draft html rendering

pyproject.toml

@@ -92,7 +92,7 @@ dependencies = [
   "redis==7.1.*",
   "reportlab==4.4.*",
   "requests==2.32.*",
-  "sentry-sdk==2.53.*",
+  "sentry-sdk==2.52.*",
   "sepaxml==2.7.*",
   "stripe==7.9.*",
   "text-unidecode==1.*",
@@ -110,7 +110,7 @@ dev = [
   "aiohttp==3.13.*",
   "coverage",
   "coveralls",
-  "fakeredis==2.34.*",
+  "fakeredis==2.33.*",
   "flake8==7.3.*",
   "freezegun",
   "isort==7.0.*",

src/pretix/api/views/checkin.py

@@ -188,15 +188,11 @@ class CheckinListViewSet(viewsets.ModelViewSet):
         clist = self.get_object()
         if serializer.validated_data.get('nonce'):
             if kwargs.get('position'):
-                prev = kwargs['position'].all_checkins.filter(
-                    nonce=serializer.validated_data['nonce'],
-                    successful=False
-                ).first()
+                prev = kwargs['position'].all_checkins.filter(nonce=serializer.validated_data['nonce']).first()
             else:
                 prev = clist.checkins.filter(
                     nonce=serializer.validated_data['nonce'],
                     raw_barcode=serializer.validated_data['raw_barcode'],
-                    successful=False
                 ).first()
             if prev:
                 # Ignore because nonce is already handled

src/pretix/api/views/organizer.py

@@ -259,14 +259,7 @@ class GiftCardViewSet(viewsets.ModelViewSet):
             action='pretix.giftcards.transaction.manual',
             user=self.request.user,
             auth=self.request.auth,
-            data=merge_dicts(
-                self.request.data,
-                {
-                    'id': inst.pk,
-                    'acceptor_id': self.request.organizer.id,
-                    'acceptor_slug': self.request.organizer.slug
-                }
-            )
+            data=merge_dicts(self.request.data, {'id': inst.pk, 'acceptor_id': self.request.organizer.id})
         )
 
     @transaction.atomic()
@@ -297,11 +290,7 @@ class GiftCardViewSet(viewsets.ModelViewSet):
                 action='pretix.giftcards.transaction.manual',
                 user=self.request.user,
                 auth=self.request.auth,
-                data={
-                    'value': diff,
-                    'acceptor_id': self.request.organizer.id,
-                    'acceptor_slug': self.request.organizer.slug
-                }
+                data={'value': diff, 'acceptor_id': self.request.organizer.id}
             )
 
         return inst
@@ -331,8 +320,7 @@ class GiftCardViewSet(viewsets.ModelViewSet):
             data={
                 'value': value,
                 'text': text,
-                'acceptor_id': self.request.organizer.id,
-                'acceptor_slug': self.request.organizer.slug
+                'acceptor_id': self.request.organizer.id
             }
         )
         return Response(GiftCardSerializer(gc, context=self.get_serializer_context()).data, status=status.HTTP_200_OK)

src/pretix/api/webhooks.py

@@ -198,7 +198,6 @@ class ParametrizedGiftcardTransactionWebhookEvent(ParametrizedWebhookEvent):
             'notification_id': logentry.pk,
             'issuer_id': logentry.organizer_id,
             'acceptor_id': logentry.parsed_data.get('acceptor_id'),
-            'acceptor_slug': logentry.parsed_data.get('acceptor_slug'),
             'giftcard': giftcard.pk,
             'action': logentry.action_type,
         }

src/pretix/base/email.py

@@ -22,7 +22,7 @@
 import logging
 from itertools import groupby
 from smtplib import SMTPResponseException
-from typing import TypeVar
+from typing import TypeVar, Union
 
 import bleach
 import css_inline
@@ -31,6 +31,7 @@ from django.core.mail.backends.smtp import EmailBackend
 from django.db.models import Count
 from django.dispatch import receiver
 from django.template.loader import get_template
+from django.utils.safestring import mark_safe
 from django.utils.translation import get_language, gettext_lazy as _
 
 from pretix.base.models import Event
@@ -39,7 +40,9 @@ from pretix.base.templatetags.rich_text import (
     DEFAULT_CALLBACKS, EMAIL_RE, URL_RE, abslink_callback,
     markdown_compile_email, truelink_callback,
 )
-from pretix.helpers.format import FormattedString, SafeFormatter, format_map
+from pretix.helpers.format import (
+    FormattedString, PlainHtmlAlternativeString, SafeFormatter, format_map,
+)
 
 from pretix.base.services.placeholders import (  # noqa
     get_available_placeholders, PlaceholderContext
@@ -83,8 +86,8 @@ class BaseHTMLMailRenderer:
     def __str__(self):
         return self.identifier
 
-    def render(self, plain_body: str, plain_signature: str, subject: str, order=None,
-               position=None, context=None) -> str:
+    def render(self, content: Union[str, FormattedString, PlainHtmlAlternativeString], plain_signature: str,
+               subject: str, order=None, position=None, context=None) -> str:
         """
         This method should generate the HTML part of the email.
 
@@ -140,27 +143,37 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
     def compile_markdown(self, plaintext, context=None):
         return markdown_compile_email(plaintext, context=context)
 
-    def render(self, plain_body: str, plain_signature: str, subject: str, order, position, context) -> str:
-        apply_format_map = not isinstance(plain_body, FormattedString)
-        body_md = self.compile_markdown(plain_body, context)
-        if context:
-            linker = bleach.Linker(
-                url_re=URL_RE,
-                email_re=EMAIL_RE,
-                callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
-                parse_email=True
-            )
-            if apply_format_map:
-                body_md = format_map(
-                    body_md,
+    def render(self, content: Union[str, FormattedString, PlainHtmlAlternativeString], plain_signature: str,
+               subject: str, order=None, position=None, context=None) -> str:
+        if isinstance(content, FormattedString):
+            # Raw string that is already formatted but not markdown-rendered
+            body_content_html = self.compile_markdown(content, context)
+
+        elif isinstance(content, PlainHtmlAlternativeString):
+            # HTML already rendered by Django templates
+            body_content_html = content.html
+
+        else:
+            # Raw string that is not yet formatted or markdown-rendered
+            body_content_html = self.compile_markdown(content, context)
+            if context:
+                linker = bleach.Linker(
+                    url_re=URL_RE,
+                    email_re=EMAIL_RE,
+                    callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
+                    parse_email=True
+                )
+                body_content_html = format_map(
+                    body_content_html,
                     context=context,
                     mode=SafeFormatter.MODE_RICH_TO_HTML,
                     linkifier=linker
                 )
+
         htmlctx = {
             'site': settings.PRETIX_INSTANCE_NAME,
             'site_url': settings.SITE_URL,
-            'body': body_md,
+            'body': mark_safe(body_content_html),
             'subject': str(subject),
             'color': settings.PRETIX_PRIMARY_COLOR,
             'rtl': get_language() in settings.LANGUAGES_RTL or get_language().split('-')[0] in settings.LANGUAGES_RTL,

src/pretix/base/exporters/orderlist.py

@@ -651,7 +651,6 @@ class OrderListExporter(MultiSheetListExporter):
             pgettext('address', 'State'),
             _('Voucher'),
             _('Voucher budget usage'),
-            _('Voucher tag'),
             _('Pseudonymization ID'),
             _('Ticket secret'),
             _('Seat ID'),
@@ -770,7 +769,6 @@ class OrderListExporter(MultiSheetListExporter):
                     op.state_for_address or '',
                     op.voucher.code if op.voucher else '',
                     op.voucher_budget_use if op.voucher_budget_use else '',
-                    op.voucher.tag if op.voucher else '',
                     op.pseudonymization_id,
                     op.secret,
                 ]

src/pretix/base/invoicing/email.py

@@ -33,8 +33,7 @@ from pretix.base.invoicing.transmission import (
     transmission_types,
 )
 from pretix.base.models import Invoice, InvoiceAddress
-from pretix.base.services.mail import mail, render_mail
-from pretix.helpers.format import format_map
+from pretix.base.services.mail import mail
 
 
 @transmission_types.new()
@@ -134,9 +133,7 @@ class EmailTransmissionProvider(TransmissionProvider):
             subject = invoice.order.event.settings.get('mail_subject_order_invoice', as_type=LazyI18nString)
 
             # Do not set to completed because that is done by the email sending task
-            subject = format_map(subject, context)
-            email_content = render_mail(template, context)
-            mail(
+            outgoing_mail = mail(
                 [recipient],
                 subject,
                 template,
@@ -151,19 +148,10 @@ class EmailTransmissionProvider(TransmissionProvider):
                 plain_text_only=True,
                 no_order_links=True,
             )
-            invoice.order.log_action(
-                'pretix.event.order.email.invoice',
-                user=None,
-                auth=None,
-                data={
-                    'subject': subject,
-                    'message': email_content,
-                    'position': None,
-                    'recipient': recipient,
-                    'invoices': [invoice.pk],
-                    'attach_tickets': False,
-                    'attach_ical': False,
-                    'attach_other_files': [],
-                    'attach_cached_files': [],
-                }
-            )
+            if outgoing_mail:
+                invoice.order.log_action(
+                    'pretix.event.order.email.invoice',
+                    user=None,
+                    auth=None,
+                    data=outgoing_mail.log_data()
+                )

src/pretix/base/modelimport_vouchers.py

@@ -132,7 +132,7 @@ class AllowIgnoreQuotaColumn(BooleanColumnMixin, ImportColumn):
 
 class PriceModeColumn(ImportColumn):
     identifier = 'price_mode'
-    verbose_name = gettext_lazy('Price effect')
+    verbose_name = gettext_lazy('Price mode')
     default_value = None
     initial = 'static:none'
 
@@ -147,7 +147,7 @@ class PriceModeColumn(ImportColumn):
         elif value in reverse:
             return reverse[value]
         else:
-            raise ValidationError(_("Could not parse {value} as a price effect, use one of {options}.").format(
+            raise ValidationError(_("Could not parse {value} as a price mode, use one of {options}.").format(
                 value=value, options=', '.join(d.keys())
             ))
 
@@ -162,7 +162,7 @@ class ValueColumn(DecimalColumnMixin, ImportColumn):
     def clean(self, value, previous_values):
         value = super().clean(value, previous_values)
         if value and previous_values.get("price_mode") == "none":
-            raise ValidationError(_("It is pointless to set a value without a price effect."))
+            raise ValidationError(_("It is pointless to set a value without a price mode."))
         return value
 
     def assign(self, value, obj: Voucher, **kwargs):

src/pretix/base/models/mail.py

@@ -220,3 +220,20 @@ class OutgoingMail(models.Model):
             error_log_action_type = 'pretix.email.error'
             log_target = None
         return log_target, error_log_action_type
+
+    def log_data(self):
+        return {
+            "subject": self.subject,
+            "message": self.body_plain,
+            "to": self.to,
+            "cc": self.cc,
+            "bcc": self.bcc,
+
+            "invoices": [i.pk for i in self.should_attach_invoices.all()],
+            "attach_tickets": self.should_attach_tickets,
+            "attach_ical": self.should_attach_ical,
+            "attach_other_files": self.should_attach_other_files,
+            "attach_cached_files": [cf.filename for cf in self.should_attach_cached_files.all()],
+
+            "position": self.orderposition.positionid if self.orderposition else None,
+        }

src/pretix/base/models/orders.py

@@ -87,7 +87,6 @@ from pretix.base.timemachine import time_machine_now
 
 from ...helpers import OF_SELF
 from ...helpers.countries import CachedCountries, FastCountryField
-from ...helpers.format import FormattedString, format_map
 from ...helpers.names import build_name
 from ...testutils.middleware import debugflags_var
 from ._transactions import (
@@ -1167,7 +1166,7 @@ class Order(LockModel, LoggedModel):
                          only be attached for this position and child positions, the link will only point to the
                          position and the attendee email will be used if available.
         """
-        from pretix.base.services.mail import mail, render_mail
+        from pretix.base.services.mail import mail
 
         if not self.email and not (position and position.attendee_email):
             return
@@ -1177,32 +1176,20 @@ class Order(LockModel, LoggedModel):
             if position and position.attendee_email:
                 recipient = position.attendee_email
 
-            email_content = render_mail(template, context)
-            if not isinstance(subject, FormattedString):
-                subject = format_map(subject, context)
-            mail(
+            outgoing_mail = mail(
                 recipient, subject, template, context,
                 self.event, self.locale, self, headers=headers, sender=sender,
                 invoices=invoices, attach_tickets=attach_tickets,
                 position=position, auto_email=auto_email, attach_ical=attach_ical,
                 attach_other_files=attach_other_files, attach_cached_files=attach_cached_files,
             )
-            self.log_action(
-                log_entry_type,
-                user=user,
-                auth=auth,
-                data={
-                    'subject': subject,
-                    'message': email_content,
-                    'position': position.positionid if position else None,
-                    'recipient': recipient,
-                    'invoices': [i.pk for i in invoices] if invoices else [],
-                    'attach_tickets': attach_tickets,
-                    'attach_ical': attach_ical,
-                    'attach_other_files': attach_other_files,
-                    'attach_cached_files': [cf.filename for cf in attach_cached_files] if attach_cached_files else [],
-                }
-            )
+            if outgoing_mail:
+                self.log_action(
+                    log_entry_type,
+                    user=user,
+                    auth=auth,
+                    data=outgoing_mail.log_data(),
+                )
 
     def resend_link(self, user=None, auth=None):
         with language(self.locale, self.event.settings.region):
@@ -2900,17 +2887,14 @@ class OrderPosition(AbstractPosition):
         :param attach_tickets: Attach tickets of this order, if they are existing and ready to download
         :param attach_ical: Attach relevant ICS files
         """
-        from pretix.base.services.mail import mail, render_mail
+        from pretix.base.services.mail import mail
 
         if not self.attendee_email:
             return
 
         with language(self.order.locale, self.order.event.settings.region):
             recipient = self.attendee_email
-            email_content = render_mail(template, context)
-            if not isinstance(subject, FormattedString):
-                subject = format_map(subject, context)
-            mail(
+            outgoing_mail = mail(
                 recipient, subject, template, context,
                 self.event, self.order.locale, order=self.order, headers=headers, sender=sender,
                 position=self,
@@ -2919,21 +2903,13 @@ class OrderPosition(AbstractPosition):
                 attach_ical=attach_ical,
                 attach_other_files=attach_other_files,
             )
-            self.order.log_action(
-                log_entry_type,
-                user=user,
-                auth=auth,
-                data={
-                    'subject': subject,
-                    'message': email_content,
-                    'recipient': recipient,
-                    'invoices': [i.pk for i in invoices] if invoices else [],
-                    'attach_tickets': attach_tickets,
-                    'attach_ical': attach_ical,
-                    'attach_other_files': attach_other_files,
-                    'attach_cached_files': [],
-                }
-            )
+            if outgoing_mail:
+                self.order.log_action(
+                    log_entry_type,
+                    user=user,
+                    auth=auth,
+                    data=outgoing_mail.log_data(),
+                )
 
     def resend_link(self, user=None, auth=None):
 

src/pretix/base/models/vouchers.py

@@ -239,7 +239,7 @@ class Voucher(LoggedModel):
         )
     )
     price_mode = models.CharField(
-        verbose_name=_("Price effect"),
+        verbose_name=_("Price mode"),
         max_length=100,
         choices=PRICE_MODES,
         default='none'

src/pretix/base/models/waitinglist.py

@@ -34,10 +34,9 @@ from phonenumber_field.modelfields import PhoneNumberField
 from pretix.base.email import get_email_context
 from pretix.base.i18n import language
 from pretix.base.models import User, Voucher
-from pretix.base.services.mail import mail, render_mail
+from pretix.base.services.mail import mail
 from pretix.helpers import OF_SELF
 
-from ...helpers.format import format_map
 from ...helpers.names import build_name
 from .base import LoggedModel
 from .event import Event, SubEvent
@@ -272,9 +271,7 @@ class WaitingListEntry(LoggedModel):
         with language(self.locale, self.event.settings.region):
             recipient = self.email
 
-            email_content = render_mail(template, context)
-            subject = format_map(subject, context)
-            mail(
+            outgoing_mail = mail(
                 recipient, subject, template, context,
                 self.event,
                 self.locale,
@@ -284,18 +281,13 @@ class WaitingListEntry(LoggedModel):
                 attach_other_files=attach_other_files,
                 attach_cached_files=attach_cached_files,
             )
-            self.log_action(
-                log_entry_type,
-                user=user,
-                auth=auth,
-                data={
-                    'subject': subject,
-                    'message': email_content,
-                    'recipient': recipient,
-                    'attach_other_files': attach_other_files,
-                    'attach_cached_files': [cf.filename for cf in attach_cached_files] if attach_cached_files else [],
-                }
-            )
+            if outgoing_mail:
+                self.log_action(
+                    log_entry_type,
+                    user=user,
+                    auth=auth,
+                    data=outgoing_mail.log_data(),
+                )
 
     @staticmethod
     def clean_itemvar(event, item, variation):

src/pretix/base/payment.py

@@ -1295,6 +1295,7 @@ class ManualPayment(BasePaymentProvider):
 
     def format_map(self, order, payment):
         return {
+            # Possible placeholder injection, we should make sure to never include user-controlled variables here
             'order': order.code,
             'amount': payment.amount,
             'currency': self.event.currency,
@@ -1650,8 +1651,7 @@ class GiftCardPayment(BasePaymentProvider):
                     action='pretix.giftcards.transaction.payment',
                     data={
                         'value': trans.value,
-                        'acceptor_id': self.event.organizer.id,
-                        'acceptor_slug': self.event.organizer.slug
+                        'acceptor_id': self.event.organizer.id
                     }
                 )
         except PaymentException as e:
@@ -1683,7 +1683,6 @@ class GiftCardPayment(BasePaymentProvider):
             data={
                 'value': refund.amount,
                 'acceptor_id': self.event.organizer.id,
-                'acceptor_slug': self.event.organizer.slug,
                 'text': refund.comment,
             }
         )

src/pretix/base/services/cancelevent.py

@@ -45,7 +45,6 @@ from pretix.base.services.tax import split_fee_for_taxes
 from pretix.base.templatetags.money import money_filter
 from pretix.celery_app import app
 from pretix.helpers import OF_SELF
-from pretix.helpers.format import format_map
 
 logger = logging.getLogger(__name__)
 
@@ -55,7 +54,7 @@ def _send_wle_mail(wle: WaitingListEntry, subject: LazyI18nString, message: Lazy
         email_context = get_email_context(event_or_subevent=subevent or wle.event, event=wle.event)
         mail(
             wle.email,
-            format_map(subject, email_context),
+            str(subject),
             message,
             email_context,
             wle.event,
@@ -73,9 +72,8 @@ def _send_mail(order: Order, subject: LazyI18nString, message: LazyI18nString, s
 
         email_context = get_email_context(event_or_subevent=subevent or order.event, refund_amount=refund_amount,
                                           order=order, position_or_address=ia, event=order.event)
-        real_subject = format_map(subject, email_context)
         order.send_mail(
-            real_subject, message, email_context,
+            subject, message, email_context,
             'pretix.event.order.email.event_canceled',
             user,
         )
@@ -85,14 +83,13 @@ def _send_mail(order: Order, subject: LazyI18nString, message: LazyI18nString, s
                 continue
 
             if p.addon_to_id is None and p.attendee_email and p.attendee_email != order.email:
-                real_subject = format_map(subject, email_context)
                 email_context = get_email_context(event_or_subevent=p.subevent or order.event,
                                                   event=order.event,
                                                   refund_amount=refund_amount,
                                                   position_or_address=p,
                                                   order=order, position=p)
                 order.send_mail(
-                    real_subject, message, email_context,
+                    subject, message, email_context,
                     'pretix.event.order.email.event_canceled',
                     position=p,
                     user=user

src/pretix/base/services/mail.py

@@ -58,6 +58,7 @@ from django.core.mail.message import SafeMIMEText
 from django.db import connection, transaction
 from django.db.models import Q
 from django.dispatch import receiver
+from django.template import Context
 from django.template.loader import get_template
 from django.utils.html import escape
 from django.utils.timezone import now, override
@@ -149,13 +150,13 @@ def prefix_subject(settings_holder, subject, highlight=False):
     return subject
 
 
-def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, LazyI18nString],
+def mail(email: Union[str, Sequence[str]], subject: Union[str, FormattedString], template: Union[str, LazyI18nString],
          context: Dict[str, Any] = None, event: Event = None, locale: str = None, order: Order = None,
          position: OrderPosition = None, *, headers: dict = None, sender: str = None, organizer: Organizer = None,
          customer: Customer = None, invoices: Sequence = None, attach_tickets=False, auto_email=True, user=None,
          attach_ical=False, attach_cached_files: Sequence = None, attach_other_files: list=None,
          plain_text_only=False, no_order_links=False, cc: Sequence[str]=None, bcc: Sequence[str]=None,
-         sensitive: bool=False):
+         sensitive: bool=False) -> Optional[OutgoingMail]:
     """
     Sends out an email to a user. The mail will be sent synchronously or asynchronously depending on the installation.
 
@@ -261,17 +262,22 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
             _autoextend_context(context, order)
 
         # Build raw content
-        content_plain = render_mail(template, context, placeholder_mode=None)
+        content = render_mail(template, context, placeholder_mode=None)
         if settings_holder:
             signature = str(settings_holder.settings.get('mail_text_signature'))
         else:
             signature = ""
 
         # Build full plain-text body
-        if not isinstance(content_plain, FormattedString):
-            body_plain = format_map(content_plain, context, mode=SafeFormatter.MODE_RICH_TO_PLAIN)
+        if isinstance(content, FormattedString):
+            # Already formatted by render_mail() from format_values
+            body_plain = content
+        elif isinstance(content, PlainHtmlAlternativeString):
+            # Already formatted by render_mail() form a django template
+            body_plain = content.plain
         else:
-            body_plain = content_plain
+            # Not yet formatted
+            body_plain = format_map(content, context, mode=SafeFormatter.MODE_RICH_TO_PLAIN)
         body_plain = _wrap_plain_body(body_plain, signature, event, order, position, no_order_links)
 
         # Build subject
@@ -298,19 +304,19 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
 
             try:
                 if 'context' in inspect.signature(renderer.render).parameters:
-                    body_html = renderer.render(content_plain, signature, raw_subject, order, position, context)
+                    body_html = renderer.render(content, signature, raw_subject, order, position, context)
                 elif 'position' in inspect.signature(renderer.render).parameters:
                     # Backwards compatibility
                     warnings.warn('Email renderer called without context argument because context argument is not '
                                   'supported.',
                                   DeprecationWarning)
-                    body_html = renderer.render(content_plain, signature, raw_subject, order, position)
+                    body_html = renderer.render(content, signature, raw_subject, order, position)
                 else:
                     # Backwards compatibility
                     warnings.warn('Email renderer called without position argument because position argument is not '
                                   'supported.',
                                   DeprecationWarning)
-                    body_html = renderer.render(content_plain, signature, raw_subject, order)
+                    body_html = renderer.render(content, signature, raw_subject, order)
             except:
                 logger.exception('Could not render HTML body')
                 body_html = None
@@ -335,14 +341,26 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
             should_attach_other_files=attach_other_files or [],
             sensitive=sensitive,
         )
+        m._prefetched_objects_cache = {}
         if invoices and not position:
             m.should_attach_invoices.add(*invoices)
+            # Hack: For logging, we'll later make a `should_attach_invoices.all()` call. We can prevent a useless
+            # DB query by filling the cache
+            m._prefetched_objects_cache[m.should_attach_invoices.prefetch_cache_name] = invoices
+        else:
+            m._prefetched_objects_cache[m.should_attach_invoices.prefetch_cache_name] = Invoice.objects.none()
         if attach_cached_files:
+            cf_list = []
             for cf in attach_cached_files:
                 if not isinstance(cf, CachedFile):
-                    m.should_attach_cached_files.add(CachedFile.objects.get(pk=cf))
-                else:
-                    m.should_attach_cached_files.add(cf)
+                    cf = CachedFile.objects.get(pk=cf)
+                m.should_attach_cached_files.add(cf)
+                cf_list.append(cf)
+            # Hack: For logging, we'll later make a `should_attach_cached_files.all()` call. We can prevent a useless
+            # DB query by filling the cache
+            m._prefetched_objects_cache[m.should_attach_cached_files.prefetch_cache_name] = cf_list
+        else:
+            m._prefetched_objects_cache[m.should_attach_cached_files.prefetch_cache_name] = CachedFile.objects.none()
 
         send_task = mail_send_task.si(
             outgoing_mail=m.id
@@ -364,6 +382,8 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
                 lambda: chain(*task_chain).apply_async()
             )
 
+    return m
+
 
 class CustomEmail(EmailMultiAlternatives):
     def _create_mime_attachment(self, content, mimetype):
@@ -796,15 +816,22 @@ def render_mail(template, context, placeholder_mode: Optional[int]=SafeFormatter
         body = str(template)
         if context and placeholder_mode:
             body = format_map(body, context, mode=placeholder_mode)
+        return body
     else:
         tpl = get_template(template)
-        context = {
-            # Known bug, should behave differently for plain and HTML but we'll fix after security release
+
+        plain_context = Context({
+            k: v.plain if isinstance(v, PlainHtmlAlternativeString) else v
+            for k, v in context.items()
+        } | {"to_html": False}, autoescape=False)
+        html_context = Context({
             k: v.html if isinstance(v, PlainHtmlAlternativeString) else v
             for k, v in context.items()
-        }
-        body = FormattedString(tpl.render(context))
-    return body
+        } | {"to_html": True}, autoescape=True)
+        return PlainHtmlAlternativeString(
+            plain=tpl.template.render(plain_context),
+            html=tpl.template.render(html_context),
+        )
 
 
 def replace_images_with_cid_paths(body_html):

src/pretix/base/services/orders.py

@@ -253,8 +253,7 @@ def reactivate_order(order: Order, force: bool=False, user: User=None, auth=None
                         auth=auth,
                         data={
                             'value': position.price,
-                            'acceptor_id': order.event.organizer.id,
-                            'acceptor_slug': order.event.organizer.slug
+                            'acceptor_id': order.event.organizer.id
                         }
                     )
                     break
@@ -564,7 +563,6 @@ def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device
                         data={
                             'value': -position.price,
                             'acceptor_id': order.event.organizer.id,
-                            'acceptor_slug': order.event.organizer.slug
                         }
                     )
 
@@ -2459,8 +2457,7 @@ class OrderChangeManager:
                             auth=self.auth,
                             data={
                                 'value': -position.price,
-                                'acceptor_id': self.order.event.organizer.id,
-                                'acceptor_slug': self.order.event.organizer.slug
+                                'acceptor_id': self.order.event.organizer.id
                             }
                         )
 
@@ -2486,8 +2483,7 @@ class OrderChangeManager:
                                 auth=self.auth,
                                 data={
                                     'value': -opa.position.price,
-                                    'acceptor_id': self.order.event.organizer.id,
-                                    'acceptor_slug': self.order.event.organizer.slug
+                                    'acceptor_id': self.order.event.organizer.id
                                 }
                             )
 
@@ -3457,7 +3453,6 @@ def signal_listener_issue_giftcards(sender: Event, order: Order, **kwargs):
                     data={
                         'value': trans.value,
                         'acceptor_id': order.event.organizer.id,
-                        'acceptor_slug': order.event.organizer.slug
                     }
                 )
                 any_giftcards = True

src/pretix/base/services/vouchers.py

@@ -39,7 +39,7 @@ def vouchers_send(event: Event, vouchers: list, subject: str, message: str, reci
         with language(event.settings.locale):
             email_context = get_email_context(event=event, name=r.get('name') or '',
                                               voucher_list=[v.code for v in voucher_list])
-            mail(
+            outgoing_mail = mail(
                 r['email'],
                 subject,
                 LazyI18nString(message),
@@ -60,8 +60,8 @@ def vouchers_send(event: Event, vouchers: list, subject: str, message: str, reci
                     data={
                         'recipient': r['email'],
                         'name': r.get('name'),
-                        'subject': subject,
-                        'message': message,
+                        'subject': outgoing_mail.subject,
+                        'message': outgoing_mail.body_plain,
                     },
                     save=False
                 ))

src/pretix/base/shredder.py

@@ -363,7 +363,7 @@ class EmailAddressShredder(BaseDataShredder):
                     le.save(update_fields=['data', 'shredded'])
             else:
                 shred_log_fields(le, banlist=[
-                    'recipient', 'message', 'subject', 'full_mail', 'old_email', 'new_email'
+                    'recipient', 'message', 'subject', 'full_mail', 'old_email', 'new_email', 'bcc', 'cc',
                 ])
 
 

src/pretix/base/templates/404.html

@@ -8,6 +8,9 @@
         <h1>{% trans "Not found" %}</h1>
         <p>{% trans "I'm afraid we could not find the the resource you requested." %}</p>
         <p>{{ exception }}</p>
+        <p class="links">
+            <a id='goback' href='#'>{% trans "Take a step back" %}</a>
+        </p>
         {% if request.user.is_staff and not staff_session %}
             <form action="{% url 'control:user.sudo' %}?next={{ request.path|add:"?"|add:request.GET.urlencode|urlencode }}" method="post">
                 <p>

src/pretix/control/templates/pretixcontrol/order/mail_history.html

@@ -24,7 +24,9 @@
                         {% if log.display %}
                             <br/><span class="fa fa-fw fa-comment-o"></span> {{ log.display }}
                         {% endif %}
-                        {% if log.parsed_data.recipient %}
+                        {% if log.parsed_data.to %}
+                            <br/><span class="fa fa-fw fa-envelope-o"></span> {{ log.parsed_data.to|join:", " }}
+                        {% elif log.parsed_data.recipient %} {# legacy #}
                             <br/><span class="fa fa-fw fa-envelope-o"></span> {{ log.parsed_data.recipient }}
                         {% endif %}
                     </p>

src/pretix/control/templates/pretixcontrol/user/2fa_main.html

@@ -144,23 +144,14 @@
         </div>
         <div class="panel-body">
             <p>
-                {% blocktrans trimmed %}
-                    If you lose access to your devices, you can use one of your emergency tokens to log in.
-                    We recommend to store them in a safe place, e.g. printed out or in a password manager.
-                    Every token can be used at most once.
-                {% endblocktrans %}
+                {% trans "If you lose access to your devices, you can use one of the following keys to log in. We recommend to store them in a safe place, e.g. printed out or in a password manager. Every token can be used at most once." %}
             </p>
-            {% if static_tokens_device %}
-                <p>
-                    {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
-                        You generated your emergency tokens on {{ generation_date_time }}.
-                    {% endblocktrans %}
-                </p>
-            {% else %}
-                <p>
-                    {% trans "You don't have any emergency tokens yet." %}
-                </p>
-            {% endif %}
+            <p>{% trans "Unused tokens:" %}</p>
+            <ul>
+                {% for t in static_tokens %}
+                    <li><code>{{ t.token }}</code></li>
+                {% endfor %}
+            </ul>
             <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
                 <span class="fa fa-refresh"></span>
                 {% trans "Generate new emergency tokens" %}

src/pretix/control/views/orders.py

@@ -2413,9 +2413,9 @@ class OrderSendMail(EventPermissionRequiredMixin, OrderViewMixin, FormView):
         with language(order.locale, self.request.event.settings.region):
             email_context = get_email_context(event=order.event, order=order)
         email_template = LazyI18nString(form.cleaned_data['message'])
-        email_subject = format_map(str(form.cleaned_data['subject']), email_context)
-        email_content = render_mail(email_template, email_context)
         if self.request.POST.get('action') == 'preview':
+            email_subject = format_map(str(form.cleaned_data['subject']), email_context)
+            email_content = render_mail(email_template, email_context)
             self.preview_output = {
                 'subject': mark_safe(_('Subject: {subject}').format(
                     subject=prefix_subject(order.event, escape(email_subject), highlight=True)
@@ -2477,9 +2477,9 @@ class OrderPositionSendMail(OrderSendMail):
         with language(position.order.locale, self.request.event.settings.region):
             email_context = get_email_context(event=position.order.event, order=position.order, position=position)
         email_template = LazyI18nString(form.cleaned_data['message'])
-        email_subject = format_map(str(form.cleaned_data['subject']), email_context)
-        email_content = render_mail(email_template, email_context)
         if self.request.POST.get('action') == 'preview':
+            email_subject = format_map(str(form.cleaned_data['subject']), email_context)
+            email_content = render_mail(email_template, email_context)
             self.preview_output = {
                 'subject': mark_safe(_('Subject: {subject}').format(
                     subject=prefix_subject(position.order.event, escape(email_subject), highlight=True))

src/pretix/control/views/organizer.py

@@ -1850,8 +1850,7 @@ class GiftCardDetailView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
                         data={
                             'value': value,
                             'text': request.POST.get('text'),
-                            'acceptor_id': self.request.organizer.id,
-                            'acceptor_slug': self.request.organizer.slug
+                            'acceptor_id': self.request.organizer.id
                         },
                         user=self.request.user,
                     )
@@ -1914,8 +1913,7 @@ class GiftCardCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMi
                 user=self.request.user,
                 data={
                     'value': form.cleaned_data['value'],
-                    'acceptor_id': self.request.organizer.id,
-                    'acceptor_slug': self.request.organizer.slug
+                    'acceptor_id': self.request.organizer.id
                 }
             )
         return redirect(reverse(

src/pretix/control/views/user.py

@@ -49,14 +49,12 @@ from django.db import transaction
 from django.shortcuts import get_object_or_404, redirect
 from django.urls import reverse
 from django.utils.crypto import get_random_string
-from django.utils.decorators import method_decorator
 from django.utils.functional import cached_property
 from django.utils.html import format_html
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django.views import View
-from django.views.decorators.cache import never_cache
 from django.views.generic import FormView, ListView, TemplateView, UpdateView
 from django_otp.plugins.otp_static.models import StaticDevice
 from django_otp.plugins.otp_totp.models import TOTPDevice
@@ -87,9 +85,8 @@ logger = logging.getLogger(__name__)
 
 
 class RecentAuthenticationRequiredMixin:
-    max_time = 900
+    max_time = 3600
 
-    @method_decorator(never_cache)
     def dispatch(self, request, *args, **kwargs):
         tdelta = time.time() - request.session.get('pretix_auth_login_time', 0)
         if tdelta > self.max_time:
@@ -292,13 +289,16 @@ class User2FAMainView(RecentAuthenticationRequiredMixin, TemplateView):
         ctx = super().get_context_data()
 
         try:
-            ctx['static_tokens_device'] = StaticDevice.objects.get(user=self.request.user, name='emergency')
+            ctx['static_tokens'] = StaticDevice.objects.get(user=self.request.user, name='emergency').token_set.all()
         except StaticDevice.MultipleObjectsReturned:
-            ctx['static_tokens_device'] = StaticDevice.objects.filter(
+            ctx['static_tokens'] = StaticDevice.objects.filter(
                 user=self.request.user, name='emergency'
-            ).first()
+            ).first().token_set.all()
         except StaticDevice.DoesNotExist:
-            ctx['static_tokens_device'] = None
+            d = StaticDevice.objects.create(user=self.request.user, name='emergency')
+            for i in range(10):
+                d.token_set.create(token=get_random_string(length=12, allowed_chars='1234567890'))
+            ctx['static_tokens'] = d.token_set.all()
 
         ctx['devices'] = []
         for dt in REAL_DEVICE_TYPES:
@@ -631,8 +631,7 @@ class User2FARegenerateEmergencyView(RecentAuthenticationRequiredMixin, Template
         self.request.user.update_session_token()
         update_session_auth_hash(self.request, self.request.user)
         messages.success(request, _('Your emergency codes have been newly generated. Remember to store them in a safe '
-                                    'place in case you lose access to your devices. You will not be able to view them '
-                                    'again here.\n\nYour emergency codes:\n- ' + '\n- '.join(t.token for t in d.token_set.all())))
+                                    'place in case you lose access to your devices.'))
         return redirect(reverse('control:user.settings.2fa'))
 
 

src/pretix/helpers/cookies.py

@@ -34,10 +34,7 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
     if not is_secure:
         # https://www.chromestatus.com/feature/5633521622188032
         return
-
-    useragent = request.headers.get('User-Agent', '')
-
-    if should_send_same_site_none(useragent):
+    if should_send_same_site_none(request.headers.get('User-Agent', '')):
         # Chromium is rolling out SameSite=Lax as a default
         # https://www.chromestatus.com/feature/5088147346030592
         # This however breaks all pretix-in-an-iframe things, such as the pretix Widget.
@@ -47,29 +44,8 @@ def set_cookie_without_samesite(request, response, key, *args, **kwargs):
         # This will only work on secure cookies as well
         # https://www.chromestatus.com/feature/5633521622188032
         response.cookies[key]['secure'] = is_secure
-
-        if can_send_partitioned_cookie(useragent):
-            # CHIPS
-            response.cookies[key]['Partitioned'] = True
-
-
-def can_send_partitioned_cookie(useragent):
-    # Safari currently exhibits a bug where Partitioned cookies (CHIPS) are not
-    # sent back to the originating site after multi-hop cross-site redirects,
-    # breaking SSO login flows in pretix.
-    #
-    # Partitioned cookies were initially introduced in Safari 18.4, removed
-    # again in 18.5 due to a bug, and reintroduced in Safari 26.2, where the
-    # current issue is present.
-    #
-    # Once the Safari issue is fixed, this check should be refined to be
-    # conditional on the affected versions only.
-    #
-    # WebKit issues:
-    #
-    #   - https://bugs.webkit.org/show_bug.cgi?id=292975
-    #   - https://bugs.webkit.org/show_bug.cgi?id=306194
-    return not is_safari(useragent)
+        # CHIPS
+        response.cookies[key]['Partitioned'] = True
 
 
 # Based on https://www.chromium.org/updates/same-site/incompatible-clients

src/pretix/plugins/banktransfer/templates/pretixplugins/banktransfer/pending.html

@@ -21,10 +21,10 @@
             <dt>{% trans "Reference code (important):" %}</dt><dd><b>{{ code }}</b></dd>
             <dt>{% trans "Amount:" %}</dt><dd>{{ amount|money:event.currency }}</dd>
             {% if settings.bank_details_type == "sepa" %}
-                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dd>
-                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dd>
-                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dd>
-                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dd>
+                <dt>{% trans "Account holder" %}:</dt><dd>{{ settings.bank_details_sepa_name }}</dt>
+                <dt>{% trans "IBAN" %}:</dt><dd>{{ settings.bank_details_sepa_iban|ibanformat }}</dt>
+                <dt>{% trans "BIC" %}:</dt><dd>{{ settings.bank_details_sepa_bic }}</dt>
+                <dt>{% trans "Bank" %}:</dt><dd>{{ settings.bank_details_sepa_bank }}</dt>
             {% endif %}
         </dl>
         {% if details %}
@@ -38,4 +38,4 @@
     {% if payment_qr_codes %}
         {% include "pretixpresale/event/payment_qr_codes.html" %}
     {% endif %}
-</div>
+</div>

src/pretix/plugins/paypal2/payment.py

@@ -786,29 +786,23 @@ class PaypalMethod(BasePaymentProvider):
                 else:
                     pp_captured_order = response.result
 
+                for purchaseunit in pp_captured_order.purchase_units:
+                    for capture in purchaseunit.payments.captures:
+                        try:
+                            ReferencedPayPalObject.objects.get_or_create(order=payment.order, payment=payment, reference=capture.id)
+                        except ReferencedPayPalObject.MultipleObjectsReturned:
+                            pass
+
+                        if capture.status != 'COMPLETED':
+                            messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
+                                                        'soon as the payment completed.'))
+                            payment.info = json.dumps(pp_captured_order.dict())
+                            payment.state = OrderPayment.PAYMENT_STATE_PENDING
+                            payment.save()
+                            return
+
             payment.refresh_from_db()
 
-            any_captures = False
-            all_captures_completed = True
-            for purchaseunit in pp_captured_order.purchase_units:
-                for capture in purchaseunit.payments.captures:
-                    try:
-                        ReferencedPayPalObject.objects.get_or_create(order=payment.order, payment=payment, reference=capture.id)
-                    except ReferencedPayPalObject.MultipleObjectsReturned:
-                        pass
-
-                    if capture.status != 'COMPLETED':
-                        all_captures_completed = False
-                    else:
-                        any_captures = True
-            if not (any_captures and all_captures_completed):
-                messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
-                                            'soon as the payment completed.'))
-                payment.info = json.dumps(pp_captured_order.dict())
-                payment.state = OrderPayment.PAYMENT_STATE_PENDING
-                payment.save()
-                return
-
             if pp_captured_order.status != 'COMPLETED':
                 payment.fail(info=pp_captured_order.dict())
                 logger.error('Invalid state: %s' % repr(pp_captured_order.dict()))

src/pretix/plugins/sendmail/tasks.py

@@ -38,13 +38,10 @@ from i18nfield.strings import LazyI18nString
 
 from pretix.base.email import get_email_context
 from pretix.base.i18n import language
-from pretix.base.models import (
-    CachedFile, Checkin, Event, InvoiceAddress, Order, User,
-)
+from pretix.base.models import Checkin, Event, InvoiceAddress, Order, User
 from pretix.base.services.mail import mail
 from pretix.base.services.tasks import ProfiledEventTask
 from pretix.celery_app import app
-from pretix.helpers.format import format_map
 
 
 def _chunks(lst, n):
@@ -64,7 +61,6 @@ def send_mails_to_orders(event: Event, user: int, subject: dict, message: dict,
     user = User.objects.get(pk=user) if user else None
     subject = LazyI18nString(subject)
     message = LazyI18nString(message)
-    attachments_for_log = [cf.filename for cf in CachedFile.objects.filter(pk__in=attachments)] if attachments else []
 
     def _send_to_order(o):
         send_to_order = recipients in ('both', 'orders')
@@ -122,7 +118,7 @@ def send_mails_to_orders(event: Event, user: int, subject: dict, message: dict,
 
                 with language(o.locale, event.settings.region):
                     email_context = get_email_context(event=event, order=o, invoice_address=ia, position=p)
-                    mail(
+                    outgoing_mail = mail(
                         p.attendee_email,
                         subject,
                         message,
@@ -135,25 +131,17 @@ def send_mails_to_orders(event: Event, user: int, subject: dict, message: dict,
                         attach_ical=attach_ical,
                         attach_cached_files=attachments
                     )
-                    o.log_action(
-                        'pretix.plugins.sendmail.order.email.sent.attendee',
-                        user=user,
-                        data={
-                            'position': p.positionid,
-                            'subject': format_map(subject.localize(o.locale), email_context),
-                            'message': format_map(message.localize(o.locale), email_context),
-                            'recipient': p.attendee_email,
-                            'attach_tickets': attach_tickets,
-                            'attach_ical': attach_ical,
-                            'attach_other_files': [],
-                            'attach_cached_files': attachments_for_log,
-                        }
-                    )
+                    if outgoing_mail:
+                        o.log_action(
+                            'pretix.plugins.sendmail.order.email.sent.attendee',
+                            user=user,
+                            data=outgoing_mail.log_data(),
+                        )
 
         if send_to_order and o.email:
             with language(o.locale, event.settings.region):
                 email_context = get_email_context(event=event, order=o, invoice_address=ia)
-                mail(
+                outgoing_mail = mail(
                     o.email,
                     subject,
                     message,
@@ -165,19 +153,12 @@ def send_mails_to_orders(event: Event, user: int, subject: dict, message: dict,
                     attach_ical=attach_ical,
                     attach_cached_files=attachments,
                 )
-                o.log_action(
-                    'pretix.plugins.sendmail.order.email.sent',
-                    user=user,
-                    data={
-                        'subject': format_map(subject.localize(o.locale), email_context),
-                        'message': format_map(message.localize(o.locale), email_context),
-                        'recipient': o.email,
-                        'attach_tickets': attach_tickets,
-                        'attach_ical': attach_ical,
-                        'attach_other_files': [],
-                        'attach_cached_files': attachments_for_log,
-                    }
-                )
+                if outgoing_mail:
+                    o.log_action(
+                        'pretix.plugins.sendmail.order.email.sent',
+                        user=user,
+                        data=outgoing_mail.log_data(),
+                    )
 
     for chunk in _chunks(objects, 1000):
         orders = Order.objects.filter(pk__in=chunk, event=event)

src/pretix/plugins/stripe/payment.py

@@ -118,7 +118,6 @@ logger = logging.getLogger('pretix.plugins.stripe')
 # - UPI: ✗
 # - Netbanking: ✗
 # - TWINT: ✓
-# - Wero: ✓ (No settings UI yet)
 #
 # Bank transfers
 # - ACH Bank Transfer: ✗
@@ -510,15 +509,6 @@ class StripeSettingsHolder(BasePaymentProvider):
                                  'before they work properly.'),
                      required=False,
                  )),
-                # Disabled for now, since still in closed Beta and only available to dedicated boarded accounts.
-                # ('method_wero',
-                #  forms.BooleanField(
-                #     label=_('Wero'),
-                #      disabled=self.event.currency not in 'EUR',
-                #      help_text=_('Some payment methods might need to be enabled in the settings of your Stripe account '
-                #                  'before they work properly.'),
-                #      required=False,
-                #  )),
             ] + extra_fields + list(super().settings_form_fields.items()) + moto_settings
         )
         if not self.settings.connect_client_id or self.settings.secret_key:
@@ -1956,15 +1946,3 @@ class StripeMobilePay(StripeRedirectMethod):
                 "type": "mobilepay",
             },
         }
-
-
-class StripeWero(StripeRedirectMethod):
-    identifier = 'stripe_wero'
-    verbose_name = _('WERO via Stripe')
-    public_name = 'WERO'
-    method = 'wero'
-    confirmation_method = 'automatic'
-    explanation = _(
-        'This payment method is available to European online banking users, whose banking institutions support WERO '
-        'either through their native banking apps or through the WERO wallet app. Please have you app ready.'
-    )

src/pretix/plugins/stripe/signals.py

@@ -49,14 +49,14 @@ def register_payment_provider(sender, **kwargs):
         StripeMultibanco, StripePayByBank, StripePayPal, StripePromptPay,
         StripePrzelewy24, StripeRevolutPay, StripeSEPADirectDebit,
         StripeSettingsHolder, StripeSofort, StripeSwish, StripeTwint,
-        StripeWeChatPay, StripeWero,
+        StripeWeChatPay,
     )
 
     return [
         StripeSettingsHolder, StripeCC, StripeGiropay, StripeIdeal, StripeAlipay, StripeBancontact,
         StripeSofort, StripeEPS, StripeMultibanco, StripePayByBank, StripePrzelewy24, StripePromptPay, StripeRevolutPay,
         StripeWeChatPay, StripeSEPADirectDebit, StripeAffirm, StripeKlarna, StripePayPal, StripeSwish,
-        StripeTwint, StripeMobilePay, StripeWero
+        StripeTwint, StripeMobilePay
     ]
 
 

src/pretix/presale/templates/pretixpresale/event/resend_link.html

@@ -1,14 +1,14 @@
 {% extends "pretixpresale/event/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
-{% block title %}{% trans "Resend order link" %}{% endblock %}
+{% block title %}{% trans "Resend order links" %}{% endblock %}
 {% block custom_header %}
     {{ block.super }}
     <meta name="robots" content="noindex, nofollow">
 {% endblock %}
 {% block content %}
     <h2>
-        {% trans "Resend order link" %}
+        {% trans "Resend order links" %}
     </h2>
     <p>
         {% blocktrans trimmed %}

src/pretix/presale/views/order.py

@@ -1510,10 +1510,7 @@ class OrderChangeMixin:
                             'max_count': iao.max_count,
                             'iao': iao,
                             'items': [i for i in items if not i.require_voucher],
-                            'items_missing': {
-                                k: v for k, v in current_addon_products_missing.items()
-                                if v and k[0].category_id == iao.addon_category_id
-                            },
+                            'items_missing': {k: v for k, v in current_addon_products_missing.items() if v},
                         })
 
         return positions

src/tests/api/test_checkin.py

@@ -1177,30 +1177,6 @@ def test_store_failed(token_client, organizer, clist, event, order):
     assert resp.status_code == 400
 
 
-@pytest.mark.django_db
-def test_store_failed_after_success(token_client, organizer, clist, event, order):
-    with scopes_disabled():
-        p = order.positions.first()
-        p.all_checkins.create(
-            type=Checkin.TYPE_ENTRY,
-            nonce='foobar',
-            successful=True,
-            list=clist,
-            raw_barcode=p.secret
-        )
-    resp = token_client.post('/api/v1/organizers/{}/events/{}/checkinlists/{}/failed_checkins/'.format(
-        organizer.slug, event.slug, clist.pk,
-    ), {
-        'raw_barcode': p.secret,
-        'nonce': 'foobar',
-        'position': p.pk,
-        'error_reason': 'unpaid'
-    }, format='json')
-    assert resp.status_code == 201
-    with scopes_disabled():
-        assert Checkin.all.filter(position=p).count() == 2
-
-
 @pytest.mark.django_db
 def test_redeem_unknown(token_client, organizer, clist, event, order):
     resp = _redeem(token_client, organizer, clist, 'unknown_secret', {'force': True})

src/tests/base/test_mail.py

@@ -42,7 +42,6 @@ import pytest
 from django.conf import settings
 from django.core import mail as djmail
 from django.test import override_settings
-from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_scopes import scope, scopes_disabled
@@ -332,13 +331,14 @@ def test_placeholder_html_rendering_from_template(env):
 
     assert len(djmail.outbox) == 1
     assert djmail.outbox[0].to == [user.email]
-    # Known bug for now: These should not have HTML for the plain body, but we'll fix this safter the security release
-    assert escape('Event name: <strong>event & co. kg</strong> {currency}') in djmail.outbox[0].body
-    assert '<strong>IBAN</strong>: 123<br>\n<strong>BIC</strong>: 456' in djmail.outbox[0].body
-    assert '**Meta**: <em>Beep</em>' in djmail.outbox[0].body
-    assert escape('Event website: [<strong>event & co. kg</strong> {currency}](https://example.org/dummy)') in djmail.outbox[0].body
-    # todo: assert '&lt;' not in djmail.outbox[0].body
-    # todo: assert '&amp;' not in djmail.outbox[0].body
+    assert 'Event name: <strong>event & co. kg</strong> {currency}' in djmail.outbox[0].body
+    assert 'Event: <strong>event & co. kg</strong> {currency}' in djmail.outbox[0].body
+    assert '**IBAN**: 123  \n**BIC**: 456' in djmail.outbox[0].body
+    assert '**Meta**: *Beep*' in djmail.outbox[0].body
+    assert 'Event website: [<strong>event & co. kg</strong> {currency}](https://example.org/dummy)' in djmail.outbox[0].body
+    assert '<a ' not in djmail.outbox[0].body
+    assert '&lt;' not in djmail.outbox[0].body
+    assert '&amp;' not in djmail.outbox[0].body
     assert 'Unevaluated placeholder: {currency}' in djmail.outbox[0].body
     assert 'EUR' not in djmail.outbox[0].body
     html = _extract_html(djmail.outbox[0])
@@ -346,11 +346,13 @@ def test_placeholder_html_rendering_from_template(env):
     assert '<strong>event' not in html
     assert 'Event name: &lt;strong&gt;event &amp; co. kg&lt;/strong&gt; {currency}' in html
     assert '<strong>IBAN</strong>: 123<br/>\n<strong>BIC</strong>: 456' in html
-    assert '<strong>Meta</strong>: <em>Beep</em>' in html
+    assert '**Meta**: <em>Beep</em>' in html
     assert 'Unevaluated placeholder: {currency}' in html
     assert 'EUR' not in html
+    assert 'Event website: [&lt;strong&gt;event &amp; co. kg&lt;/strong&gt; {currency}](https://example.org/dummy)' in html
+    # Links are from raw HTML and therefore trusted, rel and target is not added automatically
     assert re.search(
-        r'Event website: <a href="https://example.org/dummy" rel="noopener" style="[^"]+" target="_blank">'
+        r'Event: <a href="https://example.com/dummy" style="[^"]+">'
         r'&lt;strong&gt;event &amp; co. kg&lt;/strong&gt; {currency}</a>',
         html
     )

src/tests/base/test_modelimport_vouchers.py

@@ -170,7 +170,7 @@ def test_price_mode_validation(event, item, user):
         import_vouchers.apply(
             args=(event.pk, inputfile_factory().id, settings, 'en', user.pk)
         ).get()
-    assert 'It is pointless to set a value without a price effect.' in str(excinfo.value)
+    assert 'It is pointless to set a value without a price mode.' in str(excinfo.value)
 
     settings['price_mode'] = 'static:percent'
     import_vouchers.apply(

src/tests/control/test_user.py

@@ -339,17 +339,13 @@ class UserSettings2FATest(SoupTest):
 
     def test_gen_emergency(self):
         self.client.get('/control/settings/2fa/')
-        assert not StaticDevice.objects.filter(user=self.user, name='emergency').exists()
-
-        self.client.post('/control/settings/2fa/regenemergency')
         d = StaticDevice.objects.get(user=self.user, name='emergency')
         assert d.token_set.count() == 10
         old_tokens = set(t.token for t in d.token_set.all())
-
         self.client.post('/control/settings/2fa/regenemergency')
+        new_tokens = set(t.token for t in d.token_set.all())
         d = StaticDevice.objects.get(user=self.user, name='emergency')
         assert d.token_set.count() == 10
-        new_tokens = set(t.token for t in d.token_set.all())
         assert old_tokens != new_tokens
 
     def test_delete_u2f(self):

src/tests/templates/mailtest.txt

@@ -1,13 +1,29 @@
 {% load i18n %}
 This is a test file for sending mails.
+
+Django variables will get evaluated:
+
 Event name: {{ event }}
+
+pretix variables will not in a template rendering:
+
 Unevaluated placeholder: {currency}
+
+We can use advanced Django things:
+
 {% get_current_language as LANGUAGE_CODE %}
 The language code used for rendering this email is {{ LANGUAGE_CODE }}.
 
+Custom content is rendered safely without HTML/Markdown/parameter injection
+unless the parameter is marked as "HTML-safe":
+
 Payment info:
 {{ payment_info }}
 
 **Meta**: {{ meta_Test }}
 
-Event website: [{{event}}](https://example.org/{{event_slug}})
+Markdown will not be evaluated when coming from a template file!
+
+Event website: [{{event}}](https://example.org/{{event_slug}})
+
+Event: {% if to_html %}<a href="https://example.com/{{event_slug}}">{% endif %}{{ event }}{% if to_html %}</a>{% endif %}