_cards' in request.orgapermset:
+    if 'organizer.giftcards:read' in request.orgapermset or 'organizer.giftcards:write' in request.orgapermset:
         children = []
         children.append({
             'label': _('Gift cards'),
@@ -554,7 +566,7 @@ def get_organizer_navigation(request):
             'active': 'organizer.giftcard' in url.url_name and 'acceptance' not in url.url_name,
             'children': children,
         })
-        if 'can_change_organizer_settings' in request.orgapermset:
+        if 'organizer.settings.general:write' in request.orgapermset:
             children.append(
                 {
                     'label': _('Acceptance'),
@@ -575,7 +587,7 @@ def get_organizer_navigation(request):
 
     if request.organizer.settings.customer_accounts:
         children = []
-        if 'can_manage_customers' in request.orgapermset:
+        if 'organizer.customers:read' in request.orgapermset or 'organizer.customers:write' in request.orgapermset:
             children.append(
                 {
                     'label': _('Customers'),
@@ -585,7 +597,7 @@ def get_organizer_navigation(request):
                     'active': 'organizer.customer' in url.url_name,
                 }
             )
-        if 'can_change_organizer_settings' in request.orgapermset:
+        if 'organizer.settings.general:write' in request.orgapermset:
             children.append(
                 {
                     'label': _('Membership types'),
@@ -624,16 +636,17 @@ def get_organizer_navigation(request):
             })
 
     if request.organizer.settings.reusable_media_active:
-        nav.append({
-            'label': _('Reusable media'),
-            'url': reverse('control:organizer.reusable_media', kwargs={
-                'organizer': request.organizer.slug
-            }),
-            'icon': 'key',
-            'active': 'organizer.reusable_medi' in url.url_name,
-        })
+        if 'organizer.reusablemedia:read' in request.orgapermset or 'organizer.reusablemedia:write' in request.orgapermset:
+            nav.append({
+                'label': _('Reusable media'),
+                'url': reverse('control:organizer.reusable_media', kwargs={
+                    'organizer': request.organizer.slug
+                }),
+                'icon': 'key',
+                'active': 'organizer.reusable_medi' in url.url_name,
+            })
 
-    if 'can_change_organizer_settings' in request.orgapermset:
+    if 'organizer.devices:read' in request.orgapermset or 'organizer.devices:write' in request.orgapermset:
         nav.append({
             'label': _('Devices'),
             'url': reverse('control:organizer.devices', kwargs={
@@ -667,7 +680,7 @@ def get_organizer_navigation(request):
         'icon': 'download',
     })
 
-    if 'can_change_organizer_settings' in request.orgapermset:
+    if 'organizer.settings.general:write' in request.orgapermset:
         merge_in(nav, [{
             'parent': reverse('control:organizer.export', kwargs={
                 'organizer': request.organizer.slug,

src/pretix/control/permissions.py

@@ -55,7 +55,7 @@ def event_permission_required(permission):
     """
     if permission == 'can_change_settings':
         # Legacy support
-        permission = 'can_change_event_settings'
+        permission = 'event.settings.general:write'
 
     def decorator(function):
         def wrapper(request, *args, **kw):
@@ -92,9 +92,9 @@ def organizer_permission_required(permission):
     This view decorator rejects all requests with a 403 response which are not from
     users having the given permission for the event the request is associated with.
     """
-    if permission == 'can_change_settings':
+    if permission == 'event.settings.general:write':
         # Legacy support
-        permission = 'can_change_organizer_settings'
+        permission = 'organizer.settings.general:write'
 
     def decorator(function):
         def wrapper(request, *args, **kw):

src/pretix/control/templates/pretixcontrol/checkin/index.html

@@ -9,7 +9,7 @@
 {% block content %}
     <h1>
         {% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %}
-        {% if 'can_change_event_settings' in request.eventpermset %}
+        {% if 'event.settings.general:write' in request.eventpermset %}
             <a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
                     class="btn btn-default">
                 <span class="fa fa-wrench"></span>
@@ -87,7 +87,7 @@
                     <thead>
                     <tr>
                         <th>
-                            {% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
                                 <label aria-label="{% trans "select all rows for batch-operation" %}"
                                        class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
                             {% endif %}
@@ -132,7 +132,7 @@
                     {% for e in entries %}
                         <tr>
                             <td>
-                                {% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
                                     <input type="checkbox" name="checkin" id="id_checkin" class="" value="{{ e.pk }}"/>
                                 {% endif %}
                             </td>
@@ -207,7 +207,7 @@
                 </table>
             </div>
             <div class="batch-select-actions">
-                {% if "can_change_orders" in request.eventpermset or "can_checkin_orders" in request.eventpermset %}
+                {% if "event.orders:write" in request.eventpermset or "event.orders:checkin" in request.eventpermset %}
                     <button type="submit" class="btn btn-primary btn-save">
                         <span class="fa fa-sign-in" aria-hidden="true"></span>
                         {% trans "Check-In selected attendees" %}
@@ -217,7 +217,7 @@
                         {% trans "Check-Out selected attendees" %}
                     </button>
                 {% endif %}
-                {% if "can_change_orders" in request.eventpermset %}
+                {% if "event.orders:write" in request.eventpermset %}
                     <button type="submit" class="btn btn-danger btn-save" name="revert"
                             formaction="{% url "control:event.orders.checkinlists.bulk_revert" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
                             data-no-asynctask

src/pretix/control/templates/pretixcontrol/checkin/lists.html

@@ -63,27 +63,27 @@
                 {% endif %}
             </p>
 
-            {% if "can_change_event_settings" in request.eventpermset %}
+            {% if "event.settings.general:write" in request.eventpermset %}
                 <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %}
                 </a>
             {% endif %}
-            {% if can_change_organizer_settings %}
+            {% if link_device_settings %}
                 <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}"
                    class="btn btn-default btn-lg"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a>
             {% endif %}
         </div>
     {% else %}
         <p>
-            {% if "can_change_event_settings" in request.eventpermset %}
+            {% if "event.settings.general:write" in request.eventpermset %}
                 <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                    class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new check-in list" %}</a>
             {% endif %}
-            {% if can_change_organizer_settings %}
+            {% if link_device_settings %}
                 <a href="{% url "control:organizer.devices" organizer=request.organizer.slug %}"
                    class="btn btn-default"><i class="fa fa-tablet"></i> {% trans "Connected devices" %}</a>
             {% endif %}
-            {% if "can_change_orders" in request.eventpermset %}
+            {% if "event.settings.general:write" in request.eventpermset and "event.orders:write" in request.eventpermset %}
                 <a href="{% url "control:event.orders.checkinlists.reset" organizer=request.event.organizer.slug event=request.event.slug %}"
                    class="btn btn-default">
                     <span class="fa fa-repeat"></span>
@@ -100,7 +100,9 @@
                         <a href="?{% url_replace request 'ordering' '-name' %}"><i class="fa fa-caret-down"></i></a>
                         <a href="?{% url_replace request 'ordering' 'name' %}"><i class="fa fa-caret-up"></i></a>
                     </th>
-                    <th>{% trans "Checked in" %}</th>
+                    {% if "event.orders:read" in request.eventpermset %}
+                        <th>{% trans "Checked in" %}</th>
+                    {% endif %}
                     {% if request.event.has_subevents %}
                         <th>
                             {% trans "Date" context "subevent" %}
@@ -119,18 +121,20 @@
                             <strong><a
                                     href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}">{{ cl.name }}</a></strong>
                         </td>
-                        <td>
-                            <div class="quotabox availability">
-                                <div class="progress">
-                                    <div class="progress-bar progress-bar-success progress-bar-{{ cl.percent }}">
+                        {% if "event.orders:read" in request.eventpermset %}
+                            <td>
+                                <div class="quotabox availability">
+                                    <div class="progress">
+                                        <div class="progress-bar progress-bar-success progress-bar-{{ cl.percent }}">
+                                        </div>
+                                    </div>
+                                    <div class="numbers">
+                                        {{ cl.checkin_count|default_if_none:"0" }} /
+                                        {{ cl.position_count|default_if_none:"0" }}
                                     </div>
                                 </div>
-                                <div class="numbers">
-                                    {{ cl.checkin_count|default_if_none:"0" }} /
-                                    {{ cl.position_count|default_if_none:"0" }}
-                                </div>
-                            </div>
-                        </td>
+                            </td>
+                        {% endif %}
                         {% if request.event.has_subevents %}
                             {% if cl.subevent %}
                                 <td>
@@ -156,16 +160,18 @@
                             {% endif %}
                         </td>
                         <td class="text-right flip">
-                            <a href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
-                               class="btn btn-default btn-sm"><i class="fa fa-eye"></i></a>
-                            {% if "can_change_event_settings" in request.eventpermset %}
+                            {% if "event.orders:read" in request.eventpermset %}
+                                <a href="{% url "control:event.orders.checkinlists.show" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
+                                   class="btn btn-default btn-sm"><i class="fa fa-eye"></i></a>
+                                <a href="{% url "control:event.orders.checkinlists.simulator" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
+                                   title="{% trans "Check-in simulator" %}" data-toggle="tooltip"
+                                   class="btn btn-default btn-sm"><i class="fa fa-flask"></i></a>
+                            {% endif %}
+                            {% if "event.settings.general:write" in request.eventpermset %}
                                 <a href="{% url "control:event.orders.checkinlists.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ cl.id }}"
                                    class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
                                     <span class="fa fa-copy"></span>
                                 </a>
-                                <a href="{% url "control:event.orders.checkinlists.simulator" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
-                                   title="{% trans "Check-in simulator" %}" data-toggle="tooltip"
-                                   class="btn btn-default btn-sm"><i class="fa fa-flask"></i></a>
                                 <a href="{% url "control:event.orders.checkinlists.edit" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"
                                    class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
                                 <a href="{% url "control:event.orders.checkinlists.delete" organizer=request.event.organizer.slug event=request.event.slug list=cl.id %}"

src/pretix/control/templates/pretixcontrol/checkin/simulator.html

@@ -9,7 +9,7 @@
 {% block inside %}
     <h1>
         {% blocktrans with name=checkinlist.name %}Check-in list: {{ name }}{% endblocktrans %}
-        {% if 'can_change_event_settings' in request.eventpermset %}
+        {% if 'event.settings.general:write' in request.eventpermset %}
             <a href="{% url "control:event.orders.checkinlists.edit" event=request.event.slug organizer=request.event.organizer.slug list=checkinlist.pk %}"
                class="btn btn-default">
                 <span class="fa fa-wrench"></span>

src/pretix/control/templates/pretixcontrol/datasync/control_order_info.html

@@ -11,18 +11,20 @@
     <ul class="list-group">
         {% for identifier, display_name, pending, objects in providers %}
             <li class="list-group-item">
-                <form action="{% url "control:event.order.sync_job" organizer=event.organizer.slug event=event.slug code=order.code provider=identifier %}" method="post" class="form-inline pull-right">
-                    {% csrf_token %}
-                    {% if pending %}
-                        {% if pending.not_before > now or pending.need_manual_retry %}
-                            <button type="submit" name="run_job_now" value="{{ pending.pk }}" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Retry now" %}</button>
+                {% if "event.orders:write" in request.eventpermset %}
+                    <form action="{% url "control:event.order.sync_job" organizer=event.organizer.slug event=event.slug code=order.code provider=identifier %}" method="post" class="form-inline pull-right">
+                        {% csrf_token %}
+                        {% if pending %}
+                            {% if pending.not_before > now or pending.need_manual_retry %}
+                                <button type="submit" name="run_job_now" value="{{ pending.pk }}" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Retry now" %}</button>
+                            {% endif %}
+                            <button type="submit" name="cancel_job" value="{{ pending.pk }}" class="btn btn-danger"><i class="fa fa-times"></i> {% trans "Cancel" %}</button>
+                        {% else %}
+                            <button type="submit" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Sync now" %}</button>
+                            <input type="hidden" name="queue_sync" value="true">
                         {% endif %}
-                        <button type="submit" name="cancel_job" value="{{ pending.pk }}" class="btn btn-danger"><i class="fa fa-times"></i> {% trans "Cancel" %}</button>
-                    {% else %}
-                        <button type="submit" class="btn btn-default"><i class="fa fa-refresh"></i> {% trans "Sync now" %}</button>
-                        <input type="hidden" name="queue_sync" value="true">
-                    {% endif %}
-                </form>
+                    </form>
+                {% endif %}
                 <p><b>{{ display_name }}</b></p>
                 {% if pending %}
                     <p>

src/pretix/control/templates/pretixcontrol/event/dangerzone.html

@@ -40,12 +40,16 @@
                     this option.
                 {% endblocktrans %}
             </div>
-            <div class="col-sm-12 col-md-3">
-                <a href="{% url "control:event.cancel" organizer=request.organizer.slug event=request.event.slug %}"
-                        class="btn btn-danger btn-block btn-lg">
-                    <span class="fa fa-ban"></span>
-                    {% trans "Cancel event" %}
-                </a>
+            <div class="col-sm-12 col-md-3 text-center">
+                {% if "event:cancel" in request.eventpermset %}
+                    <a href="{% url "control:event.cancel" organizer=request.organizer.slug event=request.event.slug %}"
+                            class="btn btn-danger btn-block btn-lg">
+                        <span class="fa fa-ban"></span>
+                        {% trans "Cancel event" %}
+                    </a>
+                {% else %}
+                    {% trans "No permission" %}
+                {% endif %}
             </div>
         </div>
     </div>

src/pretix/control/templates/pretixcontrol/event/fragment_timeline.html

@@ -19,7 +19,7 @@
                         <span class="{% if e.time < nearly_now %}text-muted{% endif %}">
                             {{ e.entry.description }}
                         </span>
-                        {% if e.entry.edit_url %}
+                        {% if e.entry.edit_url and e.entry.edit_permission in request.eventpermset %}
                             &nbsp;
                             <a href="{{ e.entry.edit_url }}" class="text-muted">
                                 <span class="fa fa-edit"></span>

src/pretix/control/templates/pretixcontrol/event/index.html

@@ -155,22 +155,24 @@
             </form>
         </div>
     </div>
-    <div class="panel panel-default">
-        <div class="panel-heading">
-            <h3 class="panel-title">
-                {% trans "Event logs" %}
-            </h3>
-        </div>
-        <ul class="list-group" id="logs_target">
-            <div class="logs-lazy-loading">
-                <span class="fa fa-cog fa-4x"></span>
+    {% if "event.orders:read" in request.eventpermset or "event.orders:write" in request.eventpermset or "event.settings.general:write" in request.eventpermset or "event.items:write" in request.eventpermset %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <h3 class="panel-title">
+                    {% trans "Event logs" %}
+                </h3>
+            </div>
+            <ul class="list-group" id="logs_target">
+                <div class="logs-lazy-loading">
+                    <span class="fa fa-cog fa-4x"></span>
+                </div>
+            </ul>
+            <div class="panel-footer">
+                <a href="{% url "control:event.log" event=request.event.slug organizer=request.event.organizer.slug %}">
+                    {% trans "Show more logs" %}
+                </a>
             </div>
-        </ul>
-        <div class="panel-footer">
-            <a href="{% url "control:event.log" event=request.event.slug organizer=request.event.organizer.slug %}">
-                {% trans "Show more logs" %}
-            </a>
         </div>
-    </div>
+    {% endif %}
 
 {% endblock %}

src/pretix/control/templates/pretixcontrol/event/invoicing.html

@@ -169,13 +169,15 @@
                 </p>
             </fieldset>
         </div>
-        <div class="form-group submit-group">
-            <button type="submit" class="btn btn-default btn-lg" name="preview" value="preview" formtarget="_blank">
-                {% trans "Save and show preview" %}
-            </button>
-            <button type="submit" class="btn btn-primary btn-save">
-                {% trans "Save" %}
-            </button>
-        </div>
+        {% if "event.settings.invoicing:write" in request.eventpermset %}
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-default btn-lg" name="preview" value="preview" formtarget="_blank">
+                    {% trans "Save and show preview" %}
+                </button>
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        {% endif %}
     </form>
 {% endblock %}

src/pretix/control/templates/pretixcontrol/event/payment.html

@@ -41,14 +41,17 @@
                                 {% endfor %}
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url 'control:event.settings.payment.provider' event=request.event.slug organizer=request.organizer.slug provider=provider.identifier %}"
-                                        class="btn btn-default">
-                                    <span class="fa fa-cog"></span>
-                                    {% trans "Settings" %}
-                                </a>
+                                {% if "event.settings.payment:write" in request.eventpermset %}
+                                    <a href="{% url 'control:event.settings.payment.provider' event=request.event.slug organizer=request.organizer.slug provider=provider.identifier %}"
+                                            class="btn btn-default">
+                                        <span class="fa fa-cog"></span>
+                                        {% trans "Settings" %}
+                                    </a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
+                    {% if "event.settings.general:write" in request.eventpermset %}
                         <tr>
                             <td colspan="4">
                                 <br>
@@ -58,6 +61,7 @@
                                 </a>
                             </td>
                         </tr>
+                    {% endif %}
                     </tbody>
                 </table>
 
@@ -83,10 +87,12 @@
                 {% bootstrap_field form.payment_explanation layout="control" %}
             </fieldset>
         </div>
-        <div class="form-group submit-group">
-            <button type="submit" class="btn btn-primary btn-save">
-                {% trans "Save" %}
-            </button>
-        </div>
+        {% if "event.settings.payment:write" in request.eventpermset %}
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        {% endif %}
     </form>
 {% endblock %}

src/pretix/control/templates/pretixcontrol/event/tax.html

@@ -23,8 +23,10 @@
                     {% endblocktrans %}
                 </p>
 
-                <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}</a>
+                {% if "event.settings.tax:write" in request.eventpermset %}
+                    <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                       class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}</a>
+                {% endif %}
             </div>
         {% else %}
             <div class="table-responsive">
@@ -42,10 +44,14 @@
                     {% for tr in taxrules %}
                         <tr>
                             <td>
-                                <strong><a
-                                        href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
-                                    {{ tr.internal_name|default:tr.name }}
-                                </a></strong>
+                                {% if "event.settings.tax:write" in request.eventpermset %}
+                                    <strong><a
+                                            href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
+                                        {{ tr.internal_name|default:tr.name }}
+                                    </a></strong>
+                                {% else %}
+                                    <strong>{{ tr.internal_name|default:tr.name }}</strong>
+                                {% endif %}
                             </td>
                             <td>
                                 {% if tr.default %}
@@ -53,7 +59,7 @@
                                     <span class="fa fa-check"></span>
                                     {% trans "Default" %}
                                 </span>
-                                {% else %}
+                                {% elif "event.settings.tax:write" in request.eventpermset %}
                                     <form class="form-inline" method="post"
                                           action="{% url "control:event.settings.tax.default" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}">
                                         {% csrf_token %}
@@ -83,10 +89,12 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
-                                   class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                                <a href="{% url "control:event.settings.tax.delete" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
-                                   class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% if "event.settings.tax:write" in request.eventpermset %}
+                                    <a href="{% url "control:event.settings.tax.edit" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
+                                       class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                    <a href="{% url "control:event.settings.tax.delete" organizer=request.event.organizer.slug event=request.event.slug rule=tr.id %}"
+                                       class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
@@ -94,9 +102,11 @@
                     <tfoot>
                     <tr>
                         <td colspan="5">
-                            <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}
-                            </a>
+                            {% if "event.settings.tax:write" in request.eventpermset %}
+                                <a href="{% url "control:event.settings.tax.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new tax rule" %}
+                                </a>
+                            {% endif %}
                         </td>
                     </tr>
                     </tfoot>
@@ -111,10 +121,12 @@
             {% bootstrap_field form.tax_rounding layout="control" %}
             {% bootstrap_field form.display_net_prices layout="control" %}
         </fieldset>
-        <div class="form-group submit-group">
-            <button type="submit" class="btn btn-primary btn-save">
-                {% trans "Save" %}
-            </button>
-        </div>
+        {% if "event.settings.tax:write" in request.eventpermset %}
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        {% endif %}
     </form>
 {% endblock %}

src/pretix/control/templates/pretixcontrol/items/categories.html

@@ -16,14 +16,18 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new category" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new category" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new category" %}
-            </a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new category" %}
+                </a>
+            </p>
+        {% endif %}
         <form method="post">
             {% csrf_token %}
         <div class="table-responsive">
@@ -39,7 +43,11 @@
                 {% for c in categories %}
                     <tr data-dnd-id="{{ c.id }}">
                         <td>
-                            <strong><a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}">{{ c.internal_name|default:c.name }}</a></strong>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <strong><a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}">{{ c.internal_name|default:c.name }}</a></strong>
+                            {% else %}
+                                <strong>{{ c.internal_name|default:c.name }}</strong>
+                            {% endif %}
                             <br>
                             <small class="text-muted">
                                 #{{ c.pk }}
@@ -49,15 +57,17 @@
                             {{ c.get_category_type_display }}
                         </td>
                         <td class="text-right flip">
-                            <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.categories.up" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 and not page_obj.has_previous %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
-                            <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.categories.down" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
-                            <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
-                            <a title="{% trans "Edit" %}" href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                            <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ c.id }}"
-                               class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
-                                <span class="fa fa-copy"></span>
-                            </a>
-                            <a title="{% trans "Delete" %}" href="{% url "control:event.items.categories.delete" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.categories.up" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 and not page_obj.has_previous %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
+                                <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.categories.down" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
+                                <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
+                                <a title="{% trans "Edit" %}" href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                <a href="{% url "control:event.items.categories.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ c.id }}"
+                                   class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
+                                    <span class="fa fa-copy"></span>
+                                </a>
+                                <a title="{% trans "Delete" %}" href="{% url "control:event.items.categories.delete" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% endif %}
                         </td>
                     </tr>
                 {% endfor %}

src/pretix/control/templates/pretixcontrol/items/discounts.html

@@ -39,15 +39,19 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-               class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}
-            </a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new discount" %}
+                </a>
+            </p>
+        {% endif %}
         <form method="post">
             {% csrf_token %}
             <div class="table-responsive">
@@ -70,8 +74,12 @@
                                 {% else %}
                                     <del>
                                 {% endif %}
-                                    <a  href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}">
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}">
                                     {{ d.internal_name }}</a>
+                                {% else %}
+                                    {{ d.internal_name }}
+                                {% endif %}
                                 {% if d.active %}
                                     </strong>
                                 {% else %}
@@ -134,23 +142,25 @@
                                 </td>
                             {% endif %}
                             <td class="text-right flip">
-                                <button formaction="{% url "control:event.items.discounts.up" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                        class="btn btn-default btn-sm sortable-up" title="{% trans "Move up" %}"
-                                        {% if forloop.counter0 == 0 and not page_obj.has_previous %}
-                                        disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
-                                <button formaction="{% url "control:event.items.discounts.down" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                        class="btn btn-default btn-sm sortable-down" title="{% trans "Move down" %}"
-                                        {% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}>
-                                    <i class="fa fa-arrow-down"></i></button>
-                                <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
-                                <a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                   class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                                <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ d.id }}"
-                                   class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
-                                    <span class="fa fa-copy"></span>
-                                </a>
-                                <a href="{% url "control:event.items.discounts.delete" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
-                                   class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <button formaction="{% url "control:event.items.discounts.up" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                            class="btn btn-default btn-sm sortable-up" title="{% trans "Move up" %}"
+                                            {% if forloop.counter0 == 0 and not page_obj.has_previous %}
+                                            disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
+                                    <button formaction="{% url "control:event.items.discounts.down" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                            class="btn btn-default btn-sm sortable-down" title="{% trans "Move down" %}"
+                                            {% if forloop.revcounter0 == 0 and not page_obj.has_next %} disabled{% endif %}>
+                                        <i class="fa fa-arrow-down"></i></button>
+                                    <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
+                                    <a href="{% url "control:event.items.discounts.edit" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                       class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                    <a href="{% url "control:event.items.discounts.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ d.id }}"
+                                       class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
+                                        <span class="fa fa-copy"></span>
+                                    </a>
+                                    <a href="{% url "control:event.items.discounts.delete" organizer=request.event.organizer.slug event=request.event.slug discount=d.id %}"
+                                       class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}

src/pretix/control/templates/pretixcontrol/items/index.html

@@ -21,14 +21,18 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new product" %}</a>
+            </p>
+        {% endif %}
         <form method="post">
             {% csrf_token %}
         <div class="table-responsive">
@@ -51,7 +55,9 @@
                         <tbody>
                             <tr class="sortable-disabled"><th colspan="9" scope="colgroup" class="text-muted">
                                 {{ c.internal_name|default:c.name }}{% if c.category_type != "normal" %} <span class="font-normal">({{ c.get_category_type_display }})</span>{% endif %}
-                                <a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" title="{% trans "Edit" %}"><span class="fa fa-edit fa-fw"></span></a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <a href="{% url "control:event.items.categories.edit" organizer=request.event.organizer.slug event=request.event.slug category=c.id %}" title="{% trans "Edit" %}"><span class="fa fa-edit fa-fw"></span></a>
+                                {% endif %}
                             </th></tr>
                         </tbody>
                     {% endif %}
@@ -62,7 +68,11 @@
                         <tr data-dnd-id="{{ i.id }}" {% if not i.active %}class="row-muted"{% endif %}>
                             <td><strong>
                                 {% if not i.active %}<strike>{% endif %}
-                                <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}">{{ i }}</a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}">{{ i }}</a>
+                                {% else %}
+                                    {{ i }}
+                                {% endif %}
                                 {% if not i.active %}</strike>{% endif %}
                                 </strong>
                                 <br>
@@ -158,12 +168,14 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip col-actions">
-                                <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.up" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
-                                <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.down" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
-                                <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
-                                <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm" title="{% trans "Edit" %}"><i class="fa fa-edit"></i></a>
-                                <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ i.id }}" class="btn btn-default btn-sm" title="{% trans "Clone" %}" data-toggle="tooltip"><i class="fa fa-copy"></i></a>
-                                <a href="{% url "control:event.items.delete" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-danger btn-sm" title="{% trans "Delete" %}"><i class="fa fa-trash"></i></a>
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <button title="{% trans "Move up" %}" formaction="{% url "control:event.items.up" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-up"{% if forloop.counter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-up"></i></button>
+                                    <button title="{% trans "Move down" %}" formaction="{% url "control:event.items.down" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm sortable-down"{% if forloop.revcounter0 == 0 %} disabled{% endif %}><i class="fa fa-arrow-down"></i></button>
+                                    <span class="dnd-container" title="{% trans "Click and drag this button to reorder. Double click to show buttons for reordering." %}"></span>
+                                    <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-default btn-sm" title="{% trans "Edit" %}"><i class="fa fa-edit"></i></a>
+                                    <a href="{% url "control:event.items.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ i.id }}" class="btn btn-default btn-sm" title="{% trans "Clone" %}" data-toggle="tooltip"><i class="fa fa-copy"></i></a>
+                                    <a href="{% url "control:event.items.delete" organizer=request.event.organizer.slug event=request.event.slug item=i.id %}" class="btn btn-danger btn-sm" title="{% trans "Delete" %}"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}

src/pretix/control/templates/pretixcontrol/items/question.html

@@ -7,45 +7,57 @@
 {% block inside %}
     <h1>
         {% blocktrans with name=question.question %}Question: {{ name }}{% endblocktrans %}
-        <a href="{% url "control:event.items.questions.edit" event=request.event.slug organizer=request.event.organizer.slug question=question.pk %}"
-                class="btn btn-default">
-            <span class="fa fa-edit"></span>
-            {% trans "Edit question" %}
-        </a>
+        {% if 'event.items:write' in request.eventpermset %}
+            <a href="{% url "control:event.items.questions.edit" event=request.event.slug organizer=request.event.organizer.slug question=question.pk %}"
+                    class="btn btn-default">
+                <span class="fa fa-edit"></span>
+                {% trans "Edit question" %}
+            </a>
+        {% endif %}
     </h1>
 
-    <div class="panel panel-default">
-        <div class="panel-heading">
-            <h3 class="panel-title">{% trans "Filter" %}</h3>
+    {% if 'event.orders:read' in request.eventpermset %}
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <h3 class="panel-title">{% trans "Filter" %}</h3>
+            </div>
+            <form class="panel-body filter-form" action="" method="get">
+                <div class="row">
+                     <div class="col-md-2 col-xs-6">
+                         {% bootstrap_field form.status %}
+                     </div>
+                     <div class="col-md-3 col-xs-6">
+                         {% bootstrap_field form.item %}
+                     </div>
+                {% if has_subevents %}
+                    <div class="col-md-3 col-xs-6">
+                        {% bootstrap_field form.subevent %}
+                    </div>
+                    <div class="col-md-4 col-xs-6">
+                        {% bootstrap_field form.date_range %}
+                    </div>
+                {% endif %}
+                </div>
+                <div class="text-right">
+                    <button class="btn btn-primary btn-lg" type="submit">
+                        <span class="fa fa-filter"></span>
+                        {% trans "Filter" %}
+                    </button>
+                </div>
+            </form>
         </div>
-        <form class="panel-body filter-form" action="" method="get">
-            <div class="row">
-                 <div class="col-md-2 col-xs-6">
-                     {% bootstrap_field form.status %}
-                 </div>
-                 <div class="col-md-3 col-xs-6">
-                     {% bootstrap_field form.item %}
-                 </div>
-            {% if has_subevents %}
-                <div class="col-md-3 col-xs-6">
-                    {% bootstrap_field form.subevent %}
-                </div>
-                <div class="col-md-4 col-xs-6">
-                    {% bootstrap_field form.date_range %}
-                </div>
-            {% endif %}
-            </div>
-            <div class="text-right">
-                <button class="btn btn-primary btn-lg" type="submit">
-                    <span class="fa fa-filter"></span>
-                    {% trans "Filter" %}
-                </button>
-            </div>
-        </form>
-    </div>
+    {% endif %}
 
     <div class="row">
-        {% if not stats %}
+        {% if 'event.orders:read' not in request.eventpermset %}
+            <div class="empty-collection col-md-10 col-xs-12">
+                <p>
+                    {% blocktrans trimmed %}
+                        No permission to view answers.
+                    {% endblocktrans %}
+                </p>
+            </div>
+        {% elif not stats %}
             <div class="empty-collection col-md-10 col-xs-12">
                 <p>
                     {% blocktrans trimmed %}

src/pretix/control/templates/pretixcontrol/items/questions.html

@@ -10,10 +10,12 @@
         {% endblocktrans %}
     </p>
     {% csrf_token %}
-    <p>
-        <a href="{% url "control:event.items.questions.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new question" %}
-        </a>
-    </p>
+    {% if 'event.items:write' in request.eventpermset %}
+        <p>
+            <a href="{% url "control:event.items.questions.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new question" %}
+            </a>
+        </p>
+    {% endif %}
     <div class="table-responsive">
         <table class="table table-hover table-quotas">
             <thead>
@@ -24,7 +26,9 @@
                 <th class="iconcol"></th>
                 <th class="iconcol"></th>
                 <th>{% trans "Products" %}</th>
-                <th class="action-col-2"></th>
+                {% if 'event.items:write' in request.eventpermset %}
+                    <th class="action-col-2"></th>
+                {% endif %}
                 <th class="action-col-2"></th>
             </tr>
             </thead>
@@ -79,16 +83,22 @@
                             <small>{% trans "All personalized products" %}</small>
                         {% endif %}
                     </td>
-                    <td class="dnd-container">
-                    </td>
+                    {% if 'event.items:write' in request.eventpermset %}
+                        <td class="dnd-container">
+                        </td>
+                    {% endif %}
                     <td class="text-right flip">
                         {% if q.pk %}
                             <a href="{% url "control:event.items.questions.show" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-bar-chart"></i></a>
-                            <a href="{% url "control:event.items.questions.edit" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                            <a href="{% url "control:event.items.questions.delete" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <a href="{% url "control:event.items.questions.edit" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                <a href="{% url "control:event.items.questions.delete" organizer=request.event.organizer.slug event=request.event.slug question=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% endif %}
                         {% else %}
-                            <a href="{% url "control:event.settings" organizer=request.event.organizer.slug event=request.event.slug %}#tab-0-2-open"
-                                    class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
+                            {% if 'event.settings.general:write' in request.eventpermset %}
+                                <a href="{% url "control:event.settings" organizer=request.event.organizer.slug event=request.event.slug %}#tab-0-2-open"
+                                        class="btn btn-default btn-sm"><i class="fa fa-wrench"></i></a>
+                            {% endif %}
                         {% endif %}
                     </td>
                 </tr>

src/pretix/control/templates/pretixcontrol/items/quota.html

@@ -7,7 +7,7 @@
 {% block inside %}
     <h1>
         {% blocktrans with name=quota.name %}Quota: {{ name }}{% endblocktrans %}
-        {% if 'can_change_items' in request.eventpermset %}
+        {% if 'event.items:write' in request.eventpermset %}
             <a href="{% url "control:event.items.quotas.edit" event=request.event.slug organizer=request.event.organizer.slug quota=quota.pk %}"
                class="btn btn-default">
                 <span class="fa fa-edit"></span>

src/pretix/control/templates/pretixcontrol/items/quotas.html

@@ -30,14 +30,18 @@
                 {% endif %}
             </p>
 
-            <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}</a>
+            {% if 'event.items:write' in request.eventpermset %}
+                <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}</a>
+            {% endif %}
         </div>
     {% else %}
-        <p>
-            <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}
-            </a>
-        </p>
+        {% if 'event.items:write' in request.eventpermset %}
+            <p>
+                <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}
+                </a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-hover table-quotas">
                 <thead>
@@ -91,12 +95,14 @@
                         <td>{% if q.size == None %}Unlimited{% else %}{{ q.size }}{% endif %}</td>
                         <td>{% include "pretixcontrol/items/fragment_quota_availability.html" with availability=q.cached_avail closed=q.closed %}</td>
                         <td class="text-right flip">
-                            <a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                            <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}"
-                               class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
-                                <span class="fa fa-copy"></span>
-                            </a>
-                            <a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% if 'event.items:write' in request.eventpermset %}
+                                <a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}"
+                                   class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
+                                    <span class="fa fa-copy"></span>
+                                </a>
+                                <a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                            {% endif %}
                         </td>
                     </tr>
                 {% endfor %}

src/pretix/control/templates/pretixcontrol/order/index.html

@@ -26,7 +26,7 @@
         {% endif %}
         {% include "pretixcontrol/orders/fragment_order_status.html" with order=order class="pull-right flip" %}
     </h1>
-    {% if 'can_change_orders' in request.eventpermset %}
+    {% if 'event.orders:write' in request.eventpermset %}
         <form action="{% url "control:event.order.transition" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}"
                 method="post">
             {% csrf_token %}
@@ -193,7 +193,7 @@
                         <dt>{% trans "Order locale" %}</dt>
                         <dd>
                             {{ display_locale }}
-                            {% if "can_change_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset %}
                                 <a href="{% url "control:event.order.locale" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                     <span class="fa fa-edit"></span>
                                 </a>
@@ -220,7 +220,7 @@
                                         {{ order.customer.identifier }} – {{ order.customer.email }}
                                     </a>
                                 {% endif %}
-                                {% if "can_change_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset %}
                                     <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                         <span class="fa fa-edit"></span>
                                     </a>
@@ -233,7 +233,7 @@
                             {% if order.email and order.email_known_to_work %}
                                 <span class="fa fa-check-circle text-success" data-toggle="tooltip" title="{% trans "We know that this email address works because the user clicked a link we sent them." %}"></span>
                             {% endif %}
-                            {% if "can_change_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset %}
                                 <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                     <span class="fa fa-edit"></span>
                                 </a>
@@ -257,7 +257,7 @@
                             <dt>{% trans "Phone number" %}</dt>
                             <dd>
                                 {{ order.phone|default_if_none:""|phone_format }}
-                                {% if "can_change_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset %}
                                     <a href="{% url "control:event.order.contact" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default btn-xs">
                                         <span class="fa fa-edit"></span>
                                     </a>
@@ -319,7 +319,7 @@
                                             <span class="fa fa-check text-success fa-stack-1x fa-stack-shifted"></span>
                                         </span>
                                     {% endif %}
-                                    {% if i.transmission_status != "inflight" %}
+                                    {% if i.transmission_status != "inflight" and "event.orders:write" in request.eventpermset %}
                                         <form class="form-inline helper-display-inline" method="post"
                                               action="{% url "control:event.order.retransmitinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
                                             {% csrf_token %}
@@ -334,7 +334,7 @@
                                         </form>
                                     {% endif %}
                                     {% if not i.canceled %}
-                                        {% if i.regenerate_allowed %}
+                                        {% if i.regenerate_allowed and "event.orders:write" in request.eventpermset %}
                                             <form class="form-inline helper-display-inline" method="post"
                                                     action="{% url "control:event.order.regeninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
                                                 {% csrf_token %}
@@ -344,7 +344,7 @@
                                                 </button>
                                             </form>
                                         {% endif %}
-                                        {% if not i.is_cancellation %}
+                                        {% if not i.is_cancellation and "event.orders:write" in request.eventpermset %}
                                             <form class="form-inline helper-display-inline" method="post"
                                                     action="{% url "control:event.order.reissueinvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code id=i.pk %}">
                                                 {% csrf_token %}
@@ -371,7 +371,7 @@
                                         <br/>
                                     {% endif %}
                                 {% endfor %}
-                                {% if can_generate_invoice and 'can_change_orders' in request.eventpermset %}
+                                {% if can_generate_invoice and 'event.orders:write' in request.eventpermset %}
                                     <br/>
                                     <form class="form-inline helper-display-inline" method="post"
                                             action="{% url "control:event.order.geninvoice" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
@@ -382,7 +382,7 @@
                                     </form>
                                 {% endif %}
                             </dd>
-                        {% elif can_generate_invoice and 'can_change_orders' in request.eventpermset %}
+                        {% elif can_generate_invoice and 'event.orders:write' in request.eventpermset %}
                             <dt>{% trans "Invoices" %}</dt>
                             <dd>
                                 <form class="form-inline helper-display-inline" method="post"
@@ -400,7 +400,7 @@
             <div class="panel panel-default items">
                 <div class="panel-heading">
                     <div class="pull-right flip">
-                        {% if 'can_change_orders' in request.eventpermset %}
+                        {% if 'event.orders:write' in request.eventpermset %}
                             <a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
                                 <span class="fa fa-edit"></span>
                                 {% trans "Change answers" %}
@@ -893,7 +893,7 @@
                                     {% endfor %}
                                     </tbody>
                                 </table>
-                                {% if order.payment_refund_sum > 0 and "can_change_orders" in request.eventpermset %}
+                                {% if order.payment_refund_sum > 0 and "event.orders:write" in request.eventpermset %}
                                     <a href="{% url "control:event.order.refunds.start" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}" class="btn btn-default">
                                         {% trans "Create a refund" %}
                                     </a>
@@ -1012,7 +1012,7 @@
                         <div class="panel panel-default">
                             <div class="panel-heading">
                                 <div class="pull-right flip">
-                                    {% if 'can_change_orders' in request.eventpermset %}
+                                    {% if 'event.orders:write' in request.eventpermset %}
                                         <a href="{% url "control:event.order.info" event=request.event.slug organizer=request.event.organizer.slug code=order.code %}">
                                             <span class="fa fa-edit"></span>
                                             {% trans "Change" %}
@@ -1088,7 +1088,7 @@
                                 {% bootstrap_field comment_form.custom_followup_at %}
                                 {% bootstrap_field comment_form.checkin_attention show_help=True show_label=False %}
                                 {% bootstrap_field comment_form.checkin_text show_help=True show_label=False %}
-                                {% if "can_change_orders" in request.eventpermset %}
+                                {% if "event.orders:write" in request.eventpermset %}
                                     <button class="btn btn-default">
                                         {% trans "Update comment" %}
                                     </button>

src/pretix/control/templates/pretixcontrol/orders/index.html

@@ -122,7 +122,7 @@
                 <table class="table table-condensed table-hover table-orders">
                     <thead>
                     <tr>
-                        {% if "can_change_orders" in request.eventpermset %}
+                        {% if "event.orders:write" in request.eventpermset %}
                             <th>
                                 <label aria-label="{% trans "select all rows for batch-operation" %}"
                                        class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
@@ -154,7 +154,7 @@
                             <a href="?{% url_replace request 'ordering' 'status' %}"><i class="fa fa-caret-up"></i></a>
                         </th>
                     </tr>
-                    {% if page_obj.paginator.num_pages > 1 and "can_change_orders" in request.eventpermset %}
+                    {% if page_obj.paginator.num_pages > 1 and "event.orders:write" in request.eventpermset %}
                         <tr class="table-select-all warning hidden">
                             <td>
                                 <input type="checkbox" name="__ALL" id="__all"
@@ -171,7 +171,7 @@
                     <tbody>
                     {% for o in orders %}
                         <tr>
-                            {% if "can_change_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset %}
                                 <td>
                                     <label aria-label="{% trans "select row for batch-operation" %}"
                                            class="batch-select-label"><input type="checkbox" name="order"
@@ -281,7 +281,7 @@
                     {% endif %}
                 </table>
             </div>
-            {% if "can_change_orders" in request.eventpermset %}
+            {% if "event.orders:write" in request.eventpermset %}
                 <div class="batch-select-actions">
                     <div class="btn-group dropup">
                         <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"

src/pretix/control/templates/pretixcontrol/orders/refunds.html

@@ -100,28 +100,30 @@
                             {{ r.amount|money:request.event.currency }}
                         </td>
                         <td class="text-right flip">
-                            {% if r.state == "transit" or r.state == "created" %}
-                                <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-danger btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-times"></span>
-                                    {% trans "Cancel" %}
-                                </a>
-                                <a href="{% url "control:event.order.refunds.done" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-primary btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-check"></span>
-                                    {% trans "Confirm as done" %}
-                                </a>
+                            {% if "event.orders:write" in request.eventpermset %}
+                                {% if r.state == "transit" or r.state == "created" %}
+                                    <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-danger btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-times"></span>
+                                        {% trans "Cancel" %}
+                                    </a>
+                                    <a href="{% url "control:event.order.refunds.done" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-primary btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-check"></span>
+                                        {% trans "Confirm as done" %}
+                                    </a>
                                 {% elif r.state == "external" %}
-                                <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-default btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-times"></span>
-                                    {% trans "Ignore" %}
-                                </a>
-                                <a href="{% url "control:event.order.refunds.process" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
-                                   class="btn btn-primary btn-xs" data-toggle="tooltip">
-                                    <span class="fa fa-check"></span>
-                                    {% trans "Process refund" %}
-                                </a>
+                                    <a href="{% url "control:event.order.refunds.cancel" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-default btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-times"></span>
+                                        {% trans "Ignore" %}
+                                    </a>
+                                    <a href="{% url "control:event.order.refunds.process" event=request.event.slug organizer=request.event.organizer.slug code=r.order.code refund=r.pk %}?next={{ request.get_full_path|urlencode }}"
+                                       class="btn btn-primary btn-xs" data-toggle="tooltip">
+                                        <span class="fa fa-check"></span>
+                                        {% trans "Process refund" %}
+                                    </a>
+                                {% endif %}
                             {% endif %}
                         </td>
                     </tr>

src/pretix/control/templates/pretixcontrol/organizers/customer.html

@@ -93,16 +93,18 @@
                         {% endif %}
                         </dl>
                     </form>
-                    <div class="text-right">
-                        <a href="{% url "control:organizer.customer.edit" organizer=request.organizer.slug customer=customer.identifier %}"
-                                class="btn btn-default">
-                            <i class="fa fa-edit"></i> {% trans "Edit" %}
-                        </a>
-                        <a href="{% url "control:organizer.customer.anonymize" organizer=request.organizer.slug customer=customer.identifier %}"
-                                class="btn btn-danger">
-                            <i class="fa fa-trash"></i> {% trans "Anonymize" %}
-                        </a>
-                    </div>
+                    {% if "organizer.customers:write" in request.orgapermset %}
+                        <div class="text-right">
+                            <a href="{% url "control:organizer.customer.edit" organizer=request.organizer.slug customer=customer.identifier %}"
+                                    class="btn btn-default">
+                                <i class="fa fa-edit"></i> {% trans "Edit" %}
+                            </a>
+                            <a href="{% url "control:organizer.customer.anonymize" organizer=request.organizer.slug customer=customer.identifier %}"
+                                    class="btn btn-danger">
+                                <i class="fa fa-trash"></i> {% trans "Anonymize" %}
+                            </a>
+                        </div>
+                    {% endif %}
                 </div>
             </div>
             <div class="panel panel-default items">
@@ -162,35 +164,39 @@
                                 </div>
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url "control:organizer.customer.membership.edit" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
-                                        data-toggle="tooltip"
-                                        title="{% trans "Edit" %}"
-                                        class="btn btn-default">
-                                    <i class="fa fa-edit"></i>
-                                </a>
-                                {% if m.testmode %}
-                                    <a href="{% url "control:organizer.customer.membership.delete" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
+                                {% if "organizer.customers:write" in request.orgapermset %}
+                                    <a href="{% url "control:organizer.customer.membership.edit" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
                                             data-toggle="tooltip"
-                                            title="{% trans "Delete" %}"
-                                            class="btn btn-danger">
-                                        <i class="fa fa-trash"></i>
+                                            title="{% trans "Edit" %}"
+                                            class="btn btn-default">
+                                        <i class="fa fa-edit"></i>
                                     </a>
+                                    {% if m.testmode %}
+                                        <a href="{% url "control:organizer.customer.membership.delete" organizer=request.organizer.slug customer=customer.identifier id=m.pk %}"
+                                                data-toggle="tooltip"
+                                                title="{% trans "Delete" %}"
+                                                class="btn btn-danger">
+                                            <i class="fa fa-trash"></i>
+                                        </a>
+                                    {% endif %}
                                 {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
                     </tbody>
-                    <tfoot>
-                    <tr>
-                        <td colspan="7">
-                            <a href="{% url "control:organizer.customer.membership.add" organizer=request.organizer.slug customer=customer.identifier %}"
-                                    class="btn btn-default">
-                                <i class="fa fa-plus"></i>
-                                {% trans "Add membership" %}
-                            </a>
-                        </td>
-                    </tr>
-                    </tfoot>
+                    {% if "organizer.customers:write" in request.orgapermset %}
+                        <tfoot>
+                        <tr>
+                            <td colspan="7">
+                                <a href="{% url "control:organizer.customer.membership.add" organizer=request.organizer.slug customer=customer.identifier %}"
+                                        class="btn btn-default">
+                                    <i class="fa fa-plus"></i>
+                                    {% trans "Add membership" %}
+                                </a>
+                            </td>
+                        </tr>
+                        </tfoot>
+                    {% endif %}
                 </table>
             </div>
             <div class="panel panel-default items">
@@ -300,14 +306,18 @@
                         {% for gc in gift_cards %}
                             <tr>
                                 <td>
-                                    <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}">
-                                <strong>{{ gc.secret }}</strong></a>
-                                {% if gc.testmode %}
-                                    <span class="label label-warning">{% trans "TEST MODE" %}</span>
-                                {% endif %}
-                                {% if gc.expired %}
-                                    <span class="label label-danger">{% trans "Expired" %}</span>
-                                {% endif %}
+                                    {% if "organizer.giftcards:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}">
+                                            <strong>{{ gc.secret }}</strong></a>
+                                    {% else %}
+                                        <strong>{{ gc.secret|slice:":3" }}…</strong>
+                                    {% endif %}
+                                    {% if gc.testmode %}
+                                        <span class="label label-warning">{% trans "TEST MODE" %}</span>
+                                    {% endif %}
+                                    {% if gc.expired %}
+                                        <span class="label label-danger">{% trans "Expired" %}</span>
+                                    {% endif %}
                                 </td>
                                 <td>{{ gc.issuance|date:"SHORT_DATETIME_FORMAT" }}</td>
                                 <td>{% if gc.expires %}{{ gc.expires|date:"SHORT_DATETIME_FORMAT" }}{% endif %}</td>
@@ -316,10 +326,12 @@
                                     <p class="text-right">{{ gc.value|money:gc.currency }}</p>
                                 </td>
                                 <td class="text-right">
-                                    <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}"
-                                            class="btn btn-default btn-sm" data-toggle="tooltip" title="{% trans "Details" %}">
-                                        <i class="fa fa-eye"></i>
-                                    </a>
+                                    {% if "organizer.giftcards:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.giftcard" organizer=organizer.slug giftcard=gc.id %}"
+                                                class="btn btn-default btn-sm" data-toggle="tooltip" title="{% trans "Details" %}">
+                                            <i class="fa fa-eye"></i>
+                                        </a>
+                                    {% endif %}
                                 </td>
                             </tr>
                         {% endfor %}

src/pretix/control/templates/pretixcontrol/organizers/customers.html

@@ -15,8 +15,10 @@
                     No customer accounts have been created yet.
                 {% endblocktrans %}
             </p>
-            <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
-               class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
+            {% if "organizer.customers:write" in request.orgapermset %}
+                <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
+                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -43,10 +45,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
-        </p>
+        {% if "organizer.customers:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.customer.create" organizer=request.organizer.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new customer" %}</a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-condensed table-hover">
                 <thead>

src/pretix/control/templates/pretixcontrol/organizers/detail.html

@@ -6,7 +6,7 @@
         {% blocktrans with name=request.organizer.name %}Organizer: {{ name }}{% endblocktrans %}
     </h1>
     {% if events|length == 0 and not filter_form.filtered %}
-        {% if "can_create_events" in request.orgapermset %}
+        {% if "organizer.events:create" in request.orgapermset %}
             <p>
                 <a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary">
                     <span class="fa fa-plus"></span>
@@ -50,7 +50,7 @@
                 </div>
             </form>
         </div>
-        {% if "can_create_events" in request.orgapermset %}
+        {% if "organizer.events:create" in request.orgapermset %}
             <p>
                 <a href="{% url "control:events.add" %}?organizer={{ request.organizer.slug }}" class="btn btn-primary">
                     <span class="fa fa-plus"></span>
@@ -125,7 +125,7 @@
                                 data-toggle="tooltip">
                             <span class="fa fa-eye"></span>
                         </a>
-                        {% if "can_create_events" in request.orgapermset %}
+                        {% if "organizer.events:create" in request.orgapermset %}
                             <a href="{% url "control:events.add" %}?clone={{ e.pk }}" class="btn btn-sm btn-default"
                                     title="{% trans "Clone event" %}" data-toggle="tooltip">
                                 <span class="fa fa-copy"></span>

src/pretix/control/templates/pretixcontrol/organizers/devices.html

@@ -51,10 +51,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.device.add" organizer=request.organizer.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Connect a device" %}</a>
-        </p>
+        {% if "organizer.devices:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.device.add" organizer=request.organizer.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Connect a device" %}</a>
+            </p>
+        {% endif %}
         <form action="{% url "control:organizer.device.bulk_edit" organizer=request.organizer.slug %}" method="post">
             {% csrf_token %}
             {% for field in filter_form %}
@@ -64,10 +66,12 @@
                 <table class="table table-condensed table-hover table-quotas">
                     <thead>
                     <tr>
-                        <th>
-                            <label aria-label="{% trans "select all rows for batch-operation" %}"
-                                   class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
-                        </th>
+                        {% if "organizer.devices:write" in request.orgapermset %}
+                            <th>
+                                <label aria-label="{% trans "select all rows for batch-operation" %}"
+                                       class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
+                            </th>
+                        {% endif %}
                         <th>{% trans "Device ID" %}
                             <a href="?{% url_replace request 'ordering' '-device_id' %}"><i
                                     class="fa fa-caret-down"></i></a>
@@ -105,12 +109,14 @@
                     <tbody>
                     {% for d in devices %}
                         <tr {% if d.revoked %}class="text-muted"{% endif %}>
-                            <td>
-                                <label aria-label="{% trans "select row for batch-operation" %}"
-                                       class="batch-select-label"><input type="checkbox" name="device"
-                                                                         class="batch-select-checkbox"
-                                                                         value="{{ d.pk }}"/></label>
-                            </td>
+                            {% if "organizer.devices:write" in request.orgapermset %}
+                                <td>
+                                    <label aria-label="{% trans "select row for batch-operation" %}"
+                                           class="batch-select-label"><input type="checkbox" name="device"
+                                                                             class="batch-select-checkbox"
+                                                                             value="{{ d.pk }}"/></label>
+                                </td>
+                            {% endif %}
                             <td>
                                 {{ d.device_id }}
                             </td>
@@ -158,15 +164,17 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip">
-                                {% if not d.initialized %}
-                                    <a href="{% url "control:organizer.device.connect" organizer=request.organizer.slug device=d.id %}"
-                                       class="btn btn-primary btn-sm"><i class="fa fa-link"></i>
-                                        {% trans "Connect" %}</a>
-                                {% endif %}
-                                {% if not d.initialized or d.api_token %}
-                                    <a href="{% url "control:organizer.device.revoke" organizer=request.organizer.slug device=d.id %}"
-                                       class="btn btn-default btn-sm">
-                                        {% trans "Revoke access" %}</a>
+                                {% if "organizer.devices:write" in request.orgapermset %}
+                                    {% if not d.initialized %}
+                                        <a href="{% url "control:organizer.device.connect" organizer=request.organizer.slug device=d.id %}"
+                                           class="btn btn-primary btn-sm"><i class="fa fa-link"></i>
+                                            {% trans "Connect" %}</a>
+                                    {% endif %}
+                                    {% if not d.initialized or d.api_token %}
+                                        <a href="{% url "control:organizer.device.revoke" organizer=request.organizer.slug device=d.id %}"
+                                           class="btn btn-default btn-sm">
+                                            {% trans "Revoke access" %}</a>
+                                    {% endif %}
                                 {% endif %}
                                 {% if d.initialized %}
                                     <a href="{% url "control:organizer.device.logs" organizer=request.organizer.slug device=d.id %}"
@@ -175,19 +183,23 @@
                                         {% trans "Logs" %}
                                     </a>
                                 {% endif %}
-                                <a href="{% url "control:organizer.device.edit" organizer=request.organizer.slug device=d.id %}"
-                                   class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                {% if "organizer.devices:write" in request.orgapermset %}
+                                    <a href="{% url "control:organizer.device.edit" organizer=request.organizer.slug device=d.id %}"
+                                       class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
                     </tbody>
                 </table>
             </div>
-            <div class="batch-select-actions">
-                <button type="submit" class="btn btn-primary btn-save" name="action" value="edit">
-                    <i class="fa fa-edit"></i>{% trans "Edit selected" %}
-                </button>
-            </div>
+            {% if "organizer.devices:write" in request.orgapermset %}
+                <div class="batch-select-actions">
+                    <button type="submit" class="btn btn-primary btn-save" name="action" value="edit">
+                        <i class="fa fa-edit"></i>{% trans "Edit selected" %}
+                    </button>
+                </div>
+            {% endif %}
         </form>
         {% include "pretixcontrol/pagination.html" %}
     {% endif %}

src/pretix/control/templates/pretixcontrol/organizers/gates.html

@@ -6,10 +6,12 @@
     <p>
         {% trans "The list below shows gates that you can use to group check-in devices." %}
     </p>
-    <a href="{% url "control:organizer.gate.add" organizer=request.organizer.slug %}" class="btn btn-default">
-        <span class="fa fa-plus"></span>
-        {% trans "Create a new gate" %}
-    </a>
+    {% if "organizer.devices:write" in request.orgapermset %}
+        <a href="{% url "control:organizer.gate.add" organizer=request.organizer.slug %}" class="btn btn-default">
+            <span class="fa fa-plus"></span>
+            {% trans "Create a new gate" %}
+        </a>
+    {% endif %}
     <table class="table table-condensed table-hover">
         <thead>
         <tr>
@@ -21,15 +23,21 @@
         {% for g in gates %}
             <tr>
                 <td><strong>
-                    <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}">
+                    {% if "organizer.devices:write" in request.orgapermset %}
+                        <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}">
+                            {{ g.name }}
+                        </a>
+                    {% else %}
                         {{ g.name }}
-                    </a>
+                    {% endif %}
                 </strong></td>
                 <td class="text-right flip">
-                    <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}"
-                            class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                    <a href="{% url "control:organizer.gate.delete" organizer=request.organizer.slug gate=g.id %}"
-                            class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                    {% if "organizer.devices:write" in request.orgapermset %}
+                        <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}"
+                                class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                        <a href="{% url "control:organizer.gate.delete" organizer=request.organizer.slug gate=g.id %}"
+                                class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                    {% endif %}
                 </td>
             </tr>
         {% endfor %}

src/pretix/control/templates/pretixcontrol/organizers/giftcard.html

@@ -10,10 +10,12 @@
         {% if card.testmode %}
             <span class="label label-warning">{% trans "TEST MODE" %}</span>
         {% endif %}
-        <a href="{% url "control:organizer.giftcard.edit" organizer=request.organizer.slug giftcard=card.id %}"
-                class="btn btn-default">
-            <i class="fa fa-edit"></i> {% trans "Edit" %}
-        </a>
+        {% if "organizer.giftcards:write" in request.orgapermset %}
+            <a href="{% url "control:organizer.giftcard.edit" organizer=request.organizer.slug giftcard=card.id %}"
+                    class="btn btn-default">
+                <i class="fa fa-edit"></i> {% trans "Edit" %}
+            </a>
+        {% endif %}
     </h1>
     <div class="row">
         <div class="col-md-10 col-xs-12">
@@ -112,22 +114,24 @@
                             </tr>
                         {% endfor %}
                         </tbody>
-                        <tfoot>
-                        <tr>
-                            <td></td>
-                            <td>
-                                <input type="text" class="form-control helper-display-block" placeholder="{% trans "Text" %}"
-                                        name="text">
-                            </td>
-                            <td class="text-right form-inline">
-                                <input type="text" class="form-control input-sm" placeholder="{% trans "Value" %}" name="value">
-                                <button type="submit" class="btn btn-primary">
-                                    <span class="fa fa-plus"></span>
-                                </button>
-                            </td>
+                        {% if "organizer.giftcards:write" in request.orgapermset %}
+                            <tfoot>
+                            <tr>
+                                <td></td>
+                                <td>
+                                    <input type="text" class="form-control helper-display-block" placeholder="{% trans "Text" %}"
+                                            name="text">
+                                </td>
+                                <td class="text-right form-inline">
+                                    <input type="text" class="form-control input-sm" placeholder="{% trans "Value" %}" name="value">
+                                    <button type="submit" class="btn btn-primary">
+                                        <span class="fa fa-plus"></span>
+                                    </button>
+                                </td>
 
-                        </tr>
-                        </tfoot>
+                            </tr>
+                            </tfoot>
+                        {% endif %}
                     </table>
                 </form>
             </div>

src/pretix/control/templates/pretixcontrol/organizers/giftcards.html

@@ -15,10 +15,11 @@
                     or you can manually issue gift cards.
                 {% endblocktrans %}
             </p>
-
-            <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
-                    class="btn btn-default btn-lg"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}
-            </a>
+            {% if "organizer.giftcards:write" in request.orgapermset %}
+                <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
+                        class="btn btn-default btn-lg"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}
+                </a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -45,10 +46,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
-                    class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}</a>
-        </p>
+        {% if "organizer.giftcards:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.giftcard.add" organizer=request.organizer.slug %}"
+                        class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Manually issue a gift card" %}</a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-condensed table-hover">
                 <thead>

src/pretix/control/templates/pretixcontrol/organizers/reusable_media.html

@@ -15,8 +15,10 @@
                     No media have been created yet.
                 {% endblocktrans %}
             </p>
-            <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
-               class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
+            {% if "organizer.reusablemedia:write" in request.orgapermset %}
+                <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
+                   class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -40,10 +42,12 @@
                 </div>
             </form>
         </div>
-        <p>
-            <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
-               class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
-        </p>
+        {% if "organizer.reusablemedia:write" in request.orgapermset %}
+            <p>
+                <a href="{% url "control:organizer.reusable_medium.create" organizer=request.organizer.slug %}"
+                   class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new medium" %}</a>
+            </p>
+        {% endif %}
         <div class="table-responsive">
             <table class="table table-condensed table-hover">
                 <thead>
@@ -77,9 +81,13 @@
                             {% if m.customer %}
                                 <span class="helper-display-block">
                                     <span class="fa fa-user fa-fw"></span>
-                                    <a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=m.customer.identifier %}">
+                                    {% if "organizer.customers:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=m.customer.identifier %}">
+                                            {{ m.customer }}
+                                        </a>
+                                    {% else %}
                                         {{ m.customer }}
-                                    </a>
+                                    {% endif %}
                                 </span>
                             {% endif %}
                             {% if m.linked_orderposition %}
@@ -92,8 +100,12 @@
                             {% if m.linked_giftcard %}
                                 <span class="helper-display-block">
                                     <span class="fa fa-credit-card fa-fw"></span>
-                                    <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=m.linked_giftcard.id %}">
-                                        {{ m.linked_giftcard.secret }}</a>
+                                    {% if "organizer.giftcards:read" in request.orgapermset %}
+                                        <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=m.linked_giftcard.id %}">
+                                            {{ m.linked_giftcard.secret }}</a>
+                                    {% else %}
+                                        {{ m.linked_giftcard.secret|slice:":3" }}…
+                                    {% endif %}
                                 </span>
                             {% endif %}
                         </td>

src/pretix/control/templates/pretixcontrol/organizers/reusable_medium.html

@@ -22,60 +22,69 @@
                     </h3>
                 </div>
                 <div class="panel-body">
-                    <form action="" method="post">
-                        {% csrf_token %}
-                        <dl class="dl-horizontal">
-                            <dt>{% trans "Media type" context "reusable_media" %}</dt>
-                            <dd>{{ medium.get_type_display }}</dd>
-                            <dt>{% trans "Identifier" context "reusable_media" %}</dt>
-                            <dd><code>{{ medium.identifier }}</code></dd>
-                            <dt>{% trans "Status" %}</dt>
-                            <dd>
-                                {% if not medium.active %}
-                                    {% trans "disabled" %}
-                                {% elif medium.is_expired %}
-                                    {% trans "expired" %}
-                                {% else %}
-                                    {% trans "active" %}
-                                {% endif %}
-                            </dd>
-                            <dt>{% trans "Connections" context "reusable_media" %}</dt>
-                            <dd>
-                                {% if medium.customer %}
-                                    <span class="helper-display-block">
-                                    <span class="fa fa-user fa-fw"></span>
+                    {% csrf_token %}
+                    <dl class="dl-horizontal">
+                        <dt>{% trans "Media type" context "reusable_media" %}</dt>
+                        <dd>{{ medium.get_type_display }}</dd>
+                        <dt>{% trans "Identifier" context "reusable_media" %}</dt>
+                        <dd><code>{{ medium.identifier }}</code></dd>
+                        <dt>{% trans "Status" %}</dt>
+                        <dd>
+                            {% if not medium.active %}
+                                {% trans "disabled" %}
+                            {% elif medium.is_expired %}
+                                {% trans "expired" %}
+                            {% else %}
+                                {% trans "active" %}
+                            {% endif %}
+                        </dd>
+                        <dt>{% trans "Connections" context "reusable_media" %}</dt>
+                        <dd>
+                            {% if medium.customer %}
+                                <span class="helper-display-block">
+                                <span class="fa fa-user fa-fw"></span>
+                                {% if "organizer.customers:read" in request.orgapermset %}
                                     <a href="{% url "control:organizer.customer" organizer=request.organizer.slug customer=medium.customer.identifier %}">
                                         {{ medium.customer }}
                                     </a>
-                                </span>
+                                {% else %}
+                                    {{ medium.customer }}
                                 {% endif %}
-                                {% if medium.linked_orderposition %}
-                                    <span class="helper-display-block">
-                                    <span class="fa fa-ticket fa-fw"></span>
-                                    <a href="{% url "control:event.order" event=medium.linked_orderposition.order.event.slug organizer=request.organizer.slug code=medium.linked_orderposition.order.code %}">
-                                        {{ medium.linked_orderposition.order.code }}</a>-{{ medium.linked_orderposition.positionid }}
-                                </span>
-                                {% endif %}
-                                {% if medium.linked_giftcard %}
-                                    <span class="helper-display-block">
-                                    <span class="fa fa-credit-card fa-fw"></span>
-                                    <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=medium.linked_giftcard.id %}">
-                                        {{ medium.linked_giftcard.secret }}</a>
-                                </span>
-                                {% endif %}
-                            </dd>
-                            {% if medium.notes %}
-                                <dt>{% trans "Notes" %}</dt>
-                                <dd>{{ medium.notes }}</dd>
+                            </span>
                             {% endif %}
-                        </dl>
-                    </form>
-                    <div class="text-right">
-                        <a href="{% url "control:organizer.reusable_medium.edit" organizer=request.organizer.slug pk=medium.pk %}"
-                           class="btn btn-default">
-                            <i class="fa fa-edit"></i> {% trans "Edit" %}
-                        </a>
-                    </div>
+                            {% if medium.linked_orderposition %}
+                                <span class="helper-display-block">
+                                <span class="fa fa-ticket fa-fw"></span>
+                                <a href="{% url "control:event.order" event=medium.linked_orderposition.order.event.slug organizer=request.organizer.slug code=medium.linked_orderposition.order.code %}">
+                                    {{ medium.linked_orderposition.order.code }}</a>-{{ medium.linked_orderposition.positionid }}
+                            </span>
+                            {% endif %}
+                            {% if medium.linked_giftcard %}
+                                <span class="helper-display-block">
+                                <span class="fa fa-credit-card fa-fw"></span>
+                                {% if "organizer.giftcards:read" in request.orgapermset %}
+                                    <a href="{% url "control:organizer.giftcard" organizer=request.organizer.slug giftcard=medium.linked_giftcard.id %}">
+                                        {{ medium.linked_giftcard.secret }}
+                                    </a>
+                                {% else %}
+                                    {{ medium.linked_giftcard.secret|slice:":3" }}…
+                                {% endif %}
+                            </span>
+                            {% endif %}
+                        </dd>
+                        {% if medium.notes %}
+                            <dt>{% trans "Notes" %}</dt>
+                            <dd>{{ medium.notes }}</dd>
+                        {% endif %}
+                    </dl>
+                    {% if "organizer.reusablemedia:write" in request.orgapermset %}
+                        <div class="text-right">
+                            <a href="{% url "control:organizer.reusable_medium.edit" organizer=request.organizer.slug pk=medium.pk %}"
+                               class="btn btn-default">
+                                <i class="fa fa-edit"></i> {% trans "Edit" %}
+                            </a>
+                        </div>
+                    {% endif %}
                 </div>
             </div>
         </div>

src/pretix/control/templates/pretixcontrol/organizers/team_edit.html

@@ -22,25 +22,16 @@
         </fieldset>
         <fieldset>
             <legend>{% trans "Organizer permissions" %}</legend>
-            {% bootstrap_field form.can_create_events layout="control" %}
-            {% bootstrap_field form.can_manage_gift_cards layout="control" %}
-            {% bootstrap_field form.can_manage_customers layout="control" %}
-            {% bootstrap_field form.can_manage_reusable_media layout="control" %}
-            {% bootstrap_field form.can_change_teams layout="control" %}
-            {% bootstrap_field form.can_change_organizer_settings layout="control" %}
+            {% bootstrap_field form.all_organizer_permissions layout="control" %}
+            {% bootstrap_field form.limit_organizer_permissions layout="control" %}
         </fieldset>
         <fieldset>
             <legend>{% trans "Event permissions" %}</legend>
 
             {% bootstrap_field form.all_events layout="control" %}
             {% bootstrap_field form.limit_events layout="control" %}
-            {% bootstrap_field form.can_change_event_settings layout="control" %}
-            {% bootstrap_field form.can_change_items layout="control" %}
-            {% bootstrap_field form.can_view_orders layout="control" %}
-            {% bootstrap_field form.can_change_orders layout="control" %}
-            {% bootstrap_field form.can_checkin_orders layout="control" %}
-            {% bootstrap_field form.can_view_vouchers layout="control" %}
-            {% bootstrap_field form.can_change_vouchers layout="control" %}
+            {% bootstrap_field form.all_event_permissions layout="control" %}
+            {% bootstrap_field form.limit_event_permissions layout="control" %}
         </fieldset>
         <div class="form-group submit-group">
             <button type="submit" class="btn btn-primary btn-save">

src/pretix/control/templates/pretixcontrol/subevents/index.html

@@ -13,12 +13,14 @@
                 {% endblocktrans %}
             </p>
 
-            <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
-                {% trans "Create a new date" context "subevent" %}</a>
-            <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
-                    class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
-                {% trans "Create many new dates" context "subevent" %}</a>
+            {% if "event.subevents:write" in request.eventpermset %}
+                <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
+                    {% trans "Create a new date" context "subevent" %}</a>
+                <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
+                        class="btn btn-primary btn-lg"><i class="fa fa-plus"></i>
+                    {% trans "Create many new dates" context "subevent" %}</a>
+            {% endif %}
         </div>
     {% else %}
         <div class="panel panel-default">
@@ -65,7 +67,7 @@
                 </div>
             </form>
         </div>
-        {% if "can_change_event_settings" in request.eventpermset %}
+        {% if "event.subevents:write" in request.eventpermset %}
             <p>
                 <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                         class="btn btn-default"><i class="fa fa-plus"></i>
@@ -84,11 +86,13 @@
                 <table class="table table-hover table-quotas">
                     <thead>
                     <tr>
-                        <th>
-                            {% if "can_change_event_settings" in request.eventpermset %}
-                                <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
-                            {% endif %}
-                        </th>
+                        {% if "event.subevents:write" in request.eventpermset %}
+                            <th>
+                                {% if "event.subevents:write" in request.eventpermset %}
+                                    <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
+                                {% endif %}
+                            </th>
+                        {% endif %}
                         <th>
                             {% trans "Name" %}
                         </th>
@@ -107,7 +111,7 @@
                         </th>
                         <th></th>
                     </tr>
-                    {% if "can_change_event_settings" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
+                    {% if "event.subevents:write" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
                         <tr class="table-select-all warning hidden">
                             <td>
                                 <input type="checkbox" name="__ALL" id="__all" data-results-total="{{ page_obj.paginator.count }}">
@@ -123,11 +127,11 @@
                     <tbody>
                     {% for s in subevents %}
                         <tr>
-                            <td>
-                                {% if "can_change_event_settings" in request.eventpermset %}
+                            {% if "event.subevents:write" in request.eventpermset %}
+                                <td>
                                     <label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label"><input type="checkbox" name="subevent" class="batch-select-checkbox" value="{{ s.pk }}"/></label>
-                                {% endif %}
-                            </td>
+                                </td>
+                            {% endif %}
                             <td>
                                 <strong><a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}">
                                     {{ s.name }}</a></strong><br>
@@ -173,35 +177,39 @@
                                 {% endif %}
                             </td>
                             <td class="text-right flip">
-                                <a href="{% url "control:event.orders" organizer=request.event.organizer.slug event=request.event.slug %}?subevent={{ s.id }}" class="btn btn-default btn-sm" title="{% trans "Show orders" %}"><i class="fa fa-shopping-cart" aria-hidden="true"></i></a>
+                                {% if "event.orders:read" in request.eventpermset %}
+                                    <a href="{% url "control:event.orders" organizer=request.event.organizer.slug event=request.event.slug %}?subevent={{ s.id }}" class="btn btn-default btn-sm" title="{% trans "Show orders" %}"><i class="fa fa-shopping-cart" aria-hidden="true"></i></a>
+                                {% endif %}
 
-                                <a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                                <div class="btn-group {% if forloop.revcounter0 < 2 %}dropup{% endif %}">
-                                    <button type="button" class="btn btn-default btn-sm dropdown-toggle"
-                                            data-toggle="dropdown">
-                                        <span class="fa fa-copy"></span>
-                                    </button>
-                                    <ul class="dropdown-menu dropdown-menu-right">
-                                        <li>
-                                            <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
-                                                {% trans "Use as a template for a new date" context "subevent" %}
-                                            </a>
-                                        </li>
-                                        <li>
-                                            <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
-                                                {% trans "Use as a template for many new dates" context "subevent" %}
-                                            </a>
-                                        </li>
-                                    </ul>
-                                </div>
-                                <a href="{% url "control:event.subevent.delete" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% if "event.subevents:write" in request.eventpermset %}
+                                    <a href="{% url "control:event.subevent" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                    <div class="btn-group {% if forloop.revcounter0 < 2 %}dropup{% endif %}">
+                                        <button type="button" class="btn btn-default btn-sm dropdown-toggle"
+                                                data-toggle="dropdown">
+                                            <span class="fa fa-copy"></span>
+                                        </button>
+                                        <ul class="dropdown-menu dropdown-menu-right">
+                                            <li>
+                                                <a href="{% url "control:event.subevents.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
+                                                    {% trans "Use as a template for a new date" context "subevent" %}
+                                                </a>
+                                            </li>
+                                            <li>
+                                                <a href="{% url "control:event.subevents.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ s.id }}">
+                                                    {% trans "Use as a template for many new dates" context "subevent" %}
+                                                </a>
+                                            </li>
+                                        </ul>
+                                    </div>
+                                    <a href="{% url "control:event.subevent.delete" organizer=request.event.organizer.slug event=request.event.slug subevent=s.id %}?returnto={{ request.GET.urlencode|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% endif %}
                             </td>
                         </tr>
                     {% endfor %}
                     </tbody>
                 </table>
             </div>
-            {% if "can_change_event_settings" in request.eventpermset %}
+            {% if "event.subevents:write" in request.eventpermset %}
                 <div class="batch-select-actions">
                     <button type="submit" class="btn btn-danger btn-save" name="action" value="delete">
                         <i class="fa fa-trash"></i>{% trans "Delete selected" %}

src/pretix/control/templates/pretixcontrol/vouchers/detail.html

@@ -120,7 +120,7 @@
                 </div>
             </div>
         </div>
-        {% if "can_change_vouchers" in request.eventpermset %}
+        {% if "event.vouchers:write" in request.eventpermset %}
             <div class="form-group submit-group">
                 <button type="submit" class="btn btn-primary btn-save">
                     {% trans "Save" %}

src/pretix/control/templates/pretixcontrol/vouchers/index.html

@@ -72,7 +72,7 @@
                 {% endif %}
             </p>
 
-            {% if "can_change_vouchers" in request.eventpermset %}
+            {% if "event.vouchers:write" in request.eventpermset %}
                 <a href="{% url "control:event.vouchers.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                         class="btn btn-primary btn-lg"><i class="fa fa-plus"></i> {% trans "Create a new voucher" %}</a>
                 <a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
@@ -83,7 +83,7 @@
         </div>
     {% else %}
         <p>
-            {% if "can_change_vouchers" in request.eventpermset %}
+            {% if "event.vouchers:write" in request.eventpermset %}
                 <a href="{% url "control:event.vouchers.add" organizer=request.event.organizer.slug event=request.event.slug %}"
                         class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new voucher" %}</a>
                 <a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}"
@@ -103,7 +103,7 @@
                 <table class="table table-hover table-quotas">
                     <thead>
                     <tr>
-                        {% if "can_change_vouchers" in request.eventpermset %}
+                        {% if "event.vouchers:write" in request.eventpermset %}
                             <th>
                                 <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label">
                                     <input type="checkbox" data-toggle-table />
@@ -148,7 +148,7 @@
                     <tbody>
                     {% for v in vouchers %}
                         <tr>
-                            {% if "can_change_vouchers" in request.eventpermset %}
+                            {% if "event.vouchers:write" in request.eventpermset %}
                                 <td>
                                     <label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label">
                                         <input type="checkbox" name="voucher" class="batch-select-checkbox" value="{{ v.pk }}"/>
@@ -192,7 +192,7 @@
                                 </td>
                             {% endif %}
                             <td class="text-right flip">
-                                {% if "can_change_vouchers" in request.eventpermset %}
+                                {% if "event.vouchers:write" in request.eventpermset %}
                                     <a href="{% url "control:event.vouchers.bulk" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ v.id }}"
                                        class="btn btn-sm btn-default" title="{% trans "Use as a template for new vouchers" %}" data-toggle="tooltip">
                                         <span class="fa fa-copy"></span>
@@ -205,7 +205,7 @@
                     </tbody>
                 </table>
             </div>
-            {% if "can_change_vouchers" in request.eventpermset %}
+            {% if "event.vouchers:write" in request.eventpermset %}
                 <div class="batch-select-actions">
                     <button type="submit" class="btn btn-danger" name="action" value="delete">
                         <i class="fa fa-trash" aria-hidden="true"></i>

src/pretix/control/templates/pretixcontrol/waitinglist/index.html

@@ -7,10 +7,12 @@
 {% block content %}
     <h1>
         {% trans "Waiting list" %}
-        <a href="{% url "control:event.settings" event=request.event.slug organizer=request.organizer.slug %}#waiting-list-open" class="btn btn-default">
-            <span class="fa fa-cog"></span>
-            {% trans "Settings" %}
-        </a>
+        {% if "event.settings.general:write" in request.eventpermset %}
+            <a href="{% url "control:event.settings" event=request.event.slug organizer=request.organizer.slug %}#waiting-list-open" class="btn btn-default">
+                <span class="fa fa-cog"></span>
+                {% trans "Settings" %}
+            </a>
+        {% endif %}
     </h1>
     {% if not request.event.settings.waiting_list_enabled %}
         <div class="alert alert-danger">
@@ -27,7 +29,7 @@
         </div>
     {% endif %}
     <div class="row">
-        {% if 'can_change_orders' in request.eventpermset %}
+        {% if 'event.orders:write' in request.eventpermset %}
             <form method="post" class="col-md-6"
                     action="{% url "control:event.orders.waitinglist.auto" event=request.event.slug organizer=request.organizer.slug %}"
                     data-asynctask>
@@ -80,7 +82,7 @@
                 </div>
             </form>
         {% endif %}
-        <div class="{% if 'can_change_orders' in request.eventpermset %}col-md-6{% else %}col-md-12{% endif %}">
+        <div class="{% if 'event.orders:write' in request.eventpermset %}col-md-6{% else %}col-md-12{% endif %}">
             <div class="panel panel-default">
                 <div class="panel-heading">
                     {% trans "Sales estimate" %}
@@ -151,7 +153,7 @@
                 <thead>
                 <tr>
                     <th>
-                        {% if "can_change_orders" in request.eventpermset %}
+                        {% if "event.orders:write" in request.eventpermset %}
                             <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
                         {% endif %}
                     </th>
@@ -171,7 +173,7 @@
                     <th>{% trans "Voucher" %}</th>
                     <th></th>
                 </tr>
-                {% if "can_change_orders" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
+                {% if "event.orders:write" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
                     <tr class="table-select-all warning hidden">
                         <td>
                             <input type="checkbox" name="__ALL" id="__all" data-results-total="{{ page_obj.paginator.count }}">
@@ -188,7 +190,7 @@
                 {% for e in entries %}
                     <tr>
                         <td>
-                            {% if "can_change_orders" in request.eventpermset %}
+                            {% if "event.orders:write" in request.eventpermset %}
                                 <label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label"><input type="checkbox" name="entry" class="batch-select-checkbox" value="{{ e.pk }}"/></label>
                             {% endif %}
                         </td>
@@ -258,31 +260,33 @@
                             {% endif %}
                         </td>
                         <td class="text-right flip">
-                            {% if not e.voucher %}
-                                <button name="move_top" value="{{ e.pk }}" class="btn btn-default btn-sm"
-                                        data-toggle="tooltip" title="{% trans "Move to the top of the list" %}">
-                                    <span class="fa fa-thumbs-up"></span>
-                                </button>
-                                <button name="move_end" value="{{ e.pk }}" class="btn btn-default btn-sm"
-                                    data-toggle="tooltip" title="{% trans "Move to the end of the list" %}">
-                                    <span class="fa fa-thumbs-down"></span>
-                                </button>
-                                {% if request.event.has_subevents %}
-                                    <a href="{% url "control:event.orders.waitinglist.transfer" organizer=request.event.organizer.slug event=request.event.slug entry=e.id %}"
-                                       class="btn btn-default btn-sm" title="{% trans "Transfer to other date" context "subevent" %}"
-                                        data-toggle="tooltip">
-                                        <i class="fa fa-calendar" aria-hidden="true"></i>
-                                    </a>
+                            {% if 'event.orders:write' in request.eventpermset %}
+                                {% if not e.voucher %}
+                                    <button name="move_top" value="{{ e.pk }}" class="btn btn-default btn-sm"
+                                            data-toggle="tooltip" title="{% trans "Move to the top of the list" %}">
+                                        <span class="fa fa-thumbs-up"></span>
+                                    </button>
+                                    <button name="move_end" value="{{ e.pk }}" class="btn btn-default btn-sm"
+                                        data-toggle="tooltip" title="{% trans "Move to the end of the list" %}">
+                                        <span class="fa fa-thumbs-down"></span>
+                                    </button>
+                                    {% if request.event.has_subevents %}
+                                        <a href="{% url "control:event.orders.waitinglist.transfer" organizer=request.event.organizer.slug event=request.event.slug entry=e.id %}"
+                                           class="btn btn-default btn-sm" title="{% trans "Transfer to other date" context "subevent" %}"
+                                            data-toggle="tooltip">
+                                            <i class="fa fa-calendar" aria-hidden="true"></i>
+                                        </a>
+                                    {% endif %}
+                                    <a href="{% url "control:event.orders.waitinglist.delete" organizer=request.event.organizer.slug event=request.event.slug entry=e.id %}?next={{ request.get_full_path|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% else %}
+                                    <button class="btn btn-default btn-sm disabled">
+                                        <span class="fa fa-thumbs-up"></span>
+                                    </button>
+                                    <button class="btn btn-default btn-sm disabled">
+                                        <span class="fa fa-thumbs-down"></span>
+                                    </button>
+                                    <span class="btn btn-danger btn-sm disabled"><i class="fa fa-trash"></i></span>
                                 {% endif %}
-                                <a href="{% url "control:event.orders.waitinglist.delete" organizer=request.event.organizer.slug event=request.event.slug entry=e.id %}?next={{ request.get_full_path|urlencode }}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
-                            {% else %}
-                                <button class="btn btn-default btn-sm disabled">
-                                    <span class="fa fa-thumbs-up"></span>
-                                </button>
-                                <button class="btn btn-default btn-sm disabled">
-                                    <span class="fa fa-thumbs-down"></span>
-                                </button>
-                                <span class="btn btn-danger btn-sm disabled"><i class="fa fa-trash"></i></span>
                             {% endif %}
                         </td>
                     </tr>
@@ -290,7 +294,7 @@
                 </tbody>
             </table>
         </div>
-        {% if "can_change_orders" in request.eventpermset %}
+        {% if "event.orders:write" in request.eventpermset %}
             <div class="batch-select-actions">
                 <button type="submit" class="btn btn-danger btn-save" name="action" value="delete">
                     <i class="fa fa-trash"></i>

src/pretix/control/views/checkin.py

@@ -150,7 +150,7 @@ class CheckInListShow(EventPermissionRequiredMixin, PaginationMixin, CheckInList
     model = Checkin
     context_object_name = 'entries'
     template_name = 'pretixcontrol/checkin/index.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def dispatch(self, request, *args, **kwargs):
         self.list = get_object_or_404(self.request.event.checkin_lists.all(), pk=kwargs.get("list"))
@@ -211,7 +211,7 @@ class CheckInListBulkRevertConfirmView(CheckInListQueryMixin, EventPermissionReq
 
 
 class CheckInListBulkActionView(CheckInListQueryMixin, EventPermissionRequiredMixin, AsyncPostView):
-    permission = ('can_change_orders', 'can_checkin_orders')
+    permission = ('event.orders:write', 'event.orders:checkin')
 
     def dispatch(self, request, *args, **kwargs):
         self.list = get_object_or_404(self.request.event.checkin_lists.all(), pk=kwargs.get("list"))
@@ -228,7 +228,7 @@ class CheckInListBulkActionView(CheckInListQueryMixin, EventPermissionRequiredMi
         self.list = get_object_or_404(request.event.checkin_lists.all(), pk=kwargs.get("list"))
         positions = self.get_queryset()
         if request.POST.get('revert') == 'true':
-            if not request.user.has_event_permission(request.organizer, request.event, 'can_change_orders', request=request):
+            if not request.user.has_event_permission(request.organizer, request.event, 'event.orders:write', request=request):
                 raise PermissionDenied()
             for op in positions:
                 if op.order.status == Order.STATUS_PAID or (
@@ -295,7 +295,7 @@ class CheckInListBulkActionView(CheckInListQueryMixin, EventPermissionRequiredMi
 class CheckinListList(EventPermissionRequiredMixin, PaginationMixin, ListView):
     model = CheckinList
     context_object_name = 'checkinlists'
-    permission = 'can_view_orders'
+    permission = ('event.orders:read', 'event.settings.general:write')
     template_name = 'pretixcontrol/checkin/lists.html'
     ordering = ('subevent__date_from', 'name', 'pk')
 
@@ -317,9 +317,9 @@ class CheckinListList(EventPermissionRequiredMixin, PaginationMixin, ListView):
                 cl.subevent.event = self.request.event  # re-use same event object to make sure settings are cached
         ctx['checkinlists'] = clists
 
-        ctx['can_change_organizer_settings'] = self.request.user.has_organizer_permission(
+        ctx['link_device_settings'] = self.request.user.has_organizer_permission(
             self.request.organizer,
-            'can_change_organizer_settings',
+            'organizer.devices:read',
             self.request
         )
         ctx['filter_form'] = self.filter_form
@@ -335,7 +335,7 @@ class CheckinListCreate(EventPermissionRequiredMixin, CreateView):
     model = CheckinList
     form_class = CheckinListForm
     template_name = 'pretixcontrol/checkin/list_edit.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     context_object_name = 'checkinlist'
 
     def dispatch(self, request, *args, **kwargs):
@@ -386,7 +386,7 @@ class CheckinListUpdate(EventPermissionRequiredMixin, UpdateView):
     model = CheckinList
     form_class = CheckinListForm
     template_name = 'pretixcontrol/checkin/list_edit.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     context_object_name = 'checkinlist'
 
     def dispatch(self, request, *args, **kwargs):
@@ -445,7 +445,7 @@ class CheckinListUpdate(EventPermissionRequiredMixin, UpdateView):
 class CheckinListDelete(EventPermissionRequiredMixin, CompatDeleteView):
     model = CheckinList
     template_name = 'pretixcontrol/checkin/list_delete.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     context_object_name = 'checkinlist'
 
     def get_object(self, queryset=None) -> CheckinList:
@@ -476,7 +476,7 @@ class CheckinListDelete(EventPermissionRequiredMixin, CompatDeleteView):
 class CheckinListView(EventPermissionRequiredMixin, PaginationMixin, ListView):
     model = Checkin
     context_object_name = 'checkins'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
     template_name = 'pretixcontrol/checkin/checkins.html'
     ordering = ('-datetime', '-pk')
 
@@ -505,7 +505,7 @@ class CheckinListView(EventPermissionRequiredMixin, PaginationMixin, ListView):
 
 class CheckInListSimulator(EventPermissionRequiredMixin, FormView):
     template_name = 'pretixcontrol/checkin/simulator.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
     form_class = CheckinListSimulatorForm
 
     def dispatch(self, request, *args, **kwargs):
@@ -575,9 +575,15 @@ class CheckInListSimulator(EventPermissionRequiredMixin, FormView):
 
 class CheckInResetView(CheckInListQueryMixin, EventPermissionRequiredMixin, AsyncFormView):
     form_class = CheckinResetForm
-    permission = "can_change_orders"
+    permission = "event.orders:write"
     template_name = "pretixcontrol/checkin/reset.html"
 
+    def dispatch(self, request, *args, **kwargs):
+        # Special case, we want two permissions to be set
+        if not request.user.has_event_permission(request.organizer, request.event, "event.settings.general:write", request=request):
+            raise PermissionDenied()
+        return super().dispatch(request, *args, **kwargs)
+
     def get_error_url(self, *args):
         return reverse(
             "control:event.orders.checkinlists",

src/pretix/control/views/dashboards.py

@@ -66,6 +66,7 @@ from pretix.control.signals import (
 from pretix.helpers.daterange import daterange
 
 from ...base.models.orders import CancellationRequest
+from ...base.models.organizer import TeamQuerySet
 from ...base.templatetags.money import money_filter
 from ..logdisplay import OVERVIEW_BANLIST
 
@@ -350,10 +351,10 @@ def event_index(request, organizer, event):
         except SubEvent.DoesNotExist:
             pass
 
-    can_view_orders = request.user.has_event_permission(request.organizer, request.event, 'can_view_orders',
+    can_view_orders = request.user.has_event_permission(request.organizer, request.event, 'event.orders:read',
                                                         request=request)
     can_change_event_settings = request.user.has_event_permission(request.organizer, request.event,
-                                                                  'can_change_event_settings', request=request)
+                                                                  'event.settings.general:write', request=request)
 
     widgets = []
     if can_view_orders:
@@ -425,11 +426,11 @@ def event_index_log_lazy(request, organizer, event):
                                                          'device').order_by('-datetime')
     qs = qs.exclude(action_type__in=OVERVIEW_BANLIST)
 
-    can_view_orders = request.user.has_event_permission(request.organizer, request.event, 'can_view_orders',
+    can_view_orders = request.user.has_event_permission(request.organizer, request.event, 'event.orders:read',
                                                         request=request)
     can_change_event_settings = request.user.has_event_permission(request.organizer, request.event,
-                                                                  'can_change_event_settings', request=request)
-    can_view_vouchers = request.user.has_event_permission(request.organizer, request.event, 'can_view_vouchers',
+                                                                  'event.settings.general:write', request=request)
+    can_view_vouchers = request.user.has_event_permission(request.organizer, request.event, 'event.vouchers:read',
                                                           request=request)
 
     if not can_view_orders:
@@ -441,7 +442,7 @@ def event_index_log_lazy(request, organizer, event):
             ContentType.objects.get_for_model(Voucher),
             ContentType.objects.get_for_model(Order)
         ]
-        if request.user.has_event_permission(request.organizer, request.event, 'can_change_items', request=request):
+        if request.user.has_event_permission(request.organizer, request.event, 'event.items:write', request=request):
             allowed_types += [
                 ContentType.objects.get_for_model(Item),
                 ContentType.objects.get_for_model(ItemCategory),
@@ -491,8 +492,13 @@ def widgets_for_event_qs(request, qs, user, nmax, lazy=False):
     # Get set of events where we have the permission to show the # of orders
     if not lazy:
         events_with_orders = set(qs.filter(
-            Q(organizer_id__in=user.teams.filter(all_events=True, can_view_orders=True).values_list('organizer', flat=True))
-            | Q(id__in=user.teams.filter(can_view_orders=True).values_list('limit_events__id', flat=True))
+            Q(organizer_id__in=user.teams.filter(
+                TeamQuerySet.event_permission_q("event.orders:read"),
+                all_events=True,
+            ).values_list('organizer', flat=True))
+            | Q(id__in=user.teams.filter(
+                TeamQuerySet.event_permission_q("event.orders:read"),
+            ).values_list('limit_events__id', flat=True))
         ).values_list('id', flat=True))
 
     tpl = """
@@ -635,7 +641,7 @@ def user_index(request):
 
     ctx = {
         'widgets': rearrange(widgets),
-        'can_create_event': request.user.teams.filter(can_create_events=True).exists(),
+        'can_create_event': request.user.teams.with_organizer_permission("organizer:events.create").exists(),
         'upcoming': widgets_for_event_qs(
             request,
             annotated_event_query(request, lazy=True).filter(

src/pretix/control/views/datasync.py

@@ -72,7 +72,7 @@ def on_control_order_info(sender: Event, request, order: Order, **kwargs):
 
 
 class ControlSyncJob(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, request, provider, *args, **kwargs):
         prov, meta = datasync_providers.get(active_in=self.request.event, identifier=provider)
@@ -154,7 +154,7 @@ class GlobalFailedSyncJobsView(AdministratorPermissionRequiredMixin, FailedSyncJ
 
 
 class OrganizerFailedSyncJobsView(OrganizerPermissionRequiredMixin, FailedSyncJobsView):
-    permission = "can_change_organizer_settings"
+    permission = "organizer.settings.general:write"
 
     def get_queryset(self):
         return super().get_queryset().filter(
@@ -163,7 +163,7 @@ class OrganizerFailedSyncJobsView(OrganizerPermissionRequiredMixin, FailedSyncJo
 
 
 class EventFailedSyncJobsView(EventPermissionRequiredMixin, FailedSyncJobsView):
-    permission = "can_change_event_settings"
+    permission = "event.settings.general:write"
 
     def get_queryset(self):
         return super().get_queryset().filter(

src/pretix/control/views/discounts.py

@@ -50,7 +50,7 @@ from . import CreateView, PaginationMixin, UpdateView
 class DiscountDelete(EventPermissionRequiredMixin, CompatDeleteView):
     model = Discount
     template_name = 'pretixcontrol/items/discount_delete.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'discount'
 
     def get_context_data(self, *args, **kwargs) -> dict:
@@ -96,7 +96,7 @@ class DiscountUpdate(EventPermissionRequiredMixin, UpdateView):
     model = Discount
     form_class = DiscountForm
     template_name = 'pretixcontrol/items/discount.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'discount'
 
     def get_object(self, queryset=None) -> Discount:
@@ -139,7 +139,7 @@ class DiscountCreate(EventPermissionRequiredMixin, CreateView):
     model = Discount
     form_class = DiscountForm
     template_name = 'pretixcontrol/items/discount.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'discount'
 
     def get_success_url(self) -> str:
@@ -227,7 +227,7 @@ def discount_move(request, discount, up=True):
     messages.success(request, _('The order of discounts has been updated.'))
 
 
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def discount_move_up(request, organizer, event, discount):
     discount_move(request, discount, up=True)
@@ -236,7 +236,7 @@ def discount_move_up(request, organizer, event, discount):
                     event=request.event.slug)
 
 
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def discount_move_down(request, organizer, event, discount):
     discount_move(request, discount, up=False)
@@ -246,7 +246,7 @@ def discount_move_down(request, organizer, event, discount):
 
 
 @transaction.atomic
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def reorder_discounts(request, organizer, event):
     try:

src/pretix/control/views/event.py

@@ -155,7 +155,7 @@ class MetaDataEditorMixin:
             property=p,
             disabled=(
                 p.protected and
-                not self.request.user.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings', request=self.request)
+                not self.request.user.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write', request=self.request)
             ),
             instance=val_instances.get(p.pk, self.meta_model(property=p, event=self.object)),
             data=(self.request.POST if self.request.method == "POST" else None)
@@ -187,7 +187,7 @@ class EventUpdate(DecoupleMixin, EventSettingsViewMixin, EventPermissionRequired
     model = Event
     form_class = EventUpdateForm
     template_name = 'pretixcontrol/event/settings.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     @cached_property
     def object(self) -> Event:
@@ -346,7 +346,7 @@ class EventUpdate(DecoupleMixin, EventSettingsViewMixin, EventPermissionRequired
 class EventPlugins(EventSettingsViewMixin, EventPermissionRequiredMixin, TemplateView, SingleObjectMixin):
     model = Event
     context_object_name = 'event'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     template_name = 'pretixcontrol/event/plugins.html'
 
     def get_object(self, queryset=None) -> Event:
@@ -447,7 +447,7 @@ class EventPlugins(EventSettingsViewMixin, EventPermissionRequiredMixin, Templat
                             continue
 
                         if getattr(pluginmeta, 'level', PLUGIN_LEVEL_EVENT) == PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID:
-                            if not request.user.has_organizer_permission(request.organizer, "can_change_organizer_settings", request):
+                            if not request.user.has_organizer_permission(request.organizer, "organizer.settings.general:write", request):
                                 messages.error(
                                     request,
                                     _("You do not have sufficient permission to enable plugins that need to be enabled "
@@ -502,7 +502,7 @@ class EventPlugins(EventSettingsViewMixin, EventPermissionRequiredMixin, Templat
 class PaymentProviderSettings(EventSettingsViewMixin, EventPermissionRequiredMixin, TemplateView, SingleObjectMixin):
     model = Event
     context_object_name = 'event'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.payment:write'
     template_name = 'pretixcontrol/event/payment_provider.html'
 
     def get_success_url(self) -> str:
@@ -581,7 +581,7 @@ class PaymentProviderSettings(EventSettingsViewMixin, EventPermissionRequiredMix
 
 class EventSettingsFormView(EventPermissionRequiredMixin, DecoupleMixin, FormView):
     model = Event
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     def get_context_data(self, *args, **kwargs) -> dict:
         context = super().get_context_data(*args, **kwargs)
@@ -618,10 +618,28 @@ class EventSettingsFormView(EventPermissionRequiredMixin, DecoupleMixin, FormVie
             return self.render_to_response(self.get_context_data(form=form))
 
 
-class PaymentSettings(EventSettingsViewMixin, EventSettingsFormView):
+class WritePermissionMixin:
+    def post(self, request, *args, **kwargs):
+        # Special case, we want to allow different access for read and write
+        if not request.user.has_event_permission(request.organizer, request.event, self.write_permission,
+                                                 request=request):
+            raise PermissionDenied()
+        return super().post(request, *args, **kwargs)
+
+    def get_form(self, *args, **kwargs):
+        form = super().get_form(*args, **kwargs)
+        if not self.request.user.has_event_permission(
+                self.request.organizer, self.request.event, self.write_permission, request=self.request):
+            for f in form.fields.values():
+                f.disabled = True
+        return form
+
+
+class PaymentSettings(WritePermissionMixin, EventSettingsViewMixin, EventSettingsFormView):
     template_name = 'pretixcontrol/event/payment.html'
     form_class = PaymentSettingsForm
-    permission = 'can_change_event_settings'
+    permission = ('event.settings.payment:write', 'event.settings.general:write')
+    write_permission = 'event.settings.payment:write'
 
     def get_success_url(self) -> str:
         return reverse('control:event.settings.payment', kwargs={
@@ -647,10 +665,11 @@ class PaymentSettings(EventSettingsViewMixin, EventSettingsFormView):
         return context
 
 
-class TaxSettings(EventSettingsViewMixin, EventSettingsFormView):
+class TaxSettings(WritePermissionMixin, EventSettingsViewMixin, EventSettingsFormView):
     template_name = 'pretixcontrol/event/tax.html'
     form_class = TaxSettingsForm
-    permission = 'can_change_event_settings'
+    permission = ('event.settings.tax:write', 'event.settings.general:write')
+    write_permission = 'event.settings.tax:write'
 
     def get_success_url(self) -> str:
         return reverse('control:event.settings.tax', kwargs={
@@ -666,11 +685,12 @@ class TaxSettings(EventSettingsViewMixin, EventSettingsFormView):
         return context
 
 
-class InvoiceSettings(EventSettingsViewMixin, EventSettingsFormView):
+class InvoiceSettings(WritePermissionMixin, EventSettingsViewMixin, EventSettingsFormView):
     model = Event
     form_class = InvoiceSettingsForm
     template_name = 'pretixcontrol/event/invoicing.html'
-    permission = 'can_change_event_settings'
+    permission = ('event.settings.invoicing:write', 'event.settings.general:write')
+    write_permission = 'event.settings.invoicing:write'
 
     def get_context_data(self, **kwargs):
         types = get_transmission_types()
@@ -704,7 +724,7 @@ class CancelSettings(EventSettingsViewMixin, EventSettingsFormView):
     model = Event
     form_class = CancelSettingsForm
     template_name = 'pretixcontrol/event/cancel.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     def get_success_url(self) -> str:
         return reverse('control:event.settings.cancel', kwargs={
@@ -738,7 +758,7 @@ class CancelSettings(EventSettingsViewMixin, EventSettingsFormView):
 
 
 class InvoicePreview(EventPermissionRequiredMixin, View):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.invoicing:write'
 
     def get(self, request, *args, **kwargs):
         fname, ftype, fcontent = build_preview_invoice_pdf(request.event)
@@ -753,7 +773,7 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
 
 
 class DangerZone(EventPermissionRequiredMixin, TemplateView):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     template_name = 'pretixcontrol/event/dangerzone.html'
 
 
@@ -769,7 +789,7 @@ class MailSettings(EventSettingsViewMixin, EventSettingsFormView):
     model = Event
     form_class = MailSettingsForm
     template_name = 'pretixcontrol/event/mail.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     def get_success_url(self) -> str:
         return reverse('control:event.settings.mail', kwargs={
@@ -801,7 +821,7 @@ class MailSettings(EventSettingsViewMixin, EventSettingsFormView):
 
 
 class MailSettingsSetup(EventPermissionRequiredMixin, MailSettingsSetupView):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     basetpl = 'pretixcontrol/event/base.html'
 
     def get_success_url(self) -> str:
@@ -817,7 +837,7 @@ class MailSettingsSetup(EventPermissionRequiredMixin, MailSettingsSetupView):
 
 
 class MailSettingsPreview(EventPermissionRequiredMixin, View):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     # create index-language mapping
     @cached_property
@@ -883,7 +903,7 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
 
 
 class MailSettingsRendererPreview(MailSettingsPreview):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     def post(self, request, *args, **kwargs):
         return HttpResponse(status=405)
@@ -931,7 +951,7 @@ class MailSettingsRendererPreview(MailSettingsPreview):
 
 
 class TicketSettingsPreview(EventPermissionRequiredMixin, View):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     @cached_property
     def output(self):
@@ -963,7 +983,7 @@ class TicketSettings(EventSettingsViewMixin, EventPermissionRequiredMixin, FormV
     model = Event
     form_class = TicketSettingsForm
     template_name = 'pretixcontrol/event/tickets.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     def get_context_data(self, *args, **kwargs) -> dict:
         context = super().get_context_data(*args, **kwargs)
@@ -1074,7 +1094,7 @@ class EventPermissions(EventSettingsViewMixin, EventPermissionRequiredMixin, Tem
 
 
 class EventLive(EventPermissionRequiredMixin, TemplateView):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     template_name = 'pretixcontrol/event/live.html'
 
     def get_context_data(self, **kwargs):
@@ -1141,12 +1161,12 @@ class EventLive(EventPermissionRequiredMixin, TemplateView):
 
 
 class EventTransferSession(EventPermissionRequiredMixin, TemplateView):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     template_name = 'pretixcontrol/event/transfer_session.html'
 
 
 class EventDelete(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, FormView):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     template_name = 'pretixcontrol/event/delete.html'
     form_class = EventDeleteForm
 
@@ -1214,20 +1234,20 @@ class EventLog(EventPermissionRequiredMixin, PaginationMixin, ListView):
             'user', 'content_type', 'api_token', 'oauth_application', 'device'
         ).order_by('-datetime', '-pk')
         qs = qs.exclude(action_type__in=OVERVIEW_BANLIST)
-        if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_view_orders',
+        if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'event.orders:read',
                                                       request=self.request):
             qs = qs.exclude(content_type=ContentType.objects.get_for_model(Order))
-        if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_view_vouchers',
+        if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'event.vouchers:read',
                                                       request=self.request):
             qs = qs.exclude(content_type=ContentType.objects.get_for_model(Voucher))
         if not self.request.user.has_event_permission(self.request.organizer, self.request.event,
-                                                      'can_change_event_settings', request=self.request):
+                                                      'event.settings.general:write', request=self.request):
             allowed_types = [
                 ContentType.objects.get_for_model(Voucher),
                 ContentType.objects.get_for_model(Order)
             ]
             if self.request.user.has_event_permission(self.request.organizer, self.request.event,
-                                                      'can_change_items', request=self.request):
+                                                      'event.items:write', request=self.request):
                 allowed_types += [
                     ContentType.objects.get_for_model(Item),
                     ContentType.objects.get_for_model(ItemCategory),
@@ -1264,7 +1284,7 @@ class EventLog(EventPermissionRequiredMixin, PaginationMixin, ListView):
 
 
 class EventComment(EventPermissionRequiredMixin, View):
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
 
     def post(self, *args, **kwargs):
         form = CommentForm(self.request.POST)
@@ -1293,7 +1313,7 @@ class TaxCreate(EventSettingsViewMixin, EventPermissionRequiredMixin, CreateView
     model = TaxRule
     form_class = TaxRuleForm
     template_name = 'pretixcontrol/event/tax_edit.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.tax:write'
     context_object_name = 'taxrule'
 
     def get_success_url(self) -> str:
@@ -1354,7 +1374,7 @@ class TaxUpdate(EventSettingsViewMixin, EventPermissionRequiredMixin, UpdateView
     model = TaxRule
     form_class = TaxRuleForm
     template_name = 'pretixcontrol/event/tax_edit.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.tax:write'
     context_object_name = 'rule'
 
     def get_object(self, queryset=None) -> TaxRule:
@@ -1418,7 +1438,7 @@ class TaxUpdate(EventSettingsViewMixin, EventPermissionRequiredMixin, UpdateView
 
 class TaxDefault(EventSettingsViewMixin, EventPermissionRequiredMixin, DetailView):
     model = TaxRule
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.tax:write'
 
     def get_object(self, queryset=None) -> TaxRule:
         try:
@@ -1463,7 +1483,7 @@ class TaxDefault(EventSettingsViewMixin, EventPermissionRequiredMixin, DetailVie
 class TaxDelete(EventSettingsViewMixin, EventPermissionRequiredMixin, CompatDeleteView):
     model = TaxRule
     template_name = 'pretixcontrol/event/tax_delete.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.tax:write'
     context_object_name = 'taxrule'
 
     def get_object(self, queryset=None) -> TaxRule:
@@ -1500,7 +1520,7 @@ class TaxDelete(EventSettingsViewMixin, EventPermissionRequiredMixin, CompatDele
 
 class WidgetSettings(EventSettingsViewMixin, EventPermissionRequiredMixin, FormView):
     template_name = 'pretixcontrol/event/widget.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     form_class = WidgetCodeForm
 
     def get_form_kwargs(self):
@@ -1529,7 +1549,7 @@ class WidgetSettings(EventSettingsViewMixin, EventPermissionRequiredMixin, FormV
 
 class QuickSetupView(FormView):
     template_name = 'pretixcontrol/event/quick_setup.html'
-    permission = 'can_change_event_settings'
+    permission = 'event.settings.general:write'
     form_class = QuickSetupForm
 
     def dispatch(self, request, *args, **kwargs):

src/pretix/control/views/item.py

@@ -159,7 +159,7 @@ def item_move(request, item, up=True):
     messages.success(request, _('The order of items has been updated.'))
 
 
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def item_move_up(request, organizer, event, item):
     item_move(request, item, up=True)
@@ -168,7 +168,7 @@ def item_move_up(request, organizer, event, item):
                     event=request.event.slug)
 
 
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def item_move_down(request, organizer, event, item):
     item_move(request, item, up=False)
@@ -178,7 +178,7 @@ def item_move_down(request, organizer, event, item):
 
 
 @transaction.atomic
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def reorder_items(request, organizer, event, category):
     try:
@@ -215,7 +215,7 @@ def reorder_items(request, organizer, event, category):
 class CategoryDelete(EventPermissionRequiredMixin, CompatDeleteView):
     model = ItemCategory
     template_name = 'pretixcontrol/items/category_delete.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'category'
 
     def get_object(self, queryset=None) -> ItemCategory:
@@ -249,7 +249,7 @@ class CategoryUpdate(EventPermissionRequiredMixin, UpdateView):
     model = ItemCategory
     form_class = CategoryForm
     template_name = 'pretixcontrol/items/category.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'category'
 
     def get_object(self, queryset=None) -> ItemCategory:
@@ -287,7 +287,7 @@ class CategoryCreate(EventPermissionRequiredMixin, CreateView):
     model = ItemCategory
     form_class = CategoryForm
     template_name = 'pretixcontrol/items/category.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'category'
 
     def get_success_url(self) -> str:
@@ -371,7 +371,7 @@ def category_move(request, category, up=True):
     messages.success(request, _('The order of categories has been updated.'))
 
 
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def category_move_up(request, organizer, event, category):
     category_move(request, category, up=True)
@@ -380,7 +380,7 @@ def category_move_up(request, organizer, event, category):
                     event=request.event.slug)
 
 
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def category_move_down(request, organizer, event, category):
     category_move(request, category, up=False)
@@ -390,7 +390,7 @@ def category_move_down(request, organizer, event, category):
 
 
 @transaction.atomic
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def reorder_categories(request, organizer, event):
     try:
@@ -522,7 +522,7 @@ class QuestionList(ListView):
 
 
 @transaction.atomic
-@event_permission_required("can_change_items")
+@event_permission_required("event.items:write")
 @require_http_methods(["POST"])
 def reorder_questions(request, organizer, event):
     try:
@@ -570,7 +570,7 @@ def reorder_questions(request, organizer, event):
 class QuestionDelete(EventPermissionRequiredMixin, CompatDeleteView):
     model = Question
     template_name = 'pretixcontrol/items/question_delete.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'question'
 
     def get_object(self, queryset=None) -> Question:
@@ -664,7 +664,7 @@ class QuestionMixin:
 class QuestionView(EventPermissionRequiredMixin, ChartContainingView, DetailView):
     model = Question
     template_name = 'pretixcontrol/items/question.html'
-    permission = 'can_change_items'
+    permission = None
     template_name_field = 'question'
 
     @cached_property
@@ -753,7 +753,7 @@ class QuestionUpdate(EventPermissionRequiredMixin, QuestionMixin, UpdateView):
     model = Question
     form_class = QuestionForm
     template_name = 'pretixcontrol/items/question_edit.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'question'
 
     def get_object(self, queryset=None) -> Question:
@@ -794,7 +794,7 @@ class QuestionCreate(EventPermissionRequiredMixin, QuestionMixin, CreateView):
     model = Question
     form_class = QuestionForm
     template_name = 'pretixcontrol/items/question_edit.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'question'
 
     def get_form_kwargs(self):
@@ -888,7 +888,7 @@ class QuotaCreate(EventPermissionRequiredMixin, CreateView):
     model = Quota
     form_class = QuotaForm
     template_name = 'pretixcontrol/items/quota_edit.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'quota'
 
     def get_success_url(self) -> str:
@@ -1055,7 +1055,7 @@ class QuotaView(ChartContainingView, DetailView):
             raise Http404(_("The requested quota does not exist."))
 
     def post(self, request, *args, **kwargs):
-        if not request.user.has_event_permission(request.organizer, request.event, 'can_change_items', request):
+        if not request.user.has_event_permission(request.organizer, request.event, 'event.items:write', request):
             raise PermissionDenied()
         quota = self.get_object()
         if 'reopen' in request.POST:
@@ -1085,7 +1085,7 @@ class QuotaUpdate(EventPermissionRequiredMixin, UpdateView):
     model = Quota
     form_class = QuotaForm
     template_name = 'pretixcontrol/items/quota_edit.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'quota'
 
     def get_context_data(self, *args, **kwargs):
@@ -1143,7 +1143,7 @@ class QuotaUpdate(EventPermissionRequiredMixin, UpdateView):
 class QuotaDelete(EventPermissionRequiredMixin, CompatDeleteView):
     model = Quota
     template_name = 'pretixcontrol/items/quota_delete.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'quota'
 
     def get_object(self, queryset=None) -> Quota:
@@ -1246,7 +1246,7 @@ class MetaDataEditorMixin:
 class ItemCreate(EventPermissionRequiredMixin, MetaDataEditorMixin, CreateView):
     form_class = ItemCreateForm
     template_name = 'pretixcontrol/item/create.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
 
     def get_success_url(self) -> str:
         return reverse('control:event.item', kwargs={
@@ -1322,7 +1322,7 @@ class ItemCreate(EventPermissionRequiredMixin, MetaDataEditorMixin, CreateView):
 class ItemUpdateGeneral(ItemDetailMixin, EventPermissionRequiredMixin, MetaDataEditorMixin, UpdateView):
     form_class = ItemUpdateForm
     template_name = 'pretixcontrol/item/index.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
 
     @cached_property
     def plugin_forms(self):
@@ -1584,7 +1584,7 @@ class ItemUpdateGeneral(ItemDetailMixin, EventPermissionRequiredMixin, MetaDataE
 class ItemDelete(EventPermissionRequiredMixin, CompatDeleteView):
     model = Item
     template_name = 'pretixcontrol/item/delete.html'
-    permission = 'can_change_items'
+    permission = 'event.items:write'
     context_object_name = 'item'
 
     def get_context_data(self, *args, **kwargs) -> dict:

src/pretix/control/views/main.py

@@ -51,6 +51,7 @@ from i18nfield.strings import LazyI18nString
 from pretix.base.forms import SafeSessionWizardView
 from pretix.base.i18n import language
 from pretix.base.models import Event, EventMetaValue, Organizer, Quota, Team
+from pretix.base.models.organizer import TeamQuerySet
 from pretix.base.services.quotas import QuotaAvailability
 from pretix.control.forms.event import (
     EventWizardBasicsForm, EventWizardCopyForm, EventWizardFoundationForm,
@@ -190,7 +191,9 @@ class EventWizard(SafeSessionWizardView):
                     qs = Organizer.objects.all()
                     if not self.request.user.has_active_staff_session(self.request.session.session_key):
                         qs = qs.filter(
-                            id__in=self.request.user.teams.filter(can_create_events=True).values_list('organizer', flat=True)
+                            id__in=self.request.user.teams.filter(
+                                TeamQuerySet.organizer_permission_q("organizer.events:create"),
+                            ).values_list('organizer', flat=True)
                         )
                     organizer = qs.get(slug=self.request.GET.get('organizer'))
                     initial['organizer'] = organizer
@@ -210,9 +213,9 @@ class EventWizard(SafeSessionWizardView):
             else:
                 allow = (
                     request.user.has_event_permission(clone_from.organizer, clone_from,
-                                                      'can_change_event_settings', request)
+                                                      'event.settings.general:write', request)
                     and request.user.has_event_permission(clone_from.organizer, clone_from,
-                                                          'can_change_items', request)
+                                                          'event.items:write', request)
                 )
             if not allow:
                 messages.error(self.request, _('You do not have permission to clone this event.'))
@@ -222,7 +225,7 @@ class EventWizard(SafeSessionWizardView):
 
     def get_context_data(self, form, **kwargs):
         ctx = super().get_context_data(form, **kwargs)
-        ctx['has_organizer'] = self.request.user.teams.filter(can_create_events=True).exists()
+        ctx['has_organizer'] = self.request.user.teams.filter(TeamQuerySet.organizer_permission_q("organizer.events:create")).exists()
         if self.steps.current == 'basics':
             ctx['organizer'] = self.get_cleaned_data_for_step('foundation').get('organizer')
         return ctx
@@ -284,21 +287,16 @@ class EventWizard(SafeSessionWizardView):
                         name=_('Team {event}').format(
                             event=str(event.name)[:100] + "…" if len(str(event.name)) > 100 else str(event.name)
                         ),
-                        can_change_event_settings=True, can_change_items=True,
-                        can_view_orders=True, can_change_orders=True, can_view_vouchers=True,
-                        can_change_vouchers=True
+                        all_organizer_permissions=False,
+                        all_event_permissions=True,
                     )
                     t.members.add(self.request.user)
                     t.limit_events.add(event)
                     t.log_action('pretix.team.created', user=self.request.user, data={
                         '_created_by_event_wizard': True,
                         'name': t.name,
-                        'can_change_event_settings': True,
-                        'can_change_items': True,
-                        'can_view_orders': True,
-                        'can_change_orders': True,
-                        'can_view_vouchers': True,
-                        'can_change_vouchers': True,
+                        'all_organizer_permissions': False,
+                        'all_event_permissions': True,
                         'limit_events': [event.pk],
                     })
 

src/pretix/control/views/modelimport.py

@@ -214,7 +214,7 @@ class BaseProcessView(AsyncAction, FormView):
 
 class OrderImportView(EventPermissionRequiredMixin, BaseImportView):
     template_name = 'pretixcontrol/orders/import_start.html'
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def get_process_url(self, request, cf, charset):
         return reverse('control:event.orders.import.process', kwargs={
@@ -225,7 +225,7 @@ class OrderImportView(EventPermissionRequiredMixin, BaseImportView):
 
 
 class OrderProcessView(EventPermissionRequiredMixin, BaseProcessView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     template_name = 'pretixcontrol/orders/import_process.html'
     form_class = OrdersProcessForm
     task = import_orders
@@ -257,7 +257,7 @@ class OrderProcessView(EventPermissionRequiredMixin, BaseProcessView):
 
 class VoucherImportView(EventPermissionRequiredMixin, BaseImportView):
     template_name = 'pretixcontrol/vouchers/import_start.html'
-    permission = 'can_change_vouchers'
+    permission = 'event.vouchers:write'
 
     def get_process_url(self, request, cf, charset):
         return reverse('control:event.vouchers.import.process', kwargs={
@@ -268,7 +268,7 @@ class VoucherImportView(EventPermissionRequiredMixin, BaseImportView):
 
 
 class VoucherProcessView(EventPermissionRequiredMixin, BaseProcessView):
-    permission = 'can_change_vouchers'
+    permission = 'event.vouchers:write'
     template_name = 'pretixcontrol/vouchers/import_process.html'
     form_class = VouchersProcessForm
     task = import_vouchers

src/pretix/control/views/orders.py

@@ -170,7 +170,7 @@ class OrderSearchMixin:
 
 class OrderSearch(OrderSearchMixin, EventPermissionRequiredMixin, TemplateView):
     template_name = 'pretixcontrol/orders/search.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data(**kwargs)
@@ -200,7 +200,7 @@ class OrderSearch(OrderSearchMixin, EventPermissionRequiredMixin, TemplateView):
 
 class BaseOrderBulkActionView(OrderSearchMixin, EventPermissionRequiredMixin, AsyncFormView):
     template_name = 'pretixcontrol/orders/bulk_action.html'
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     form_class = forms.Form
 
     def get_queryset(self):
@@ -403,7 +403,7 @@ class OrderList(OrderSearchMixin, EventPermissionRequiredMixin, PaginationMixin,
     model = Order
     context_object_name = 'orders'
     template_name = 'pretixcontrol/orders/index.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         qs = Order.objects.filter(
@@ -526,7 +526,7 @@ class OrderView(EventPermissionRequiredMixin, DetailView):
 
 class OrderDetail(OrderView):
     template_name = 'pretixcontrol/order/index.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data(**kwargs)
@@ -626,7 +626,7 @@ class OrderDetail(OrderView):
 
 class OrderTransactions(OrderView):
     template_name = 'pretixcontrol/order/transactions.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data(**kwargs)
@@ -645,7 +645,7 @@ class OrderTransactions(OrderView):
 
 class OrderDownload(AsyncAction, OrderView):
     task = generate
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_success_url(self, value):
         return self.get_self_url()
@@ -744,7 +744,7 @@ class OrderDownload(AsyncAction, OrderView):
 
 
 class OrderComment(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         form = CommentForm(self.request.POST)
@@ -784,7 +784,7 @@ class OrderComment(OrderView):
 
 
 class OrderApprove(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         if self.order.require_approval:
@@ -803,7 +803,7 @@ class OrderApprove(OrderView):
 
 
 class OrderDelete(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         if self.order.testmode:
@@ -833,7 +833,7 @@ class OrderDelete(OrderView):
 
 
 class OrderDeny(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, request, *args, **kwargs):
         if self.order.require_approval:
@@ -859,7 +859,7 @@ class OrderDeny(OrderView):
 
 
 class OrderPaymentCancel(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def payment(self):
@@ -898,7 +898,7 @@ class OrderPaymentCancel(OrderView):
 
 
 class OrderRefundCancel(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def refund(self):
@@ -928,7 +928,7 @@ class OrderRefundCancel(OrderView):
 
 
 class OrderRefundProcess(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def refund(self):
@@ -967,7 +967,7 @@ class OrderRefundProcess(OrderView):
 
 
 class OrderRefundDone(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def refund(self):
@@ -990,7 +990,7 @@ class OrderRefundDone(OrderView):
 
 
 class OrderCancellationRequestDelete(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def req(self):
@@ -1024,7 +1024,7 @@ class OrderCancellationRequestDelete(OrderView):
 
 
 class OrderPaymentConfirm(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def payment(self):
@@ -1082,7 +1082,7 @@ class OrderPaymentConfirm(OrderView):
 
 
 class OrderRefundView(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def start_form(self):
@@ -1427,7 +1427,7 @@ class OrderRefundView(OrderView):
 
 
 class OrderTransition(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def req(self):
@@ -1595,7 +1595,7 @@ class OrderTransition(OrderView):
 
 
 class OrderInvoiceCreate(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         with transaction.atomic():
@@ -1621,7 +1621,7 @@ class OrderInvoiceCreate(OrderView):
 
 
 class OrderCheckVATID(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         try:
@@ -1661,7 +1661,7 @@ class OrderCheckVATID(OrderView):
 
 
 class OrderInvoiceRegenerate(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         try:
@@ -1694,7 +1694,7 @@ class OrderInvoiceRegenerate(OrderView):
 
 
 class OrderInvoiceRetransmit(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         with transaction.atomic(durable=True):
@@ -1725,7 +1725,7 @@ class OrderInvoiceRetransmit(OrderView):
 
 
 class OrderInvoiceReissue(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         with transaction.atomic():
@@ -1775,7 +1775,7 @@ class OrderInvoiceInspect(AdministratorPermissionRequiredMixin, OrderView):
 
 
 class OrderResendLink(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         try:
@@ -1796,7 +1796,7 @@ class OrderResendLink(OrderView):
 
 
 class InvoiceDownload(EventPermissionRequiredMixin, View):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_order_url(self):
         return reverse('control:event.order', kwargs={
@@ -1840,7 +1840,7 @@ class InvoiceDownload(EventPermissionRequiredMixin, View):
 
 
 class OrderExtend(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     def post(self, *args, **kwargs):
         if self.form.is_valid():
@@ -1888,7 +1888,7 @@ class OrderExtend(OrderView):
 
 
 class OrderReactivate(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
 
     @cached_property
     def reactivate_form(self):
@@ -1938,7 +1938,7 @@ class OrderReactivate(OrderView):
 
 
 class OrderChange(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     template_name = 'pretixcontrol/order/change.html'
 
     @cached_property
@@ -2195,7 +2195,7 @@ class OrderChange(OrderView):
 
 
 class OrderModifyInformation(OrderQuestionsViewMixin, OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     template_name = 'pretixcontrol/order/change_questions.html'
     only_user_visible = False
     all_optional = True
@@ -2248,7 +2248,7 @@ class OrderModifyInformation(OrderQuestionsViewMixin, OrderView):
 
 
 class OrderContactChange(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     template_name = 'pretixcontrol/order/change_contact.html'
 
     def get_context_data(self, **kwargs):
@@ -2263,7 +2263,7 @@ class OrderContactChange(OrderView):
             data=self.request.POST if self.request.method == "POST" else None,
             customers=self.request.organizer.settings.customer_accounts and (
                 self.request.user.has_organizer_permission(
-                    self.request.organizer, 'can_manage_customers', request=self.request
+                    self.request.organizer, 'organizer.customers:write', request=self.request
                 )
             )
         )
@@ -2332,7 +2332,7 @@ class OrderContactChange(OrderView):
 
 
 class OrderLocaleChange(OrderView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     template_name = 'pretixcontrol/order/change_locale.html'
 
     def get_context_data(self, **kwargs):
@@ -2388,7 +2388,7 @@ class OrderViewMixin:
 
 class OrderSendMail(EventPermissionRequiredMixin, OrderViewMixin, FormView):
     template_name = 'pretixcontrol/order/sendmail.html'
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     form_class = OrderMailForm
 
     def get_form_kwargs(self):
@@ -2522,7 +2522,7 @@ class OrderPositionSendMail(OrderSendMail):
 
 class OrderEmailHistory(EventPermissionRequiredMixin, OrderViewMixin, ListView):
     template_name = 'pretixcontrol/order/mail_history.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
     model = LogEntry
     context_object_name = 'logs'
     paginate_by = 10
@@ -2559,7 +2559,7 @@ class OrderEmailHistory(EventPermissionRequiredMixin, OrderViewMixin, ListView):
 
 
 class AnswerDownload(EventPermissionRequiredMixin, OrderViewMixin, ListView):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get(self, request, *args, **kwargs):
         answid = kwargs.get('answer')
@@ -2583,7 +2583,7 @@ class AnswerDownload(EventPermissionRequiredMixin, OrderViewMixin, ListView):
 
 class OverView(EventPermissionRequiredMixin, TemplateView):
     template_name = 'pretixcontrol/orders/overview.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     @cached_property
     def filter_form(self):
@@ -2622,7 +2622,7 @@ class OverView(EventPermissionRequiredMixin, TemplateView):
 
 
 class OrderGo(EventPermissionRequiredMixin, View):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_order(self, code):
         try:
@@ -2707,7 +2707,7 @@ class ExportMixin:
             return ex
 
     def get_scheduled_queryset(self):
-        if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'can_change_event_settings',
+        if not self.request.user.has_event_permission(self.request.organizer, self.request.event, 'event.settings.general:write',
                                                       request=self.request):
             qs = self.request.event.scheduled_exports.filter(owner=self.request.user)
         else:
@@ -2729,7 +2729,7 @@ class ExportMixin:
 
 
 class ExportDoView(EventPermissionRequiredMixin, ExportMixin, AsyncAction, TemplateView):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
     known_errortypes = ['ExportError', 'ExportEmptyError']
     task = export
     template_name = 'pretixcontrol/orders/export_form.html'
@@ -2778,7 +2778,7 @@ class ExportDoView(EventPermissionRequiredMixin, ExportMixin, AsyncAction, Templ
 
 
 class ExportView(EventPermissionRequiredMixin, ExportMixin, ListView):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
     paginate_by = 25
     context_object_name = 'scheduled'
 
@@ -2864,7 +2864,7 @@ class ExportView(EventPermissionRequiredMixin, ExportMixin, ListView):
         return self.get_scheduled_queryset()
 
     def has_permission(self):
-        return self.request.user.has_event_permission(self.request.organizer, self.request.event, "can_view_orders")
+        return self.request.user.has_event_permission(self.request.organizer, self.request.event, "event.orders:read")
 
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data(**kwargs)
@@ -2890,7 +2890,7 @@ class ExportView(EventPermissionRequiredMixin, ExportMixin, ListView):
 
 
 class DeleteScheduledExportView(EventPermissionRequiredMixin, ExportMixin, CompatDeleteView):
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
     template_name = 'pretixcontrol/orders/export_delete.html'
     context_object_name = 'export'
 
@@ -2939,7 +2939,7 @@ class RefundList(EventPermissionRequiredMixin, PaginationMixin, ListView):
     model = OrderRefund
     context_object_name = 'refunds'
     template_name = 'pretixcontrol/orders/refunds.html'
-    permission = 'can_view_orders'
+    permission = 'event.orders:read'
 
     def get_queryset(self):
         qs = OrderRefund.objects.filter(
@@ -2964,7 +2964,7 @@ class RefundList(EventPermissionRequiredMixin, PaginationMixin, ListView):
 
 class EventCancel(EventPermissionRequiredMixin, AsyncAction, FormView):
     template_name = 'pretixcontrol/orders/cancel.html'
-    permission = 'can_change_orders'
+    permission = 'event:cancel'
     form_class = EventCancelForm
     task = cancel_event
     known_errortypes = ['OrderError']
@@ -3049,7 +3049,7 @@ class EventCancel(EventPermissionRequiredMixin, AsyncAction, FormView):
 
 class EventCancelConfirm(EventPermissionRequiredMixin, AsyncAction, FormView):
     template_name = 'pretixcontrol/orders/cancel_confirm.html'
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     form_class = EventCancelConfirmForm
     task = cancel_event
     known_errortypes = ['OrderError']

src/pretix/control/views/organizer.py

@@ -95,7 +95,9 @@ from pretix.base.models.giftcards import (
     GiftCardAcceptance, GiftCardTransaction, gen_giftcard_secret,
 )
 from pretix.base.models.orders import CancellationRequest
-from pretix.base.models.organizer import SalesChannel, TeamAPIToken
+from pretix.base.models.organizer import (
+    SalesChannel, TeamAPIToken, TeamQuerySet,
+)
 from pretix.base.payment import PaymentException
 from pretix.base.plugins import (
     PLUGIN_LEVEL_EVENT, PLUGIN_LEVEL_EVENT_ORGANIZER_HYBRID,
@@ -242,13 +244,13 @@ class OrganizerDetail(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin
 class OrganizerTeamView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
     model = Organizer
     template_name = 'pretixcontrol/organizers/teams.html'
-    permission = 'can_change_permissions'
+    permission = 'organizer.teams:write'
     context_object_name = 'organizer'
 
 
 class OrganizerSettingsFormView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, FormView):
     model = Organizer
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
@@ -279,7 +281,7 @@ class OrganizerSettingsFormView(OrganizerDetailViewMixin, OrganizerPermissionReq
 class OrganizerMailSettings(OrganizerSettingsFormView):
     form_class = MailSettingsForm
     template_name = 'pretixcontrol/organizers/mail.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
 
     def get_success_url(self):
         return reverse('control:organizer.settings.mail', kwargs={
@@ -305,7 +307,7 @@ class OrganizerMailSettings(OrganizerSettingsFormView):
 
 
 class MailSettingsSetup(OrganizerPermissionRequiredMixin, MailSettingsSetupView):
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     basetpl = 'pretixcontrol/base.html'
 
     def get_success_url(self):
@@ -320,7 +322,7 @@ class MailSettingsSetup(OrganizerPermissionRequiredMixin, MailSettingsSetupView)
 
 
 class MailSettingsPreview(OrganizerPermissionRequiredMixin, View):
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
 
     # return the origin text if key is missing in dict
     class SafeDict(dict):
@@ -452,7 +454,7 @@ class OrganizerUpdate(OrganizerPermissionRequiredMixin, UpdateView):
     model = Organizer
     form_class = OrganizerUpdateForm
     template_name = 'pretixcontrol/organizers/edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'organizer'
 
     @cached_property
@@ -580,10 +582,7 @@ class OrganizerCreate(CreateView):
         ret = super().form_valid(form)
         t = Team.objects.create(
             organizer=form.instance, name=_('Administrators'),
-            all_events=True, can_create_events=True, can_change_teams=True, can_manage_gift_cards=True,
-            can_change_organizer_settings=True, can_change_event_settings=True, can_change_items=True,
-            can_manage_customers=True, can_manage_reusable_media=True,
-            can_view_orders=True, can_change_orders=True, can_view_vouchers=True, can_change_vouchers=True
+            all_events=True, all_event_permissions=True, all_organizer_permissions=True,
         )
         t.members.add(self.request.user)
         return ret
@@ -597,7 +596,7 @@ class OrganizerCreate(CreateView):
 class OrganizerPlugins(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, TemplateView, SingleObjectMixin):
     model = Organizer
     context_object_name = 'organizer'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     template_name = 'pretixcontrol/organizers/plugins.html'
 
     def get_object(self, queryset=None) -> Organizer:
@@ -769,14 +768,14 @@ class OrganizerPlugins(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
 class OrganizerPluginEvents(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, FormView):
     model = Organizer
     context_object_name = 'organizer'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     template_name = 'pretixcontrol/organizers/plugin_events.html'
     form_class = OrganizerPluginEventsForm
 
     def get_form_kwargs(self):
         kwargs = super().get_form_kwargs()
         kwargs["events"] = self.request.user.get_events_with_permission(
-            "can_change_event_settings", request=self.request
+            "event.settings.general:write", request=self.request
         ).filter(organizer=self.request.organizer)
         kwargs["initial"] = {
             "events": self.request.organizer.events.filter(plugins__regex='(^|,)' + self.plugin.module + '(,|$)')
@@ -854,7 +853,7 @@ class OrganizerPluginEvents(OrganizerDetailViewMixin, OrganizerPermissionRequire
 class TeamListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, PaginationMixin, ListView):
     model = Team
     template_name = 'pretixcontrol/organizers/teams.html'
-    permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
     context_object_name = 'teams'
 
     def get_queryset(self):
@@ -880,7 +879,7 @@ class TeamListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, P
 class TeamCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     model = Team
     template_name = 'pretixcontrol/organizers/team_edit.html'
-    permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
     form_class = TeamForm
 
     def get_form_kwargs(self):
@@ -917,7 +916,7 @@ class TeamCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 class TeamUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     model = Team
     template_name = 'pretixcontrol/organizers/team_edit.html'
-    permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
     context_object_name = 'team'
     form_class = TeamForm
 
@@ -953,7 +952,7 @@ class TeamUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 class TeamDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     model = Team
     template_name = 'pretixcontrol/organizers/team_delete.html'
-    permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
     context_object_name = 'team'
 
     def get_object(self, queryset=None):
@@ -971,7 +970,8 @@ class TeamDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 
     def is_allowed(self) -> bool:
         return self.request.organizer.teams.exclude(pk=self.kwargs.get('team')).filter(
-            can_change_teams=True, members__isnull=False
+            TeamQuerySet.organizer_permission_q("organizer.teams:write"),
+            members__isnull=False
         ).exists() or self.request.user.has_active_staff_session(self.request.session.session_key)
 
     @transaction.atomic
@@ -1012,7 +1012,7 @@ class TeamDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 class TeamMemberView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
     template_name = 'pretixcontrol/organizers/team_members.html'
     context_object_name = 'team'
-    permission = 'can_change_teams'
+    permission = 'organizer.teams:write'
     model = Team
 
     def get_object(self, queryset=None):
@@ -1066,9 +1066,10 @@ class TeamMemberView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
                 pass
             else:
                 other_admin_teams = self.request.organizer.teams.exclude(pk=self.object.pk).filter(
-                    can_change_teams=True, members__isnull=False
+                    TeamQuerySet.organizer_permission_q("organizer.teams:write"),
+                    members__isnull=False
                 ).exists() or self.request.user.has_active_staff_session(self.request.session.session_key)
-                if not other_admin_teams and self.object.can_change_teams and self.object.members.count() == 1:
+                if not other_admin_teams and self.object.has_organizer_permission("organizer.teams:write") and self.object.members.count() == 1:
                     messages.error(self.request, _('You cannot remove the last member from this team as no one would '
                                                    'be left with the permission to change teams.'))
                     return redirect(self.get_success_url())
@@ -1232,7 +1233,7 @@ class DeviceQueryMixin:
 class DeviceListView(DeviceQueryMixin, OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = Device
     template_name = 'pretixcontrol/organizers/devices.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:read'
     context_object_name = 'devices'
     paginate_by = 100
 
@@ -1245,7 +1246,7 @@ class DeviceListView(DeviceQueryMixin, OrganizerDetailViewMixin, OrganizerPermis
 class DeviceCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     model = Device
     template_name = 'pretixcontrol/organizers/device_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     form_class = DeviceForm
 
     def get_form_kwargs(self):
@@ -1276,7 +1277,7 @@ class DeviceCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
 
 class DeviceLogView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     template_name = 'pretixcontrol/organizers/device_logs.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:read'
     model = LogEntry
     context_object_name = 'logs'
     paginate_by = 20
@@ -1304,7 +1305,7 @@ class DeviceLogView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 class DeviceUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     model = Device
     template_name = 'pretixcontrol/organizers/device_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     context_object_name = 'device'
     form_class = DeviceForm
 
@@ -1347,7 +1348,7 @@ class DeviceUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
 
 class DeviceBulkUpdateView(DeviceQueryMixin, OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, FormView):
     template_name = 'pretixcontrol/organizers/device_bulk_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     context_object_name = 'device'
     form_class = DeviceBulkEditForm
 
@@ -1461,7 +1462,7 @@ class DeviceBulkUpdateView(DeviceQueryMixin, OrganizerDetailViewMixin, Organizer
 class DeviceConnectView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
     model = Device
     template_name = 'pretixcontrol/organizers/device_connect.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     context_object_name = 'device'
 
     def get_object(self, queryset=None):
@@ -1493,7 +1494,7 @@ class DeviceConnectView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMix
 class DeviceRevokeView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
     model = Device
     template_name = 'pretixcontrol/organizers/device_revoke.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     context_object_name = 'device'
 
     def get_object(self, queryset=None):
@@ -1523,7 +1524,7 @@ class DeviceRevokeView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
 class WebHookListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = WebHook
     template_name = 'pretixcontrol/organizers/webhooks.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'webhooks'
 
     def get_queryset(self):
@@ -1533,7 +1534,7 @@ class WebHookListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin
 class WebHookCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     model = WebHook
     template_name = 'pretixcontrol/organizers/webhook_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     form_class = WebHookForm
 
     def get_form_kwargs(self):
@@ -1567,7 +1568,7 @@ class WebHookCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMix
 class WebHookUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     model = WebHook
     template_name = 'pretixcontrol/organizers/webhook_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'webhook'
     form_class = WebHookForm
 
@@ -1610,7 +1611,7 @@ class WebHookUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMix
 class WebHookLogsView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = WebHook
     template_name = 'pretixcontrol/organizers/webhook_logs.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'calls'
     paginate_by = 50
 
@@ -1652,7 +1653,7 @@ class WebHookLogsView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin
 class GiftCardAcceptanceInviteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, FormView):
     model = GiftCardAcceptance
     template_name = 'pretixcontrol/organizers/giftcard_acceptance_invite.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     form_class = GiftCardAcceptanceInviteForm
 
     def get_form_kwargs(self):
@@ -1682,7 +1683,7 @@ class GiftCardAcceptanceInviteView(OrganizerDetailViewMixin, OrganizerPermission
 class GiftCardAcceptanceListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = GiftCardAcceptance
     template_name = 'pretixcontrol/organizers/giftcard_acceptance_list.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'acceptor_acceptance'
     paginate_by = 50
 
@@ -1742,7 +1743,7 @@ class GiftCardAcceptanceListView(OrganizerDetailViewMixin, OrganizerPermissionRe
 class GiftCardListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = GiftCard
     template_name = 'pretixcontrol/organizers/giftcards.html'
-    permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
     context_object_name = 'giftcards'
     paginate_by = 50
 
@@ -1765,7 +1766,7 @@ class GiftCardListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
         ctx = super().get_context_data(**kwargs)
         ctx['filter_form'] = self.filter_form
         ctx['other_organizers'] = self.request.user.get_organizers_with_permission(
-            'can_manage_gift_cards', self.request
+            'organizer.giftcards:write', self.request
         ).exclude(pk=self.request.organizer.pk)
         return ctx
 
@@ -1776,7 +1777,7 @@ class GiftCardListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
 
 class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
     template_name = 'pretixcontrol/organizers/giftcard.html'
-    permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:read'
     context_object_name = 'card'
 
     def get_object(self, queryset=None) -> Organizer:
@@ -1787,6 +1788,8 @@ class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
 
     @transaction.atomic()
     def post(self, request, *args, **kwargs):
+        if not request.user.has_organizer_permission(request.organizer, "organizer.giftcards:write", request=request):
+            raise PermissionDenied()
         self.object = GiftCard.objects.select_for_update(of=OF_SELF).get(pk=self.get_object().pk)
         if 'revert' in request.POST:
             t = get_object_or_404(self.object.transactions.all(), pk=request.POST.get('revert'), order__isnull=False)
@@ -1866,7 +1869,7 @@ class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
 
 class GiftCardCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     template_name = 'pretixcontrol/organizers/giftcard_create.html'
-    permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:write'
     form_class = GiftCardCreateForm
     success_url = 'invalid'
 
@@ -1908,7 +1911,7 @@ class GiftCardCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
 
 class GiftCardUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     template_name = 'pretixcontrol/organizers/giftcard_edit.html'
-    permission = 'can_manage_gift_cards'
+    permission = 'organizer.giftcards:write'
     form_class = GiftCardUpdateForm
     success_url = 'invalid'
     context_object_name = 'card'
@@ -1999,7 +2002,7 @@ class ExportMixin:
 
     @cached_property
     def events(self):
-        return self.request.user.get_events_with_permission('can_view_orders', request=self.request).filter(
+        return self.request.user.get_events_with_permission('event.orders:read', request=self.request).filter(
             organizer=self.request.organizer
         )
 
@@ -2033,7 +2036,7 @@ class ExportMixin:
         return ctx
 
     def get_scheduled_queryset(self):
-        if not self.request.user.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings',
+        if not self.request.user.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write',
                                                           request=self.request):
             qs = self.request.organizer.scheduled_exports.filter(owner=self.request.user)
         else:
@@ -2267,7 +2270,7 @@ class RunScheduledExportView(OrganizerPermissionRequiredMixin, ExportMixin, View
 class GateListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = Gate
     template_name = 'pretixcontrol/organizers/gates.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:read'
     context_object_name = 'gates'
 
     def get_queryset(self):
@@ -2277,7 +2280,7 @@ class GateListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, L
 class GateCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     model = Gate
     template_name = 'pretixcontrol/organizers/gate_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     form_class = GateForm
 
     def get_form_kwargs(self):
@@ -2311,7 +2314,7 @@ class GateCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 class GateUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     model = Gate
     template_name = 'pretixcontrol/organizers/gate_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     context_object_name = 'gate'
     form_class = GateForm
 
@@ -2346,7 +2349,7 @@ class GateUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 class GateDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     model = Gate
     template_name = 'pretixcontrol/organizers/gate_delete.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.devices:write'
     context_object_name = 'gate'
 
     def get_object(self, queryset=None):
@@ -2370,7 +2373,7 @@ class GateDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
 class EventMetaPropertyListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = EventMetaProperty
     template_name = 'pretixcontrol/organizers/properties.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'properties'
 
     def get_queryset(self):
@@ -2421,7 +2424,7 @@ class EventMetaPropertyEditorMixin:
 
 class EventMetaPropertyCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, EventMetaPropertyEditorMixin, CreateView):
     model = EventMetaProperty
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
 
     def get_object(self, queryset=None):
         return EventMetaProperty()
@@ -2451,7 +2454,7 @@ class EventMetaPropertyCreateView(OrganizerDetailViewMixin, OrganizerPermissionR
 
 class EventMetaPropertyUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, EventMetaPropertyEditorMixin, UpdateView):
     model = EventMetaProperty
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'property'
 
     def get_object(self, queryset=None):
@@ -2483,7 +2486,7 @@ class EventMetaPropertyUpdateView(OrganizerDetailViewMixin, OrganizerPermissionR
 class EventMetaPropertyDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     model = EventMetaProperty
     template_name = 'pretixcontrol/organizers/property_delete.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'property'
 
     def get_object(self, queryset=None):
@@ -2527,7 +2530,7 @@ def meta_property_move(request, property, up=True):
     messages.success(request, _('The order of properties has been updated.'))
 
 
-@organizer_permission_required("can_change_organizer_settings")
+@organizer_permission_required("organizer.settings.general:write")
 @require_http_methods(["POST"])
 def meta_property_move_up(request, organizer, property):
     meta_property_move(request, property, up=True)
@@ -2535,7 +2538,7 @@ def meta_property_move_up(request, organizer, property):
                     organizer=request.organizer.slug)
 
 
-@organizer_permission_required("can_change_organizer_settings")
+@organizer_permission_required("organizer.settings.general:write")
 @require_http_methods(["POST"])
 def meta_property_move_down(request, organizer, property):
     meta_property_move(request, property, up=False)
@@ -2544,7 +2547,7 @@ def meta_property_move_down(request, organizer, property):
 
 
 @transaction.atomic
-@organizer_permission_required("can_change_organizer_settings")
+@organizer_permission_required("organizer.settings.general:write")
 @require_http_methods(["POST"])
 def reorder_meta_properties(request, organizer):
     try:
@@ -2576,7 +2579,7 @@ def reorder_meta_properties(request, organizer):
 
 class LogView(OrganizerPermissionRequiredMixin, PaginationMixin, ListView):
     template_name = 'pretixcontrol/organizers/logs.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     model = LogEntry
     context_object_name = 'logs'
 
@@ -2601,7 +2604,7 @@ class LogView(OrganizerPermissionRequiredMixin, PaginationMixin, ListView):
 class MembershipTypeListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = MembershipType
     template_name = 'pretixcontrol/organizers/membershiptypes.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'types'
 
     def get_queryset(self):
@@ -2611,7 +2614,7 @@ class MembershipTypeListView(OrganizerDetailViewMixin, OrganizerPermissionRequir
 class MembershipTypeCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     model = MembershipType
     template_name = 'pretixcontrol/organizers/membershiptype_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     form_class = MembershipTypeForm
 
     def get_object(self, queryset=None):
@@ -2645,7 +2648,7 @@ class MembershipTypeCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequ
 class MembershipTypeUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     model = MembershipType
     template_name = 'pretixcontrol/organizers/membershiptype_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'type'
     form_class = MembershipTypeForm
 
@@ -2680,7 +2683,7 @@ class MembershipTypeUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequ
 class MembershipTypeDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     model = MembershipType
     template_name = 'pretixcontrol/organizers/membershiptype_delete.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'type'
 
     def get_object(self, queryset=None):
@@ -2710,7 +2713,7 @@ class MembershipTypeDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequ
 class SSOProviderListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = CustomerSSOProvider
     template_name = 'pretixcontrol/organizers/ssoproviders.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'providers'
 
     def get_queryset(self):
@@ -2720,7 +2723,7 @@ class SSOProviderListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredM
 class SSOProviderCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     model = CustomerSSOProvider
     template_name = 'pretixcontrol/organizers/ssoprovider_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     form_class = SSOProviderForm
 
     def get_object(self, queryset=None):
@@ -2754,7 +2757,7 @@ class SSOProviderCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequire
 class SSOProviderUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     model = CustomerSSOProvider
     template_name = 'pretixcontrol/organizers/ssoprovider_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'provider'
     form_class = SSOProviderForm
 
@@ -2796,7 +2799,7 @@ class SSOProviderUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequire
 class SSOProviderDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     model = CustomerSSOProvider
     template_name = 'pretixcontrol/organizers/ssoprovider_delete.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'provider'
 
     def get_object(self, queryset=None):
@@ -2826,7 +2829,7 @@ class SSOProviderDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequire
 class SSOClientListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = CustomerSSOClient
     template_name = 'pretixcontrol/organizers/ssoclients.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'clients'
 
     def get_queryset(self):
@@ -2836,7 +2839,7 @@ class SSOClientListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMix
 class SSOClientCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     model = CustomerSSOClient
     template_name = 'pretixcontrol/organizers/ssoclient_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     form_class = SSOClientForm
 
     def get_object(self, queryset=None):
@@ -2876,7 +2879,7 @@ class SSOClientCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredM
 class SSOClientUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     model = CustomerSSOClient
     template_name = 'pretixcontrol/organizers/ssoclient_edit.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'client'
     form_class = SSOClientForm
 
@@ -2926,7 +2929,7 @@ class SSOClientUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredM
 class SSOClientDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     model = CustomerSSOClient
     template_name = 'pretixcontrol/organizers/ssoclient_delete.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'client'
 
     def get_object(self, queryset=None):
@@ -2956,7 +2959,7 @@ class SSOClientDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredM
 class CustomerListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, PaginationMixin, ListView):
     model = Customer
     template_name = 'pretixcontrol/organizers/customers.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
     context_object_name = 'customers'
 
     def get_queryset(self):
@@ -2977,7 +2980,7 @@ class CustomerListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
 
 class CustomerDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, PaginationMixin, ListView):
     template_name = 'pretixcontrol/organizers/customer.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:read'
     context_object_name = 'orders'
 
     def get_queryset(self):
@@ -3092,7 +3095,7 @@ class CustomerDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
 
 class CustomerCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     template_name = 'pretixcontrol/organizers/customer_edit.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:write'
     context_object_name = 'customer'
     form_class = CustomerCreateForm
 
@@ -3122,7 +3125,7 @@ class CustomerCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
 
 class CustomerUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     template_name = 'pretixcontrol/organizers/customer_edit.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:write'
     context_object_name = 'customer'
     form_class = CustomerUpdateForm
 
@@ -3151,7 +3154,7 @@ class CustomerUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
 
 class MembershipUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     template_name = 'pretixcontrol/organizers/customer_membership.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:write'
     context_object_name = 'membership'
     form_class = MembershipUpdateForm
 
@@ -3191,7 +3194,7 @@ class MembershipUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequired
 
 class MembershipDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     template_name = 'pretixcontrol/organizers/customer_membership_delete.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:write'
     context_object_name = 'membership'
 
     def get_object(self, queryset=None):
@@ -3229,7 +3232,7 @@ class MembershipDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequired
 
 class MembershipCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     template_name = 'pretixcontrol/organizers/customer_membership.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:write'
     context_object_name = 'membership'
     form_class = MembershipUpdateForm
 
@@ -3268,7 +3271,7 @@ class MembershipCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequired
 
 class CustomerAnonymizeView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DetailView):
     template_name = 'pretixcontrol/organizers/customer_anonymize.html'
-    permission = 'can_manage_customers'
+    permission = 'organizer.customers:write'
     context_object_name = 'customer'
 
     def get_object(self, queryset=None):
@@ -3295,7 +3298,7 @@ class CustomerAnonymizeView(OrganizerDetailViewMixin, OrganizerPermissionRequire
 class ReusableMediaListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, PaginationMixin, ListView):
     model = ReusableMedium
     template_name = 'pretixcontrol/organizers/reusable_media.html'
-    permission = 'can_manage_reusable_media'
+    permission = 'organizer.reusablemedia:read'
     context_object_name = 'media'
 
     def get_queryset(self):
@@ -3319,7 +3322,7 @@ class ReusableMediaListView(OrganizerDetailViewMixin, OrganizerPermissionRequire
 
 class ReusableMediumDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, TemplateView):
     template_name = 'pretixcontrol/organizers/reusable_medium.html'
-    permission = 'can_manage_reusable_media'
+    permission = 'organizer.reusablemedia:read'
 
     @cached_property
     def medium(self):
@@ -3336,7 +3339,7 @@ class ReusableMediumDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequ
 
 class ReusableMediumCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
     template_name = 'pretixcontrol/organizers/reusable_medium_edit.html'
-    permission = 'can_manage_reusable_media'
+    permission = 'organizer.reusablemedia:write'
     context_object_name = 'medium'
     form_class = ReusableMediumCreateForm
 
@@ -3365,7 +3368,7 @@ class ReusableMediumCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequ
 
 class ReusableMediumUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
     template_name = 'pretixcontrol/organizers/reusable_medium_edit.html'
-    permission = 'can_manage_reusable_media'
+    permission = 'organizer.reusablemedia:write'
     context_object_name = 'medium'
     form_class = ReusableMediumUpdateForm
 
@@ -3395,7 +3398,7 @@ class ReusableMediumUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequ
 class ChannelListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
     model = SalesChannel
     template_name = 'pretixcontrol/organizers/channels.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'channels'
 
     def get_queryset(self):
@@ -3414,7 +3417,7 @@ class ChannelEditorMixin:
 
 class ChannelCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ChannelEditorMixin, CreateView):
     model = SalesChannel
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     template_name = 'pretixcontrol/organizers/channel_add.html'
 
     def get_object(self, queryset=None):
@@ -3486,7 +3489,7 @@ class ChannelCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMix
 
 class ChannelUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ChannelEditorMixin, UpdateView):
     model = SalesChannel
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'channel'
     template_name = 'pretixcontrol/organizers/channel_edit.html'
 
@@ -3531,7 +3534,7 @@ class ChannelUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMix
 class ChannelDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CompatDeleteView):
     model = SalesChannel
     template_name = 'pretixcontrol/organizers/channel_delete.html'
-    permission = 'can_change_organizer_settings'
+    permission = 'organizer.settings.general:write'
     context_object_name = 'channel'
 
     def get_object(self, queryset=None):
@@ -3587,7 +3590,7 @@ def channel_move(request, channel, up=True):
     messages.success(request, _('The order of sales channels has been updated.'))
 
 
-@organizer_permission_required("can_change_organizer_settings")
+@organizer_permission_required("organizer.settings.general:write")
 @require_http_methods(["POST"])
 def channel_move_up(request, organizer, channel):
     channel_move(request, channel, up=True)
@@ -3595,7 +3598,7 @@ def channel_move_up(request, organizer, channel):
                     organizer=request.organizer.slug)
 
 
-@organizer_permission_required("can_change_organizer_settings")
+@organizer_permission_required("organizer.settings.general:write")
 @require_http_methods(["POST"])
 def channel_move_down(request, organizer, channel):
     channel_move(request, channel, up=False)
@@ -3604,7 +3607,7 @@ def channel_move_down(request, organizer, channel):
 
 
 @transaction.atomic
-@organizer_permission_required("can_change_organizer_settings")
+@organizer_permission_required("organizer.settings.general:write")
 @require_http_methods(["POST"])
 def reorder_channels(request, organizer):
     try:

src/pretix/control/views/pdf.py

@@ -58,7 +58,7 @@ logger = logging.getLogger(__name__)
 
 class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
     template_name = 'pretixcontrol/pdf/index.html'
-    permission = 'can_change_settings'
+    permission = 'event.settings.general:write'
     accepted_formats = (
         'application/pdf',
     )

src/pretix/control/views/search.py

@@ -85,7 +85,7 @@ class OrderSearch(PaginationMixin, ListView):
 
         if not self.request.user.has_active_staff_session(self.request.session.session_key):
             qs = qs.filter(
-                Q(event_id__in=self.request.user.get_events_with_permission('can_view_orders').values_list('id', flat=True))
+                Q(event_id__in=self.request.user.get_events_with_permission('event.orders:read').values_list('id', flat=True))
             )
 
         if self.filter_form.is_valid():
@@ -159,7 +159,7 @@ class PaymentSearch(PaginationMixin, ListView):
 
         if not self.request.user.has_active_staff_session(self.request.session.session_key):
             qs = qs.filter(
-                Q(order__event_id__in=self.request.user.get_events_with_permission('can_view_orders').values_list('id', flat=True))
+                Q(order__event_id__in=self.request.user.get_events_with_permission('event.orders:read').values_list('id', flat=True))
             )
 
         if self.filter_form.is_valid():

src/pretix/control/views/shredder.py

@@ -76,7 +76,7 @@ class ShredderMixin:
 
 
 class StartShredView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, TemplateView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     template_name = 'pretixcontrol/shredder/index.html'
 
     def get_context_data(self, **kwargs):
@@ -87,7 +87,7 @@ class StartShredView(RecentAuthenticationRequiredMixin, EventPermissionRequiredM
 
 
 class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, TemplateView):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     template_name = 'pretixcontrol/shredder/download.html'
 
     def get_context_data(self, **kwargs):
@@ -119,7 +119,7 @@ class ShredDownloadView(RecentAuthenticationRequiredMixin, EventPermissionRequir
 
 
 class ShredExportView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     task = export
     known_errortypes = ['ShredError']
 
@@ -148,7 +148,7 @@ class ShredExportView(RecentAuthenticationRequiredMixin, EventPermissionRequired
 
 
 class ShredDoView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):
-    permission = 'can_change_orders'
+    permission = 'event.orders:write'
     task = shred
     known_errortypes = ['ShredError']
 

src/pretix/control/views/subevents.py

@@ -117,7 +117,7 @@ class SubEventList(EventPermissionRequiredMixin, PaginationMixin, SubEventQueryM
     model = SubEvent
     context_object_name = 'subevents'
     template_name = 'pretixcontrol/subevents/index.html'
-    permission = 'can_change_settings'
+    permission = None
 
     def get_queryset(self):
         return super().get_queryset(True).prefetch_related(
@@ -156,7 +156,7 @@ class SubEventList(EventPermissionRequiredMixin, PaginationMixin, SubEventQueryM
 class SubEventDelete(EventPermissionRequiredMixin, CompatDeleteView):
     model = SubEvent
     template_name = 'pretixcontrol/subevents/delete.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
     context_object_name = 'subevents'
 
     def get_object(self, queryset=None) -> SubEvent:
@@ -241,7 +241,7 @@ class SubEventEditorMixin(MetaDataEditorMixin):
             property=p,
             disabled=(
                 p.protected and
-                not self.request.user.has_organizer_permission(self.request.organizer, 'can_change_organizer_settings', request=self.request)
+                not self.request.user.has_organizer_permission(self.request.organizer, 'organizer.settings.general:write', request=self.request)
             ),
             default=self._default_meta.get(p.name, ''),
             instance=val_instances.get(p.pk, self.meta_model(property=p, subevent=self.object)),
@@ -508,7 +508,7 @@ class SubEventEditorMixin(MetaDataEditorMixin):
 class SubEventUpdate(EventPermissionRequiredMixin, SubEventEditorMixin, UpdateView):
     model = SubEvent
     template_name = 'pretixcontrol/subevents/detail.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
     context_object_name = 'subevent'
     form_class = SubEventForm
 
@@ -575,7 +575,7 @@ class SubEventUpdate(EventPermissionRequiredMixin, SubEventEditorMixin, UpdateVi
 class SubEventCreate(SubEventEditorMixin, EventPermissionRequiredMixin, CreateView):
     model = SubEvent
     template_name = 'pretixcontrol/subevents/detail.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
     context_object_name = 'subevent'
     form_class = SubEventForm
 
@@ -669,7 +669,7 @@ class SubEventCreate(SubEventEditorMixin, EventPermissionRequiredMixin, CreateVi
 
 
 class SubEventBulkAction(SubEventQueryMixin, EventPermissionRequiredMixin, View):
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
 
     @transaction.atomic
     def post(self, request, *args, **kwargs):
@@ -740,7 +740,7 @@ class SubEventBulkAction(SubEventQueryMixin, EventPermissionRequiredMixin, View)
 class SubEventBulkCreate(SubEventEditorMixin, EventPermissionRequiredMixin, AsyncFormView):
     model = SubEvent
     template_name = 'pretixcontrol/subevents/bulk.html'
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
     context_object_name = 'subevent'
     form_class = SubEventBulkForm
     itemformclass = BulkSubEventItemForm
@@ -1065,7 +1065,7 @@ class SubEventBulkCreate(SubEventEditorMixin, EventPermissionRequiredMixin, Asyn
 
 
 class SubEventBulkEdit(SubEventQueryMixin, EventPermissionRequiredMixin, FormView):
-    permission = 'can_change_settings'
+    permission = 'event.subevents:write'
     form_class = SubEventBulkEditForm
     template_name = 'pretixcontrol/subevents/bulk_edit.html'
     context_object_name = 'subevent'
@@ -1170,7 +1170,10 @@ class SubEventBulkEdit(SubEventQueryMixin, EventPermissionRequiredMixin, FormVie
         kwargs = {}
 
         if self.sampled_quotas is not None:
-            kwargs['instance'] = self.get_queryset()[0]
+            try:
+                kwargs['instance'] = self.get_queryset()[0]
+            except IndexError:
+                raise Http404("No matching dates")
 
         formsetclass = inlineformset_factory(
             SubEvent, Quota,

src/pretix/control/views/typeahead.py

@@ -51,6 +51,7 @@ from pretix.base.models import (
     ItemVariation, ItemVariationMetaValue, Order, OrderPosition, Organizer,
     SubEventMetaValue, User, Voucher,
 )
+from pretix.base.models.organizer import TeamQuerySet
 from pretix.control.forms.event import EventWizardCopyForm
 from pretix.control.permissions import (
     event_permission_required, organizer_permission_required,
@@ -172,7 +173,7 @@ def event_list(request):
     return JsonResponse(doc)
 
 
-@organizer_permission_required(("can_manage_gift_cards", "can_manage_reusable_media"))
+@organizer_permission_required(("organizer.giftcards:read", "organizer.reusablemedia:write"))
 def giftcard_select2(request, **kwargs):
     query = request.GET.get('query', '')
     try:
@@ -180,7 +181,7 @@ def giftcard_select2(request, **kwargs):
     except ValueError:
         page = 1
 
-    if request.user.has_organizer_permission(request.organizer, 'can_manage_gift_cards', request):
+    if request.user.has_organizer_permission(request.organizer, 'organizer.giftcards:write', request):
         qs = request.organizer.issued_gift_cards.filter(
             Q(secret__icontains=query)
         ).order_by('secret')
@@ -210,7 +211,7 @@ def giftcard_select2(request, **kwargs):
     return JsonResponse(doc)
 
 
-@organizer_permission_required(("can_manage_reusable_media", "can_manage_gift_cards"))
+@organizer_permission_required(("organizer.reusablemedia:write", "organizer.giftcards:write"))
 def ticket_select2(request, **kwargs):
     query = request.GET.get('query', '')
     try:
@@ -240,8 +241,13 @@ def ticket_select2(request, **kwargs):
         qs_orders = qs_orders.filter(
             exact_match | (
                 soft_match & (
-                    Q(order__event__organizer_id__in=request.user.teams.filter(all_events=True, can_view_orders=True).values_list('organizer', flat=True))
-                    | Q(order__event_id__in=request.user.teams.filter(can_view_orders=True).values_list('limit_events__id', flat=True))
+                    Q(order__event__organizer_id__in=request.user.teams.filter(
+                        TeamQuerySet.event_permission_q("event.orders:read"),
+                        all_events=True,
+                    ).values_list('organizer', flat=True))
+                    | Q(order__event_id__in=request.user.teams.filter(
+                        TeamQuerySet.event_permission_q("event.orders:read")
+                    ).values_list('limit_events__id', flat=True))
                 )
             )
         )
@@ -270,7 +276,7 @@ def ticket_select2(request, **kwargs):
     return JsonResponse(doc)
 
 
-@organizer_permission_required("can_manage_customers")
+@organizer_permission_required("organizer.customers:write")
 def customer_select2(request, **kwargs):
     query = request.GET.get('query', '')
     try:
@@ -337,9 +343,9 @@ def nav_context_list(request):
         if not request.user.has_active_staff_session(request.session.session_key):
             qs_orders = qs_orders.filter(
                 Q(event__organizer_id__in=request.user.teams.filter(
-                    all_events=True, can_view_orders=True).values_list('organizer', flat=True))
+                    TeamQuerySet.event_permission_q("event.orders:read"), all_events=True).values_list('organizer', flat=True))
                 | Q(event_id__in=request.user.teams.filter(
-                    can_view_orders=True).values_list('limit_events__id', flat=True))
+                    TeamQuerySet.event_permission_q("event.orders:read")).values_list('limit_events__id', flat=True))
             )
 
         qs_vouchers = Voucher.objects.filter(
@@ -348,9 +354,9 @@ def nav_context_list(request):
         if not request.user.has_active_staff_session(request.session.session_key):
             qs_vouchers = qs_vouchers.filter(
                 Q(event__organizer_id__in=request.user.teams.filter(
-                    all_events=True, can_view_vouchers=True).values_list('organizer', flat=True))
+                    TeamQuerySet.event_permission_q("event.vouchers:read"), all_events=True).values_list('organizer', flat=True))
                 | Q(event_id__in=request.user.teams.filter(
-                    can_view_vouchers=True).values_list('limit_events__id', flat=True))
+                    TeamQuerySet.event_permission_q("event.vouchers:read")).values_list('limit_events__id', flat=True))
             )
     else:
         qs_vouchers = Voucher.objects.none()
@@ -813,7 +819,7 @@ def organizer_select2(request):
         qs = qs.filter(Q(name__icontains=term) | Q(slug__icontains=term))
     if not request.user.has_active_staff_session(request.session.session_key):
         if 'can_create' in request.GET:
-            qs = qs.filter(pk__in=request.user.teams.filter(can_create_events=True).values_list('organizer', flat=True))
+            qs = qs.filter(pk__in=request.user.teams.filter(TeamQuerySet.organizer_permission_q("organizer.events:create")).values_list('organizer', flat=True))
         else:
             qs = qs.filter(pk__in=request.user.teams.values_list('organizer', flat=True))
 
@@ -976,21 +982,21 @@ def item_meta_values(request, organizer, event):
     var_matches = var_matches.filter(variation__item__event__organizer_id=organizer.pk)
     all_access = (
         request.user.has_active_staff_session(request.session.session_key)
-        or request.user.teams.filter(all_events=True, organizer=organizer, can_change_items=True).exists()
+        or request.user.teams.filter(TeamQuerySet.event_permission_q("event.items:write"), all_events=True, organizer=organizer).exists()
     )
     if not all_access:
         defaults = defaults.filter(
-            event__id__in=request.user.teams.filter(can_change_items=True).values_list(
+            event__id__in=request.user.teams.filter(TeamQuerySet.event_permission_q("event.items:write")).values_list(
                 'limit_events__id', flat=True
             )
         )
         matches = matches.filter(
-            item__event__id__in=request.user.teams.filter(can_change_items=True).values_list(
+            item__event__id__in=request.user.teams.filter(TeamQuerySet.event_permission_q("event.items:write")).values_list(
                 'limit_events__id', flat=True
             )
         )
         var_matches = var_matches.filter(
-            variation__item__event__id__in=request.user.teams.filter(can_change_items=True).values_list(
+            variation__item__event__id__in=request.user.teams.filter(TeamQuerySet.event_permission_q("event.items:write")).values_list(
                 'limit_events__id', flat=True
             )
         )
@@ -1007,10 +1013,16 @@ def item_meta_values(request, organizer, event):
     })
 
 
-@organizer_permission_required(("can_view_orders", "can_change_organizer_settings"))
-# This decorator is a bit of a hack since this is not technically an organizer permission, but it does the job here --
-# anyone who can see orders for any event can see the check-in log view where this is used as a filter
 def devices_select2(request, **kwargs):
+    allowed = (
+        # This check is a bit of a hack since this is not technically an organizer permission, but it does the job here --
+        # anyone who can see orders for any event can see the check-in log view where this is used as a filter
+        request.user.has_organizer_permission(request.organizer, "organizer.devices:read", request=request) or
+        request.user.get_events_with_permission("event.orders:read").filter(organizer=request.organizer).exists()
+    )
+    if not allowed:
+        raise PermissionDenied()
+
     query = request.GET.get('query', '')
     try:
         page = int(request.GET.get('page', '1'))
@@ -1045,10 +1057,16 @@ def devices_select2(request, **kwargs):
     return JsonResponse(doc)
 
 
-@organizer_permission_required(("can_view_orders", "can_change_event_settings", "can_change_organizer_settings"))
-# This decorator is a bit of a hack since this is not technically an organizer permission, but it does the job here --
-# anyone who can see orders for any event can see the check-in log view where this is used as a filter
 def gate_select2(request, **kwargs):
+    allowed = (
+        # This check is a bit of a hack since this is not technically an organizer permission, but it does the job here --
+        # anyone who can see orders for any event can see the check-in log view where this is used as a filter
+        request.user.has_organizer_permission(request.organizer, "organizer.devices:read", request=request) or
+        request.user.get_events_with_permission("event.orders:read").filter(organizer=request.organizer).exists()
+    )
+    if not allowed:
+        raise PermissionDenied()
+
     query = request.GET.get('query', '')
     try:
         page = int(request.GET.get('page', '1'))