Stripe: isort

Stripe: Add Wero as a hidden payment method (private beta; requires MoR)
Security hardening for 2FA configuration (#5685 )
2026-02-20 09:02:27 +00:00 · 2026-02-19 14:43:27 +01:00 · 2026-02-19 14:40:01 +01:00 · 2026-02-19 12:43:23 +01:00 · 2026-02-19 10:00:11 +01:00 · 2026-02-19 09:42:00 +01:00
22 changed files with 157 additions and 53 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -92,7 +92,7 @@ dependencies = [
  "redis==7.1.*",
  "reportlab==4.4.*",
  "requests==2.32.*",
-  "sentry-sdk==2.52.*",
+  "sentry-sdk==2.53.*",
  "sepaxml==2.7.*",
  "stripe==7.9.*",
  "text-unidecode==1.*",
@@ -110,7 +110,7 @@ dev = [
  "aiohttp==3.13.*",
  "coverage",
  "coveralls",
-  "fakeredis==2.33.*",
+  "fakeredis==2.34.*",
  "flake8==7.3.*",
  "freezegun",
  "isort==7.0.*",
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -188,11 +188,15 @@ class CheckinListViewSet(viewsets.ModelViewSet):
        clist = self.get_object()
        if serializer.validated_data.get('nonce'):
            if kwargs.get('position'):
-                prev = kwargs['position'].all_checkins.filter(nonce=serializer.validated_data['nonce']).first()
+                prev = kwargs['position'].all_checkins.filter(
+                    nonce=serializer.validated_data['nonce'],
+                    successful=False
+                ).first()
            else:
                prev = clist.checkins.filter(
                    nonce=serializer.validated_data['nonce'],
                    raw_barcode=serializer.validated_data['raw_barcode'],
+                    successful=False
                ).first()
            if prev:
                # Ignore because nonce is already handled
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -259,7 +259,14 @@ class GiftCardViewSet(viewsets.ModelViewSet):
            action='pretix.giftcards.transaction.manual',
            user=self.request.user,
            auth=self.request.auth,
-            data=merge_dicts(self.request.data, {'id': inst.pk, 'acceptor_id': self.request.organizer.id})
+            data=merge_dicts(
+                self.request.data,
+                {
+                    'id': inst.pk,
+                    'acceptor_id': self.request.organizer.id,
+                    'acceptor_slug': self.request.organizer.slug
+                }
+            )
        )

    @transaction.atomic()
@@ -290,7 +297,11 @@ class GiftCardViewSet(viewsets.ModelViewSet):
                action='pretix.giftcards.transaction.manual',
                user=self.request.user,
                auth=self.request.auth,
-                data={'value': diff, 'acceptor_id': self.request.organizer.id}
+                data={
+                    'value': diff,
+                    'acceptor_id': self.request.organizer.id,
+                    'acceptor_slug': self.request.organizer.slug
+                }
            )

        return inst
@@ -320,7 +331,8 @@ class GiftCardViewSet(viewsets.ModelViewSet):
            data={
                'value': value,
                'text': text,
-                'acceptor_id': self.request.organizer.id
+                'acceptor_id': self.request.organizer.id,
+                'acceptor_slug': self.request.organizer.slug
            }
        )
        return Response(GiftCardSerializer(gc, context=self.get_serializer_context()).data, status=status.HTTP_200_OK)
--- a/src/pretix/api/webhooks.py
+++ b/src/pretix/api/webhooks.py
@@ -198,6 +198,7 @@ class ParametrizedGiftcardTransactionWebhookEvent(ParametrizedWebhookEvent):
            'notification_id': logentry.pk,
            'issuer_id': logentry.organizer_id,
            'acceptor_id': logentry.parsed_data.get('acceptor_id'),
+            'acceptor_slug': logentry.parsed_data.get('acceptor_slug'),
            'giftcard': giftcard.pk,
            'action': logentry.action_type,
        }
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -651,6 +651,7 @@ class OrderListExporter(MultiSheetListExporter):
            pgettext('address', 'State'),
            _('Voucher'),
            _('Voucher budget usage'),
+            _('Voucher tag'),
            _('Pseudonymization ID'),
            _('Ticket secret'),
            _('Seat ID'),
@@ -769,6 +770,7 @@ class OrderListExporter(MultiSheetListExporter):
                    op.state_for_address or '',
                    op.voucher.code if op.voucher else '',
                    op.voucher_budget_use if op.voucher_budget_use else '',
+                    op.voucher.tag if op.voucher else '',
                    op.pseudonymization_id,
                    op.secret,
                ]
--- a/src/pretix/base/invoicing/pdf.py
+++ b/src/pretix/base/invoicing/pdf.py
@@ -148,10 +148,6 @@ class NumberedCanvas(Canvas):
        self.restoreState()


-class InvoiceNotReadyException(Exception):
-    pass
-
-
 class BaseInvoiceRenderer:
    """
    This is the base class for all invoice renderers.
--- a/src/pretix/base/modelimport_vouchers.py
+++ b/src/pretix/base/modelimport_vouchers.py
@@ -132,7 +132,7 @@ class AllowIgnoreQuotaColumn(BooleanColumnMixin, ImportColumn):

 class PriceModeColumn(ImportColumn):
    identifier = 'price_mode'
-    verbose_name = gettext_lazy('Price mode')
+    verbose_name = gettext_lazy('Price effect')
    default_value = None
    initial = 'static:none'

@@ -147,7 +147,7 @@ class PriceModeColumn(ImportColumn):
        elif value in reverse:
            return reverse[value]
        else:
-            raise ValidationError(_("Could not parse {value} as a price mode, use one of {options}.").format(
+            raise ValidationError(_("Could not parse {value} as a price effect, use one of {options}.").format(
                value=value, options=', '.join(d.keys())
            ))

@@ -162,7 +162,7 @@ class ValueColumn(DecimalColumnMixin, ImportColumn):
    def clean(self, value, previous_values):
        value = super().clean(value, previous_values)
        if value and previous_values.get("price_mode") == "none":
-            raise ValidationError(_("It is pointless to set a value without a price mode."))
+            raise ValidationError(_("It is pointless to set a value without a price effect."))
        return value

    def assign(self, value, obj: Voucher, **kwargs):
--- a/src/pretix/base/models/vouchers.py
+++ b/src/pretix/base/models/vouchers.py
@@ -239,7 +239,7 @@ class Voucher(LoggedModel):
        )
    )
    price_mode = models.CharField(
-        verbose_name=_("Price mode"),
+        verbose_name=_("Price effect"),
        max_length=100,
        choices=PRICE_MODES,
        default='none'
--- a/src/pretix/base/payment.py
+++ b/src/pretix/base/payment.py
@@ -1650,7 +1650,8 @@ class GiftCardPayment(BasePaymentProvider):
                    action='pretix.giftcards.transaction.payment',
                    data={
                        'value': trans.value,
-                        'acceptor_id': self.event.organizer.id
+                        'acceptor_id': self.event.organizer.id,
+                        'acceptor_slug': self.event.organizer.slug
                    }
                )
        except PaymentException as e:
@@ -1682,6 +1683,7 @@ class GiftCardPayment(BasePaymentProvider):
            data={
                'value': refund.amount,
                'acceptor_id': self.event.organizer.id,
+                'acceptor_slug': self.event.organizer.slug,
                'text': refund.comment,
            }
        )
--- a/src/pretix/base/services/invoices.py
+++ b/src/pretix/base/services/invoices.py
@@ -51,7 +51,6 @@ from django_scopes import scope, scopes_disabled
 from i18nfield.strings import LazyI18nString

 from pretix.base.i18n import language
-from pretix.base.invoicing.pdf import InvoiceNotReadyException
 from pretix.base.invoicing.transmission import (
    get_transmission_types, transmission_providers,
 )
@@ -505,7 +504,7 @@ def generate_invoice(order: Order, trigger_pdf=True):
    return invoice


-@app.task(base=TransactionAwareTask, throws=(InvoiceNotReadyException,))
+@app.task(base=TransactionAwareTask)
 def invoice_pdf_task(invoice: int):
    with scopes_disabled():
        i = Invoice.objects.get(pk=invoice)
--- a/src/pretix/base/services/orders.py
+++ b/src/pretix/base/services/orders.py
@@ -253,7 +253,8 @@ def reactivate_order(order: Order, force: bool=False, user: User=None, auth=None
                        auth=auth,
                        data={
                            'value': position.price,
-                            'acceptor_id': order.event.organizer.id
+                            'acceptor_id': order.event.organizer.id,
+                            'acceptor_slug': order.event.organizer.slug
                        }
                    )
                    break
@@ -563,6 +564,7 @@ def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device
                        data={
                            'value': -position.price,
                            'acceptor_id': order.event.organizer.id,
+                            'acceptor_slug': order.event.organizer.slug
                        }
                    )

@@ -2457,7 +2459,8 @@ class OrderChangeManager:
                            auth=self.auth,
                            data={
                                'value': -position.price,
-                                'acceptor_id': self.order.event.organizer.id
+                                'acceptor_id': self.order.event.organizer.id,
+                                'acceptor_slug': self.order.event.organizer.slug
                            }
                        )

@@ -2483,7 +2486,8 @@ class OrderChangeManager:
                                auth=self.auth,
                                data={
                                    'value': -opa.position.price,
-                                    'acceptor_id': self.order.event.organizer.id
+                                    'acceptor_id': self.order.event.organizer.id,
+                                    'acceptor_slug': self.order.event.organizer.slug
                                }
                            )

@@ -3453,6 +3457,7 @@ def signal_listener_issue_giftcards(sender: Event, order: Order, **kwargs):
                    data={
                        'value': trans.value,
                        'acceptor_id': order.event.organizer.id,
+                        'acceptor_slug': order.event.organizer.slug
                    }
                )
                any_giftcards = True
--- a/src/pretix/base/templates/404.html
+++ b/src/pretix/base/templates/404.html
@@ -8,9 +8,6 @@
        <h1>{% trans "Not found" %}</h1>
        <p>{% trans "I'm afraid we could not find the the resource you requested." %}</p>
        <p>{{ exception }}</p>
-        <p class="links">
-            <a id='goback' href='#'>{% trans "Take a step back" %}</a>
-        </p>
        {% if request.user.is_staff and not staff_session %}
            <form action="{% url 'control:user.sudo' %}?next={{ request.path|add:"?"|add:request.GET.urlencode|urlencode }}" method="post">
                <p>
--- a/src/pretix/control/templates/pretixcontrol/user/2fa_main.html
+++ b/src/pretix/control/templates/pretixcontrol/user/2fa_main.html
@@ -144,14 +144,23 @@
        </div>
        <div class="panel-body">
            <p>
-                {% trans "If you lose access to your devices, you can use one of the following keys to log in. We recommend to store them in a safe place, e.g. printed out or in a password manager. Every token can be used at most once." %}
+                {% blocktrans trimmed %}
+                    If you lose access to your devices, you can use one of your emergency tokens to log in.
+                    We recommend to store them in a safe place, e.g. printed out or in a password manager.
+                    Every token can be used at most once.
+                {% endblocktrans %}
            </p>
-            <p>{% trans "Unused tokens:" %}</p>
-            <ul>
-                {% for t in static_tokens %}
-                    <li><code>{{ t.token }}</code></li>
-                {% endfor %}
-            </ul>
+            {% if static_tokens_device %}
+                <p>
+                    {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
+                        You generated your emergency tokens on {{ generation_date_time }}.
+                    {% endblocktrans %}
+                </p>
+            {% else %}
+                <p>
+                    {% trans "You don't have any emergency tokens yet." %}
+                </p>
+            {% endif %}
            <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
                <span class="fa fa-refresh"></span>
                {% trans "Generate new emergency tokens" %}
--- a/src/pretix/control/views/organizer.py
+++ b/src/pretix/control/views/organizer.py
@@ -1850,7 +1850,8 @@ class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
                        data={
                            'value': value,
                            'text': request.POST.get('text'),
-                            'acceptor_id': self.request.organizer.id
+                            'acceptor_id': self.request.organizer.id,
+                            'acceptor_slug': self.request.organizer.slug
                        },
                        user=self.request.user,
                    )
@@ -1913,7 +1914,8 @@ class GiftCardCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
                user=self.request.user,
                data={
                    'value': form.cleaned_data['value'],
-                    'acceptor_id': self.request.organizer.id
+                    'acceptor_id': self.request.organizer.id,
+                    'acceptor_slug': self.request.organizer.slug
                }
            )
        return redirect(reverse(
--- a/src/pretix/control/views/user.py
+++ b/src/pretix/control/views/user.py
@@ -49,12 +49,14 @@ from django.db import transaction
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.crypto import get_random_string
+from django.utils.decorators import method_decorator
 from django.utils.functional import cached_property
 from django.utils.html import format_html
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django.views import View
+from django.views.decorators.cache import never_cache
 from django.views.generic import FormView, ListView, TemplateView, UpdateView
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
@@ -85,8 +87,9 @@ logger = logging.getLogger(__name__)


 class RecentAuthenticationRequiredMixin:
-    max_time = 3600
+    max_time = 900

+    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
        tdelta = time.time() - request.session.get('pretix_auth_login_time', 0)
        if tdelta > self.max_time:
@@ -289,16 +292,13 @@ class User2FAMainView(RecentAuthenticationRequiredMixin, TemplateView):
        ctx = super().get_context_data()

        try:
-            ctx['static_tokens'] = StaticDevice.objects.get(user=self.request.user, name='emergency').token_set.all()
+            ctx['static_tokens_device'] = StaticDevice.objects.get(user=self.request.user, name='emergency')
        except StaticDevice.MultipleObjectsReturned:
-            ctx['static_tokens'] = StaticDevice.objects.filter(
+            ctx['static_tokens_device'] = StaticDevice.objects.filter(
                user=self.request.user, name='emergency'
-            ).first().token_set.all()
+            ).first()
        except StaticDevice.DoesNotExist:
-            d = StaticDevice.objects.create(user=self.request.user, name='emergency')
-            for i in range(10):
-                d.token_set.create(token=get_random_string(length=12, allowed_chars='1234567890'))
-            ctx['static_tokens'] = d.token_set.all()
+            ctx['static_tokens_device'] = None

        ctx['devices'] = []
        for dt in REAL_DEVICE_TYPES:
@@ -631,7 +631,8 @@ class User2FARegenerateEmergencyView(RecentAuthenticationRequiredMixin, Template
        self.request.user.update_session_token()
        update_session_auth_hash(self.request, self.request.user)
        messages.success(request, _('Your emergency codes have been newly generated. Remember to store them in a safe '
-                                    'place in case you lose access to your devices.'))
+                                    'place in case you lose access to your devices. You will not be able to view them '
+                                    'again here.\n\nYour emergency codes:\n- ' + '\n- '.join(t.token for t in d.token_set.all())))
        return redirect(reverse('control:user.settings.2fa'))


--- a/src/pretix/helpers/cookies.py
+++ b/src/pretix/helpers/cookies.py
@@ -34,7 +34,10 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
    if not is_secure:
        # https://www.chromestatus.com/feature/5633521622188032
        return
-    if should_send_same_site_none(request.headers.get('User-Agent', '')):
+
+    useragent = request.headers.get('User-Agent', '')
+
+    if should_send_same_site_none(useragent):
        # Chromium is rolling out SameSite=Lax as a default
        # https://www.chromestatus.com/feature/5088147346030592
        # This however breaks all pretix-in-an-iframe things, such as the pretix Widget.
@@ -44,8 +47,29 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
        # This will only work on secure cookies as well
        # https://www.chromestatus.com/feature/5633521622188032
        response.cookies[key]['secure'] = is_secure
-        # CHIPS
-        response.cookies[key]['Partitioned'] = True
+
+        if can_send_partitioned_cookie(useragent):
+            # CHIPS
+            response.cookies[key]['Partitioned'] = True
+
+
+def can_send_partitioned_cookie(useragent):
+    # Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not
+    # sent back to the originating site after multi-hop cross-site redirects,
+    # breaking SSO login flows in pretix.
+    #
+    # Partitioned cookies were initially introduced in Safari 18.4, removed
+    # again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the
+    # current issue is present.
+    #
+    # Once the Safari issue is fixed, this check should be refined to be
+    # conditional on the affected versions only.
+    #
+    # WebKit issues:
+    #
+    #   - https://bugs.webkit.org/show_bug.cgi?id=292975
+    #   - https://bugs.webkit.org/show_bug.cgi?id=306194
+    return not is_safari(useragent)


 # Based on https://www.chromium.org/updates/same-site/incompatible-clients
--- a/src/pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/pending.html
+++ b/src/pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/pending.html
@@ -21,10 +21,10 @@
            <dt>{% trans "Reference code (important):" %}</dt><dd><b>{{ code }}</b></dd>
            <dt>{% trans "Amount:" %}</dt><dd>{{ amount|money:event.currency }}</dd>
            {% if settings.bank_details_type == "sepa" %}
-                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dt>
-                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dt>
-                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dt>
-                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dt>
+                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dd>
+                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dd>
+                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dd>
+                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dd>
            {% endif %}
        </dl>
        {% if details %}
@@ -38,4 +38,4 @@
    {% if payment_qr_codes %}
        {% include "pretixpresale/event/payment_qr_codes.html" %}
    {% endif %}
-</div>
+</div>
--- a/src/pretix/plugins/stripe/payment.py
+++ b/src/pretix/plugins/stripe/payment.py
@@ -118,6 +118,7 @@ logger = logging.getLogger('pretix.plugins.stripe')
 # - UPI: ✗
 # - Netbanking: ✗
 # - TWINT: ✓
+# - Wero: ✓ (No settings UI yet)
 #
 # Bank transfers
 # - ACH Bank Transfer: ✗
@@ -509,6 +510,15 @@ class StripeSettingsHolder(BasePaymentProvider):
                                 'before they work properly.'),
                     required=False,
                 )),
+                # Disabled for now, since still in closed Beta and only available to dedicated boarded accounts.
+                # ('method_wero',
+                #  forms.BooleanField(
+                #     label=_('Wero'),
+                #      disabled=self.event.currency not in 'EUR',
+                #      help_text=_('Some payment methods might need to be enabled in the settings of your Stripe account '
+                #                  'before they work properly.'),
+                #      required=False,
+                #  )),
            ] + extra_fields + list(super().settings_form_fields.items()) + moto_settings
        )
        if not self.settings.connect_client_id or self.settings.secret_key:
@@ -1946,3 +1956,15 @@ class StripeMobilePay(StripeRedirectMethod):
                "type": "mobilepay",
            },
        }
+
+
+class StripeWero(StripeRedirectMethod):
+    identifier = 'stripe_wero'
+    verbose_name = _('WERO via Stripe')
+    public_name = 'WERO'
+    method = 'wero'
+    confirmation_method = 'automatic'
+    explanation = _(
+        'This payment method is available to European online banking users, whose banking institutions support WERO '
+        'either through their native banking apps or through the WERO wallet app. Please have you app ready.'
+    )
--- a/src/pretix/plugins/stripe/signals.py
+++ b/src/pretix/plugins/stripe/signals.py
@@ -49,14 +49,14 @@ def register_payment_provider(sender, **kwargs):
        StripeMultibanco, StripePayByBank, StripePayPal, StripePromptPay,
        StripePrzelewy24, StripeRevolutPay, StripeSEPADirectDebit,
        StripeSettingsHolder, StripeSofort, StripeSwish, StripeTwint,
-        StripeWeChatPay,
+        StripeWeChatPay, StripeWero,
    )

    return [
        StripeSettingsHolder, StripeCC, StripeGiropay, StripeIdeal, StripeAlipay, StripeBancontact,
        StripeSofort, StripeEPS, StripeMultibanco, StripePayByBank, StripePrzelewy24, StripePromptPay, StripeRevolutPay,
        StripeWeChatPay, StripeSEPADirectDebit, StripeAffirm, StripeKlarna, StripePayPal, StripeSwish,
-        StripeTwint, StripeMobilePay
+        StripeTwint, StripeMobilePay, StripeWero
    ]


--- a/src/tests/api/test_checkin.py
+++ b/src/tests/api/test_checkin.py
@@ -1177,6 +1177,30 @@ def test_store_failed(token_client, organizer, clist, event, order):
    assert resp.status_code == 400


+@pytest.mark.django_db
+def test_store_failed_after_success(token_client, organizer, clist, event, order):
+    with scopes_disabled():
+        p = order.positions.first()
+        p.all_checkins.create(
+            type=Checkin.TYPE_ENTRY,
+            nonce='foobar',
+            successful=True,
+            list=clist,
+            raw_barcode=p.secret
+        )
+    resp = token_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/failed_checkins/'.format(
+        organizer.slug, event.slug, clist.pk,
+    ), {
+        'raw_barcode': p.secret,
+        'nonce': 'foobar',
+        'position': p.pk,
+        'error_reason': 'unpaid'
+    }, format='json')
+    assert resp.status_code == 201
+    with scopes_disabled():
+        assert Checkin.all.filter(position=p).count() == 2
+
+
@pytest.mark.django_db
 def test_redeem_unknown(token_client, organizer, clist, event, order):
    resp = _redeem(token_client, organizer, clist, 'unknown_secret', {'force': True})
--- a/src/tests/base/test_modelimport_vouchers.py
+++ b/src/tests/base/test_modelimport_vouchers.py
@@ -170,7 +170,7 @@ def test_price_mode_validation(event, item, user):
        import_vouchers.apply(
            args=(event.pk, inputfile_factory().id, settings, 'en', user.pk)
        ).get()
-    assert 'It is pointless to set a value without a price mode.' in str(excinfo.value)
+    assert 'It is pointless to set a value without a price effect.' in str(excinfo.value)

    settings['price_mode'] = 'static:percent'
    import_vouchers.apply(
--- a/src/tests/control/test_user.py
+++ b/src/tests/control/test_user.py
@@ -339,13 +339,17 @@ class UserSettings2FATest(SoupTest):

    def test_gen_emergency(self):
        self.client.get('/control/settings/2fa/')
+        assert not StaticDevice.objects.filter(user=self.user, name='emergency').exists()
+
+        self.client.post('/control/settings/2fa/regenemergency')
        d = StaticDevice.objects.get(user=self.user, name='emergency')
        assert d.token_set.count() == 10
        old_tokens = set(t.token for t in d.token_set.all())
+
        self.client.post('/control/settings/2fa/regenemergency')
-        new_tokens = set(t.token for t in d.token_set.all())
        d = StaticDevice.objects.get(user=self.user, name='emergency')
        assert d.token_set.count() == 10
+        new_tokens = set(t.token for t in d.token_set.all())
        assert old_tokens != new_tokens

    def test_delete_u2f(self):
Author	SHA1	Message	Date
Martin Gross	3d53c03906	Stripe: isort	2026-02-19 14:43:27 +01:00
Martin Gross	59d1d2cb16	Stripe: Add Wero as a hidden payment method (private beta; requires MoR)	2026-02-19 14:40:01 +01:00
luelista	7e45837295	Security hardening for 2FA configuration (#5685 ) * reduce default RecentAuthenticationRequiredMixin timeout to 15 min * never cache pages with RecentAuthenticationRequiredMixin * show emergency codes only once after generating	2026-02-19 12:43:23 +01:00
Lukas Bockstaller	fd9ed15065	include acceptor slug in log/webhook event (#5906 )	2026-02-19 10:00:11 +01:00
Richard Schreiber	2df3d9206b	Add voucher tag to orderlist positions export	2026-02-19 09:42:00 +01:00
Kian Cross	fbd8bbbeaa	Disable partitioned cookies for Safari due to WebKit bugs (#5843 ) Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not sent back to the originating site after multi-hop cross-site redirects, breaking SSO login flows in pretix. Partitioned cookies were initially introduced in Safari 18.4, removed again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the current issue is present. As a mitigation, disable sending the `Partitioned` attribute for Safari user agents. This is intentionally conservative; once the Safari issue is fixed, this check should be refined to be conditional on the affected versions only. WebKit issues: - https://bugs.webkit.org/show_bug.cgi?id=292975 - https://bugs.webkit.org/show_bug.cgi?id=306194	2026-02-18 09:19:14 +01:00
Kara Engelhardt	1c305e4b30	Store failed offline checkin if successful online checkin with same nonce exists	2026-02-17 10:41:05 +01:00
KarlKeu00	ea114b4f64	Fix HTML closing tags in pending.html (#5893 )	2026-02-17 10:20:28 +01:00
dependabot[bot]	0342613635	Update fakeredis requirement from ==2.33.* to ==2.34.* (#5899 ) Updates the requirements on [fakeredis](https://github.com/cunla/fakeredis-py) to permit the latest version. - [Release notes](https://github.com/cunla/fakeredis-py/releases) - [Commits](https://github.com/cunla/fakeredis-py/compare/v2.33.0...v2.34.0) --- updated-dependencies: - dependency-name: fakeredis dependency-version: 2.34.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-17 10:16:35 +01:00
dependabot[bot]	743c4b796b	Update sentry-sdk requirement from ==2.52.* to ==2.53.* (#5898 ) Updates the requirements on [sentry-sdk](https://github.com/getsentry/sentry-python) to permit the latest version. - [Release notes](https://github.com/getsentry/sentry-python/releases) - [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-python/compare/2.52.0a1...2.53.0) --- updated-dependencies: - dependency-name: sentry-sdk dependency-version: 2.53.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-17 10:16:27 +01:00
Raphael Michel	8a7f54795e	Vouchers: Fix field label inconsistency (Z#23222887) (#5902 ) The field Voucher.price_mode is sometimes called "Price mode" and sometimes "Price effect" in the UI, which is inconsistent. I think "price effect" is a little clearer, but I don't really care as long as it is consistent.	2026-02-17 10:16:12 +01:00
Raphael Michel	cb464ad597	Remove back link from 404 error page (#23222967 ) (#5901 ) I've kept it for 400/403/500/csrffail for now, because they also have a "try again" link. Yes, both things have browser buttons, but they make it a little clearer to technical users what one could to next, and especially on csrffail, "step back" is always possible and possibly actually helpful.	2026-02-17 10:16:05 +01:00