Apply suggestions from code review

Co-authored-by: robbi5 <maxi@richt.name>

CONTRIBUTING.md

@@ -1,11 +1,16 @@
 Contributing to pretix
 ======================
 
-Hey there and welcome to pretix!
+Welcome to pretix, we are happy that you would like to contribute.
+Before you do so, please make sure to read the following documents:
 
-* We've got a contributors guide in [our documentation](https://docs.pretix.eu/dev/development/contribution/) together with notes on the [development setup](https://docs.pretix.eu/dev/development/setup.html).
+- [Contribution workflow](https://docs.pretix.eu/dev/development/contribution/general.html)
+- [AI-assisted contribution policy](https://docs.pretix.eu/dev/development/contribution/ai.html)
+- [Coding style and quality](https://docs.pretix.eu/dev/development/contribution/style.html)
+- [Development setup](https://docs.pretix.eu/dev/development/setup.html)
+- [Code of Conduct](https://docs.pretix.eu/dev/development/contribution/codeofconduct.html)
 
-* Please note that we have a [Code of Conduct](https://docs.pretix.eu/dev/development/contribution/codeofconduct.html) in place that applies to all project contributions, including issues, pull requests, etc.
-
-* Before we can accept a PR from you we'll need you to sign [our CLA](https://pretix.eu/about/en/cla). You can find more information about the how and why in our [License FAQ](https://docs.pretix.eu/trust/licensing/faq/) and in our [license change blog post](https://pretix.eu/about/en/blog/20210412-license/).
+Before we can accept your first PR we'll need you to sign [our **Contributor License Agreement** (CLA)](https://pretix.eu/about/en/cla).
+You can find more information about the how and why in our [License FAQ](https://docs.pretix.eu/trust/licensing/faq/) and in our [license change blog post](https://pretix.eu/about/en/blog/20210412-license/).
 
+**Before contributing new functionality, always open a discussion first.**

doc/development/contribution/ai.rst

@@ -0,0 +1,24 @@
+.. _`aipolicy`:
+
+AI-assisted contribution policy
+===============================
+
+pretix is maintained by humans.
+Every discussion, issue, and pull request is read and reviewed by humans (and sometimes machines, too).
+We ask you to respect the time and effort put in by these humans by not sending low-effort, unqualified work, since it puts the burden of validation on the maintainer.
+
+Therefore, the pretix project has strict rules for AI usage:
+
+- **All AI usage in any form must be disclosed.** You must state the tool you used (e.g. Claude Code, Cursor, Amp) along with the extent that the work was AI-assisted.
+
+- **The human-in-the-loop must fully understand all code.** If you can't explain what your changes do and how they interact with the greater system without the aid of AI tools, do not contribute to this project.
+
+- **Issues and discussions can use AI assistance but must have a full human-in-the-loop.** This means that any content generated with AI must have been reviewed and edited by a human before submission. AI is very good at being overly verbose and including noise that distracts from the main point. Humans must do their research and trim this down.
+
+- **No AI-generated media is allowed (art, images, videos, audio, etc.).** Text and code are the only acceptable AI-generated content, per the other rules in this policy.
+
+- **Bad AI drivers will be excluded from the project.** People who produce bad contributions that are clearly AI (slop) will be blocked from our organization without warning.
+
+This policy was inspired by the `ghostty project`_.
+
+.. _ghostty project: https://github.com/ghostty-org/ghostty/blob/main/AI_POLICY.md

doc/development/contribution/general.rst

@@ -1,23 +1,39 @@
-General remarks
-===============
+Contribution workflow
+=====================
 
 You are interested in contributing to pretix? That is awesome!
 
 If you’re new to contributing to open source software, don’t be afraid. We’ll happily review your code and give you
-constructive and friendly feedback on your changes.
+constructive and friendly feedback on your changes. Every contribution should go through the following steps.
 
-First of all, you'll need pretix running locally on your machine. Head over to :ref:`devsetup` to learn how to do this.
+Discussion & Design
+-------------------
+
+pretix is a large and mature project with more of a decade of history and hopefully many more decades to come.
+Keeping pretix in good shape over long timeframes is first and foremost a fight against complexity.
+With every additional feature, complexity grows, and both features and complexity are hard to remove.
+
+Even if you are doing the initial work of the contribution, accepting the contribution is not free for us.
+Not only will we need to maintain the feature, but every feature adds cost to the maintenance of every other feature it interacts with, and every feature adds effort for users to understand how pretix works.
+Therefore, we must carefully select what features we add, based on how well they fit the system in general and of how much use they will be to our larger user base.
+
+We strongly ask you to **create a discussion on GitHub for every new feature idea** outlining the use case and the proposed implementation design.
+Pull requests without prior discussion will likely just be closed.
+
+For bug fixes and very minor changes, you can skip this step and open a PR right away.
+
+Development
+-----------
+
+To develop your contribution, you'll need pretix running locally on your machine. Head over to :ref:`devsetup` to learn how to do this.
 If you run into any problems on your way, please do not hesitate to ask us anytime!
 
-Please note that we bound ourselves to a :ref:`coc` that applies to all communication around the project. You can be
-assured that we will not tolerate any form of harassment.
+While developing, please have a look at our :ref:`aipolicy` and our guidelines on :ref:`codestyle`.
 
 Sending a patch
 ---------------
 
-If you improved pretix in any way, we'd be very happy if you contribute it
-back to the main code base! The easiest way to do so is to `create a pull request`_
-on our `GitHub repository`_.
+Once you have a first draft of your changes, please `create a pull request`_ on our `GitHub repository`_.
 
 We recommend that you create a feature branch for every issue you work on so the changes can
 be reviewed individually.
@@ -25,14 +41,17 @@ Please use the test suite to check whether your changes break any existing featu
 the code style checks to confirm you are consistent with pretix's coding style. You'll
 find instructions on this in the :ref:`checksandtests` section of the development setup guide.
 
-We automatically run the tests and the code style check on every pull request on Travis CI and we won’t
+We automatically run the tests and the code style check on every pull request through GitHub Actions and we won’t
 accept any pull requests without all tests passing. However, if you don't find out *why* they are not passing,
 just send the pull request and tell us – we'll be glad to help.
 
 If you add a new feature, please include appropriate documentation into your patch. If you fix a bug,
 please include a regression test, i.e. a test that fails without your changes and passes after applying your changes.
 
-Again: If you get stuck, do not hesitate to contact any of us, or Raphael personally at mail@raphaelmichel.de.
+Again: If you get stuck, do not hesitate to contact us through GitHub discussions.
+
+Please note that we bound ourselves to a :ref:`coc` that applies to all communication around the project. You can be
+assured that we will not tolerate any form of harassment.
 
 .. _create a pull request: https://help.github.com/articles/creating-a-pull-request/
 .. _GitHub repository: https://github.com/pretix/pretix

doc/development/contribution/index.rst

@@ -6,4 +6,5 @@ Contributing to pretix
 
    general
    style
+   ai
    codeofconduct

doc/development/contribution/style.rst

@@ -1,5 +1,7 @@
 .. spelling:word-list:: Rebase rebasing
 
+.. _`codestyle`:
+
 Coding style and quality
 ========================
 
@@ -28,8 +30,6 @@ Code
 Commits and Pull Requests
 -------------------------
 
-
-
 Most commits should start as pull requests, therefore this applies to the titles of pull requests as well since
 the pull request title will become the commit message on merge. We prefer merging with GitHub's "Squash and merge"
 feature if the PR contains multiple commits that do not carry value to keep. If there is value in keeping the

pyproject.toml

@@ -33,9 +33,9 @@ dependencies = [
   "bleach==6.3.*",
   "celery==5.6.*",
   "chardet==5.2.*",
-  "cryptography>=44.0.0",
+  "cryptography>=46.0.7",
   "css-inline==0.20.*",
-  "defusedcsv>=1.1.0",
+  "defusedcsv>=3.0.0",
   "dnspython==2.*",
   "Django[argon2]==5.2.*",
   "django-bootstrap3==26.1",
@@ -93,11 +93,11 @@ dependencies = [
   "redis==7.4.*",
   "reportlab==4.4.*",
   "requests==2.32.*",
-  "sentry-sdk==2.57.*",
+  "sentry-sdk==2.58.*",
   "sepaxml==2.7.*",
   "stripe==7.9.*",
   "text-unidecode==1.*",
-  "tlds>=2020041600",
+  "tlds>=2026041800",
   "tqdm==4.*",
   "ua-parser==1.0.*",
   "vobject==0.9.*",
@@ -117,7 +117,7 @@ dev = [
   "isort==8.0.*",
   "pep8-naming==0.15.*",
   "potypo",
-  "pytest-asyncio>=0.24",
+  "pytest-asyncio>=1.3.0",
   "pytest-cache",
   "pytest-cov",
   "pytest-django==4.*",

src/pretix/api/serializers/event.py

@@ -871,6 +871,7 @@ class EventSettingsSerializer(SettingsSerializer):
         'og_image',
         'name_scheme',
         'reusable_media_active',
+        'reusable_media_usage_enforced',
         'reusable_media_type_barcode',
         'reusable_media_type_barcode_identifier_length',
         'reusable_media_type_nfc_uid',
@@ -885,6 +886,7 @@ class EventSettingsSerializer(SettingsSerializer):
     readonly_fields = [
         # These are read-only since they are currently only settable on organizers, not events
         'reusable_media_active',
+        'reusable_media_usage_enforced',
         'reusable_media_type_barcode',
         'reusable_media_type_barcode_identifier_length',
         'reusable_media_type_nfc_uid',

src/pretix/api/serializers/media.py

@@ -31,7 +31,9 @@ from pretix.api.serializers.order import OrderPositionSerializer
 from pretix.api.serializers.organizer import (
     CustomerSerializer, GiftCardSerializer,
 )
-from pretix.base.models import Order, OrderPosition, ReusableMedium
+from pretix.base.models import (
+    Device, Order, OrderPosition, ReusableMedium, TeamAPIToken,
+)
 
 logger = logging.getLogger(__name__)
 
@@ -80,8 +82,7 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
             )
 
         if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
-            # No additional permission check performed, documented limitation of the permission system
-            # Would get to complex/unusable otherwise since the permission depends on the event
+            # Permission Check performed in to_representation
             self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
         else:
             self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
@@ -117,6 +118,27 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
                 )
         return data
 
+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        request = self.context.get('request')
+        # late permission evaluations for checks that depend on the actual linked events
+        expand_nested = self.context['request'].query_params.getlist('expand')
+        perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+        if 'linked_orderposition' in expand_nested:
+            if instance.linked_orderposition is not None:
+                event = instance.linked_orderposition.order.event
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['linked_orderposition'] = {'id': instance.linked_orderposition.id}
+
+        if 'linked_giftcard.owner_ticket' in expand_nested:
+            gc = instance.linked_giftcard
+            if gc is not None and gc.owner_ticket is not None:
+                event = gc.owner_ticket.order.event
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['linked_giftcard']['owner_ticket'] = {'id': instance.linked_giftcard.owner_ticket.id}
+
+        return r
+
     class Meta:
         model = ReusableMedium
         fields = (

src/pretix/api/serializers/organizer.py

@@ -286,6 +286,19 @@ class GiftCardSerializer(I18nAwareModelSerializer):
                 )
         return data
 
+    def to_representation(self, instance):
+        r = super().to_representation(instance)
+        request = self.context.get('request')
+        # late permission evaluations for checks that depend on the actual linked events
+        if 'owner_ticket' in self.context['request'].query_params.getlist('expand'):
+            owner_ticket = instance.owner_ticket
+            if owner_ticket:
+                event = owner_ticket.order.event
+                perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
+                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
+                    r['owner_ticket'] = {'id': instance.owner_ticket.id}
+        return r
+
     class Meta:
         model = GiftCard
         fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions', 'owner_ticket',
@@ -592,6 +605,7 @@ class OrganizerSettingsSerializer(SettingsSerializer):
         'cookie_consent_dialog_button_yes',
         'cookie_consent_dialog_button_no',
         'reusable_media_active',
+        'reusable_media_usage_enforced',
         'reusable_media_type_barcode',
         'reusable_media_type_barcode_identifier_length',
         'reusable_media_type_nfc_uid',

src/pretix/api/views/checkin.py

@@ -69,7 +69,8 @@ from pretix.base.models import (
 from pretix.base.models.orders import PrintLog
 from pretix.base.permissions import AnyPermissionOf
 from pretix.base.services.checkin import (
-    CheckInError, RequiredQuestionsError, SQLLogic, perform_checkin,
+    CheckInError, RequiredMediaExchangeError, RequiredQuestionsError, SQLLogic,
+    perform_checkin,
 )
 from pretix.base.signals import checkin_annulled
 from pretix.helpers import OF_SELF
@@ -454,7 +455,8 @@ def _checkin_list_position_queryset(checkinlists, ignore_status=False, ignore_pr
 
 def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force, checkin_type, ignore_unpaid, nonce,
                     untrusted_input, user, auth, expand, pdf_data, request, questions_supported, canceled_supported,
-                    source_type='barcode', legacy_url_support=False, simulate=False, gate=None, use_order_locale=False):
+                    media_exchange_supported, source_type='barcode', legacy_url_support=False, simulate=False,
+                    gate=None, use_order_locale=False):
     if not checkinlists:
         raise ValidationError('No check-in list passed.')
 
@@ -463,6 +465,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
 
     device = auth if isinstance(auth, Device) else None
     gate = gate or (auth.gate if isinstance(auth, Device) else None)
+    media = None
 
     context = {
         'request': request,
@@ -744,6 +747,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                 datetime=datetime,
                 questions_supported=questions_supported,
                 canceled_supported=canceled_supported,
+                media_exchange_supported=media_exchange_supported,
                 user=user,
                 auth=auth,
                 type=checkin_type,
@@ -752,6 +756,7 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                 from_revoked_secret=from_revoked_secret,
                 simulate=simulate,
                 gate=gate,
+                reusable_media=media,
             )
         except RequiredQuestionsError as e:
             return Response({
@@ -764,6 +769,16 @@ def _redeem_process(*, checkinlists, raw_barcode, answers_data, datetime, force,
                 ],
                 'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
             }, status=400)
+        except RequiredMediaExchangeError as e:
+            return Response({
+                'status': 'exchange',
+                'require_attention': op.require_checkin_attention,
+                'checkin_texts': op.checkin_texts,
+                'position': CheckinListOrderPositionSerializer(op, context=_make_context(context, op.order.event)).data,
+                'media_policy': e.media_policy,
+                'media_type': e.media_type,
+                'list': MiniCheckinListSerializer(list_by_event[op.order.event_id]).data,
+            }, status=400)
         except CheckInError as e:
             if not simulate:
                 op.order.log_action('pretix.event.checkin.denied', data={
@@ -913,6 +928,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
             pdf_data=self.request.query_params.get('pdf_data', 'false').lower() == 'true',
             questions_supported=self.request.data.get('questions_supported', True),
             canceled_supported=self.request.data.get('canceled_supported', False),
+            media_exchange_supported=self.request.data.get('media_exchange_supported', False),
             request=self.request,  # this is not clean, but we need it in the serializers for URL generation
             legacy_url_support=True,
         )
@@ -949,6 +965,7 @@ class CheckinRPCRedeemView(views.APIView):
             questions_supported=s.validated_data['questions_supported'],
             use_order_locale=s.validated_data['use_order_locale'],
             canceled_supported=True,
+            media_exchange_supported=s.validated_data.get('media_exchange_supported', False),
             request=self.request,  # this is not clean, but we need it in the serializers for URL generation
             legacy_url_support=False,
         )

src/pretix/api/views/order.py

@@ -381,12 +381,15 @@ class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
                 resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                 return resp
             else:
-                resp = FileResponse(ct.file.file, content_type=ct.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), order.code,
-                    provider.identifier, ct.extension
+                return FileResponse(
+                    ct.file.file,
+                    filename='{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), order.code,
+                        provider.identifier, ct.extension
+                    ),
+                    as_attachment=True,
+                    content_type=ct.type
                 )
-                return resp
 
     @action(detail=True, methods=['POST'])
     def mark_paid(self, request, **kwargs):
@@ -1303,14 +1306,17 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
             raise NotFound()
 
         ftype, ignored = mimetypes.guess_type(answer.file.name)
-        resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            os.path.basename(answer.file.name).split('.', 1)[1]
+        return FileResponse(
+            answer.file,
+            filename='{}-{}-{}-{}'.format(
+                self.request.event.slug.upper(),
+                pos.order.code,
+                pos.positionid,
+                os.path.basename(answer.file.name).split('.', 1)[1]
+            ),
+            as_attachment=True,
+            content_type=ftype or 'application/binary'
         )
-        return resp
 
     @action(detail=True, url_name="printlog", url_path="printlog", methods=["POST"])
     def printlog(self, request, **kwargs):
@@ -1365,15 +1371,18 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
             if hasattr(image_file, 'seek'):
                 image_file.seek(0)
 
-        resp = FileResponse(image_file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}.{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            key,
-            extension,
+        return FileResponse(
+            image_file,
+            filename='{}-{}-{}-{}.{}'.format(
+                self.request.event.slug.upper(),
+                pos.order.code,
+                pos.positionid,
+                key,
+                extension,
+            ),
+            as_attachment=True,
+            content_type=ftype or 'application/binary'
         )
-        return resp
 
     @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
     def download(self, request, output, **kwargs):
@@ -1399,12 +1408,15 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
                 resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                 return resp
             else:
-                resp = FileResponse(ct.file.file, content_type=ct.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), pos.order.code, pos.positionid,
-                    provider.identifier, ct.extension
+                return FileResponse(
+                    ct.file.file,
+                    filename='{}-{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), pos.order.code, pos.positionid,
+                        provider.identifier, ct.extension
+                    ),
+                    as_attachment=True,
+                    content_type=ct.type
                 )
-                return resp
 
     @action(detail=True, methods=['POST'])
     def regenerate_secrets(self, request, **kwargs):
@@ -1986,9 +1998,12 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
         if not invoice.file:
             raise RetryException()
 
-        resp = FileResponse(invoice.file.file, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
-        return resp
+        return FileResponse(
+            invoice.file.file,
+            filename='{}.pdf'.format(invoice.number),
+            as_attachment=True,
+            content_type='application/pdf'
+        )
 
     @action(detail=True, methods=['POST'])
     def transmit(self, request, **kwargs):

src/pretix/base/email.py

@@ -251,7 +251,7 @@ def create_connection(address, timeout=socket.getdefaulttimeout(),
     for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
         af, socktype, proto, canonname, sa = res
 
-        if not settings.get("MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS", False):
+        if not getattr(settings, "MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS", False):
             ip_addr = ipaddress.ip_address(sa[0])
             if ip_addr.is_multicast:
                 raise socket.error(f"Request to multicast address {sa[0]} blocked")

src/pretix/base/exporters/orderlist.py

@@ -1103,13 +1103,25 @@ class PaymentListExporter(ListExporter):
     def iterate_list(self, form_data):
         provider_names = dict(get_all_payment_providers())
 
+        i_numbers = Invoice.objects.filter(
+            order=OuterRef('order_id'),
+        ).values('order').annotate(
+            m=GroupConcat('full_invoice_no', delimiter=', ')
+        ).values(
+            'm'
+        ).order_by()
+
         payments = OrderPayment.objects.filter(
             order__event__in=self.events,
             state__in=form_data.get('payment_states', [])
+        ).annotate(
+            order_invoice_numbers=Subquery(i_numbers, output_field=CharField()),
         ).select_related('order').prefetch_related('order__event').order_by('created')
         refunds = OrderRefund.objects.filter(
             order__event__in=self.events,
             state__in=form_data.get('refund_states', [])
+        ).annotate(
+            order_invoice_numbers=Subquery(i_numbers, output_field=CharField()),
         ).select_related('order').prefetch_related('order__event').order_by('created')
 
         if form_data.get('end_date_range'):
@@ -1135,6 +1147,7 @@ class PaymentListExporter(ListExporter):
         headers = [
             _('Event slug'), _('Order'), _('Payment ID'), _('Creation date'), _('Completion date'), _('Status'),
             _('Status code'), _('Amount'), _('Payment method'), _('Comment'), _('Matching ID'), _('Payment details'),
+            _('Invoice numbers'),
         ]
         yield headers
 
@@ -1172,6 +1185,7 @@ class PaymentListExporter(ListExporter):
                 obj.comment if isinstance(obj, OrderRefund) else "",
                 matching_id,
                 payment_details,
+                obj.order_invoice_numbers,
             ]
             yield row
 

src/pretix/base/forms/questions.py

@@ -90,7 +90,7 @@ from pretix.base.settings import (
     COUNTRIES_WITH_STATE_IN_ADDRESS, COUNTRY_STATE_LABEL,
     PERSON_NAME_SALUTATIONS, PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS,
 )
-from pretix.base.templatetags.rich_text import rich_text
+from pretix.base.templatetags.rich_text import URL_RE, rich_text
 from pretix.base.timemachine import time_machine_now
 from pretix.control.forms import (
     ExtFileField, ExtValidationMixin, SizeValidationMixin, SplitDateTimeField,
@@ -227,9 +227,15 @@ class NamePartsFormField(forms.MultiValueField):
                     # bots.
                     r'^[^$€/%§{}<>~]*$',
                     message=_('Please do not use special characters in names.')
+                ),
+                RegexValidator(
+                    URL_RE,
+                    inverse_match=True,
+                    message=_('Please do not use special characters in names.')
                 )
             ]
         }
+        self.max_length = defaults['max_length']
         self.scheme_name = kwargs.pop('scheme')
         self.titles = kwargs.pop('titles')
         self.scheme = PERSON_NAME_SCHEMES.get(self.scheme_name)
@@ -287,7 +293,7 @@ class NamePartsFormField(forms.MultiValueField):
         if self.require_all_fields and not all(v for v in value):
             raise forms.ValidationError(self.error_messages['incomplete'], code='required')
 
-        if sum(len(v) for v in value.values() if v) > 250:
+        if sum(len(v) for v in value.values() if v) > (self.max_length or 250):
             raise forms.ValidationError(_('Please enter a shorter name.'), code='max_length')
 
         if value.get("salutation") == "empty":

src/pretix/base/media.py

@@ -89,7 +89,7 @@ class NfcUidMediaType(BaseMediaType):
     icon = 'pretixbase/img/media/nfc_uid.svg'
     medium_created_by_server = False
     supports_giftcard = True
-    supports_orderposition = False
+    supports_orderposition = True
 
     def handle_unknown(self, organizer, identifier, user, auth):
         from pretix.base.models import GiftCard, ReusableMedium
@@ -129,7 +129,7 @@ class NfcMf0aesMediaType(BaseMediaType):
     icon = 'pretixbase/img/media/nfc_secure.svg'
     medium_created_by_server = False
     supports_giftcard = True
-    supports_orderposition = False
+    supports_orderposition = True
 
     def handle_new(self, organizer, medium, user, auth):
         from pretix.base.models import GiftCard

src/pretix/base/models/checkin.py

@@ -351,6 +351,7 @@ class Checkin(models.Model):
     REASON_UNAPPROVED = 'unapproved'
     REASON_INVALID_TIME = 'invalid_time'
     REASON_ANNULLED = 'annulled'
+    REASON_ALREADY_EXCHANGED = 'already_exchanged'
     REASONS = (
         (REASON_CANCELED, _('Order canceled')),
         (REASON_INVALID, _('Unknown ticket')),
@@ -366,6 +367,7 @@ class Checkin(models.Model):
         (REASON_UNAPPROVED, _('Order not approved')),
         (REASON_INVALID_TIME, _('Ticket not valid at this time')),
         (REASON_ANNULLED, _('Check-in annulled')),
+        (REASON_ALREADY_EXCHANGED, _('Ticket already exchanged')),
     )
 
     successful = models.BooleanField(

src/pretix/base/services/checkin.py

@@ -867,6 +867,15 @@ class RequiredQuestionsError(Exception):
         super().__init__(msg)
 
 
+class RequiredMediaExchangeError(Exception):
+    def __init__(self, msg, code, media_policy, media_type):
+        self.msg = msg
+        self.code = code
+        self.media_policy = media_policy
+        self.media_type = media_type
+        super().__init__(msg)
+
+
 def _save_answers(op, answers, given_answers):
     def _create_answer(question, answer):
         try:
@@ -939,7 +948,7 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
                     ignore_unpaid=False, nonce=None, datetime=None, questions_supported=True,
                     user=None, auth=None, canceled_supported=False, type=Checkin.TYPE_ENTRY,
                     raw_barcode=None, raw_source_type=None, from_revoked_secret=False, simulate=False,
-                    gate=None):
+                    gate=None, media_exchange_supported=False, reusable_media=None):
     """
     Create a checkin for this particular order position and check-in list. Fails with CheckInError if the check in is
     not valid at this time.
@@ -951,6 +960,8 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
         questions are not filled out.
     :param ignore_unpaid: When set to True, this will succeed even when the order is unpaid.
     :param questions_supported: When set to False, questions are ignored
+    :param media_exchange_supported: When set to False, media exchanges are ignored and access with un-exchanged media
+        might be permitted
     :param nonce: A random nonce to prevent race conditions.
     :param datetime: The datetime of the checkin, defaults to now.
     :param simulate: If true, the check-in is not saved.
@@ -1101,6 +1112,33 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
                 require_answers
             )
 
+        required_media_policy = op.item.media_policy
+        required_media_type = op.item.media_type
+        linked_media = op.linked_media
+        require_media_exchange = required_media_policy and required_media_type and not linked_media.exists()
+        if require_media_exchange and not force and media_exchange_supported:
+            raise RequiredMediaExchangeError(
+                _('You need to exchange your ticket to complete this check-in.'),
+                'exchange',
+                required_media_policy,
+                required_media_type
+            )
+
+        require_reusable_media_usage = required_media_policy and required_media_type and op.organizer.settings.reusable_media_usage_enforced
+        if require_reusable_media_usage and not force:
+            if not reusable_media and not linked_media.exists() and media_exchange_supported:
+                raise RequiredMediaExchangeError(
+                    _('You need to exchange your ticket to complete this check-in.'),
+                    'exchange',
+                    required_media_policy,
+                    required_media_type
+                )
+            elif not reusable_media and linked_media.exists():
+                raise CheckInError(
+                    _('This ticket has already been exchanged - use the reusable medium instead.'),
+                    'already_exchanged',
+                )
+
         device = None
         if isinstance(auth, Device):
             device = auth

src/pretix/base/services/currencies.py

@@ -38,6 +38,7 @@ SOURCE_NAMES = {
     None: _('European Central Bank'),  # backwards-compatibility
     'eu:ecb:eurofxref-daily': _('European Central Bank'),
     'cz:cnb:rate-fixing-daily': _('Czech National Bank'),
+    'pl:nbp:table-a': _('National Bank of Poland'),
 }
 
 
@@ -49,6 +50,7 @@ def fetch_rates(sender, **kwargs):
     source_tasks = {
         'eu:ecb:eurofxref-daily': fetch_ecb_rates,
         'cz:cnb:rate-fixing-daily': fetch_cnb_cz_rates,
+        'pl:nbp:table-a': fetch_nbp_pl_rates,
     }
 
     for source_name, task in source_tasks.items():
@@ -144,3 +146,29 @@ def fetch_cnb_cz_rates():
                 rate=rate,
             )
         )
+
+
+@app.task()
+def fetch_nbp_pl_rates():
+    """
+    Fetches currency rates from the Polish National Bank.
+    """
+    r = requests.get("https://api.nbp.pl/api/exchangerates/tables/A/", headers={
+        "Accept": "application/json",
+    })
+    r.raise_for_status()
+    data = r.json()[0]
+
+    source_date = datetime.strptime(data["effectiveDate"], "%Y-%m-%d").date()
+
+    for r in data["rates"]:
+        rate = Decimal(r["mid"]).quantize(Decimal('0.000001'))
+        ExchangeRate.objects.update_or_create(
+            source='pl:nbp:table-a',
+            source_currency=r["code"],
+            other_currency='PLN',
+            defaults=dict(
+                source_date=source_date,
+                rate=rate,
+            )
+        )

src/pretix/base/services/invoices.py

@@ -58,6 +58,7 @@ from pretix.base.invoicing.transmission import (
 from pretix.base.models import (
     ExchangeRate, Invoice, InvoiceAddress, InvoiceLine, Order, OrderFee,
 )
+from pretix.base.models.orders import OrderPayment
 from pretix.base.models.tax import EU_CURRENCIES
 from pretix.base.services.tasks import (
     TransactionAwareProfiledEventTask, TransactionAwareTask,
@@ -102,7 +103,7 @@ def build_invoice(invoice: Invoice) -> Invoice:
         introductory = invoice.event.settings.get('invoice_introductory_text', as_type=LazyI18nString)
         additional = invoice.event.settings.get('invoice_additional_text', as_type=LazyI18nString)
         footer = invoice.event.settings.get('invoice_footer_text', as_type=LazyI18nString)
-        if lp and lp.payment_provider:
+        if lp and lp.payment_provider and lp.state not in (OrderPayment.PAYMENT_STATE_FAILED, OrderPayment.PAYMENT_STATE_CANCELED):
             if 'payment' in inspect.signature(lp.payment_provider.render_invoice_text).parameters:
                 payment = str(lp.payment_provider.render_invoice_text(invoice.order, lp))
             else:
@@ -204,6 +205,19 @@ def build_invoice(invoice: Invoice) -> Invoice:
                         invoice.foreign_currency_rate = rate.rate.quantize(Decimal('0.0001'), ROUND_HALF_UP)
                         invoice.foreign_currency_rate_date = rate.source_date
                         invoice.foreign_currency_source = 'cz:cnb:rate-fixing-daily'
+            elif invoice.event.settings.invoice_eu_currencies == 'PLN' and invoice.event.currency != 'PLN':
+                invoice.foreign_currency_display = 'PLN'
+                if settings.FETCH_ECB_RATES:
+                    rate = ExchangeRate.objects.filter(
+                        source='pl:nbp:table-a',
+                        source_currency=invoice.event.currency,
+                        other_currency=invoice.foreign_currency_display,
+                        source_date__gt=now().date() - timedelta(days=7)
+                    ).first()
+                    if rate:
+                        invoice.foreign_currency_rate = rate.rate.quantize(Decimal('0.0001'), ROUND_HALF_UP)
+                        invoice.foreign_currency_rate_date = rate.source_date
+                        invoice.foreign_currency_source = 'pl:nbp:table-a'
 
         except InvoiceAddress.DoesNotExist:
             ia = None

src/pretix/base/settings.py

@@ -217,6 +217,19 @@ DEFAULTS = {
                         "later.")
         )
     },
+    'reusable_media_usage_enforced': {
+        'default': 'False',
+        'type': bool,
+        'form_class': forms.BooleanField,
+        'serializer_class': serializers.BooleanField,
+        'form_kwargs': dict(
+            label=_("Enforce the usage of issued re-usable media for check-in"),
+            help_text=_("If enabled, a ticket barcode will not be accepted anymore, if a re-usable medium has been "
+                        "created and linked to a ticket. Keeping this option turned off will treat the re-usable "
+                        "medium and ticket as equals."),
+            widget=forms.CheckboxInput(attrs={'data-display-dependency': '#id_settings-reusable_media_active'}),
+        )
+    },
     'reusable_media_type_barcode': {
         'default': 'False',
         'type': bool,
@@ -574,6 +587,7 @@ DEFAULTS = {
                 ('True', _('Based on European Central Bank daily rates, whenever the invoice recipient is in an EU '
                            'country that uses a different currency.')),
                 ('CZK', _('Based on Czech National Bank daily rates, whenever the invoice amount is not in CZK.')),
+                ('PLN', _('Based on National Bank of Poland daily rates, whenever the invoice amount is not in PLN.')),
             ),
         ),
         'serializer_kwargs': dict(
@@ -582,6 +596,7 @@ DEFAULTS = {
                 ('True', _('Based on European Central Bank daily rates, whenever the invoice recipient is in an EU '
                            'country that uses a different currency.')),
                 ('CZK', _('Based on Czech National Bank daily rates, whenever the invoice amount is not in CZK.')),
+                ('PLN', _('Based on National Bank of Poland daily rates, whenever the invoice amount is not in PLN.')),
             ),
         ),
     },

src/pretix/control/forms/checkin.py

@@ -192,6 +192,11 @@ class CheckinListSimulatorForm(forms.Form):
         initial=True,
         required=False,
     )
+    media_exchange_supported = forms.BooleanField(
+        label=_("Support for media exchange"),
+        initial=True,
+        required=False,
+    )
     gate = SafeModelChoiceField(
         label=_('Gate'),
         empty_label=_('All gates'),

src/pretix/control/forms/organizer.py

@@ -627,6 +627,7 @@ class OrganizerSettingsForm(SettingsForm):
         'cookie_consent_dialog_button_yes',
         'cookie_consent_dialog_button_no',
         'reusable_media_active',
+        'reusable_media_usage_enforced',
         'reusable_media_type_barcode',
         'reusable_media_type_barcode_identifier_length',
         'reusable_media_type_nfc_uid',

src/pretix/control/templates/pretixcontrol/checkin/simulator.html

@@ -34,6 +34,7 @@
         {% bootstrap_field form.gate layout="control" %}
         {% bootstrap_field form.ignore_unpaid layout="control" %}
         {% bootstrap_field form.questions_supported layout="control" %}
+        {% bootstrap_field form.media_exchange_supported layout="control" %}
         <div class="row">
             <div class="col-md-9 col-md-offset-3">
                 <button type="submit" class="btn btn-primary">
@@ -53,6 +54,8 @@
                     <span class="fa fa-check-circle"></span>
                 {% elif result.status == "incomplete" %}
                     <span class="fa fa-question-circle"></span>
+                {% elif result.status == "exchange" %}
+                    <span class="fa fa-recycle"></span>
                 {% elif result.status == "error" %}
                     {% if result.reason == "already_redeemed" %}
                         <span class="fa fa-warning"></span>
@@ -78,6 +81,14 @@
                             </li>
                         {% endfor %}
                     </ul>
+                {% elif result.status == "exchange" %}
+                    <h3 class="nomargin-top">{% trans "Media exchange required" %}</h3>
+                    <p>
+                        {% blocktrans trimmed with media_policy=media_policies|getitem:result.media_policy media_type=media_types|getitem:result.media_type %}
+                            This ticket needs to be exchanged into a <strong>{{ media_type }}</strong> re-usable medium.
+                            <strong>{{ media_policy }}</strong>.
+                        {% endblocktrans %}
+                    </p>
                 {% elif result.status == "error" %}
                     <h3 class="nomargin-top">{{ reason_labels|getitem:result.reason }}</h3>
                     {% if result.reason_explanation %}

src/pretix/control/templates/pretixcontrol/organizers/edit.html

@@ -222,6 +222,7 @@
                     <fieldset>
                         <legend>{% trans "Reusable media" %}</legend>
                         {% bootstrap_field sform.reusable_media_active layout="control" %}
+                        {% bootstrap_field sform.reusable_media_usage_enforced layout="control" %}
                         <div data-display-dependency="#{{ sform.reusable_media_active.id_for_label }}">
 
                             <div class="panel panel-default">

src/pretix/control/views/checkin.py

@@ -50,7 +50,7 @@ from i18nfield.strings import LazyI18nString
 
 from pretix.api.views.checkin import _redeem_process
 from pretix.base.media import MEDIA_TYPES
-from pretix.base.models import Checkin, LogEntry, Order, OrderPosition
+from pretix.base.models import Checkin, Item, LogEntry, Order, OrderPosition
 from pretix.base.models.checkin import CheckinList
 from pretix.base.models.orders import PrintLog
 from pretix.base.permissions import AnyPermissionOf
@@ -532,6 +532,8 @@ class CheckInListSimulator(EventPermissionRequiredMixin, FormView):
             checkinlist=self.list,
             result=self.result,
             reason_labels=dict(Checkin.REASONS),
+            media_policies=dict(Item.MEDIA_POLICIES),
+            media_types=dict(MEDIA_TYPES),
         )
 
     def form_valid(self, form):
@@ -551,6 +553,7 @@ class CheckInListSimulator(EventPermissionRequiredMixin, FormView):
             pdf_data=False,
             questions_supported=form.cleaned_data["questions_supported"],
             canceled_supported=False,
+            media_exchange_supported=form.cleaned_data["media_exchange_supported"],
             request=self.request,  # this is not clean, but we need it in the serializers for URL generation
             legacy_url_support=False,
             simulate=True,

src/pretix/control/views/event.py

@@ -763,12 +763,7 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
     def get(self, request, *args, **kwargs):
         fname, ftype, fcontent = build_preview_invoice_pdf(request.event)
         resp = HttpResponse(fcontent, content_type=ftype)
-        if settings.DEBUG:
-            # attachment is more secure as we're dealing with user-generated stuff here, but inline is much more convenient during debugging
-            resp['Content-Disposition'] = 'inline; filename="{}"'.format(fname)
-            resp._csp_ignore = True
-        else:
-            resp['Content-Disposition'] = 'attachment; filename="{}"'.format(fname)
+        resp['Content-Disposition'] = 'inline; filename="{}"'.format(fname)
         return resp
 
 

src/pretix/control/views/global_settings.py

@@ -300,5 +300,4 @@ class SysReportView(AdministratorPermissionRequiredMixin, TemplateView):
             resp = HttpResponse(data)
             resp['Content-Type'] = mime
             resp['Content-Disposition'] = 'inline; filename="{}"'.format(name)
-            resp._csp_ignore = True
             return resp

src/pretix/control/views/orders.py

@@ -710,22 +710,26 @@ class OrderDownload(AsyncAction, OrderView):
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                    self.output.identifier, value.extension
+                return FileResponse(
+                    value.file.file,
+                    filename='{}-{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                        self.output.identifier, value.extension
+                    ),
+                    content_type=value.type
                 )
-                return resp
         elif isinstance(value, CachedCombinedTicket):
             if value.type == 'text/uri-list':
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension
+                return FileResponse(
+                    value.file.file,
+                    filename='{}-{}-{}{}'.format(
+                        self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension
+                    ),
+                    content_type=value.type
                 )
-                return resp
         else:
             return redirect(self.get_self_url())
 
@@ -1831,15 +1835,15 @@ class InvoiceDownload(EventPermissionRequiredMixin, View):
             return redirect(self.get_order_url())
 
         try:
-            resp = FileResponse(self.invoice.file.file, content_type='application/pdf')
+            return FileResponse(
+                self.invoice.file.file,
+                filename='{}.pdf'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", self.invoice.number)),
+                content_type='application/pdf'
+            )
         except FileNotFoundError:
             invoice_pdf_task.apply(args=(self.invoice.pk,))
             return self.get(request, *args, **kwargs)
 
-        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", self.invoice.number))
-        resp._csp_ignore = True  # Some browser's PDF readers do not work with CSP
-        return resp
-
 
 class OrderExtend(OrderView):
     permission = 'event.orders:write'

src/pretix/control/views/pdf.py

@@ -263,12 +263,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
 
             resp = HttpResponse(data, content_type=mimet)
             ftype = fname.split(".")[-1]
-            if settings.DEBUG:
-                # attachment is more secure as we're dealing with user-generated stuff here, but inline is much more convenient during debugging
-                resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
-                resp._csp_ignore = True
-            else:
-                resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
+            resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
             return resp
         elif "data" in request.POST:
             if cf:
@@ -309,6 +304,5 @@ class FontsCSSView(TemplateView):
 class PdfView(TemplateView):
     def get(self, request, *args, **kwargs):
         cf = get_object_or_404(CachedFile, id=kwargs.get("filename"), filename="background_preview.pdf")
-        resp = FileResponse(cf.file, content_type='application/pdf')
-        resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename)
+        resp = FileResponse(cf.file, filename=cf.filename, content_type='application/pdf')
         return resp

src/pretix/control/views/typeahead.py

@@ -619,7 +619,7 @@ def checkinlist_select2(request, **kwargs):
 
     qs = request.event.checkin_lists.select_related('subevent').filter(
         qf
-    ).order_by('name')
+    ).order_by('subevent__date_from', 'name', 'pk')
 
     total = qs.count()
     pagesize = 20

src/pretix/locale/es/LC_MESSAGES/django.po

@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-30 11:22+0000\n"
-"PO-Revision-Date: 2026-03-31 17:00+0000\n"
-"Last-Translator: CVZ-es <damien.bremont@casadevelazquez.org>\n"
+"PO-Revision-Date: 2026-04-17 03:00+0000\n"
+"Last-Translator: Tim <plicnetwork@gmail.com>\n"
 "Language-Team: Spanish <https://translate.pretix.eu/projects/pretix/pretix/"
 "es/>\n"
 "Language: es\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.16.2\n"
+"X-Generator: Weblate 5.17\n"
 
 #: pretix/_base_settings.py:87
 msgid "English"
@@ -4150,7 +4150,7 @@ msgstr "Se encontraron varios productos coincidentes."
 #: pretix/base/modelimport_vouchers.py:205 pretix/base/models/items.py:1257
 #: pretix/base/models/vouchers.py:266 pretix/base/models/waitinglist.py:99
 msgid "Product variation"
-msgstr "Variación del producto"
+msgstr "Variante de producto"
 
 #: pretix/base/modelimport_orders.py:161
 msgid "The variation can be specified by its internal ID or full name."
@@ -4312,7 +4312,7 @@ msgstr "Ya existe un vale de compra con este código."
 #: pretix/base/models/vouchers.py:199 pretix/control/views/vouchers.py:121
 #: pretix/presale/templates/pretixpresale/organizers/customer_membership.html:52
 msgid "Maximum usages"
-msgstr "Usos máximos"
+msgstr "Número máximo de usos"
 
 #: pretix/base/modelimport_vouchers.py:79
 msgid "The maximum number of usages must be set."
@@ -4333,14 +4333,14 @@ msgstr "Reservar entrada con cargo a la cuota"
 
 #: pretix/base/modelimport_vouchers.py:127 pretix/base/models/vouchers.py:236
 msgid "Allow to bypass quota"
-msgstr "Permitir que se anule la cuota"
+msgstr "Permitir omitir la cuota"
 
 #: pretix/base/modelimport_vouchers.py:135 pretix/base/models/vouchers.py:242
 #: pretix/control/templates/pretixcontrol/vouchers/bulk.html:44
 #: pretix/control/templates/pretixcontrol/vouchers/detail.html:70
 #: pretix/control/views/vouchers.py:121
 msgid "Price effect"
-msgstr "Efecto sobre los precios"
+msgstr "Efecto en el precio"
 
 #: pretix/base/modelimport_vouchers.py:150
 #, python-brace-format
@@ -4351,7 +4351,7 @@ msgstr ""
 
 #: pretix/base/modelimport_vouchers.py:160 pretix/base/models/vouchers.py:248
 msgid "Voucher value"
-msgstr "Valor del vale de compra"
+msgstr "Valor del vale"
 
 #: pretix/base/modelimport_vouchers.py:165
 msgid "It is pointless to set a value without a price effect."
@@ -4394,7 +4394,7 @@ msgstr "Etiqueta"
 
 #: pretix/base/modelimport_vouchers.py:334 pretix/base/models/vouchers.py:300
 msgid "Shows hidden products that match this voucher"
-msgstr "Mostrar los ocultados productos válidos con este vale de compra"
+msgstr "Muestra los productos ocultos vinculados a este vale"
 
 #: pretix/base/modelimport_vouchers.py:343 pretix/base/models/vouchers.py:304
 msgid "Offer all add-on products for free when redeeming this voucher"
@@ -7322,8 +7322,8 @@ msgid ""
 "If activated, a holder of this voucher code can buy tickets, even if there "
 "are none left."
 msgstr ""
-"Si se activa, un titular de este vale de compra puede comprar entradas, "
-"incluso si no queda ninguna."
+"Si se activa, el poseedor de este código de vale podrá comprar entradas "
+"incluso si no quedan existencias."
 
 #: pretix/base/models/vouchers.py:257 pretix/control/forms/vouchers.py:69
 msgid ""
@@ -7338,14 +7338,14 @@ msgstr ""
 
 #: pretix/base/models/vouchers.py:268
 msgid "This variation of the product select above is being used."
-msgstr "Esta variación del producto seleccionado arriba está siendo utilizada."
+msgstr "Se aplica a la variante del producto seleccionado arriba."
 
 #: pretix/base/models/vouchers.py:277
 msgid ""
 "If enabled, the voucher is valid for any product affected by this quota."
 msgstr ""
-"Si está habilitado, el vale de compra es válido para cualquier producto "
-"afectado por esta cuota."
+"Si se activa, el vale será válido para cualquier producto incluido en esta "
+"cuota."
 
 #: pretix/base/models/vouchers.py:284
 msgid "Specific seat"
@@ -7357,16 +7357,16 @@ msgid ""
 "same value for multiple vouchers, you can get statistics on how many of them "
 "have been redeemed etc."
 msgstr ""
-"Puede utilizar este campo para agrupar múltiples vales de compra. Si "
-"introduce el mismo valor para varios vales de compra, puede obtener "
-"estadísticas sobre cuántos de ellos se han canjeado, etc."
+"Puedes usar este campo para agrupar varios vales. Si introduces el mismo "
+"valor en distintos vales, podrás obtener estadísticas sobre cuántos se han "
+"canjeado, etc."
 
 #: pretix/base/models/vouchers.py:316 pretix/base/permissions.py:242
 #: pretix/control/navigation.py:289
 #: pretix/control/templates/pretixcontrol/vouchers/index.html:6
 #: pretix/control/templates/pretixcontrol/vouchers/index.html:8
 msgid "Vouchers"
-msgstr "Vales de compra"
+msgstr "Vales"
 
 #: pretix/base/models/vouchers.py:342
 msgid "You cannot select a quota that belongs to a different event."
@@ -13365,7 +13365,7 @@ msgstr "Esto eliminará todos los números de teléfono de los pedidos."
 
 #: pretix/base/shredder.py:290
 msgid "Emails"
-msgstr "Correos electrónicos"
+msgstr "Correos"
 
 #: pretix/base/shredder.py:292
 msgid ""
@@ -15170,7 +15170,7 @@ msgstr "Todos los productos"
 #: pretix/control/views/typeahead.py:780
 #, python-brace-format
 msgid "{product} – Any variation"
-msgstr "{product} - Cualquier variación"
+msgstr "{product} – Cualquier variación"
 
 #: pretix/control/forms/filter.py:566 pretix/control/forms/orders.py:862
 msgctxt "subevent"
@@ -15469,7 +15469,7 @@ msgstr "Buscar vale de compra"
 #: pretix/control/views/vouchers.py:133
 #, python-brace-format
 msgid "Any product in quota \"{quota}\""
-msgstr "Cualquier producto del contingente \"{quota}\""
+msgstr "Cualquier producto en la cuota \"{quota}\""
 
 #: pretix/control/forms/filter.py:2440
 msgid "Refund status"
@@ -17068,15 +17068,15 @@ msgstr "ID de butaca específico"
 
 #: pretix/control/forms/vouchers.py:200 pretix/presale/forms/waitinglist.py:103
 msgid "Invalid product selected."
-msgstr "Producto no válido seleccionado."
+msgstr "Se ha seleccionado un producto no válido."
 
 #: pretix/control/forms/vouchers.py:225
 msgid ""
 "The voucher only matches hidden products but you have not selected that it "
 "should show them."
 msgstr ""
-"El vale de compra solo coincide con productos ocultos pero no has "
-"seleccionado que los muestre."
+"El vale solo coincide con productos ocultos, pero no has seleccionado que "
+"deba mostrarlos."
 
 #: pretix/control/forms/vouchers.py:271
 msgid "Codes"
@@ -21474,7 +21474,7 @@ msgstr ""
 #: pretix/plugins/ticketoutputpdf/views.py:172
 #: pretix/presale/views/customer.py:544 pretix/presale/views/customer.py:597
 msgid "Your changes have been saved."
-msgstr "Los cambios se han guardado."
+msgstr "Se han guardado los cambios."
 
 #: pretix/control/templates/pretixcontrol/event/plugins.html:34
 #: pretix/control/templates/pretixcontrol/organizers/plugins.html:34
@@ -28698,7 +28698,7 @@ msgstr "Se ha creado la nueva lista de asistentes."
 #: pretix/plugins/ticketoutputpdf/views.py:132
 msgid "We could not save your changes. See below for details."
 msgstr ""
-"No hemos podido guardar los cambios. Consulte los detalles a continuación."
+"No se pudieron guardar los cambios. Consulta los detalles a continuación."
 
 #: pretix/control/views/checkin.py:421 pretix/control/views/checkin.py:458
 msgid "The requested list does not exist."
@@ -30864,7 +30864,7 @@ msgstr ""
 
 #: pretix/plugins/badges/forms.py:33
 msgid "Template"
-msgstr "Plantilla"
+msgstr "Template"
 
 #: pretix/plugins/badges/forms.py:34
 msgid ""

src/pretix/locale/ja/LC_MESSAGES/django.po

@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-30 11:22+0000\n"
-"PO-Revision-Date: 2026-04-08 18:00+0000\n"
-"Last-Translator: Hijiri Umemoto <hijiri@umemoto.org>\n"
+"PO-Revision-Date: 2026-04-20 08:07+0000\n"
+"Last-Translator: Yasunobu YesNo Kawaguchi <kawaguti@gmail.com>\n"
 "Language-Team: Japanese <https://translate.pretix.eu/projects/pretix/pretix/"
 "ja/>\n"
 "Language: ja\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Weblate 5.16.2\n"
+"X-Generator: Weblate 5.17\n"
 
 #: pretix/_base_settings.py:87
 msgid "English"
@@ -664,7 +664,7 @@ msgstr "ギフトカードを取引で使用済み"
 #: pretix/plugins/banktransfer/payment.py:483
 #: pretix/presale/forms/customer.py:152
 msgid "This field is required."
-msgstr "この項目は必須です。"
+msgstr "このフィールドは必須です。"
 
 #: pretix/base/addressvalidation.py:213
 msgid "Enter a postal code in the format XXX."
@@ -3800,7 +3800,7 @@ msgstr "単価：{net_price} 税抜 / {gross_price} 税込"
 #, python-brace-format
 msgctxt "invoice"
 msgid "Single price: {price}"
-msgstr "単価：{price}"
+msgstr "単価: {price}"
 
 #: pretix/base/invoicing/pdf.py:947 pretix/base/invoicing/pdf.py:952
 msgctxt "invoice"
@@ -8206,7 +8206,7 @@ msgstr "参加者の呼びかけに使う名前"
 #: pretix/base/services/placeholders.py:732
 #: pretix/control/forms/organizer.py:799
 msgid "Mr Doe"
-msgstr "山田様"
+msgstr "山田 太郎"
 
 #: pretix/base/pdf.py:672 pretix/base/pdf.py:679
 #: pretix/plugins/badges/exporters.py:501
@@ -11001,7 +11001,7 @@ msgstr ""
 #: pretix/base/settings.py:1869 pretix/base/settings.py:1877
 #: pretix/presale/templates/pretixpresale/fragment_calendar_nav.html:8
 msgid "List"
-msgstr "リスト"
+msgstr "一覧"
 
 #: pretix/base/settings.py:1870 pretix/base/settings.py:1878
 msgid "Week calendar"
@@ -12855,7 +12855,7 @@ msgstr "Dr"
 
 #: pretix/base/settings.py:3819 pretix/base/settings.py:3836
 msgid "First name"
-msgstr "名(First Name)"
+msgstr "名"
 
 #: pretix/base/settings.py:3820 pretix/base/settings.py:3837
 msgid "Middle name"
@@ -19423,7 +19423,7 @@ msgstr "カスタムチェックインルール"
 #: pretix/control/templates/pretixcontrol/vouchers/bulk.html:117
 #: pretix/plugins/sendmail/templates/pretixplugins/sendmail/send_form.html:85
 msgid "Edit"
-msgstr "編集する"
+msgstr "編集"
 
 #: pretix/control/templates/pretixcontrol/checkin/list_edit.html:89
 msgid "Visualize"
@@ -20280,7 +20280,7 @@ msgstr "地理座標"
 #: pretix/control/templates/pretixcontrol/subevents/bulk.html:271
 #: pretix/control/templates/pretixcontrol/subevents/bulk.html:275
 msgid "Optional"
-msgstr "オプション（必須でない項目）"
+msgstr "任意"
 
 #: pretix/control/templates/pretixcontrol/event/fragment_geodata.html:22
 #: pretix/control/templates/pretixcontrol/subevents/bulk_edit.html:58
@@ -23636,8 +23636,8 @@ msgid ""
 "this product was part of the discount calculation for a different product in "
 "this order."
 msgstr ""
-"この製品の価格は自動割引により減額されたか、この製品がこの注文の別の製品の割"
-"引計算の一部になっています。"
+"自動割引によりこの商品の価格が引き下げられたか、同じ注文内の別の商品に対する"
+"割引計算の対象になっています。"
 
 #: pretix/control/templates/pretixcontrol/order/index.html:496
 #: pretix/presale/templates/pretixpresale/event/fragment_cart.html:103
@@ -25008,7 +25008,7 @@ msgstr "デバイスの概要"
 
 #: pretix/control/templates/pretixcontrol/organizers/device_edit.html:6
 msgid "Device:"
-msgstr "デバイス:"
+msgstr "デバイス："
 
 #: pretix/control/templates/pretixcontrol/organizers/device_edit.html:8
 msgid "Connect a new device"
@@ -25897,7 +25897,7 @@ msgstr "二要素認証が無効です"
 
 #: pretix/control/templates/pretixcontrol/organizers/team_members.html:57
 msgid "invited, pending response"
-msgstr "招待済み、返答待ち"
+msgstr "招待済み、応答待ち"
 
 #: pretix/control/templates/pretixcontrol/organizers/team_members.html:59
 msgid "resend invite"
@@ -33303,7 +33303,7 @@ msgstr "本当にStripeアカウントを切断しますか？"
 
 #: pretix/plugins/stripe/templates/pretixplugins/stripe/oauth_disconnect.html:16
 msgid "Disconnect"
-msgstr "切断します"
+msgstr "切断"
 
 #: pretix/plugins/stripe/templates/pretixplugins/stripe/pending.html:6
 msgid "Payment instructions"

src/pretix/plugins/paypal2/views.py

@@ -216,7 +216,7 @@ class PayView(PaypalOrderView, TemplateView):
 
 
 @scopes_disabled()
-@event_permission_required('event.settings.general:write')
+@event_permission_required('event.settings.payment:write')
 def isu_return(request, *args, **kwargs):
     getparams = ['merchantId', 'merchantIdInPayPal', 'permissionsGranted', 'accountStatus', 'consentStatus', 'productIntentID', 'isEmailConfirmed']
     sessionparams = ['payment_paypal_isu_event', 'payment_paypal_isu_tracking_id']
@@ -526,7 +526,7 @@ def webhook(request, *args, **kwargs):
     return HttpResponse(status=200)
 
 
-@event_permission_required('event.settings.general:write')
+@event_permission_required('event.settings.payment:write')
 @require_POST
 def isu_disconnect(request, **kwargs):
     del request.event.settings.payment_paypal_connect_refresh_token

src/pretix/presale/forms/checkout.py

@@ -32,11 +32,8 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.
 
-from itertools import chain
-
 from django import forms
 from django.core.exceptions import ValidationError
-from django.utils.encoding import force_str
 from django.utils.formats import date_format
 from django.utils.html import escape
 from django.utils.safestring import mark_safe
@@ -168,46 +165,6 @@ class QuestionsForm(BaseQuestionsForm):
             )
 
 
-class AddOnRadioSelect(forms.RadioSelect):
-    option_template_name = 'pretixpresale/forms/addon_choice_option.html'
-
-    def optgroups(self, name, value, attrs=None):
-        attrs = attrs or {}
-        groups = []
-        has_selected = False
-        for index, (option_value, option_label, option_desc) in enumerate(chain(self.choices)):
-            if option_value is None:
-                option_value = ''
-            if isinstance(option_label, (list, tuple)):
-                raise TypeError('Choice groups are not supported here')
-            group_name = None
-            subgroup = []
-            groups.append((group_name, subgroup, index))
-
-            selected = (
-                force_str(option_value) in value and
-                (has_selected is False or self.allow_multiple_selected)
-            )
-            if selected is True and has_selected is False:
-                has_selected = True
-            attrs['description'] = option_desc
-            subgroup.append(self.create_option(
-                name, option_value, option_label, selected, index,
-                subindex=None, attrs=attrs,
-            ))
-
-        return groups
-
-
-class AddOnVariationField(forms.ChoiceField):
-    def valid_value(self, value):
-        text_value = force_str(value)
-        for k, v, d in self.choices:
-            if value == k or text_value == force_str(k):
-                return True
-        return False
-
-
 class MembershipForm(forms.Form):
     required_css_class = 'required'
 

src/pretix/presale/forms/customer.py

@@ -172,7 +172,7 @@ class RegistrationForm(forms.Form):
             )
 
         self.fields['name_parts'] = NamePartsFormField(
-            max_length=255,
+            max_length=70,
             required=True,
             scheme=request.organizer.settings.name_scheme,
             titles=request.organizer.settings.name_scheme_titles,

src/pretix/presale/templates/pretixpresale/forms/addon_choice_option.html

@@ -1,3 +0,0 @@
-{% load rich_text %}
-<label{% if widget.attrs.id %} for="{{ widget.attrs.id }}"{% endif %}>{% include "django/forms/widgets/input.html" %} {{ widget.label }}</label> {% if widget.attrs.description %}<span class="fa fa-info-circle toggle-variation-description" aria-hidden="true"></span>
-<div class="variation-description addon-variation-description">{{ widget.attrs.description|rich_text }}</div>{% endif %}

src/pretix/presale/urls.py

@@ -91,6 +91,9 @@ event_patterns = [
     re_path(r'w/(?P<cart_namespace>[a-zA-Z0-9]{16})/cart/add',
             csrf_exempt(pretix.presale.views.cart.CartAdd.as_view()),
             name='event.cart.add'),
+    re_path(r'w/(?P<cart_namespace>[a-zA-Z0-9]{16})/cart/create',
+            csrf_exempt(pretix.presale.views.cart.CartCreate.as_view()),
+            name='event.cart.create'),
 
     re_path(r'unlock/(?P<hash>[a-z0-9]{64})/$', pretix.presale.views.user.UnlockHashView.as_view(),
             name='event.payment.unlock'),

src/pretix/presale/views/__init__.py

@@ -114,8 +114,10 @@ class CartMixin:
         return cached_invoice_address(self.request)
 
     def get_cart(self, answers=False, queryset=None, order=None, downloads=False, payments=None):
-        if not self.request.session.session_key and not order:
-            # The user has not even a session ID yet, so they can't have a cart and we can save a lot of work
+        from pretix.presale.views.cart import get_or_create_cart_id
+
+        if not get_or_create_cart_id(self.request, create=False) and not order:
+            # The user has no cart, so we can save a lot of work
             return {
                 'positions': [],
                 # Other keys are not used on non-checkout pages
@@ -377,9 +379,13 @@ def cart_exists(request):
     from pretix.presale.views.cart import get_or_create_cart_id
 
     if not hasattr(request, '_cart_cache'):
-        return CartPosition.objects.filter(
-            cart_id=get_or_create_cart_id(request), event=request.event
-        ).exists()
+        cid = get_or_create_cart_id(request, create=False)
+        if cid:
+            return CartPosition.objects.filter(
+                cart_id=cid, event=request.event
+            ).exists()
+        else:
+            return False
     return bool(request._cart_cache)
 
 

src/pretix/presale/views/cart.py

@@ -555,6 +555,18 @@ class CartClear(EventViewMixin, CartActionMixin, AsyncAction, View):
                        request.sales_channel.identifier, time_machine_now(default=None))
 
 
+@method_decorator(allow_cors_if_namespaced, 'dispatch')
+class CartCreate(EventViewMixin, CartActionMixin, View):
+    def get(self, request, *args, **kwargs):
+        if 'ajax' in self.request.GET:
+            cart_id = get_or_create_cart_id(self.request, create=True)
+            return JsonResponse({
+                'cart_id': cart_id,
+            })
+        else:
+            return redirect_to_url(self.get_success_url())
+
+
 @method_decorator(allow_frame_if_namespaced, 'dispatch')
 class CartExtendReservation(EventViewMixin, CartActionMixin, AsyncAction, View):
     task = extend_cart_reservation
@@ -843,9 +855,13 @@ class AnswerDownload(EventViewMixin, View):
             return Http404()
 
         ftype, _ = mimetypes.guess_type(answer.file.name)
-        resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-cart-{}"'.format(
+        filename = '{}-cart-{}'.format(
             self.request.event.slug.upper(),
             os.path.basename(answer.file.name).split('.', 1)[1]
-        ).encode("ascii", "ignore")
+        )
+        resp = FileResponse(
+            answer.file,
+            filename=filename,
+            content_type=ftype or 'application/binary'
+        )
         return resp

src/pretix/presale/views/order.py

@@ -1220,30 +1220,26 @@ class OrderDownloadMixin:
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                if self.order_position.subevent:
-                    # Subevent date in filename improves accessibility e.g. for screen reader users
-                    resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}-{}{}"'.format(
-                        self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                        self.order_position.subevent.date_from.strftime('%Y_%m_%d'),
-                        self.output.identifier, value.extension
-                    )
-                else:
-                    resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
-                        self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                        self.output.identifier, value.extension
-                    )
-                return resp
+                name_parts = (
+                    self.request.event.slug.upper(),
+                    self.order.code,
+                    str(self.order_position.positionid),
+                    self.order_position.subevent.date_from.strftime('%Y_%m_%d') if self.order_position.subevent else None,
+                    self.output.identifier
+                )
+                filename = "-".join(filter(None, name_parts)) + value.extension
+                return FileResponse(value.file.file, filename=filename, content_type=value.type)
         elif isinstance(value, CachedCombinedTicket):
             if value.type == 'text/uri-list':
                 resp = HttpResponseRedirect(value.file.file.read())
                 return resp
             else:
-                resp = FileResponse(value.file.file, content_type=value.type)
-                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
-                    self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension
+                return FileResponse(
+                    value.file.file,
+                    filename="{}-{}-{}{}".format(
+                        self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension),
+                    content_type=value.type
                 )
-                return resp
         else:
             return redirect(self.get_self_url())
 
@@ -1383,13 +1379,14 @@ class InvoiceDownload(EventViewMixin, OrderDetailMixin, View):
             return redirect(self.get_order_url())
 
         try:
-            resp = FileResponse(invoice.file.file, content_type='application/pdf')
+            return FileResponse(
+                invoice.file.file,
+                filename='{}.pdf'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", invoice.number)),
+                content_type='application/pdf'
+            )
         except FileNotFoundError:
             invoice_pdf_task.apply(args=(invoice.pk,))
             return self.get(request, *args, **kwargs)
-        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", invoice.number))
-        resp._csp_ignore = True  # Some browser's PDF readers do not work with CSP
-        return resp
 
 
 class OrderChangeMixin:

src/pretix/static/pretixcontrol/js/ui/main.js

@@ -71,6 +71,7 @@ $(document).ajaxError(function (event, jqXHR, settings, thrownError) {
 });
 
 var form_handlers = function (el) {
+    el.trigger("rescan.areYouSure");
     el.find("[data-formset]").formset(
         {
             animateForms: true,

src/pretix/static/pretixcontrol/scss/main.scss

@@ -864,6 +864,9 @@ tbody th {
 .checkin-sim-result-status-incomplete {
     background: $brand-primary;
 }
+.checkin-sim-result-status-exchange {
+    background: $brand-primary;
+}
 .checkin-sim-result-status-error {
     background: $brand-danger;
 }

src/pretix/static/pretixpresale/js/widget/widget.js

@@ -110,6 +110,10 @@ var setCookie = function (cname, cvalue, exdays) {
     var d = new Date();
     d.setTime(d.getTime() + (exdays * 24 * 60 * 60 * 1000));
     var expires = "expires=" + d.toUTCString();
+    if (!cvalue) {
+        var expires = "expires=Thu, 01 Jan 1970 00:00:00 GMT";
+        cvalue = "";
+    }
     document.cookie = cname + "=" + cvalue + ";" + expires + ";path=/";
 };
 var getCookie = function (name) {
@@ -726,17 +730,16 @@ var shared_methods = {
     buy_callback: function (data) {
         if (data.redirect) {
             if (data.cart_id) {
-                this.$root.cart_id = data.cart_id;
-                setCookie(this.$root.cookieName, data.cart_id, 30);
+                this.$root.set_cart_id(data.cart_id);
             }
             if (data.redirect.substr(0, 1) === '/') {
                 data.redirect = this.$root.target_url.replace(/^([^\/]+:\/\/[^\/]+)\/.*$/, "$1") + data.redirect;
             }
             var url = data.redirect;
             if (url.indexOf('?')) {
-                url = url + '&iframe=1&locale=' + lang + '&take_cart_id=' + this.$root.cart_id;
+                url = url + '&iframe=1&locale=' + lang + '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
             } else {
-                url = url + '?iframe=1&locale=' + lang + '&take_cart_id=' + this.$root.cart_id;
+                url = url + '?iframe=1&locale=' + lang + '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
             }
             url += this.$root.consent_parameter;
             if (this.$root.additionalURLParams) {
@@ -779,15 +782,24 @@ var shared_methods = {
         }
     },
     resume: function () {
+        if (!this.$root.get_cart_id() && this.$root.keep_cart) {
+            // create an empty cart whose id we can persist
+            this.$root.create_cart(this.resume)
+            return;
+        }
         var redirect_url;
         redirect_url = this.$root.target_url + 'w/' + widget_id + '/';
-        if (this.$root.subevent && !this.$root.cart_id) {
+        if (this.$root.subevent && this.$root.is_button && this.$root.items.length === 0) {
             // button with subevent but no items
             redirect_url += this.$root.subevent + '/';
         }
         redirect_url += '?iframe=1&locale=' + lang;
-        if (this.$root.cart_id) {
-            redirect_url += '&take_cart_id=' + this.$root.cart_id;
+        if (this.$root.get_cart_id()) {
+            redirect_url += '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
+            if (this.$root.keep_cart) {
+                // make sure the cart-id is used, even if the cart is currently empty
+                redirect_url += '&ajax=1'
+            }
         }
         if (this.$root.widget_data) {
             redirect_url += '&widget_data=' + encodeURIComponent(this.$root.widget_data_json);
@@ -1864,12 +1876,11 @@ var shared_root_methods = {
         if (this.$root.variation_filter) {
             url += '&variations=' + encodeURIComponent(this.$root.variation_filter);
         }
-        var cart_id = getCookie(this.cookieName);
         if (this.$root.voucher_code) {
             url += '&voucher=' + encodeURIComponent(this.$root.voucher_code);
         }
-        if (cart_id) {
-            url += "&cart_id=" + encodeURIComponent(cart_id);
+        if (this.$root.get_cart_id()) {
+            url += "&cart_id=" + encodeURIComponent(this.$root.get_cart_id());
         }
         if (this.$root.date !== null) {
             url += "&date=" + this.$root.date.substr(0, 7);
@@ -1939,7 +1950,6 @@ var shared_root_methods = {
                 root.display_add_to_cart = data.display_add_to_cart;
                 root.waiting_list_enabled = data.waiting_list_enabled;
                 root.show_variations_expanded = data.show_variations_expanded || !!root.variation_filter;
-                root.cart_id = cart_id;
                 root.cart_exists = data.cart_exists;
                 root.vouchers_exist = data.vouchers_exist;
                 root.has_seating_plan = data.has_seating_plan;
@@ -2004,8 +2014,8 @@ var shared_root_methods = {
         if (this.$root.voucher_code) {
             redirect_url += '&voucher=' + encodeURIComponent(this.$root.voucher_code);
         }
-        if (this.$root.cart_id) {
-            redirect_url += '&take_cart_id=' + this.$root.cart_id;
+        if (this.$root.get_cart_id()) {
+            redirect_url += '&take_cart_id=' + encodeURIComponent(this.$root.get_cart_id());
         }
         if (this.$root.widget_data) {
             redirect_url += '&widget_data=' + encodeURIComponent(this.$root.widget_data_json);
@@ -2027,7 +2037,28 @@ var shared_root_methods = {
         this.$root.subevent = event.subevent;
         this.$root.loading++;
         this.$root.reload();
-    }
+    },
+    create_cart: function(callback) {
+        var url = this.$root.target_url + 'w/' + widget_id + '/cart/create?ajax=1';
+
+        this.$root.overlay.frame_loading = true;
+        api._getJSON(url, (data) => {
+            this.$root.set_cart_id(data.cart_id);
+            this.$root.overlay.frame_loading = false;
+            callback()
+        }, () => {
+            this.$root.overlay.error_message = strings['cart_error'];
+            this.$root.overlay.frame_loading = false;
+        })
+    },
+    get_cart_id: function() {
+        if (this.$root.keep_cart) {
+            return getCookie(this.$root.cookieName);
+        }
+    },
+    set_cart_id: function(newValue) {
+        setCookie(this.$root.cookieName, newValue, 30);
+    },
 };
 
 var shared_root_computed = {
@@ -2049,9 +2080,8 @@ var shared_root_computed = {
     },
     voucherFormTarget: function () {
         var form_target = this.target_url + 'w/' + widget_id + '/redeem?iframe=1&locale=' + lang;
-        var cookie = getCookie(this.cookieName);
-        if (cookie) {
-            form_target += "&take_cart_id=" + cookie;
+        if (this.get_cart_id()) {
+            form_target += "&take_cart_id=" + encodeURIComponent(this.get_cart_id());
         }
         if (this.subevent) {
             form_target += "&subevent=" + this.subevent;
@@ -2091,9 +2121,8 @@ var shared_root_computed = {
             checkout_url += '?' + this.$root.additionalURLParams;
         }
         var form_target = this.target_url + 'w/' + widget_id + '/cart/add?iframe=1&next=' + encodeURIComponent(checkout_url);
-        var cookie = getCookie(this.cookieName);
-        if (cookie) {
-            form_target += "&take_cart_id=" + cookie;
+        if (this.get_cart_id()) {
+            form_target += "&take_cart_id=" + encodeURIComponent(this.get_cart_id());
         }
         form_target += this.$root.consent_parameter
         return form_target
@@ -2329,6 +2358,7 @@ var create_widget = function (element, html_id=null) {
                 has_seating_plan: false,
                 has_seating_plan_waitinglist: false,
                 meta_filter_fields: [],
+                keep_cart: true,
             }
         },
         created: function () {
@@ -2366,6 +2396,7 @@ var create_button = function (element, html_id=null) {
     var raw_items = element.attributes.items ? element.attributes.items.value : "";
     var skip_ssl = element.attributes["skip-ssl-check"] ? true : false;
     var disable_iframe = element.attributes["disable-iframe"] ? true : false;
+    var keep_cart = element.attributes["keep-cart"] ? true : false;
     var button_text = element.innerHTML;
     var widget_data = JSON.parse(JSON.stringify(window.PretixWidget.widget_data));
     for (var i = 0; i < element.attributes.length; i++) {
@@ -2417,7 +2448,8 @@ var create_button = function (element, html_id=null) {
                 widget_data: widget_data,
                 widget_id: 'pretix-widget-' + widget_id,
                 html_id: html_id,
-                button_text: button_text
+                button_text: button_text,
+                keep_cart: keep_cart || items.length > 0,
             }
         },
         created: function () {
@@ -2426,7 +2458,7 @@ var create_button = function (element, html_id=null) {
             observer.observe(this.$el, observerOptions);
         },
         computed: shared_root_computed,
-        methods: shared_root_methods
+        methods: shared_root_methods,
     });
     create_overlay(app);
     return app;
@@ -2492,13 +2524,14 @@ window.PretixWidget.open = function (target_url, voucher, subevent, items, widge
                 frame_dismissed: false,
                 widget_data: all_widget_data,
                 widget_id: 'pretix-widget-' + widget_id,
-                button_text: ""
+                button_text: "",
+                keep_cart: true
             }
         },
         created: function () {
         },
         computed: shared_root_computed,
-        methods: shared_root_methods
+        methods: shared_root_methods,
     });
     create_overlay(app);
     app.$nextTick(function () {

src/pretix/static/pretixpresale/scss/widget.scss

@@ -966,6 +966,7 @@ $table-bg-accent: rgba(128, 128, 128, 0.05);
   width: 80vw;
   max-width: 1080px;
   height: 80vh;
+  max-height: 100dvh;
 }
 .pretix-widget-frame-inner iframe {
   width: 100% !important;

src/tests/api/test_giftcards.py

@@ -171,6 +171,35 @@ def test_giftcard_detail_expand(token_client, organizer, event, giftcard):
     }
 
 
+@pytest.mark.django_db
+def test_giftcard_detail_expand_without_permissions(team, token_client, organizer, event, giftcard):
+    with scopes_disabled():
+        o = Order.objects.create(
+            code='FOO', event=event, email='dummy@dummy.test',
+            status=Order.STATUS_PENDING, datetime=now(), expires=now() + timedelta(days=10),
+            sales_channel=event.organizer.sales_channels.get(identifier="web"),
+            total=14, locale='en'
+        )
+        ticket = event.items.create(name='Early-bird ticket', category=None, default_price=23, admission=True,
+                                    personalized=True)
+        op = o.positions.create(item=ticket, price=Decimal("14"))
+        giftcard.owner_ticket = op
+        giftcard.save()
+
+    team.all_event_permissions = False
+    team.save()
+
+    res = dict(TEST_GC_RES)
+    res["id"] = giftcard.pk
+    res["issuance"] = giftcard.issuance.isoformat().replace('+00:00', 'Z')
+    resp = token_client.get('/api/v1/organizers/{}/giftcards/{}/?expand=owner_ticket'.format(organizer.slug, giftcard.pk))
+    assert resp.status_code == 200
+
+    assert resp.data["owner_ticket"] == {
+        "id": op.pk,
+    }
+
+
 TEST_GIFTCARD_CREATE_PAYLOAD = {
     "secret": "DEFABC",
     "value": "12.00",

src/tests/api/test_reusable_media.py

@@ -252,6 +252,76 @@ def test_medium_detail(token_client, organizer, event, medium, giftcard, custome
         }
 
 
+@pytest.mark.django_db
+def test_medium_detail_event_permission_missing(token_client, organizer, event, medium, giftcard, customer, team):
+    team.all_organizer_permissions = False
+    team.limit_organizer_permissions = {
+        "organizer.reusablemedia:read": True,
+        "organizer.customers:read": True,
+        "organizer.giftcards:read": True,
+    }
+    team.all_event_permissions = False
+    team.save()
+
+    with scopes_disabled():
+        o = Order.objects.create(
+            code='FOO', event=event, email='dummy@dummy.test',
+            status=Order.STATUS_PENDING, datetime=now(), expires=now() + timedelta(days=10),
+            sales_channel=event.organizer.sales_channels.get(identifier="web"),
+            total=14, locale='en'
+        )
+        ticket = event.items.create(name='Early-bird ticket', category=None, default_price=23, admission=True,
+                                    personalized=True)
+        op = o.positions.create(item=ticket, price=Decimal("14"))
+        medium.linked_orderposition = op
+        medium.linked_giftcard = giftcard
+        medium.customer = customer
+        medium.save()
+        giftcard.owner_ticket = op
+        giftcard.save()
+
+        resp = token_client.get(
+            '/api/v1/organizers/{}/reusablemedia/{}/?expand=linked_giftcard&expand='
+            'linked_giftcard.owner_ticket&expand=linked_orderposition&expand=customer'.format(
+                organizer.slug, medium.pk
+            )
+        )
+        assert resp.status_code == 200
+
+        assert resp.data["linked_orderposition"] == {
+            "id": op.pk,
+        }
+
+        assert resp.data["linked_giftcard"] == {
+            "id": giftcard.pk,
+            "secret": "ABCDEF",
+            "issuance": giftcard.issuance.isoformat().replace("+00:00", "Z"),
+            "value": "23.00",
+            "currency": "EUR",
+            "testmode": False,
+            "expires": None,
+            "conditions": None,
+            "owner_ticket": {"id": op.pk},
+            "issuer": "dummy",
+        }
+
+        assert resp.data["customer"] == {
+            "identifier": customer.identifier,
+            "external_identifier": None,
+            "email": "foo@example.org",
+            "phone": None,
+            "name": "Foo",
+            "name_parts": {"_legacy": "Foo"},
+            "is_active": True,
+            "is_verified": False,
+            "last_login": None,
+            "date_joined": customer.date_joined.isoformat().replace("+00:00", "Z"),
+            "locale": "en",
+            "last_modified": customer.last_modified.isoformat().replace("+00:00", "Z"),
+            "notes": None
+        }
+
+
 TEST_MEDIUM_CREATE_PAYLOAD = {
     "type": "barcode",
     "identifier": "FOOBAR",

src/tests/base/test_invoices.py

@@ -123,6 +123,8 @@ def env():
             ExchangeRate.objects.create(source_date=date.today(), source='eu:ecb:eurofxref-daily', source_currency='EUR', other_currency=currency, rate=rate)
         ExchangeRate.objects.create(source_date=date.today(), source='cz:cnb:rate-fixing-daily', source_currency='EUR',
                                     other_currency='CZK', rate=Decimal('25.0000'))
+        ExchangeRate.objects.create(source_date=date.today(), source='pl:nbp:table-a', source_currency='EUR',
+                                    other_currency='PLN', rate=Decimal('4.2355'))
         yield event, o
 
 
@@ -347,6 +349,23 @@ def test_invoice_indirect_currency_conversion(env):
     assert inv.foreign_currency_source == 'eu:ecb:eurofxref-daily'
 
 
+@pytest.mark.django_db
+def test_invoice_pln_currency_conversion(env):
+    event, order = env
+    event.settings.invoice_eu_currencies = 'PLN'
+
+    event.settings.set('invoice_language', 'en')
+    InvoiceAddress.objects.create(company='Acme Company', street='221B Baker Street', zipcode='12345', city='Warsaw',
+                                  country=Country('PL'), vat_id='PL123456780', vat_id_validated=True, order=order,
+                                  is_business=True)
+
+    inv = generate_invoice(order)
+    assert inv.foreign_currency_display == "PLN"
+    assert inv.foreign_currency_rate == Decimal("4.2355")
+    assert inv.foreign_currency_rate_date == date.today()
+    assert inv.foreign_currency_source == 'pl:nbp:table-a'
+
+
 @pytest.mark.django_db
 def test_invoice_czk_currency_conversion(env):
     event, order = env

src/tests/base/test_mail.py

@@ -610,7 +610,7 @@ PRIVATE_IPS_RES = [
 
 
 @contextmanager
-def test_mail_connection(res, should_connect, use_ssl):
+def assert_mail_connection(res, should_connect, use_ssl):
     with (
         mock.patch('socket.socket') as mock_socket,
         mock.patch('socket.getaddrinfo', return_value=res),
@@ -638,14 +638,14 @@ def test_mail_connection(res, should_connect, use_ssl):
 def test_private_smtp_ip(res, use_ssl, settings):
     settings.EMAIL_CUSTOM_SMTP_BACKEND = 'pretix.base.email.CheckPrivateNetworkSmtpBackend'
     settings.MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = False
-    with test_mail_connection(res=res, should_connect=False, use_ssl=use_ssl), pytest.raises(match="Request to .* blocked"):
+    with assert_mail_connection(res=res, should_connect=False, use_ssl=use_ssl), pytest.raises(match="Request to .* blocked"):
         connection = djmail.get_connection(backend=settings.EMAIL_CUSTOM_SMTP_BACKEND,
                                            host="localhost",
                                            use_ssl=use_ssl)
         connection.open()
 
     settings.MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = True
-    with test_mail_connection(res=res, should_connect=True, use_ssl=use_ssl):
+    with assert_mail_connection(res=res, should_connect=True, use_ssl=use_ssl):
         connection = djmail.get_connection(backend=settings.EMAIL_CUSTOM_SMTP_BACKEND,
                                            host="localhost",
                                            use_ssl=use_ssl)
@@ -662,7 +662,7 @@ def test_public_smtp_ip(use_ssl, allow_private, settings):
     settings.EMAIL_CUSTOM_SMTP_BACKEND = 'pretix.base.email.CheckPrivateNetworkSmtpBackend'
     settings.MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS = allow_private
 
-    with test_mail_connection(res=[(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('8.8.8.8', 443))], should_connect=True, use_ssl=use_ssl):
+    with assert_mail_connection(res=[(socket.AF_INET, socket.SOCK_STREAM, 6, '', ('8.8.8.8', 443))], should_connect=True, use_ssl=use_ssl):
         connection = djmail.get_connection(backend=settings.EMAIL_CUSTOM_SMTP_BACKEND,
                                            host="localhost",
                                            use_ssl=use_ssl)
@@ -702,7 +702,7 @@ def test_send_mail_private_ip(res, use_ssl, allow_private_networks, env):
         m.refresh_from_db()
         return m
 
-    with test_mail_connection(res=res, should_connect=allow_private_networks, use_ssl=use_ssl):
+    with assert_mail_connection(res=res, should_connect=allow_private_networks, use_ssl=use_ssl):
         m = send_mail()
         if allow_private_networks:
             assert m.status == OutgoingMail.STATUS_SENT

src/tests/presale/test_checkout.py

@@ -33,7 +33,7 @@ from django.conf import settings
 from django.core import mail as djmail
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.core.signing import dumps
-from django.test import TestCase, TransactionTestCase
+from django.test import Client, TestCase, TransactionTestCase
 from django.utils.crypto import get_random_string
 from django.utils.timezone import now
 from django_countries.fields import Country
@@ -4413,6 +4413,18 @@ class CheckoutTestCase(BaseCheckoutTestCase, TimemachineTestMixin, TestCase):
             assert len(djmail.outbox) == 1
             assert any(["Invoice_" in a[0] for a in djmail.outbox[0].attachments])
 
+    def test_checkout_empty_session_valid_cart(self):
+        client = Client()
+        with scopes_disabled():
+            api_cid = "{}@api".format(get_random_string(48))
+            CartPosition.objects.create(
+                event=self.event, cart_id=api_cid, item=self.ticket,
+                price=23, expires=now() + timedelta(minutes=10)
+            )
+
+        response = client.get('/%s/%s/w/1234567890abcdef/checkout/questions/' % (self.orga.slug, self.event.slug), query_params={"take_cart_id": api_cid})
+        assert '€23.00' in response.content.decode()
+
 
 class CheckoutTransactionTestCase(BaseCheckoutTestCase, TransactionTestCase):
     def test_order_confirmation_mail_invoice_sent_somewhere_else(self):