Bump to 3.12.1

Co-authored-by: Raphael Michel <michel@rami.io>
Co-authored-by: Raphael Michel <mail@raphaelmichel.de>

deployment/docker/pretix.bash

@@ -33,8 +33,8 @@ if [ "$1" == "webworker" ]; then
 fi
 
 if [ "$1" == "taskworker" ]; then
-    export C_FORCE_ROOT=True
-    exec celery -A pretix.celery_app worker -l info
+    shift
+    exec celery -A pretix.celery_app worker -l info "$@"
 fi
 
 if [ "$1" == "shell" ]; then
@@ -45,5 +45,4 @@ if [ "$1" == "upgrade" ]; then
     exec python3 -m pretix updatestyles
 fi
 
-echo "Specify argument: all|cron|webworker|taskworker|shell|upgrade"
-exit 1
+exec python3 -m pretix "$@"

doc/_themes/pretix_theme/static/css/pretix.css

@@ -6099,3 +6099,6 @@ img.screenshot, a.screenshot img {
 .versionchanged p:last-child {
     margin-bottom: 0;
 }
+.rst-content td > .line-block {
+    margin-left: 0 !important;
+}

doc/admin/config.rst

@@ -99,7 +99,7 @@ Example::
     Log violations of the Content Security Policy (CSP). Defaults to ``on``.
     
 ``loglevel``
-    Set console and file loglevel (``DEBUG``, ``INFO``, ``WARNING``, ``ERROR`` or ``CRITICAL``). Defaults to ``INFO``.
+    Set console and file log level (``DEBUG``, ``INFO``, ``WARNING``, ``ERROR`` or ``CRITICAL``). Defaults to ``INFO``.
 
 Locale settings
 ---------------

doc/api/deviceauth.rst

@@ -49,11 +49,15 @@ information on your device as well as your API token:
        "device_id": 5,
        "unique_serial": "HHZ9LW9JWP390VFZ",
        "api_token": "1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd",
-       "name": "Bar"
+       "name": "Bar",
+       "gate": {
+           "id": 3,
+           "name": "South entrance"
+       }
    }
 
 Please make sure that you store this ``api_token`` value. We also recommend storing your device ID, your assigned
-``unique_serial``, and the ``organizer`` you have access to, but that's up to you.
+``unique_serial``, and the ``organizer`` you have access to, but that's up to you. ``gate`` might be ``null``.
 
 In case of an error, the response will look like this:
 
@@ -98,6 +102,8 @@ following endpoint:
        "software_version": "4.1.0"
    }
 
+You will receive a response equivalent to the response of your initialization request.
+
 Creating a new API key
 ----------------------
 
@@ -126,12 +132,65 @@ invalidate your API key. There is no way to reverse this operation.
 
 This can also be done by the user through the web interface.
 
-Permissions
------------
+Permissions & security profiles
+-------------------------------
 
 Device authentication is currently hardcoded to grant the following permissions:
 
 * View event meta data and products etc.
-* View and change orders
+* View orders
+* Change orders
+* Manage gift cards
 
 Devices cannot change events or products and cannot access vouchers.
+
+Additionally, when creating a device through the user interface or API, a user can specify a "security profile" for
+the device. These include an allow list of specific API calls that may be made by the device. pretix ships with security
+policies for official pretix apps like pretixSCAN and pretixPOS.
+
+Removing a device
+-----------------
+
+If you want implement a way to to deprovision a device in your software, you can call the ``revoke`` endpoint to
+invalidate your API key. There is no way to reverse this operation.
+
+.. sourcecode:: http
+
+   POST /api/v1/device/revoke HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+This can also be done by the user through the web interface.
+
+Event selection
+---------------
+
+In most cases, your application should allow the user to select the event and check-in list they work with manually
+from a list. However, in some cases it is required to automatically configure the device for the correct event, for
+example in a kiosk-like situation where nobody is operating the device. In this case, the app can query the server
+for a suggestion which event should be used. You can also submit the configuration that is currently in use via
+query parameters:
+
+.. sourcecode:: http
+
+   GET /api/v1/device/eventselection?current_event=democon&current_subevent=42&current_checkinlist=542 HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+You can get three response codes:
+
+* ``304`` The server things you already selected a good event
+* ``404`` The server has not found a suggestion for you
+* ``200`` The server suggests a new event (body see below)
+
+.. sourcecode:: http
+
+   HTTP/1.1 200 OK
+   Content-Type: application/json
+
+   {
+      "event": "democon",
+      "subevent": 23,
+      "checkinlist": 5
+   }
+

doc/api/oauth.rst

@@ -49,7 +49,7 @@ On a failed registration, a query string like ``?error=access_denied`` will be a
 
 .. note:: By default, the user is asked to give permission on every call to this URL. If you **only** request the
           ``profile`` scope, i.e. no access to organizer data, you can pass the ``approval_prompt=auto`` parameter
-          to skip user interaction on subsequen calls.
+          to skip user interaction on subsequent calls.
 
 Getting an access token
 -----------------------

doc/api/resources/checkinlists.rst

@@ -33,6 +33,7 @@ auto_checkin_sales_channels           list of strings            All items on th
 allow_multiple_entries                boolean                    If ``true``, subsequent scans of a ticket on this list should not show a warning but instead be stored as an additional check-in.
 allow_entry_after_exit                boolean                    If ``true``, subsequent scans of a ticket on this list are valid if the last scan of the ticket was an exit scan.
 rules                                 object                     Custom check-in logic. The contents of this field are currently not considered a stable API and modifications through the API are highly discouraged.
+exit_all_at                           datetime                   Automatically check out (i.e. perform an exit scan) at this point in time. After this happened, this property will automatically be set exactly one day into the future. Note that this field is considered "internal configuration" and if you pull the list with ``If-Modified-Since``, the daily change in this field will not trigger a response.
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.10
@@ -60,6 +61,10 @@ rules                                 object                     Custom check-in
 
     The ``subevent_match`` and ``exclude`` query parameters have been added.
 
+.. versionchanged:: 3.12
+
+    The ``exit_all_at`` attribute has been added.
+
 Endpoints
 ---------
 
@@ -103,6 +108,7 @@ Endpoints
             "subevent": null,
             "allow_multiple_entries": false,
             "allow_entry_after_exit": true,
+            "exit_all_at": null,
             "rules": {},
             "auto_checkin_sales_channels": [
               "pretixpos"
@@ -152,6 +158,7 @@ Endpoints
         "subevent": null,
         "allow_multiple_entries": false,
         "allow_entry_after_exit": true,
+        "exit_all_at": null,
         "rules": {},
         "auto_checkin_sales_channels": [
           "pretixpos"
@@ -188,6 +195,7 @@ Endpoints
       {
         "checkin_count": 17,
         "position_count": 42,
+        "inside_count": 12,
         "event": {
           "name": "Demo Conference"
         },

doc/api/resources/devices.rst

@@ -216,7 +216,7 @@ Device endpoints
       }
 
    :param organizer: The ``slug`` field of the organizer to modify
-   :param device_id: The ``device_id`` field of the deviec to modify
+   :param device_id: The ``device_id`` field of the device to modify
    :statuscode 200: no error
    :statuscode 400: The device could not be modified due to invalid submitted data
    :statuscode 401: Authentication failure

doc/api/resources/events.rst

@@ -44,6 +44,9 @@ seat_category_mapping                 object                     An object mappi
                                                                  (strings) to items in the event (integers or ``null``).
 timezone                              string                     Event timezone name
 item_meta_properties                  object                     Item-specific meta data parameters and default values.
+valid_keys                            object                     Cryptographic keys for non-default signature schemes.
+                                                                 For performance reason, value is omitted in lists and
+                                                                 only contained in detail views. Value can be cached.
 ===================================== ========================== =======================================================
 
 
@@ -84,6 +87,10 @@ item_meta_properties                  object                     Item-specific m
 
    The attribute ``item_meta_properties`` has been added.
 
+.. versionchanged:: 3.12
+
+   The attribute ``valid_keys`` has been added.
+
 Endpoints
 ---------
 
@@ -144,7 +151,7 @@ Endpoints
               "pretix.plugins.stripe"
               "pretix.plugins.paypal"
               "pretix.plugins.ticketoutputpdf"
-            ]
+            ],
           }
         ]
       }
@@ -216,7 +223,12 @@ Endpoints
           "pretix.plugins.stripe"
           "pretix.plugins.paypal"
           "pretix.plugins.ticketoutputpdf"
-        ]
+        ],
+        "valid_keys": {
+          "pretix_sig1": [
+            "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUNvd0JRWURLMlZ3QXlFQTdBRDcvdkZBMzNFc1k0ejJQSHI3aVpQc1o4bjVkaDBhalA4Z3l6Tm1tSXM9Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo="
+          ]
+        }
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch
@@ -472,7 +484,7 @@ Endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
 
 
-.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/
 
    Delete an event. Note that events with orders cannot be deleted to ensure data integrity.
 

doc/api/resources/orders.rst

@@ -2263,3 +2263,57 @@ Order refund endpoints
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
    :statuscode 404: The requested order or refund does not exist.
+
+Revoked ticket secrets
+----------------------
+
+With some non-default ticket secret generation methods, a list of revoked ticket secrets is required for proper validation.
+
+.. versionchanged:: 3.12
+
+   Added revocation lists.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/revokedsecrets/
+
+   Returns a list of all revoked secrets within a given event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/revokedsecrets/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+      X-Page-Generated: 2017-12-01T10:00:00Z
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1234,
+            "secret": "k24fiuwvu8kxz3y1",
+            "created": "2017-12-01T10:00:00Z",
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``secret`` and ``created``. Default: ``-created``
+   :query datetime created_since: Only return revocations that have been created since the given date.
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :resheader X-Page-Generated: The server time at the beginning of the operation. If you're using this API to fetch
+                                differences, this is the value you want to use as ``created_since`` in your next call.
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.

doc/api/resources/subevents.rst

@@ -51,6 +51,7 @@ seating_plan                          integer                    If reserved sea
                                                                  plan. Otherwise ``null``.
 seat_category_mapping                 object                     An object mapping categories of the seating plan
                                                                  (strings) to items in the event (integers or ``null``).
+last_modified                         datetime                   Last modification of this object
 ===================================== ========================== =======================================================
 
 .. versionchanged:: 1.7
@@ -80,6 +81,10 @@ seat_category_mapping                 object                     An object mappi
 
    The ``disabled`` attribute has been added to ``item_price_overrides`` and ``variation_price_overrides``.
 
+.. versionchanged:: 3.12
+
+   The ``last_modified`` attribute has been added.
+
 Endpoints
 ---------
 
@@ -148,6 +153,8 @@ Endpoints
    :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
    :param organizer: The ``slug`` field of a valid organizer
    :param event: The ``slug`` field of the main event
+   :query datetime modified_since: Only return objects that have changed since the given date. Be careful: This does not
+       allow you to know if a subevent was deleted.
    :query array attr[meta_data_key]: By providing the key and value of a meta data attribute, the list of sub-events
         will only contain the sub-events matching the set criteria. Providing ``?attr[Format]=Seminar`` would return
         only those sub-events having set their ``Format`` meta data to ``Seminar``, ``?attr[Format]=`` only those, that

doc/conf.py

@@ -52,6 +52,7 @@ extensions = [
     'sphinx.ext.coverage',
     'sphinxcontrib.httpdomain',
     'sphinxcontrib.images',
+    'sphinxemoji.sphinxemoji',
 ]
 if HAS_PYENCHANT:
     extensions.append('sphinxcontrib.spelling')

doc/development/api/general.rst

@@ -12,7 +12,8 @@ Core
 
 .. automodule:: pretix.base.signals
    :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types,
-      item_copy_data, register_sales_channels, register_global_settings, quota_availability, global_email_filter
+      item_copy_data, register_sales_channels, register_global_settings, quota_availability, global_email_filter,
+      register_ticket_secret_generators
 
 Order events
 """"""""""""
@@ -33,7 +34,7 @@ Frontend
 --------
 
 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, front_page_bottom_widget, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info, position_info_top, item_description, global_html_head, global_html_footer, global_html_page_header
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, front_page_bottom_widget, fee_calculation_for_cart, contact_form_fields, question_form_fields, contact_form_fields_overrides, question_form_fields_overrides, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info, position_info_top, item_description, global_html_head, global_html_footer, global_html_page_header
 
 
 .. automodule:: pretix.presale.signals

doc/development/setup.rst

@@ -117,7 +117,7 @@ for example, to check for any errors in any staged files when committing::
     export GIT_WORK_TREE=../
     export GIT_DIR=../.git
     source ../env/bin/activate  # Adjust to however you activate your virtual environment
-    for file in $(git diff --cached --name-only | grep -E '\.py$' | grep -Ev "migrations|mt940\.py|pretix/settings\.py|make_testdata\.py|testutils/settings\.py|tests/settings\.py|pretix/base/models/__init__\.py")
+    for file in $(git diff --cached --name-only | grep -E '\.py$' | grep -Ev "migrations|mt940\.py|pretix/settings\.py|make_testdata\.py|testutils/settings\.py|tests/settings\.py|pretix/base/models/__init__\.py|.*_pb2\.py")
     do
       echo $file
       git show ":$file" | flake8 - --stdin-display-name="$file" || exit 1 # we only want to lint the staged changes, not any un-staged changes

doc/plugins/banktransfer.rst

@@ -34,6 +34,8 @@ transactions                          list of objects            Transactions in
 ├ payer                               string                     Payment source
 ├ reference                           string                     Payment reference
 ├ amount                              string                     Payment amount
+├ iban                                string                     Payment IBAN
+├ bic                                 string                     Payment BIC
 ├ date                                string                     Payment date (in **user-inputted** format)
 ├ order                               string                     Associated order code (or ``null``)
 └ comment                             string                     Internal comment
@@ -83,6 +85,8 @@ Endpoints
                 "date": "26.06.2017",
                 "payer": "John Doe",
                 "order": null,
+                "iban": "",
+                "bic": "",
                 "checksum": "5de03a601644dfa63420dacfd285565f8375a8f2",
                 "reference": "GUTSCHRIFT\r\nSAMPLECONF-NAB12 EREF: SAMPLECONF-NAB12\r\nIBAN: DE1234556…",
                 "state": "nomatch",
@@ -132,6 +136,8 @@ Endpoints
             "comment": "",
             "date": "26.06.2017",
             "payer": "John Doe",
+            "iban": "",
+            "bic": "",
             "order": null,
             "checksum": "5de03a601644dfa63420dacfd285565f8375a8f2",
             "reference": "GUTSCHRIFT\r\nSAMPLECONF-NAB12 EREF: SAMPLECONF-NAB12\r\nIBAN: DE1234556…",

doc/requirements.txt

@@ -3,7 +3,8 @@ sphinx==2.3.*
 sphinx-rtd-theme
 sphinxcontrib-httpdomain
 sphinxcontrib-images
-sphinxcontrib-spelling
+sphinxcontrib-spelling==4.*
+sphinxemoji
 pygments-markdown-lexer
 # See https://github.com/rfk/pyenchant/pull/130
 git+https://github.com/raphaelm/pyenchant.git@patch-1#egg=pyenchant

doc/spelling_wordlist.txt

@@ -10,7 +10,11 @@ availabilities
 backend
 backends
 banktransfer
+barcode
+barcodes
 Bcc
+bic
+BIC
 boolean
 booleans
 cancelled
@@ -47,12 +51,15 @@ gunicorn
 guid
 hardcoded
 hostname
+iban
+IBAN
 ics
 idempotency
 iframe
 incrementing
 inofficial
 invalidations
+iOS
 iterable
 Jimdo
 jwt
@@ -91,7 +98,9 @@ prepending
 preprocessor
 presale
 pretix
+pretixSCAN
 pretixdroid
+pretixPOS
 pretixpresale
 prometheus
 proxied

doc/user/events/giftcards.rst

@@ -3,6 +3,8 @@
    Warengutschein
    Wertgutschein
 
+.. _giftcards:
+
 Gift cards
 ==========
 

doc/user/events/ticket_secrets.rst

@@ -0,0 +1,93 @@
+Ticket secret generators
+========================
+
+pretix allows you to change the way in which ticket secrets (also known as "ticket codes", "barcodes", …)
+are generated. This affects the value of the QR code in any tickets issued by pretix, regardless of ticket
+format.
+
+.. note:: This is intended for highly advanced use cases, usually when huge numbers of tickets (> 25k per event)
+          are involved. **If you don't know whether you need this, you probably don't.**
+
+Default: Random secrets
+-----------------------
+
+By default, pretix generates a random code for every ticket, consisting of 32 lower case characters and
+numbers. The characters ``oO1il`` are avoided to reduce confusion when ticket codes are printed and need to
+be typed in manually.
+
+Choosing random codes has a number of advantages:
+
+* Ticket codes are short, which makes QR codes easier to scan. At the same time, it is absolutely impossible to
+  guess or forge a valid ticket code.
+
+* The code does not need to change if the ticket changes. For example, if an attendee is re-booked to a
+  different product or date, they can keep their ticket and it is just mapped to the new product in the
+  database.
+
+This approach works really well for 99 % or events running with pretix.
+The big caveat is that the scanner needs to access a database of all ticket codes in order to know whether a ticket
+code is valid and what kind of ticket it represents.
+
+When scanning online this is no problem at all, since the pretix server always has such a database. In case your local
+internet connection is interrupted or the pretix server goes down, though, there needs to be a database locally on the
+scanner.
+
+Therefore, our pretixSCAN apps by default download the database of all valid tickets onto the device itself. This makes
+it possible to seamlessly switch into offline mode when the connection is lost and continue scanning with the maximum
+possible feature set.
+
+There are a few situations in which this approach is not ideal:
+
+* When running a single event with 25k or more valid tickets, downloading all ticket data onto the scanner may just
+  take too much time and resources.
+
+* When the risk of losing sensible data by losing one of the scanner devices is not acceptable.
+
+* When offline mode needs to be used regularly and newly-purchased tickets need to be valid immediately after purchase,
+  without being able to tolerate a few minutes of delay.
+
+Signature schemes
+-----------------
+
+The alternative approach that is included with pretix is to choose a signature-based ticket code generation scheme.
+These secrets include the most important information that is required for verifying their validity and use modern
+cryptography to make sure they cannot be forged.
+
+Currently, pretix ships with one such scheme ("pretix signature scheme 1") which encodes the product, the product
+variation, and the date (if inside an event series) into the ticket code and signs the code with a `EdDSA`_ signature.
+This allows to verify whether a ticket is allowed to enter without any database or connection to the server, but has
+a few important drawbacks:
+
+* Whenever the product, variation or date of a ticket changes or the ticket is canceled, the ticket code needs to be
+  changed and the old code needs to be put on a revocation list. This revocation list again needs to be downloaded by
+  all scanning devices (but is usually much smaller than the ticket database). The main downside is that the attendee
+  needs to download their new ticket and can no longer use the old one.
+
+* Scanning in offline mode is much more limited, since the scanner has no information about previous usages of the
+  ticket, attendee names, seating information, etc.
+
+Comparison of scanning behavior
+-------------------------------
+
+=============================================== =================================== =================================== =================================== ================================= =====================================
+Scan mode                                       Online                                                                  Offline
+----------------------------------------------- ----------------------------------- -----------------------------------------------------------------------------------------------------------------------------------------------
+Synchronization setting                         any                                 Synchronize orders                                                      Don't synchronize orders
+----------------------------------------------- ----------------------------------- ----------------------------------------------------------------------- -----------------------------------------------------------------------
+Ticket secrets                                  any                                 Random                              Signed                              Random                            Signed
+=============================================== =================================== =================================== =================================== ================================= =====================================
+Scenario supported on platforms                 Android, Desktop, iOS               Android, Desktop, iOS               Android, Desktop                    Android, Desktop                  Android, Desktop
+Synchronization speed for large data sets                                           slow                                slow                                fast                              fast
+Tickets can be scanned                          yes                                 yes                                 yes                                 no                                yes
+Ticket is valid after sale                      immediately                         next sync (~5 minutes)              immediately                         never                             immediately
+Same ticket can be scanned multiple times       no                                  yes, before data is synced          yes, before data is synced          n/a                               yes, always
+Custom check-in rules                           yes                                 yes                                 yes (limited directly after sale)   n/a                               yes, but only based on product,
+                                                                                                                                                                                              variation and date, not on previous
+                                                                                                                                                                                              scans
+Name and seat visible on scanner                yes                                 yes                                 yes (except directly after sale)    n/a                               no
+Order-specific check-in attention flag          yes                                 yes                                 yes (except directly after sale)    n/a                               no
+Ticket search by order code or name             yes                                 yes                                 yes (except directly after sale)    no                                no
+Check-in statistics on scanner                  yes                                 yes                                 mostly accurate                     no                                no
+=============================================== =================================== =================================== =================================== ================================= =====================================
+
+.. _EdDSA: https://en.wikipedia.org/wiki/EdDSA#Ed25519

doc/user/events/tickets.rst

@@ -9,26 +9,33 @@ At "Settings" → "Tickets", you can configure the ticket download options that
 
 The top of this page shows a short list of options relevant for all download formats:
 
-Use feature
+Allow users to download tickets
   This can be used to completely enable or disable ticket downloads all over your ticket shop.
 
+Generate tickets for add-on products
+  By default, tickets can not be downloaded for order positions which are only an add-on to other order positions. If
+  you enable this, this behavior will be changed and add-on products will get their own tickets as well. If disabled,
+  you can still print a list of chosen add-ons e.g. on the PDF tickets.
+
+Generate tickets for all products
+  By default, tickets will only be generated for products that are marked as admission products. Enable this option to
+  generate tickets for all products instead.
+
+Generate tickets for pending orders
+  By default, ticket download is only possible for paid orders. If you run an event where people usually pay only after
+  the event, you can check this box to enable ticket download even before.
+
 Download date
   If you set a date here, no ticket download will be offered before this date. If no date is set, tickets can be
   downloaded immediately after the payment for an order has been received.
 
-Offer to download tickets separately for add-on products
-  By default, tickets can not be downloaded for order positions which are only an add-on to other order positions. If
-  you enable this, this behavior will be changed and add-on products will get their own tickets as well. If disabled,
-  you can still print a list of chosen add-ons e.g. on the PDF tickets.
-
-Generate tickets for non-admission products
-  By default, tickets will only be generated for products that are marked as admission products. Enable this option to
-  generate tickets for all products instead.
-
-Offer to download tickets even before an order is paid
-  By default, ticket download is only possible for paid orders. If you run an event where people usually pay only after
-  the event, you can check this box to enable ticket download even before.
-
 Below these settings, the detail settings for the various ticket file formats are offered. They differ from format to
 format and only share the common "Enable" setting that can be used to turn them on. By default, pretix ships with
-a PDF output plugin that you can configure through a visual design editor.
+a PDF output plugin that you can configure through a visual design editor.
+
+**Advanced topics:**
+
+.. toctree::
+   :maxdepth: 1
+
+   ticket_secrets

doc/user/events/widget.rst

@@ -1,3 +1,5 @@
+.. _widget:
+
 Embeddable Widget
 =================
 

doc/user/glossary.rst

@@ -0,0 +1,181 @@
+Glossary
+========
+
+This page gives definitions of domain-specific terms that we use a lot inside pretix and that might be used slightly
+differently elsewhere, as well as their official translations to other languages. In some cases, things have a different
+name internally, which is noted with a |:wrench:| symbol. If you only use pretix, you'll never see these, but if you're
+going to develop around pretix, for example connect to pretix through our API, you need to know these as well.
+
+
+
+.. rst-class:: rest-resource-table
+
+.. list-table:: Glossary
+   :widths: 15 30
+   :header-rows: 1
+
+   * - Term
+     - Definition
+   * - | |:gb:| **Organizer**
+       | |:de:| Veranstalter
+     - An organizer represents the entity using pretix, usually the company or institution running one or multiple events.
+       In terms of navigation in the system, organizers are the "middle layer" between the system itself and the specific
+       events.
+       Multiple organizers on the same pretix system are fully separated from each other with very few exceptions.
+   * - | |:gb:| **Event**
+       | |:de:| Veranstaltung
+     - An event is the central entity in pretix that you and your customers interact with all the time. An event
+       represents one **shop** in which things like tickets can be bought. Since the introduction of event series (see
+       below), this might include multiple events in the real world.
+
+       Every purchase needs to be connected to an event, and most things are completely separate between different
+       events, i.e. most actions and configurations in pretix are done per-event.
+   * - | |:gb:| **Event series**
+       | |:de:| Veranstaltungsreihe
+     - An event series is one of two types of events. Unlike a non-series event, an event series groups together
+       multiple real-world events into one pretix shop. Examples are time-slot-based booking for a museum, a band on
+       tour, a theater group playing the same play multiple times, etc.
+   * - | |:gb:| **Date**
+       | |:de:| Termin
+       | |:wrench:| Subevent
+     - A date represents a single real-world event inside an event series. Dates can differ from each other in name,
+       date, time, location, pricing, capacity, and seating plans, but otherwise share the same configuration.
+   * - | |:gb:| **Product**
+       | |:de:| Produkt
+       | |:wrench:| Item
+     - A product is anything that can be sold, such as a specific type of ticket or merchandise.
+   * - | |:gb:| **Admission product**
+       | |:de:| Zutrittsprodukt
+     - A product is considered an **admission product** if its purchase represents a person being granted access to your
+       event. This applies to most ticketing products, but not e.g. to merchandise.
+   * - | |:gb:| **Variation**
+       | |:de:| Variante
+       | |:wrench:| Item variation
+     - Some products come in multiple variations that can differ in description, price and capacity. Examples would
+       include "Adult" and "Child" in case of a concert ticket, or "S", "M", "L", … in case of a t-shirt product.
+   * - | |:gb:| **Category**
+       | |:de:| Kategorie
+     - Products can be grouped together in categories. This is mostly to organize them cleanly in the frontend if you
+       have lots of them.
+   * - | |:gb:| **Quota**
+       | |:de:| Kontingent
+     - A quota is a capacity pool that defines how many times a product can be sold. A quota can be connected to multiple
+       products, in which case all of them are counted together. This is useful e.g. if you have full-price and reduced
+       tickets and only want to sell a certain number of tickets in total. The same way, multiple quotas can be connected
+       to the same product, in which case the ticket will be available as long as all of them have capacity left.
+   * - | |:gb:| **Add-on product**
+       | |:de:| Zusatzprodukt
+     - An add-on product is a product that is purchased as an upgrade or optional addition to a different product.
+       Examples would be include a conference ticket that optionally allows to buy a public transport ticket for the
+       same day, or a family ticket for 4 persons that allows you to add additional persons at a small cost, or a
+       "two workshops" package that allows you to select two of a larger number of workshops at a discounted price.
+       In all cases, there is a "main product" (the conference ticket, the family ticket) and a number of "add-on products"
+       that can be chosen from.
+   * - | |:gb:| **Bundled product**
+       | |:de:| Enthaltenes Produkt
+     - A bundled product is a product that is automatically put into the cart when another product is purchased. It's
+       similar to an add-on product, except that the customer has no choice between whether it is added or which of a
+       set of product is added.
+   * - | |:gb:| **Question**
+       | |:de:| Frage
+     - A question is a custom field that customers need to fill in when purchasing a specific product.
+   * - | |:gb:| **Voucher**
+       | |:de:| Gutschein
+     - A voucher is a code that can be used for multiple purposes: To grant a discount to specific customers, to only
+       show certain products to certain customers, or to keep a seat open for someone specific even though you are
+       sold out. If a voucher is used to apply a discount, the price of the purchased product is reduced by the
+       discounted amount. Vouchers are connected to a specific event.
+   * - | |:gb:| **Gift card**
+       | |:de:| Geschenkgutschein
+     - A :ref:`gift card <giftcards>` is a coupon representing an exact amount of money that can be used for purchases
+       of any kind. Gift cards can be sold, created manually, or used as a method to refund your customer without paying
+       them back directly.
+       Unlike a voucher, it does not reduce the price of the purchased products when redeemed, but instead works as a
+       payment method to lower the amount that needs to be paid through other methods. Gift cards are specific to an
+       organizer by default but can even by shared between organizers.
+   * - | |:gb:| **Cart**
+       | |:de:| Warenkorb
+     - A cart is a collection of products that are reserved by a customer who is currently completing the checkout
+       process, but has not yet finished it.
+   * - | |:gb:| **Order**
+       | |:de:| Bestellung
+     - An order is a purchase by a client, containing multiple different products. An order goes through various
+       states and can change during its lifetime.
+   * - | |:gb:| **Order code**
+       | |:de:| Bestellnummer
+     - An order code is the unique identifier of an order, usually consisting of 5 numbers and letters.
+   * - | |:gb:| **Order position**
+       | |:de:| Bestellposition
+     - An order position is a single line inside an order, representing the purchase of one specific product. If the
+       product is an admission product, this represents an attendee.
+   * - | |:gb:| **Attendees**
+       | |:de:| Teilnehmende
+     - An attendee is the person designated to use a specific order position to access the event.
+   * - | |:gb:| **Fee**
+       | |:de:| Gebühr
+     - A fee is an additional type of line inside an order that represents a cost that needs to be paid by the customer,
+       but is not related to a specific product. A typical example is a shipping fee.
+   * - | |:gb:| **Invoice** and **Cancellation**
+       | |:de:| Rechnung und Rechnungskorrektur
+     - An invoice refers to a legal document created to document a purchase for tax purposes. Invoices have individual
+       numbers and no longer change after they have been issued. Every invoice is connected to an order, but an order
+       can have multiple invoices: If an order changes, a cancellation document is created for the old invoice and a
+       new invoice is created.
+   * - | |:gb:| **Check-in**
+       | |:de:| Check-in
+     - A check-in is the event of someone being successfully scanned at an entry or exit of the event.
+   * - | |:gb:| **Check-in list**
+       | |:de:| Check-in-Liste
+     - A check-in list is used to configure who can be scanned at a specific entry or exit of the event. Check-in lists
+       are isolated from each other, so by default each ticket is valid once on every check-in list individually. They
+       are therefore often used to represent *parts* of an event, either time-wise (e.g. conference days) or space-wise
+       (e.g. rooms).
+   * - | |:gb:| **Plugin**
+       | |:de:| Erweiterung
+     - A plugin is an optional software module that contains additional functionality and can be turned on and off per
+       event. If you host pretix on your own server, most plugins need to be installed separately.
+   * - | |:gb:| **Tax rule**
+       | |:de:| Steuer-Regel
+     - A tax rule defines how sales taxes are calculated for a product, possibly depending on type and country of the
+       customer.
+   * - | |:gb:| **Ticket**
+       | |:de:| Ticket
+     - A ticket usually refers to the actual file presented to the customer to be used at check-in, i.e. the PDF or
+       Passbook file carrying the QR code. In some cases, "ticket" may also be used to refer to an order position,
+       especially in case of admission products.
+   * - | |:gb:| **Ticket secret**
+       | |:de:| Ticket-Code
+     - The ticket secret (sometimes "ticket code") is what's contained in the QR code on the ticket.
+   * - | |:gb:| **Badge**
+       | |:de:| Badge
+     - A badge refers to the file used as a name tag for an attendee of your event.
+   * - | |:gb:| **User**
+       | |:de:| Benutzer
+     - A user is anyone who can sign into the backend interface of pretix.
+   * - | |:gb:| **Team**
+       | |:de:| Team
+     - A :ref:`team <user-teams>` is a collection of users who are granted some level of access to a set of events.
+   * - | |:gb:| **Device**
+       | |:de:| Gerät
+     - A device is something that talks to pretix but does not run on a server. Usually a device refers to an
+       installation of pretixSCAN, pretixPOS or some compatible third-party app on one of your computing devices.
+   * - | |:gb:| **Gate**
+       | |:de:| Station
+     - A gate is a location at your event where people are being scanned, e.g. an entry or exit door. You can configure
+       gates in pretix to group multiple devices together that are used in the same location, mostly for statistical
+       purposes.
+   * - | |:gb:| **Widget**
+       | |:de:| Widget
+     - The :ref:`widget` is a JavaScript component that can be used to embed the shop of an event or a list of events
+       into a third-party web page.
+   * - | |:gb:| **Sales channel**
+       | |:de:| Verkaufskanal
+     - A sales channel refers to the type in which a purchase arrived in the system, e.g. through pretix' web shop itself,
+       or through other channels like box office or reseller sales.
+   * - | |:gb:| **Box office**
+       | |:de:| Abendkasse
+     - Box office purchases refer to all purchases made in-person from the organizer directly, through a point of sale
+       system like pretixPOS.
+   * - | |:gb:| **Reseller**
+       | |:de:| Vorverkaufsstelle
+     - Resellers are third-party entities offering in-person sales of events to customers.

doc/user/index.rst

@@ -15,3 +15,4 @@ wanting to use pretix to sell tickets.
    events/giftcards
    faq
    markdown
+   glossary

src/MANIFEST.in

@@ -1,5 +1,6 @@
 include LICENSE
 include README.rst
+global-include *.proto
 recursive-include pretix/static *
 recursive-include pretix/static.dist *
 recursive-include pretix/locale *

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "3.12.0.dev0"
+__version__ = "3.12.1"

src/pretix/api/auth/devicesecurity.py

@@ -3,7 +3,7 @@ from django.utils.translation import ugettext_lazy as _
 
 class FullAccessSecurityProfile:
     identifier = 'full'
-    verbose_name = _('Full access')
+    verbose_name = _('Full device access (reading and changing orders and gift cards, reading of products and settings)')
 
     def is_allowed(self, request):
         return True
@@ -22,8 +22,10 @@ class PretixScanSecurityProfile(AllowListSecurityProfile):
     verbose_name = _('pretixSCAN')
     allowlist = (
         ('GET', 'api-v1:version'),
-        ('GET', 'api-v1:device.update'),
-        ('GET', 'api-v1:device.revoke'),
+        ('GET', 'api-v1:device.eventselection'),
+        ('POST', 'api-v1:device.update'),
+        ('POST', 'api-v1:device.revoke'),
+        ('POST', 'api-v1:device.roll'),
         ('GET', 'api-v1:event-list'),
         ('GET', 'api-v1:event-detail'),
         ('GET', 'api-v1:subevent-list'),
@@ -37,6 +39,7 @@ class PretixScanSecurityProfile(AllowListSecurityProfile):
         ('GET', 'api-v1:checkinlist-status'),
         ('GET', 'api-v1:checkinlistpos-list'),
         ('POST', 'api-v1:checkinlistpos-redeem'),
+        ('GET', 'api-v1:revokedsecrets-list'),
         ('GET', 'api-v1:order-list'),
         ('GET', 'api-v1:event.settings'),
     )
@@ -47,8 +50,10 @@ class PretixScanNoSyncSecurityProfile(AllowListSecurityProfile):
     verbose_name = _('pretixSCAN (kiosk mode, online only)')
     allowlist = (
         ('GET', 'api-v1:version'),
-        ('GET', 'api-v1:device.update'),
-        ('GET', 'api-v1:device.revoke'),
+        ('GET', 'api-v1:device.eventselection'),
+        ('POST', 'api-v1:device.update'),
+        ('POST', 'api-v1:device.revoke'),
+        ('POST', 'api-v1:device.roll'),
         ('GET', 'api-v1:event-list'),
         ('GET', 'api-v1:event-detail'),
         ('GET', 'api-v1:subevent-list'),
@@ -61,6 +66,7 @@ class PretixScanNoSyncSecurityProfile(AllowListSecurityProfile):
         ('GET', 'api-v1:checkinlist-list'),
         ('GET', 'api-v1:checkinlist-status'),
         ('POST', 'api-v1:checkinlistpos-redeem'),
+        ('GET', 'api-v1:revokedsecrets-list'),
         ('GET', 'api-v1:event.settings'),
     )
 
@@ -70,8 +76,10 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
     verbose_name = _('pretixPOS')
     allowlist = (
         ('GET', 'api-v1:version'),
-        ('GET', 'api-v1:device.update'),
-        ('GET', 'api-v1:device.revoke'),
+        ('GET', 'api-v1:device.eventselection'),
+        ('POST', 'api-v1:device.update'),
+        ('POST', 'api-v1:device.revoke'),
+        ('POST', 'api-v1:device.roll'),
         ('GET', 'api-v1:event-list'),
         ('GET', 'api-v1:event-detail'),
         ('GET', 'api-v1:subevent-list'),
@@ -98,6 +106,7 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
         ('POST', 'plugins:pretix_posbackend:posclosing-list'),
         ('POST', 'plugins:pretix_posbackend:posdebugdump-list'),
         ('POST', 'plugins:pretix_posbackend:stripeterminal.token'),
+        ('GET', 'api-v1:revokedsecrets-list'),
         ('GET', 'api-v1:event.settings'),
     )
 

src/pretix/api/serializers/checkin.py

@@ -15,7 +15,7 @@ class CheckinListSerializer(I18nAwareModelSerializer):
         model = CheckinList
         fields = ('id', 'name', 'all_products', 'limit_products', 'subevent', 'checkin_count', 'position_count',
                   'include_pending', 'auto_checkin_sales_channels', 'allow_multiple_entries', 'allow_entry_after_exit',
-                  'rules')
+                  'rules', 'exit_all_at')
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)

src/pretix/api/serializers/event.py

@@ -95,19 +95,41 @@ class TimeZoneField(ChoiceField):
         )
 
 
+class ValidKeysField(Field):
+    def to_representation(self, value):
+        return value.cache.get_or_set(
+            'ticket_secret_valid_keys',
+            lambda: self._get(value),
+            120
+        )
+
+    def _get(self, value):
+        return {
+            'pretix_sig1': [
+                value.settings.ticket_secrets_pretix_sig1_pubkey
+            ] if value.settings.ticket_secrets_pretix_sig1_pubkey else []
+        }
+
+
 class EventSerializer(I18nAwareModelSerializer):
     meta_data = MetaDataField(required=False, source='*')
     item_meta_properties = MetaPropertyField(required=False, source='*')
     plugins = PluginsField(required=False, source='*')
     seat_category_mapping = SeatCategoryMappingField(source='*', required=False)
     timezone = TimeZoneField(required=False, choices=[(a, a) for a in common_timezones])
+    valid_keys = ValidKeysField(source='*', read_only=True)
 
     class Meta:
         model = Event
         fields = ('name', 'slug', 'live', 'testmode', 'currency', 'date_from',
                   'date_to', 'date_admission', 'is_public', 'presale_start',
                   'presale_end', 'location', 'geo_lat', 'geo_lon', 'has_subevents', 'meta_data', 'seating_plan',
-                  'plugins', 'seat_category_mapping', 'timezone', 'item_meta_properties')
+                  'plugins', 'seat_category_mapping', 'timezone', 'item_meta_properties', 'valid_keys')
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if not hasattr(self.context['request'], 'event'):
+            self.fields.pop('valid_keys')
 
     def validate(self, data):
         data = super().validate(data)
@@ -369,7 +391,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
         fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
                   'presale_start', 'presale_end', 'location', 'geo_lat', 'geo_lon', 'event', 'is_public',
                   'seating_plan', 'item_price_overrides', 'variation_price_overrides', 'meta_data',
-                  'seat_category_mapping')
+                  'seat_category_mapping', 'last_modified')
 
     def validate(self, data):
         data = super().validate(data)
@@ -589,6 +611,7 @@ class EventSettingsSerializer(serializers.Serializer):
         'ticket_download_addons',
         'ticket_download_nonadm',
         'ticket_download_pending',
+        'ticket_download_require_validated_email',
         'mail_prefix',
         'mail_from',
         'mail_from_name',

src/pretix/api/serializers/order.py

@@ -21,7 +21,7 @@ from pretix.base.models import (
     OrderPosition, Question, QuestionAnswer, Seat, SubEvent, TaxRule, Voucher,
 )
 from pretix.base.models.orders import (
-    CartPosition, OrderFee, OrderPayment, OrderRefund,
+    CartPosition, OrderFee, OrderPayment, OrderRefund, RevokedTicketSecret,
 )
 from pretix.base.pdf import get_variables
 from pretix.base.services.cart import error_messages
@@ -1209,3 +1209,10 @@ class OrderRefundCreateSerializer(I18nAwareModelSerializer):
         order = OrderRefund(order=self.context['order'], payment=p, **validated_data)
         order.save()
         return order
+
+
+class RevokedTicketSecretSerializer(I18nAwareModelSerializer):
+
+    class Meta:
+        model = RevokedTicketSecret
+        fields = ('id', 'secret', 'created')

src/pretix/api/urls.py

@@ -39,6 +39,7 @@ event_router.register(r'vouchers', voucher.VoucherViewSet)
 event_router.register(r'orders', order.OrderViewSet)
 event_router.register(r'orderpositions', order.OrderPositionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
+event_router.register(r'revokedsecrets', order.RevokedSecretViewSet, basename='revokedsecrets')
 event_router.register(r'taxrules', event.TaxRuleViewSet)
 event_router.register(r'waitinglistentries', waitinglist.WaitingListViewSet)
 event_router.register(r'checkinlists', checkin.CheckinListViewSet)
@@ -85,6 +86,7 @@ urlpatterns = [
     url(r"^device/update$", device.UpdateView.as_view(), name="device.update"),
     url(r"^device/roll$", device.RollKeyView.as_view(), name="device.roll"),
     url(r"^device/revoke$", device.RevokeKeyView.as_view(), name="device.revoke"),
+    url(r"^device/eventselection$", device.EventSelectionView.as_view(), name="device.eventselection"),
     url(r"^me$", user.MeView.as_view(), name="user.me"),
     url(r"^version$", version.VersionView.as_view(), name="version"),
 ]

src/pretix/api/views/checkin.py

@@ -1,6 +1,8 @@
 import django_filters
 from django.core.exceptions import ValidationError
-from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery
+from django.db.models import (
+    Count, Exists, F, Max, OuterRef, Prefetch, Q, Subquery,
+)
 from django.db.models.functions import Coalesce
 from django.http import Http404
 from django.shortcuts import get_object_or_404
@@ -90,20 +92,12 @@ class CheckinListViewSet(viewsets.ModelViewSet):
     def status(self, *args, **kwargs):
         with language(self.request.event.settings.locale):
             clist = self.get_object()
-            cqs = Checkin.objects.filter(
-                position__order__event=clist.event,
-                position__order__status__in=[Order.STATUS_PAID] + ([Order.STATUS_PENDING] if clist.include_pending else []),
-                list=clist
+            cqs = clist.positions.annotate(
+                checkedin=Exists(Checkin.objects.filter(list_id=clist.pk, position=OuterRef('pk'), type=Checkin.TYPE_ENTRY))
+            ).filter(
+                checkedin=True,
             )
-            pqs = OrderPosition.objects.filter(
-                order__event=clist.event,
-                order__status__in=[Order.STATUS_PAID] + ([Order.STATUS_PENDING] if clist.include_pending else []),
-            )
-            if clist.subevent:
-                pqs = pqs.filter(subevent=clist.subevent)
-            if not clist.all_products:
-                pqs = pqs.filter(item__in=clist.limit_products.values_list('id', flat=True))
-                cqs = cqs.filter(position__item__in=clist.limit_products.values_list('id', flat=True))
+            pqs = clist.positions
 
             ev = clist.subevent or clist.event
             response = {
@@ -111,7 +105,8 @@ class CheckinListViewSet(viewsets.ModelViewSet):
                     'name': str(ev.name),
                 },
                 'checkin_count': cqs.count(),
-                'position_count': pqs.count()
+                'position_count': pqs.count(),
+                'inside_count': clist.inside_count,
             }
 
             op_by_item = {
@@ -123,12 +118,12 @@ class CheckinListViewSet(viewsets.ModelViewSet):
                 for p in pqs.order_by().values('variation').annotate(cnt=Count('id'))
             }
             c_by_item = {
-                p['position__item']: p['cnt']
-                for p in cqs.order_by().values('position__item').annotate(cnt=Count('id'))
+                p['item']: p['cnt']
+                for p in cqs.order_by().values('item').annotate(cnt=Count('id'))
             }
             c_by_variation = {
-                p['position__variation']: p['cnt']
-                for p in cqs.order_by().values('position__variation').annotate(cnt=Count('id'))
+                p['variation']: p['cnt']
+                for p in cqs.order_by().values('variation').annotate(cnt=Count('id'))
             }
 
             if not clist.all_products:
@@ -262,7 +257,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
 
         return qs
 
-    @action(detail=False, methods=['POST'], url_name='redeem', url_path='(?P<pk>[^/]+)/redeem')
+    @action(detail=False, methods=['POST'], url_name='redeem', url_path='(?P<pk>.*)/redeem')
     def redeem(self, *args, **kwargs):
         force = bool(self.request.data.get('force', False))
         type = self.request.data.get('type', None) or Checkin.TYPE_ENTRY
@@ -283,13 +278,23 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
             else:
                 op = queryset.get(secret=self.kwargs['pk'])
         except OrderPosition.DoesNotExist:
-            self.request.event.log_action('pretix.event.checkin.unknown', data={
+            revoked_matches = list(self.request.event.revoked_secrets.filter(secret=self.kwargs['pk']))
+            if len(revoked_matches) == 0 or not force:
+                self.request.event.log_action('pretix.event.checkin.unknown', data={
+                    'datetime': dt,
+                    'type': type,
+                    'list': self.checkinlist.pk,
+                    'barcode': self.kwargs['pk']
+                }, user=self.request.user, auth=self.request.auth)
+                raise Http404()
+
+            op = revoked_matches[0].position
+            op.order.log_action('pretix.event.checkin.revoked', data={
                 'datetime': dt,
                 'type': type,
                 'list': self.checkinlist.pk,
                 'barcode': self.kwargs['pk']
             }, user=self.request.user, auth=self.request.auth)
-            raise Http404()
 
         given_answers = {}
         if 'answers' in self.request.data:
@@ -330,6 +335,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                 'position': op.id,
                 'positionid': op.positionid,
                 'errorcode': e.code,
+                'force': force,
                 'datetime': dt,
                 'type': type,
                 'list': self.checkinlist.pk

src/pretix/api/views/device.py

@@ -1,14 +1,16 @@
 import logging
 
+from django.db.models import Exists, OuterRef, Q
+from django.db.models.functions import Coalesce
 from django.utils.timezone import now
-from rest_framework import serializers
+from rest_framework import serializers, status
 from rest_framework.exceptions import ValidationError
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from pretix.api.auth.device import DeviceTokenAuthentication
-from pretix.base.models import Device
-from pretix.base.models.devices import generate_api_token
+from pretix.base.models import CheckinList, Device, SubEvent
+from pretix.base.models.devices import Gate, generate_api_token
 
 logger = logging.getLogger(__name__)
 
@@ -28,14 +30,25 @@ class UpdateRequestSerializer(serializers.Serializer):
     software_version = serializers.CharField(max_length=190)
 
 
+class GateSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Gate
+        fields = [
+            'id',
+            'name',
+            'identifier',
+        ]
+
+
 class DeviceSerializer(serializers.ModelSerializer):
     organizer = serializers.SlugRelatedField(slug_field='slug', read_only=True)
+    gate = GateSerializer(read_only=True)
 
     class Meta:
         model = Device
         fields = [
             'organizer', 'device_id', 'unique_serial', 'api_token',
-            'name', 'security_profile'
+            'name', 'security_profile', 'gate'
         ]
 
 
@@ -111,3 +124,156 @@ class RevokeKeyView(APIView):
 
         serializer = DeviceSerializer(device)
         return Response(serializer.data)
+
+
+class EventSelectionView(APIView):
+    authentication_classes = (DeviceTokenAuthentication,)
+
+    @property
+    def base_event_qs(self):
+        qs = self.request.auth.organizer.events.annotate(
+            first_date=Coalesce('date_admission', 'date_from'),
+            last_date=Coalesce('date_to', 'date_from'),
+        ).filter(
+            live=True,
+            has_subevents=False
+        ).order_by('first_date')
+        if self.request.auth.gate:
+            has_cl = CheckinList.objects.filter(
+                event=OuterRef('pk'),
+                gates__in=[self.request.auth.gate]
+            )
+            qs = qs.annotate(has_cl=Exists(has_cl)).filter(has_cl=True)
+        return qs
+
+    @property
+    def base_subevent_qs(self):
+        qs = SubEvent.objects.annotate(
+            first_date=Coalesce('date_admission', 'date_from'),
+            last_date=Coalesce('date_to', 'date_from'),
+        ).filter(
+            event__organizer=self.request.auth.organizer,
+            event__live=True,
+            active=True,
+        ).select_related('event').order_by('first_date')
+        if self.request.auth.gate:
+            has_cl = CheckinList.objects.filter(
+                Q(subevent__isnull=True) | Q(subevent=OuterRef('pk')),
+                event_id=OuterRef('event_id'),
+                gates__in=[self.request.auth.gate]
+            )
+            qs = qs.annotate(has_cl=Exists(has_cl)).filter(has_cl=True)
+        return qs
+
+    def get(self, request, format=None):
+        device = request.auth
+        current_event = None
+        current_subevent = None
+        if 'current_event' in request.query_params:
+            current_event = device.organizer.events.filter(slug=request.query_params['current_event']).first()
+            if current_event and 'current_subevent' in request.query_params:
+                current_subevent = current_event.subevents.filter(pk=request.query_params['current_subevent']).first()
+            if current_event and current_event.has_subevents and not current_subevent:
+                current_event = None
+
+        if current_event:
+            current_ev = current_subevent or current_event
+            current_ev_start = current_ev.date_admission or current_ev.date_from
+            tz = current_event.timezone
+            if current_ev.date_to and current_ev_start < now() < current_ev.date_to:
+                # The event that is selected is currently running. Good enough.
+                return Response(status=status.HTTP_304_NOT_MODIFIED)
+
+        # The event that is selected is not currently running. We cannot rely on all events having a proper end date.
+        # In any case, we'll need to decide between the event that last started (and might still be running) and the
+        # event that starts next (and might already be letting people in), so let's get these two!
+        last_started_ev = self.base_event_qs.filter(first_date__lte=now()).last() or self.base_subevent_qs.filter(
+            first_date__lte=now()).last()
+
+        upcoming_event = self.base_event_qs.filter(first_date__gt=now()).first()
+        upcoming_subevent = self.base_subevent_qs.filter(first_date__gt=now()).first()
+        if upcoming_event and upcoming_subevent:
+            if upcoming_event.first_date > upcoming_subevent.first_date:
+                upcoming_ev = upcoming_subevent
+            else:
+                upcoming_ev = upcoming_event
+        else:
+            upcoming_ev = upcoming_event or upcoming_subevent
+
+        if not upcoming_ev and not last_started_ev:
+            # Ooops, no events here
+            return Response(status=status.HTTP_404_NOT_FOUND)
+        elif upcoming_ev and not last_started_ev:
+            # No event running, so let's take the next one
+            return self._suggest_event(current_event, upcoming_ev)
+        elif last_started_ev and not upcoming_ev:
+            # No event upcoming, so let's take the next one
+            return self._suggest_event(current_event, last_started_ev)
+
+        if last_started_ev.date_to and now() < last_started_ev.date_to:
+            # The event that last started is currently running. Good enough.
+            return self._suggest_event(current_event, last_started_ev)
+
+        if not current_event:
+            tz = (upcoming_event or last_started_ev).timezone
+
+        lse_d = last_started_ev.date_from.astimezone(tz).date()
+        upc_d = upcoming_ev.date_from.astimezone(tz).date()
+        now_d = now().astimezone(tz).date()
+        if lse_d == now_d and upc_d != now_d:
+            # Last event was today, next is tomorrow, stick with today
+            return self._suggest_event(current_event, last_started_ev)
+        elif lse_d != now_d and upc_d == now_d:
+            # Last event was yesterday, next is today, stick with today
+            return self._suggest_event(current_event, upcoming_ev)
+
+        # Both last and next event are today, we switch over in the middle
+        if now() > last_started_ev.last_date + (upcoming_ev.first_date - last_started_ev.last_date) / 2:
+            return self._suggest_event(current_event, upcoming_ev)
+        else:
+            return self._suggest_event(current_event, last_started_ev)
+
+    def _suggest_event(self, current_event, ev):
+        current_checkinlist = None
+        if current_event and 'current_checkinlist' in self.request.query_params:
+            current_checkinlist = current_event.checkin_lists.filter(
+                pk=self.request.query_params['current_checkinlist']
+            ).first()
+        if isinstance(ev, SubEvent):
+            checkinlist_qs = ev.event.checkin_lists.filter(Q(subevent__isnull=True) | Q(subevent=ev))
+        else:
+            checkinlist_qs = ev.checkin_lists
+
+        if self.request.auth.gate:
+            checkinlist_qs = checkinlist_qs.filter(gates__in=[self.request.auth.gate])
+
+        checkinlist = None
+        if current_checkinlist:
+            checkinlist = checkinlist_qs.filter(Q(name=current_checkinlist.name) | Q(pk=current_checkinlist.pk)).first()
+        if not checkinlist:
+            checkinlist = checkinlist_qs.first()
+        r = {
+            'event': {
+                'slug': ev.event.slug if isinstance(ev, SubEvent) else ev.slug,
+                'name': str(ev.event.name) if isinstance(ev, SubEvent) else str(ev.name),
+            },
+            'subevent': ev.pk if isinstance(ev, SubEvent) else None,
+            'checkinlist': checkinlist.pk if checkinlist else None,
+        }
+
+        if r == {
+            'event': {
+                'slug': current_event.slug if current_event else None,
+                'name': str(current_event.name) if current_event else None,
+            },
+            'subevent': (
+                int(self.request.query_params.get('current_subevent'))
+                if self.request.query_params.get('current_subevent') else None
+            ),
+            'checkinlist': (
+                int(self.request.query_params.get('current_checkinlist'))
+                if self.request.query_params.get('current_checkinlist') else None
+            ),
+        }:
+            return Response(status=status.HTTP_304_NOT_MODIFIED)
+        return Response(r)

src/pretix/api/views/event.py

@@ -4,7 +4,7 @@ from django.db.models import ProtectedError, Q
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
-from rest_framework import filters, views, viewsets
+from rest_framework import filters, serializers, views, viewsets
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.response import Response
 
@@ -89,7 +89,6 @@ class EventViewSet(viewsets.ModelViewSet):
             )
 
         qs = filter_qs_by_attr(qs, self.request)
-
         return qs.prefetch_related(
             'meta_values', 'meta_values__property', 'seat_category_mappings'
         )
@@ -194,6 +193,7 @@ with scopes_disabled():
         is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
         is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
         ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
+        modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
 
         class Meta:
             model = SubEvent
@@ -233,6 +233,8 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
     write_permission = 'can_change_event_settings'
     filter_backends = (DjangoFilterBackend, filters.OrderingFilter)
     filterset_class = SubEventFilter
+    ordering = ('date_from',)
+    ordering_fields = ('id', 'date_from', 'last_modified')
 
     def get_queryset(self):
         if getattr(self.request, 'event', None):
@@ -254,6 +256,20 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
             'subeventitem_set', 'subeventitemvariation_set', 'seat_category_mappings'
         )
 
+    def list(self, request, **kwargs):
+        date = serializers.DateTimeField().to_representation(now())
+        queryset = self.filter_queryset(self.get_queryset())
+
+        page = self.paginate_queryset(queryset)
+        if page is not None:
+            serializer = self.get_serializer(page, many=True)
+            resp = self.get_paginated_response(serializer.data)
+            resp['X-Page-Generated'] = date
+            return resp
+
+        serializer = self.get_serializer(queryset, many=True)
+        return Response(serializer.data, headers={'X-Page-Generated': date})
+
     def perform_update(self, serializer):
         original_data = self.get_serializer(instance=serializer.instance).data
         super().perform_update(serializer)

src/pretix/api/views/order.py

@@ -26,15 +26,18 @@ from pretix.api.serializers.order import (
     InvoiceSerializer, OrderCreateSerializer, OrderPaymentCreateSerializer,
     OrderPaymentSerializer, OrderPositionSerializer,
     OrderRefundCreateSerializer, OrderRefundSerializer, OrderSerializer,
-    PriceCalcSerializer, SimulatedOrderSerializer,
+    PriceCalcSerializer, RevokedTicketSecretSerializer,
+    SimulatedOrderSerializer,
 )
 from pretix.base.i18n import language
 from pretix.base.models import (
     CachedCombinedTicket, CachedTicket, Device, Event, Invoice, InvoiceAddress,
     Order, OrderFee, OrderPayment, OrderPosition, OrderRefund, Quota, SubEvent,
-    TeamAPIToken, generate_position_secret, generate_secret,
+    TeamAPIToken, generate_secret,
 )
+from pretix.base.models.orders import RevokedTicketSecret
 from pretix.base.payment import PaymentException
+from pretix.base.secrets import assign_ticket_secret
 from pretix.base.services import tickets
 from pretix.base.services.invoices import (
     generate_cancellation, generate_invoice, invoice_pdf, invoice_qualified,
@@ -483,8 +486,9 @@ class OrderViewSet(viewsets.ModelViewSet):
         order = self.get_object()
         order.secret = generate_secret()
         for op in order.all_positions.all():
-            op.secret = generate_position_secret()
-            op.save()
+            assign_ticket_secret(
+                request.event, op, force_invalidate=True, save=True
+            )
         order.save(update_fields=['secret'])
         CachedTicket.objects.filter(order_position__order=order).delete()
         CachedCombinedTicket.objects.filter(order=order).delete()
@@ -1298,3 +1302,26 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
                 auth=self.request.auth,
             )
             return Response(status=204)
+
+
+with scopes_disabled():
+    class RevokedSecretFilter(FilterSet):
+        created_since = django_filters.IsoDateTimeFilter(field_name='created', lookup_expr='gte')
+
+        class Meta:
+            model = RevokedTicketSecret
+            fields = []
+
+
+class RevokedSecretViewSet(viewsets.ReadOnlyModelViewSet):
+    serializer_class = RevokedTicketSecretSerializer
+    queryset = RevokedTicketSecret.objects.none()
+    filter_backends = (DjangoFilterBackend, OrderingFilter)
+    ordering = ('-created',)
+    ordering_fields = ('created', 'secret')
+    filterset_class = RevokedSecretFilter
+    permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
+
+    def get_queryset(self):
+        return RevokedTicketSecret.objects.filter(event=self.request.event)

src/pretix/base/exporters/orderlist.py

@@ -393,6 +393,7 @@ class OrderListExporter(MultiSheetListExporter):
             _('Seat zone'),
             _('Seat row'),
             _('Seat number'),
+            _('Order comment'),
         ]
 
         questions = list(Question.objects.filter(event__in=self.events))
@@ -488,6 +489,7 @@ class OrderListExporter(MultiSheetListExporter):
                 else:
                     row += ['', '', '', '', '']
 
+                row.append(order.comment)
                 acache = {}
                 for a in op.answers.all():
                     # We do not want to localize Date, Time and Datetime question answers, as those can lead
@@ -528,7 +530,7 @@ class OrderListExporter(MultiSheetListExporter):
                     row += [''] * (8 + (len(name_scheme['fields']) if name_scheme and len(name_scheme['fields']) > 1 else 0))
                 row += [
                     order.sales_channel,
-                    order.locale
+                    order.locale,
                 ]
                 row.append(', '.join([
                     str(self.providers.get(p, p)) for p in sorted(set((op.payment_providers or '').split(',')))

src/pretix/base/forms/auth.py

@@ -1,12 +1,17 @@
+import hashlib
+import ipaddress
+
 from django import forms
 from django.conf import settings
 from django.contrib.auth.password_validation import (
     password_validators_help_texts, validate_password,
 )
+from django.utils.functional import cached_property
 from django.utils.translation import gettext_lazy as _
 
 from pretix.base.models import User
 from pretix.helpers.dicts import move_to_end
+from pretix.helpers.http import get_client_ip
 
 
 class LoginForm(forms.Form):
@@ -18,6 +23,7 @@ class LoginForm(forms.Form):
 
     error_messages = {
         'invalid_login': _("This combination of credentials is not known to our system."),
+        'rate_limit': _("For security reasons, please wait 5 minutes before you try again."),
         'inactive': _("This account is inactive.")
     }
 
@@ -39,10 +45,36 @@ class LoginForm(forms.Form):
         else:
             move_to_end(self.fields, 'keep_logged_in')
 
+    @cached_property
+    def ratelimit_key(self):
+        if not settings.HAS_REDIS:
+            return None
+        client_ip = get_client_ip(self.request)
+        if not client_ip:
+            return None
+        try:
+            client_ip = ipaddress.ip_address(client_ip)
+        except ValueError:
+            # Web server not set up correctly
+            return None
+        if client_ip.is_private:
+            # This is the private IP of the server, web server not set up correctly
+            return None
+        return 'pretix_login_{}'.format(hashlib.sha1(str(client_ip).encode()).hexdigest())
+
     def clean(self):
         if all(k in self.cleaned_data for k, f in self.fields.items() if f.required):
+            if self.ratelimit_key:
+                from django_redis import get_redis_connection
+                rc = get_redis_connection("redis")
+                cnt = rc.get(self.ratelimit_key)
+                if cnt and int(cnt) > 10:
+                    raise forms.ValidationError(self.error_messages['rate_limit'], code='rate_limit')
             self.user_cache = self.backend.form_authenticate(self.request, self.cleaned_data)
             if self.user_cache is None:
+                if self.ratelimit_key:
+                    rc.incr(self.ratelimit_key)
+                    rc.expire(self.ratelimit_key, 300)
                 raise forms.ValidationError(
                     self.error_messages['invalid_login'],
                     code='invalid_login'

src/pretix/base/forms/user.py

@@ -1,4 +1,5 @@
 from django import forms
+from django.conf import settings
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.password_validation import (
     password_validators_help_texts, validate_password,
@@ -19,6 +20,7 @@ class UserSettingsForm(forms.ModelForm):
                         "address or password."),
         'pw_current_wrong': _("The current password you entered was not correct."),
         'pw_mismatch': _("Please enter the same password twice"),
+        'rate_limit': _("For security reasons, please wait 5 minutes before you try again."),
     }
 
     old_pw = forms.CharField(max_length=255,
@@ -64,6 +66,18 @@ class UserSettingsForm(forms.ModelForm):
 
     def clean_old_pw(self):
         old_pw = self.cleaned_data.get('old_pw')
+
+        if old_pw and settings.HAS_REDIS:
+            from django_redis import get_redis_connection
+            rc = get_redis_connection("redis")
+            cnt = rc.incr('pretix_pwchange_%s' % self.user.pk)
+            rc.expire('pretix_pwchange_%s' % self.user.pk, 300)
+            if cnt > 10:
+                raise forms.ValidationError(
+                    self.error_messages['rate_limit'],
+                    code='rate_limit',
+                )
+
         if old_pw and not check_password(old_pw, self.user.password):
             raise forms.ValidationError(
                 self.error_messages['pw_current_wrong'],

src/pretix/base/management/commands/runperiodic.py

@@ -13,6 +13,10 @@ from ...signals import periodic_task
 class Command(BaseCommand):
     help = "Run periodic tasks"
 
+    def add_arguments(self, parser):
+        parser.add_argument('--tasks', action='store', type=str, help='Only execute the tasks with this name '
+                                                                      '(dotted path, comma separation)')
+
     def handle(self, *args, **options):
         verbosity = int(options['verbosity'])
 
@@ -20,8 +24,13 @@ class Command(BaseCommand):
             return
 
         for receiver in periodic_task._live_receivers(self):
+            name = f'{receiver.__module__}.{receiver.__name__}'
+            if options.get('tasks'):
+                if name not in options.get('tasks').split(','):
+                    continue
+
             if verbosity > 1:
-                self.stdout.write(f'Running {receiver.__module__}.{receiver.__name__}…')
+                self.stdout.write(f'Running {name}…')
             t0 = time.time()
             try:
                 r = receiver(signal=periodic_task, sender=self)
@@ -38,6 +47,6 @@ class Command(BaseCommand):
             else:
                 if options.get('verbosity') > 1:
                     if r is SKIPPED:
-                        self.stdout.write(self.style.SUCCESS(f'Skipped {receiver.__module__}.{receiver.__name__}'))
+                        self.stdout.write(self.style.SUCCESS(f'Skipped {name}'))
                     else:
-                        self.stdout.write(self.style.SUCCESS(f'Completed {receiver.__module__}.{receiver.__name__} in {round(time.time() - t0, 3)}s'))
+                        self.stdout.write(self.style.SUCCESS(f'Completed {name} in {round(time.time() - t0, 3)}s'))

src/pretix/base/migrations/0001_squashed_0028_auto_20160816_1242.py

@@ -482,7 +482,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='orderposition',
             name='secret',
-            field=models.CharField(db_index=True, default=pretix.base.models.orders.generate_position_secret, max_length=64),
+            field=models.CharField(db_index=True, default="invalid", max_length=64),
         ),
         migrations.AddField(
             model_name='order',

src/pretix/base/migrations/0010_orderposition_secret.py

@@ -17,6 +17,6 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='orderposition',
             name='secret',
-            field=models.CharField(default=pretix.base.models.orders.generate_position_secret, max_length=64),
+            field=models.CharField(default="invalid", max_length=64),
         ),
     ]

src/pretix/base/migrations/0025_auto_20160802_2202.py

@@ -38,7 +38,7 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='orderposition',
             name='secret',
-            field=models.CharField(db_index=True, default=pretix.base.models.orders.generate_position_secret, max_length=64),
+            field=models.CharField(db_index=True, default="invalid", max_length=64),
         ),
         migrations.AlterField(
             model_name='voucher',

src/pretix/base/migrations/0162b_auto_20201218_1810.py

@@ -0,0 +1,23 @@
+# Generated by Django 3.0.11 on 2020-12-18 18:10
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0162_remove_seat_name'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='cachedfile',
+            name='session_key',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='cachedfile',
+            name='web_download',
+            field=models.BooleanField(default=True),
+        ),
+    ]

src/pretix/base/migrations/0164_subevent_last_modified.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.0.9 on 2020-10-15 16:12
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0163_device_security_profile'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='subevent',
+            name='last_modified',
+            field=models.DateTimeField(auto_now=True, db_index=True),
+        ),
+    ]

src/pretix/base/migrations/0165_auto_20201015_1924.py

@@ -0,0 +1,29 @@
+# Generated by Django 3.0.10 on 2020-10-15 19:24
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0164_subevent_last_modified'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='orderposition',
+            name='secret',
+            field=models.CharField(db_index=True, max_length=64),
+        ),
+        migrations.CreateModel(
+            name='RevokedTicketSecret',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
+                ('secret', models.TextField(db_index=True)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('event', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='revoked_secrets', to='pretixbase.Event')),
+                ('position', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='revoked_secrets', to='pretixbase.OrderPosition')),
+            ],
+        ),
+    ]

src/pretix/base/migrations/0166_auto_20201015_2029.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.0.10 on 2020-10-15 20:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0165_auto_20201015_1924'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='orderposition',
+            name='secret',
+            field=models.CharField(db_index=True, max_length=255),
+        ),
+    ]

src/pretix/base/migrations/0167_checkinlist_exit_all_at.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.0.10 on 2020-10-20 06:24
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0166_auto_20201015_2029'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='checkinlist',
+            name='exit_all_at',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+    ]

src/pretix/base/migrations/0168_auto_20201023_1447.py

@@ -0,0 +1,33 @@
+# Generated by Django 3.0.9 on 2020-10-23 14:47
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0167_checkinlist_exit_all_at'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Gate',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=190)),
+                ('identifier', models.CharField(max_length=190)),
+                ('organizer', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='gates', to='pretixbase.Organizer')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='checkin',
+            name='gate',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='checkins', to='pretixbase.Gate'),
+        ),
+        migrations.AddField(
+            model_name='device',
+            name='gate',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='devices', to='pretixbase.Gate'),
+        ),
+    ]

src/pretix/base/migrations/0169_checkinlist_gates.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.0.10 on 2020-10-24 15:55
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0168_auto_20201023_1447'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='checkinlist',
+            name='gates',
+            field=models.ManyToManyField(to='pretixbase.Gate'),
+        ),
+    ]

src/pretix/base/migrations/0170_merge_20201222_1028.py

@@ -0,0 +1,14 @@
+# Generated by Django 3.0.11 on 2020-12-22 10:28
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0169_checkinlist_gates'),
+        ('pretixbase', '0162b_auto_20201218_1810'),
+    ]
+
+    operations = [
+    ]

src/pretix/base/models/__init__.py

@@ -2,7 +2,7 @@ from ..settings import GlobalSettingsObject_SettingsStore
 from .auth import U2FDevice, User, WebAuthnDevice
 from .base import CachedFile, LoggedModel, cachedfile_name
 from .checkin import Checkin, CheckinList
-from .devices import Device
+from .devices import Device, Gate
 from .event import (
     Event, Event_SettingsStore, EventLock, EventMetaProperty, EventMetaValue,
     RequiredAction, SubEvent, SubEventMetaValue, generate_invite_token,
@@ -19,8 +19,8 @@ from .notifications import NotificationSetting
 from .orders import (
     AbstractPosition, CachedCombinedTicket, CachedTicket, CartPosition,
     InvoiceAddress, Order, OrderFee, OrderPayment, OrderPosition, OrderRefund,
-    QuestionAnswer, cachedcombinedticket_name, cachedticket_name,
-    generate_position_secret, generate_secret,
+    QuestionAnswer, RevokedTicketSecret, cachedcombinedticket_name,
+    cachedticket_name, generate_position_secret, generate_secret,
 )
 from .organizer import (
     Organizer, Organizer_SettingsStore, Team, TeamAPIToken, TeamInvite,

src/pretix/base/models/base.py

@@ -28,6 +28,8 @@ class CachedFile(models.Model):
     filename = models.CharField(max_length=255)
     type = models.CharField(max_length=255)
     file = models.FileField(null=True, blank=True, upload_to=cachedfile_name, max_length=255)
+    web_download = models.BooleanField(default=True)  # allow web download, True for backwards compatibility in plugins
+    session_key = models.TextField(null=True, blank=True)  # only allow download in this session
 
 
 @receiver(post_delete, sender=CachedFile)

src/pretix/base/models/checkin.py

@@ -21,6 +21,11 @@ class CheckinList(LoggedModel):
                                           default=False,
                                           help_text=_('With this option, people will be able to check in even if the '
                                                       'order have not been paid.'))
+    gates = models.ManyToManyField(
+        'Gate', verbose_name=_("Gates"), blank=True,
+        help_text=_("Does not have any effect for the validation of tickets, only for the automatic configuration of "
+                    "check-in devices.")
+    )
     allow_entry_after_exit = models.BooleanField(
         verbose_name=_('Allow re-entering after an exit scan'),
         default=True
@@ -30,7 +35,10 @@ class CheckinList(LoggedModel):
         help_text=_('Use this option to turn off warnings if a ticket is scanned a second time.'),
         default=False
     )
-
+    exit_all_at = models.DateTimeField(
+        verbose_name=_('Automatically check out everyone at'),
+        null=True, blank=True
+    )
     auto_checkin_sales_channels = MultiStringField(
         default=[],
         blank=True,
@@ -62,7 +70,7 @@ class CheckinList(LoggedModel):
         return qs
 
     @property
-    def inside_count(self):
+    def positions_inside(self):
         return self.positions.annotate(
             last_entry=Subquery(
                 Checkin.objects.filter(
@@ -87,7 +95,11 @@ class CheckinList(LoggedModel):
             & Q(
                 Q(last_exit__isnull=True) | Q(last_exit__lt=F('last_entry'))
             )
-        ).count()
+        )
+
+    @property
+    def inside_count(self):
+        return self.positions_inside.count()
 
     @property
     @scopes_disabled()
@@ -152,6 +164,9 @@ class Checkin(models.Model):
     device = models.ForeignKey(
         'pretixbase.Device', related_name='checkins', on_delete=models.PROTECT, null=True, blank=True
     )
+    gate = models.ForeignKey(
+        'pretixbase.Gate', related_name='checkins', on_delete=models.SET_NULL, null=True, blank=True
+    )
     auto_checked_in = models.BooleanField(default=False)
 
     objects = ScopedManager(organizer='position__order__event__organizer')

src/pretix/base/models/devices.py

@@ -1,5 +1,6 @@
 import string
 
+from django.core.exceptions import ValidationError
 from django.db import models
 from django.db.models import Max
 from django.utils.crypto import get_random_string
@@ -34,12 +35,64 @@ def generate_api_token():
     return token
 
 
+class Gate(LoggedModel):
+    organizer = models.ForeignKey(
+        'pretixbase.Organizer',
+        on_delete=models.PROTECT,
+        related_name='gates'
+    )
+    name = models.CharField(
+        verbose_name=_("Name"),
+        max_length=190,
+    )
+    identifier = models.CharField(
+        max_length=190, blank=True,
+        verbose_name=_("Internal identifier"),
+        help_text=_('You can enter any value here to make it easier to match the data with other sources. If you do '
+                    'not input one, we will generate one automatically.')
+    )
+
+    class Meta:
+        ordering = ('name',)
+
+    def __str__(self):
+        return self.name
+
+    def clean_identifier(self, code):
+        Gate._clean_identifier(self.organizer, code, self)
+
+    @staticmethod
+    def _clean_identifier(organizer, code, instance=None):
+        qs = Gate.objects.filter(organizer=organizer, identifier__iexact=code)
+        if instance:
+            qs = qs.exclude(pk=instance.pk)
+        if qs.exists():
+            raise ValidationError(_('This identifier is already used for a different question.'))
+
+    def save(self, *args, **kwargs):
+        if not self.identifier:
+            charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
+            while True:
+                code = get_random_string(length=8, allowed_chars=charset)
+                if not Gate.objects.filter(organizer=self.organizer, identifier=code).exists():
+                    self.identifier = code
+                    break
+        return super().save(*args, **kwargs)
+
+
 class Device(LoggedModel):
     organizer = models.ForeignKey(
         'pretixbase.Organizer',
         on_delete=models.PROTECT,
         related_name='devices'
     )
+    gate = models.ForeignKey(
+        'pretixbase.Gate',
+        verbose_name=_('Gate'),
+        on_delete=models.SET_NULL,
+        null=True, blank=True,
+        related_name='devices'
+    )
     device_id = models.PositiveIntegerField()
     unique_serial = models.CharField(max_length=190, default=generate_serial, unique=True)
     initialization_token = models.CharField(max_length=190, default=generate_initialization_token, unique=True)

src/pretix/base/models/event.py

@@ -662,7 +662,14 @@ class Event(EventMixin, LoggedModel):
                 s.product = item_map[s.product_id]
             s.save()
 
+        skip_settings = (
+            'ticket_secrets_pretix_sig1_pubkey',
+            'ticket_secrets_pretix_sig1_privkey',
+        )
         for s in other.settings._objects.all():
+            if s.key in skip_settings:
+                continue
+
             s.object = self
             s.pk = None
             if s.value.startswith('file://'):
@@ -754,6 +761,31 @@ class Event(EventMixin, LoggedModel):
                 renderers[pp.identifier] = pp
         return renderers
 
+    @cached_property
+    def ticket_secret_generators(self) -> dict:
+        """
+        Returns a dictionary of cached initialized ticket secret generators mapped by their identifiers.
+        """
+        from ..signals import register_ticket_secret_generators
+
+        responses = register_ticket_secret_generators.send(self)
+        renderers = {}
+        for receiver, response in responses:
+            if not isinstance(response, list):
+                response = [response]
+            for p in response:
+                pp = p(self)
+                renderers[pp.identifier] = pp
+        return renderers
+
+    @property
+    def ticket_secret_generator(self):
+        """
+        Returns the currently configured ticket secret generator.
+        """
+        tsgs = self.ticket_secret_generators
+        return tsgs[self.settings.ticket_secret_generator]
+
     def get_data_shredders(self) -> dict:
         """
         Returns a dictionary of initialized data shredders mapped by their identifiers.
@@ -1036,6 +1068,9 @@ class SubEvent(EventMixin, LoggedModel):
     )
     seating_plan = models.ForeignKey('SeatingPlan', on_delete=models.PROTECT, null=True, blank=True,
                                      related_name='subevents')
+    last_modified = models.DateTimeField(
+        auto_now=True, db_index=True
+    )
 
     items = models.ManyToManyField('Item', through='SubEventItem')
     variations = models.ManyToManyField('ItemVariation', through='SubEventItemVariation')

src/pretix/base/models/orders.py

@@ -57,8 +57,7 @@ def generate_secret():
 
 
 def generate_position_secret():
-    # Exclude o,0,1,i,l to avoid confusion with bad fonts/printers
-    return get_random_string(length=settings.ENTROPY['ticket_secret'], allowed_chars='abcdefghjkmnpqrstuvwxyz23456789')
+    raise TypeError("Function no longer exists, use secret generators")
 
 
 class Order(LockModel, LoggedModel):
@@ -1938,7 +1937,7 @@ class OrderPosition(AbstractPosition):
         max_digits=10, decimal_places=2,
         verbose_name=_('Tax value')
     )
-    secret = models.CharField(max_length=64, default=generate_position_secret, db_index=True)
+    secret = models.CharField(max_length=255, null=False, blank=False, db_index=True)
     web_secret = models.CharField(max_length=32, default=generate_secret, db_index=True)
     pseudonymization_id = models.CharField(
         max_length=16,
@@ -2031,13 +2030,18 @@ class OrderPosition(AbstractPosition):
             self.tax_rate = Decimal('0.00')
 
     def save(self, *args, **kwargs):
+        from pretix.base.secrets import assign_ticket_secret
+
         if self.tax_rate is None:
             self._calculate_tax()
         self.order.touch()
         if not self.pk:
-            while OrderPosition.all.filter(secret=self.secret,
-                                           order__event__organizer_id=self.order.event.organizer_id).exists():
-                self.secret = generate_position_secret()
+            while not self.secret or OrderPosition.all.filter(
+                secret=self.secret, order__event__organizer_id=self.order.event.organizer_id
+            ).exists():
+                assign_ticket_secret(
+                    event=self.order.event, position=self, force_invalidate=True, save=False
+                )
 
         if not self.pseudonymization_id:
             self.assign_pseudonymization_id()
@@ -2067,7 +2071,7 @@ class OrderPosition(AbstractPosition):
                   user: User=None, headers: dict=None, sender: str=None, invoices: list=None,
                   auth=None, attach_tickets=False):
         """
-        Sends an email to the user that placed this order. Basically, this method does two things:
+        Sends an email to the attendee. Basically, this method does two things:
 
         * Call ``pretix.base.services.mail.mail`` with useful values for the ``event``, ``locale``, ``recipient`` and
           ``order`` parameters.
@@ -2326,6 +2330,18 @@ class CancellationRequest(models.Model):
     refund_as_giftcard = models.BooleanField(default=False)
 
 
+class RevokedTicketSecret(models.Model):
+    event = models.ForeignKey(Event, on_delete=models.CASCADE, related_name='revoked_secrets')
+    position = models.ForeignKey(
+        OrderPosition,
+        on_delete=models.SET_NULL,
+        related_name='revoked_secrets',
+        null=True,
+    )
+    secret = models.TextField(db_index=True)
+    created = models.DateTimeField(auto_now_add=True)
+
+
 @receiver(post_delete, sender=CachedTicket)
 def cachedticket_delete(sender, instance, **kwargs):
     if instance.file:

src/pretix/base/orderimport.py

@@ -641,7 +641,7 @@ class QuestionColumn(ImportColumn):
                     for v in opt.answer.data.values():
                         self.option_resolve_cache[v.strip()].add(opt)
                 else:
-                    self.option_resolve_cache[opt.answer.strip()].add(opt)
+                    self.option_resolve_cache[opt.answer.data.strip()].add(opt)
 
             else:
                 self.option_resolve_cache[opt.answer.strip()].add(opt)
@@ -661,7 +661,7 @@ class QuestionColumn(ImportColumn):
                 if value not in self.option_resolve_cache:
                     raise ValidationError(_('Invalid option selected.'))
                 if len(self.option_resolve_cache[value]) > 1:
-                    raise ValidationError(_('Ambigous option selected.'))
+                    raise ValidationError(_('Ambiguous option selected.'))
                 return list(self.option_resolve_cache[value])[0]
 
             elif self.q.type == Question.TYPE_CHOICE_MULTIPLE:
@@ -669,7 +669,7 @@ class QuestionColumn(ImportColumn):
                 if any(v.strip() not in self.option_resolve_cache for v in values):
                     raise ValidationError(_('Invalid option selected.'))
                 if any(len(self.option_resolve_cache[v.strip()]) > 1 for v in values):
-                    raise ValidationError(_('Ambigous option selected.'))
+                    raise ValidationError(_('Ambiguous option selected.'))
                 return [list(self.option_resolve_cache[v.strip()])[0] for v in values]
 
             else:

src/pretix/base/payment.py

@@ -717,7 +717,7 @@ class BasePaymentProvider:
 
         The default implementation returns an empty string.
 
-        :param order: The order object
+        :param refund: The refund object
         """
         return ''
 

src/pretix/base/pdf.py

@@ -48,7 +48,9 @@ DEFAULT_VARIABLES = OrderedDict((
     ("secret", {
         "label": _("Ticket code (barcode content)"),
         "editor_sample": "tdmruoekvkpbv1o2mv8xccvqcikvr58u",
-        "evaluate": lambda orderposition, order, event: orderposition.secret
+        "evaluate": lambda orderposition, order, event: (
+            orderposition.secret[:30] + "…" if len(orderposition.secret) > 32 else orderposition.secret
+        )
     }),
     ("order", {
         "label": _("Order code"),
@@ -427,8 +429,13 @@ class Renderer:
         elif content == 'pseudonymization_id':
             content = op.pseudonymization_id
 
+        level = 'H'
+        if len(content) > 32:
+            level = 'M'
+        if len(content) > 128:
+            level = 'L'
         reqs = float(o['size']) * mm
-        qrw = QrCodeWidget(content, barLevel='H', barHeight=reqs, barWidth=reqs)
+        qrw = QrCodeWidget(content, barLevel=level, barHeight=reqs, barWidth=reqs)
         d = Drawing(reqs, reqs)
         d.add(qrw)
         qr_x = float(o['left']) * mm

src/pretix/base/secretgenerators/pretix_sig1.proto

@@ -0,0 +1,11 @@
+syntax = "proto3";
+
+option java_package = "eu.pretix.libpretixsync.crypto.sig1";
+option java_outer_classname = "TicketProtos";
+
+message Ticket {
+    string seed = 1;
+    int64 item = 2;
+    int64 variation = 3;
+    int64 subevent = 4;
+}

src/pretix/base/secretgenerators/pretix_sig1_pb2.py

@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: pretix_sig1.proto
+
+from google.protobuf import (
+    descriptor as _descriptor, message as _message, reflection as _reflection,
+    symbol_database as _symbol_database,
+)
+
+# @@protoc_insertion_point(imports)
+
+_sym_db = _symbol_database.Default()
+
+
+
+
+DESCRIPTOR = _descriptor.FileDescriptor(
+  name='pretix_sig1.proto',
+  package='',
+  syntax='proto3',
+  serialized_options=b'\n\026eu.pretix.secrets.sig1B\014TicketProtos',
+  create_key=_descriptor._internal_create_key,
+  serialized_pb=b'\n\x11pretix_sig1.proto\"I\n\x06Ticket\x12\x0c\n\x04seed\x18\x01 \x01(\t\x12\x0c\n\x04item\x18\x02 \x01(\x03\x12\x11\n\tvariation\x18\x03 \x01(\x03\x12\x10\n\x08subevent\x18\x04 \x01(\x03\x42&\n\x16\x65u.pretix.secrets.sig1B\x0cTicketProtosb\x06proto3'
+)
+
+
+
+
+_TICKET = _descriptor.Descriptor(
+  name='Ticket',
+  full_name='Ticket',
+  filename=None,
+  file=DESCRIPTOR,
+  containing_type=None,
+  create_key=_descriptor._internal_create_key,
+  fields=[
+    _descriptor.FieldDescriptor(
+      name='seed', full_name='Ticket.seed', index=0,
+      number=1, type=9, cpp_type=9, label=1,
+      has_default_value=False, default_value=b"".decode('utf-8'),
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+    _descriptor.FieldDescriptor(
+      name='item', full_name='Ticket.item', index=1,
+      number=2, type=3, cpp_type=2, label=1,
+      has_default_value=False, default_value=0,
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+    _descriptor.FieldDescriptor(
+      name='variation', full_name='Ticket.variation', index=2,
+      number=3, type=3, cpp_type=2, label=1,
+      has_default_value=False, default_value=0,
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+    _descriptor.FieldDescriptor(
+      name='subevent', full_name='Ticket.subevent', index=3,
+      number=4, type=3, cpp_type=2, label=1,
+      has_default_value=False, default_value=0,
+      message_type=None, enum_type=None, containing_type=None,
+      is_extension=False, extension_scope=None,
+      serialized_options=None, file=DESCRIPTOR,  create_key=_descriptor._internal_create_key),
+  ],
+  extensions=[
+  ],
+  nested_types=[],
+  enum_types=[
+  ],
+  serialized_options=None,
+  is_extendable=False,
+  syntax='proto3',
+  extension_ranges=[],
+  oneofs=[
+  ],
+  serialized_start=21,
+  serialized_end=94,
+)
+
+DESCRIPTOR.message_types_by_name['Ticket'] = _TICKET
+_sym_db.RegisterFileDescriptor(DESCRIPTOR)
+
+Ticket = _reflection.GeneratedProtocolMessageType('Ticket', (_message.Message,), {
+  'DESCRIPTOR' : _TICKET,
+  '__module__' : 'pretix_sig1_pb2'
+  # @@protoc_insertion_point(class_scope:Ticket)
+  })
+_sym_db.RegisterMessage(Ticket)
+
+
+DESCRIPTOR._options = None
+# @@protoc_insertion_point(module_scope)

src/pretix/base/secrets.py

@@ -0,0 +1,202 @@
+import base64
+import struct
+
+from cryptography.hazmat.backends.openssl.backend import Backend
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+from cryptography.hazmat.primitives.serialization.base import (
+    Encoding, NoEncryption, PrivateFormat, PublicFormat, load_pem_private_key,
+    load_pem_public_key,
+)
+from django.conf import settings
+from django.dispatch import receiver
+from django.utils.crypto import get_random_string
+from django.utils.translation import ugettext_lazy as _
+
+from pretix.base.models import Item, ItemVariation, SubEvent
+from pretix.base.secretgenerators import pretix_sig1_pb2
+from pretix.base.signals import register_ticket_secret_generators
+
+
+class BaseTicketSecretGenerator:
+    """
+    This is the base class to be used for all ticket secret generators.
+    """
+
+    @property
+    def verbose_name(self) -> str:
+        """
+        A human-readable name for this generator. This should be short but self-explanatory.
+        """
+        raise NotImplementedError()  # NOQA
+
+    @property
+    def identifier(self) -> str:
+        """
+        A short and unique identifier for this renderer. This should only contain lowercase letters
+        and in most cases will be the same as your package name.
+        """
+        raise NotImplementedError()  # NOQA
+
+    def __init__(self, event):
+        self.event = event
+
+    @property
+    def use_revocation_list(self):
+        """
+        If this attribute is set to ``True``, the system will set all no-longer-used secrets on a revocation list.
+        This is not required for pretix' default method of just using random identifiers as ticket secrets
+        since all ticket scans will be compared to the database. However, if your secret generation method
+        is designed to allow offline verification without a ticket database, all invalidated/replaced
+        secrets as well as all secrets of canceled tickets will need to go to a revocation list.
+        """
+        return False
+
+    def generate_secret(self, item: Item, variation: ItemVariation = None, subevent: SubEvent = None,
+                        current_secret: str = None, force_invalidate=False) -> str:
+        """
+        Generate a new secret for a ticket with product ``item``, variation ``variation``, subevent ``subevent``,
+        and the current secret ``current_secret`` (if any).
+
+        The result must be a string that should only contain the characters ``A-Za-z0-9+/=``.
+
+        The algorithm is expected to conform to the following rules:
+
+        If ``force_invalidate`` is set to ``True``, the method MUST return a different secret than ``current_secret``,
+        such that ``current_secret`` can get revoked.
+
+        If ``force_invalidate`` is set to ``False`` and ``item``, ``variation`` and ``subevent`` have the same value
+        as when ``current_secret`` was generated, then this method MUST return ``current_secret`` unchanged.
+
+        If ``force_invalidate`` is set to ``False`` and ``item``, ``variation`` and ``subevent`` have a different value
+        as when ``current_secret`` was generated, then this method MAY OR MAY NOT return ``current_secret`` unchanged,
+        depending on the semantics of the method.
+        """
+        raise NotImplementedError()
+
+
+class RandomTicketSecretGenerator(BaseTicketSecretGenerator):
+    verbose_name = _('Random (default, works with all pretix apps)')
+    identifier = 'random'
+    use_revocation_list = False
+
+    def generate_secret(self, item: Item, variation: ItemVariation = None, subevent: SubEvent = None,
+                        current_secret: str = None, force_invalidate=False):
+        if current_secret and not force_invalidate:
+            return current_secret
+        return get_random_string(
+            length=settings.ENTROPY['ticket_secret'],
+            # Exclude o,0,1,i,l to avoid confusion with bad fonts/printers
+            allowed_chars='abcdefghjkmnpqrstuvwxyz23456789'
+        )
+
+
+class Sig1TicketSecretGenerator(BaseTicketSecretGenerator):
+    """
+    Secret generator for signed QR codes.
+
+    QR-code format:
+
+    - 1 Byte with the version of the scheme, currently 0x01
+    - 2 Bytes length of the payload (big-endian) => n
+    - 2 Bytes length of the signature (big-endian) => m
+    - n Bytes payload (with protobuf encoding)
+    - m Bytes ECDSA signature of Sign(payload)
+
+    The resulting string is REVERSED, to avoid all secrets of same length beginning with the same 10
+    characters, which would make it impossible to search for secrets manually.
+    """
+    verbose_name = _('pretix signature scheme 1 (for very large events, does not work with pretixSCAN on iOS and '
+                     'changes semantics of offline scanning – please refer to documentation or support for details)')
+    identifier = 'pretix_sig1'
+    use_revocation_list = True
+
+    def _generate_keys(self):
+        privkey = Ed25519PrivateKey.generate()
+        pubkey = privkey.public_key()
+        self.event.settings.ticket_secrets_pretix_sig1_privkey = base64.b64encode(privkey.private_bytes(
+            Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()
+        )).decode()
+        self.event.settings.ticket_secrets_pretix_sig1_pubkey = base64.b64encode(pubkey.public_bytes(
+            Encoding.PEM, PublicFormat.SubjectPublicKeyInfo
+        )).decode()
+
+    def _sign_payload(self, payload):
+        if not self.event.settings.ticket_secrets_pretix_sig1_privkey:
+            self._generate_keys()
+        privkey = load_pem_private_key(
+            base64.b64decode(self.event.settings.ticket_secrets_pretix_sig1_privkey), None, Backend()
+        )
+        signature = privkey.sign(payload)
+        return (
+            bytes([0x01])
+            + struct.pack(">H", len(payload))
+            + struct.pack(">H", len(signature))
+            + payload
+            + signature
+        )
+
+    def _parse(self, secret):
+        try:
+            rawbytes = base64.b64decode(secret[::-1])
+            if rawbytes[0] != 1:
+                raise ValueError('Invalid version')
+
+            payload_len = struct.unpack(">H", rawbytes[1:3])[0]
+            sig_len = struct.unpack(">H", rawbytes[3:5])[0]
+            payload = rawbytes[5:5 + payload_len]
+            signature = rawbytes[5 + payload_len:5 + payload_len + sig_len]
+            pubkey = load_pem_public_key(
+                base64.b64decode(self.event.settings.ticket_secrets_pretix_sig1_pubkey), Backend()
+            )
+            pubkey.verify(signature, payload)
+            t = pretix_sig1_pb2.Ticket()
+            t.ParseFromString(payload)
+            return t
+        except:
+            return None
+
+    def generate_secret(self, item: Item, variation: ItemVariation = None, subevent: SubEvent = None,
+                        current_secret: str = None, force_invalidate=False):
+        if current_secret and not force_invalidate:
+            ticket = self._parse(current_secret)
+            if ticket:
+                unchanged = (
+                    ticket.item == item.pk and
+                    ticket.variation == (variation.pk if variation else 0) and
+                    ticket.subevent == (subevent.pk if subevent else 0)
+                )
+                if unchanged:
+                    return current_secret
+
+        t = pretix_sig1_pb2.Ticket()
+        t.seed = get_random_string(9)
+        t.item = item.pk
+        t.variation = variation.pk if variation else 0
+        t.subevent = subevent.pk if subevent else 0
+        payload = t.SerializeToString()
+        result = base64.b64encode(self._sign_payload(payload)).decode()[::-1]
+        return result
+
+
+@receiver(register_ticket_secret_generators, dispatch_uid="ticket_generator_default")
+def recv_classic(sender, **kwargs):
+    return [RandomTicketSecretGenerator, Sig1TicketSecretGenerator]
+
+
+def assign_ticket_secret(event, position, force_invalidate_if_revokation_list_used=False, force_invalidate=False, save=True):
+    gen = event.ticket_secret_generator
+    if gen.use_revocation_list and force_invalidate_if_revokation_list_used:
+        force_invalidate = True
+    secret = gen.generate_secret(
+        item=position.item,
+        variation=position.variation,
+        subevent=position.subevent,
+        current_secret=position.secret,
+        force_invalidate=force_invalidate
+    )
+    changed = position.secret != secret
+    if position.secret and changed and gen.use_revocation_list:
+        position.revoked_secrets.create(event=event, secret=position.secret)
+    position.secret = secret
+    if save and changed:
+        position.save()

src/pretix/base/services/checkin.py

@@ -7,11 +7,12 @@ from django.dispatch import receiver
 from django.utils.functional import cached_property
 from django.utils.timezone import now, override
 from django.utils.translation import gettext as _
+from django_scopes import scope, scopes_disabled
 
 from pretix.base.models import (
     Checkin, CheckinList, Device, Order, OrderPosition, QuestionOption,
 )
-from pretix.base.signals import checkin_created, order_placed
+from pretix.base.signals import checkin_created, order_placed, periodic_task
 from pretix.helpers.jsonlogic import Logic
 
 
@@ -229,6 +230,7 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
             list=clist,
             datetime=dt,
             device=device,
+            gate=device.gate if device else None,
             nonce=nonce,
             forced=force and not entry_allowed,
         )
@@ -262,5 +264,23 @@ def order_placed(sender, **kwargs):
         for cl in cls:
             if cl.all_products or op.item_id in {i.pk for i in cl.limit_products.all()}:
                 if not cl.subevent_id or cl.subevent_id == op.subevent_id:
-                    ci = Checkin.objects.create(position=op, list=cl, auto_checked_in=True)
+                    ci = Checkin.objects.create(position=op, list=cl, auto_checked_in=True, type=Checkin.TYPE_ENTRY)
                     checkin_created.send(event, checkin=ci)
+
+
+@receiver(periodic_task, dispatch_uid="autocheckin_exit_all")
+@scopes_disabled()
+def process_exit_all(sender, **kwargs):
+    qs = CheckinList.objects.filter(
+        exit_all_at__lte=now(),
+        exit_all_at__isnull=False
+    ).select_related('event', 'event__organizer')
+    for cl in qs:
+        for p in cl.positions_inside:
+            with scope(organizer=cl.event.organizer):
+                ci = Checkin.objects.create(
+                    position=p, list=cl, auto_checked_in=True, type=Checkin.TYPE_EXIT, datetime=cl.exit_all_at
+                )
+                checkin_created.send(cl.event, checkin=ci)
+        cl.exit_all_at = cl.exit_all_at + timedelta(days=1)
+        cl.save(update_fields=['exit_all_at'])

src/pretix/base/services/mail.py

@@ -231,7 +231,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
             attach_tickets=attach_tickets,
             attach_ical=attach_ical,
             user=user.pk if user else None,
-            attach_cached_files=[cf.id for cf in attach_cached_files] if attach_cached_files else [],
+            attach_cached_files=[(cf.id if isinstance(cf, CachedFile) else cf) for cf in attach_cached_files] if attach_cached_files else [],
         )
 
         if invoices:

src/pretix/base/services/orders.py

@@ -32,13 +32,13 @@ from pretix.base.models import (
 from pretix.base.models.event import SubEvent
 from pretix.base.models.items import ItemBundle
 from pretix.base.models.orders import (
-    InvoiceAddress, OrderFee, OrderRefund, generate_position_secret,
-    generate_secret,
+    InvoiceAddress, OrderFee, OrderRefund, generate_secret,
 )
 from pretix.base.models.organizer import TeamAPIToken
 from pretix.base.models.tax import TaxRule
 from pretix.base.payment import BasePaymentProvider, PaymentException
 from pretix.base.reldate import RelativeDateWrapper
+from pretix.base.secrets import assign_ticket_secret
 from pretix.base.services import tickets
 from pretix.base.services.invoices import (
     generate_cancellation, generate_invoice, invoice_qualified,
@@ -371,7 +371,10 @@ def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device
                     if position.voucher:
                         Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
                     position.canceled = True
-                    position.save(update_fields=['canceled'])
+                    assign_ticket_secret(
+                        event=order.event, position=position, force_invalidate_if_revokation_list_used=True, force_invalidate=False, save=False
+                    )
+                    position.save(update_fields=['canceled', 'secret'])
                 new_fee = cancellation_fee
                 for fee in order.fees.all():
                     if keep_fees and fee in keep_fees:
@@ -406,6 +409,9 @@ def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device
                 order.save(update_fields=['status', 'cancellation_date'])
 
             for position in order.positions.all():
+                assign_ticket_secret(
+                    event=order.event, position=position, force_invalidate_if_revokation_list_used=True, force_invalidate=False, save=True
+                )
                 if position.voucher:
                     Voucher.objects.filter(pk=position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
 
@@ -1564,6 +1570,9 @@ class OrderChangeManager:
                             invoice_address=self._invoice_address
                         ).gross
                     )
+                assign_ticket_secret(
+                    event=self.event, position=op.position, force_invalidate=False, save=False
+                )
                 op.position.save()
             elif isinstance(op, self.SeatOperation):
                 self.order.log_action('pretix.event.order.changed.seat', user=self.user, auth=self.auth, data={
@@ -1575,6 +1584,9 @@ class OrderChangeManager:
                     'new_seat_id': op.seat.pk if op.seat else None,
                 })
                 op.position.seat = op.seat
+                assign_ticket_secret(
+                    event=self.event, position=op.position, force_invalidate=False, save=False
+                )
                 op.position.save()
             elif isinstance(op, self.SubeventOperation):
                 self.order.log_action('pretix.event.order.changed.subevent', user=self.user, auth=self.auth, data={
@@ -1586,7 +1598,9 @@ class OrderChangeManager:
                     'new_price': op.position.price
                 })
                 op.position.subevent = op.subevent
-                op.position.save()
+                assign_ticket_secret(
+                    event=self.event, position=op.position, force_invalidate=False, save=False
+                )
                 if op.position.price_before_voucher is not None and op.position.voucher and not op.position.addon_to_id:
                     op.position.price_before_voucher = max(
                         op.position.price,
@@ -1597,6 +1611,7 @@ class OrderChangeManager:
                             invoice_address=self._invoice_address
                         ).gross
                     )
+                op.position.save()
             elif isinstance(op, self.AddFeeOperation):
                 self.order.log_action('pretix.event.order.changed.addfee', user=self.user, auth=self.auth, data={
                     'fee': op.fee.pk,
@@ -1675,7 +1690,10 @@ class OrderChangeManager:
                     opa.canceled = True
                     if opa.voucher:
                         Voucher.objects.filter(pk=opa.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
-                    opa.save(update_fields=['canceled'])
+                    assign_ticket_secret(
+                        event=self.event, position=op.position, force_invalidate_if_revokation_list_used=True, force_invalidate=False, save=False
+                    )
+                    opa.save(update_fields=['canceled', 'secret'])
                 self.order.log_action('pretix.event.order.changed.cancel', user=self.user, auth=self.auth, data={
                     'position': op.position.pk,
                     'positionid': op.position.positionid,
@@ -1687,7 +1705,10 @@ class OrderChangeManager:
                 op.position.canceled = True
                 if op.position.voucher:
                     Voucher.objects.filter(pk=op.position.voucher.pk).update(redeemed=Greatest(0, F('redeemed') - 1))
-                op.position.save(update_fields=['canceled'])
+                assign_ticket_secret(
+                    event=self.event, position=op.position, force_invalidate_if_revokation_list_used=True, force_invalidate=False, save=False
+                )
+                op.position.save(update_fields=['canceled', 'secret'])
             elif isinstance(op, self.AddOperation):
                 pos = OrderPosition.objects.create(
                     item=op.item, variation=op.variation, addon_to=op.addon_to,
@@ -1709,8 +1730,9 @@ class OrderChangeManager:
             elif isinstance(op, self.SplitOperation):
                 split_positions.append(op.position)
             elif isinstance(op, self.RegenerateSecretOperation):
-                op.position.secret = generate_position_secret()
-                op.position.save()
+                assign_ticket_secret(
+                    event=self.event, position=op.position, force_invalidate=True, save=True
+                )
                 tickets.invalidate_cache.apply_async(kwargs={'event': self.event.pk,
                                                              'order': self.order.pk})
                 self.order.log_action('pretix.event.order.changed.secret', user=self.user, auth=self.auth, data={
@@ -1743,7 +1765,9 @@ class OrderChangeManager:
                 'new_order': split_order.code,
             })
             op.order = split_order
-            op.secret = generate_position_secret()
+            assign_ticket_secret(
+                self.event, position=op, force_invalidate=True,
+            )
             op.save()
 
         try:

src/pretix/base/services/shredder.py

@@ -17,7 +17,7 @@ from pretix.celery_app import app
 
 
 @app.task(base=ProfiledEventTask)
-def export(event: Event, shredders: List[str]) -> None:
+def export(event: Event, shredders: List[str], session_key=None) -> None:
     known_shredders = event.get_data_shredders()
 
     with NamedTemporaryFile() as rawfile:
@@ -55,6 +55,8 @@ def export(event: Event, shredders: List[str]) -> None:
         cf.date = now()
         cf.filename = event.slug + '.zip'
         cf.type = 'application/zip'
+        cf.session_key = session_key
+        cf.web_download = True
         cf.expires = now() + timedelta(hours=1)
         cf.save()
         cf.file.save(cachedfile_name(cf, cf.filename), rawfile)

src/pretix/base/settings.py

@@ -374,6 +374,10 @@ DEFAULTS = {
         'default': 'classic',
         'type': str,
     },
+    'ticket_secret_generator': {
+        'default': 'random',
+        'type': str,
+    },
     'reservation_time': {
         'default': '30',
         'type': int,
@@ -971,6 +975,19 @@ DEFAULTS = {
                                               'data-checkbox-dependency-visual': 'on'}),
         )
     },
+    'ticket_download_require_validated_email': {
+        'default': 'False',
+        'type': bool,
+        'serializer_class': serializers.BooleanField,
+        'form_class': forms.BooleanField,
+        'form_kwargs': dict(
+            label=_("Do not issue ticket before email address is validated"),
+            help_text=_("If turned on, tickets will not be offered for download directly after purchase. They will "
+                        "be attached to the payment confirmation email (if the file size is not too large), and the "
+                        "customer will be able to download them from the page as soon as they clicked a link in "
+                        "the email. Does not affect orders performed through other sales channels."),
+        )
+    },
     'event_list_availability': {
         'default': 'True',
         'type': bool

src/pretix/base/signals.py

@@ -216,6 +216,16 @@ subclass of pretix.base.invoice.BaseInvoiceRenderer or a list of these
 As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
 """
 
+register_ticket_secret_generators = EventPluginSignal(
+    providing_args=[]
+)
+"""
+This signal is sent out to get all known ticket secret generators. Receivers should return a
+subclass of ``pretix.base.secrets.BaseTicketSecretGenerator`` or a list of these
+
+As with all event-plugin signals, the ``sender`` keyword argument will contain the event.
+"""
+
 register_data_shredders = EventPluginSignal(
     providing_args=[]
 )

src/pretix/base/templatetags/rich_text.py

@@ -1,3 +1,4 @@
+import re
 import urllib.parse
 
 import bleach
@@ -71,6 +72,10 @@ EMAIL_RE = build_email_re(tlds=sorted(tld_set, key=len, reverse=True))
 
 
 def safelink_callback(attrs, new=False):
+    """
+    Makes sure that all links to a different domain are passed through a redirection handler
+    to ensure there's no passing of referers with secrets inside them.
+    """
     url = attrs.get((None, 'href'), '/')
     if not url_has_allowed_host_and_scheme(url, allowed_hosts=None) and not url.startswith('mailto:') and not url.startswith('tel:'):
         signer = signing.Signer(salt='safe-redirect')
@@ -80,7 +85,42 @@ def safelink_callback(attrs, new=False):
     return attrs
 
 
+def truelink_callback(attrs, new=False):
+    """
+    Tries to prevent "phishing" attacks in which a link looks like it points to a safe place but instead
+    points somewhere else, e.g.
+
+        <a href="https://evilsite.com">https://google.com</a>
+
+    At the same time, custom texts are still allowed:
+
+        <a href="https://maps.google.com">Get to the event</a>
+
+    Suffixes are also allowed:
+
+        <a href="https://maps.google.com/location/foo">https://maps.google.com</a>
+    """
+    text = re.sub('[^a-zA-Z0-9.-/_]', '', attrs.get('_text'))  # clean up link text
+    if URL_RE.match(text):
+        # link text looks like a url
+        if text.startswith('//'):
+            text = 'https:' + text
+        elif not text.startswith('http'):
+            text = 'https://' + text
+
+        text_url = urllib.parse.urlparse(text)
+        href_url = urllib.parse.urlparse(attrs[None, 'href'])
+        if text_url.netloc != href_url.netloc or not href_url.path.startswith(href_url.path):
+            # link text contains an URL that has a different base than the actual URL
+            attrs['_text'] = attrs[None, 'href']
+    return attrs
+
+
 def abslink_callback(attrs, new=False):
+    """
+    Makes sure that all links will be absolute links and will be opened in a new page with no
+    window.opener attribute.
+    """
     url = attrs.get((None, 'href'), '/')
     if not url.startswith('mailto:') and not url.startswith('tel:'):
         attrs[None, 'href'] = urllib.parse.urljoin(settings.SITE_URL, url)
@@ -93,6 +133,7 @@ def markdown_compile_email(source):
     linker = bleach.Linker(
         url_re=URL_RE,
         email_re=EMAIL_RE,
+        callbacks=DEFAULT_CALLBACKS + [truelink_callback, abslink_callback],
         parse_email=True
     )
     return linker.linkify(bleach.clean(
@@ -145,7 +186,7 @@ def rich_text(text: str, **kwargs):
     linker = bleach.Linker(
         url_re=URL_RE,
         email_re=EMAIL_RE,
-        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback]),
+        callbacks=DEFAULT_CALLBACKS + ([truelink_callback, safelink_callback] if kwargs.get('safelinks', True) else [truelink_callback, abslink_callback]),
         parse_email=True
     )
     body_md = linker.linkify(markdown_compile(text))
@@ -161,7 +202,7 @@ def rich_text_snippet(text: str, **kwargs):
     linker = bleach.Linker(
         url_re=URL_RE,
         email_re=EMAIL_RE,
-        callbacks=DEFAULT_CALLBACKS + ([safelink_callback] if kwargs.get('safelinks', True) else [abslink_callback]),
+        callbacks=DEFAULT_CALLBACKS + ([truelink_callback, safelink_callback] if kwargs.get('safelinks', True) else [truelink_callback, abslink_callback]),
         parse_email=True
     )
     body_md = linker.linkify(markdown_compile(text, snippet=True))

src/pretix/base/views/cachedfiles.py

@@ -13,7 +13,11 @@ class DownloadView(TemplateView):
     @cached_property
     def object(self) -> CachedFile:
         try:
-            return get_object_or_404(CachedFile, id=self.kwargs['id'])
+            o = get_object_or_404(CachedFile, id=self.kwargs['id'], web_download=True)
+            if o.session_key:
+                if o.session_key != self.request.session.session_key:
+                    raise Http404()
+            return o
         except ValueError:   # Invalid URLs
             raise Http404()
 

src/pretix/base/views/mixins.py

@@ -14,6 +14,7 @@ from pretix.base.models import (
     CartPosition, InvoiceAddress, OrderPosition, Question, QuestionAnswer,
     QuestionOption,
 )
+from pretix.presale.signals import contact_form_fields_overrides
 
 
 class BaseQuestionsViewMixin:
@@ -34,6 +35,9 @@ class BaseQuestionsViewMixin:
     def _positions_for_questions(self):
         raise NotImplementedError()
 
+    def get_question_override_sets(self, position):
+        return []
+
     @cached_property
     def forms(self):
         """
@@ -62,6 +66,23 @@ class BaseQuestionsViewMixin:
                     self.request.event.settings.attendee_addresses_asked
                 ))
             )
+
+            override_sets = self.get_question_override_sets(cr)
+            for overrides in override_sets:
+                for question_name, question_field in form.fields.items():
+                    if hasattr(question_field, 'question'):
+                        if question_field.question.identifier in overrides:
+                            if 'initial' in overrides[question_field.question.identifier]:
+                                question_field.initial = overrides[question_field.question.identifier]['initial']
+                            if 'disabled' in overrides[question_field.question.identifier]:
+                                question_field.disabled = overrides[question_field.question.identifier]['disabled']
+                    else:
+                        if question_name in overrides:
+                            if 'initial' in overrides[question_name]:
+                                question_field.initial = overrides[question_name]['initial']
+                            if 'disabled' in overrides[question_name]:
+                                question_field.disabled = overrides[question_name]['disabled']
+
             if len(form.fields) > 0:
                 formlist.append(form)
         return formlist
@@ -213,24 +234,47 @@ class OrderQuestionsViewMixin(BaseQuestionsViewMixin):
             self.order.total != Decimal('0.00') or not self.request.event.settings.invoice_address_not_asked_free
         )
 
+    @cached_property
+    def _contact_override_sets(self):
+        override_sets = [
+            resp for recv, resp in contact_form_fields_overrides.send(
+                self.request.event,
+                request=self.request,
+                order=self.order,
+            )
+        ]
+        for override in override_sets:
+            for k in override:
+                # We don't want initial values to be modified, they should come from the order directly
+                override[k].pop('initial', None)
+        return override_sets
+
     @cached_property
     def invoice_form(self):
         if not self.address_asked and self.request.event.settings.invoice_name_required:
-            return self.invoice_name_form_class(
+            f = self.invoice_name_form_class(
                 data=self.request.POST if self.request.method == "POST" else None,
                 event=self.request.event,
                 instance=self.invoice_address, validate_vat_id=False,
                 all_optional=self.all_optional
             )
-        if self.address_asked:
-            return self.invoice_form_class(
+        elif self.address_asked:
+            f = self.invoice_form_class(
                 data=self.request.POST if self.request.method == "POST" else None,
                 event=self.request.event,
                 instance=self.invoice_address, validate_vat_id=False,
                 all_optional=self.all_optional,
             )
         else:
-            return forms.Form(data=self.request.POST if self.request.method == "POST" else None)
+            f = forms.Form(data=self.request.POST if self.request.method == "POST" else None)
+
+        override_sets = self._contact_override_sets
+        for overrides in override_sets:
+            for fname, val in overrides.items():
+                if 'disabled' in val and fname in f.fields:
+                    f.fields[fname].disabled = val['disabled']
+
+        return f
 
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data(**kwargs)

src/pretix/control/forms/checkin.py

@@ -1,5 +1,8 @@
+from datetime import datetime, timedelta
+
 from django import forms
 from django.urls import reverse
+from django.utils.timezone import get_current_timezone, make_aware, now
 from django.utils.translation import pgettext_lazy
 from django_scopes.forms import (
     SafeModelChoiceField, SafeModelMultipleChoiceField,
@@ -10,6 +13,21 @@ from pretix.base.models.checkin import CheckinList
 from pretix.control.forms.widgets import Select2
 
 
+class NextTimeField(forms.TimeField):
+    def to_python(self, value):
+        value = super().to_python(value)
+        if value is None:
+            return
+        tz = get_current_timezone()
+        result = make_aware(datetime.combine(
+            now().astimezone(tz).date(),
+            value,
+        ), tz)
+        if result <= now():
+            result += timedelta(days=1)
+        return result
+
+
 class CheckinListForm(forms.ModelForm):
     def __init__(self, **kwargs):
         self.event = kwargs.pop('event')
@@ -26,6 +44,11 @@ class CheckinListForm(forms.ModelForm):
             widget=forms.CheckboxSelectMultiple
         )
 
+        if not self.event.organizer.gates.exists():
+            del self.fields['gates']
+        else:
+            self.fields['gates'].queryset = self.event.organizer.gates.all()
+
         if self.event.has_subevents:
             self.fields['subevent'].queryset = self.event.subevents.all()
             self.fields['subevent'].widget = Select2(
@@ -55,16 +78,24 @@ class CheckinListForm(forms.ModelForm):
             'allow_multiple_entries',
             'allow_entry_after_exit',
             'rules',
+            'gates',
+            'exit_all_at',
         ]
         widgets = {
             'limit_products': forms.CheckboxSelectMultiple(attrs={
                 'data-inverse-dependency': '<[name$=all_products]'
             }),
+            'gates': forms.CheckboxSelectMultiple(attrs={
+                'class': 'scrolling-multiple-choice'
+            }),
             'auto_checkin_sales_channels': forms.CheckboxSelectMultiple(),
+            'exit_all_at': forms.TimeInput(attrs={'class': 'timepickerfield'}),
         }
         field_classes = {
             'limit_products': SafeModelMultipleChoiceField,
+            'gates': SafeModelMultipleChoiceField,
             'subevent': SafeModelChoiceField,
+            'exit_all_at': NextTimeField,
         }
 
 
@@ -75,6 +106,11 @@ class SimpleCheckinListForm(forms.ModelForm):
         super().__init__(**kwargs)
         self.fields['limit_products'].queryset = self.event.items.all()
 
+        if not self.event.organizer.gates.exists():
+            del self.fields['gates']
+        else:
+            self.fields['gates'].queryset = self.event.organizer.gates.all()
+
     class Meta:
         model = CheckinList
         localized_fields = '__all__'
@@ -84,13 +120,18 @@ class SimpleCheckinListForm(forms.ModelForm):
             'limit_products',
             'include_pending',
             'allow_entry_after_exit',
+            'gates',
         ]
         widgets = {
             'limit_products': forms.CheckboxSelectMultiple(attrs={
                 'data-inverse-dependency': '<[name$=all_products]'
             }),
+            'gates': forms.CheckboxSelectMultiple(attrs={
+                'class': 'scrolling-multiple-choice'
+            }),
         }
         field_classes = {
             'limit_products': SafeModelMultipleChoiceField,
             'subevent': SafeModelChoiceField,
+            'gates': SafeModelMultipleChoiceField,
         }

src/pretix/control/forms/event.py

@@ -1067,7 +1067,22 @@ class TicketSettingsForm(SettingsForm):
         'ticket_download_addons',
         'ticket_download_nonadm',
         'ticket_download_pending',
+        'ticket_download_require_validated_email',
     ]
+    ticket_secret_generator = forms.ChoiceField(
+        label=_("Ticket code generator"),
+        help_text=_("For advanced users, usually does not need to be changed."),
+        required=True,
+        widget=forms.RadioSelect,
+        choices=[]
+    )
+
+    def __init__(self, *args, **kwargs):
+        event = kwargs.get('obj')
+        super().__init__(*args, **kwargs)
+        self.fields['ticket_secret_generator'].choices = [
+            (r.identifier, r.verbose_name) for r in event.ticket_secret_generators.values()
+        ]
 
     def prepare_fields(self):
         # See clean()

src/pretix/control/forms/organizer.py

@@ -15,7 +15,7 @@ from pretix.api.models import WebHook
 from pretix.api.webhooks import get_all_webhook_events
 from pretix.base.forms import I18nModelForm, SettingsForm
 from pretix.base.forms.widgets import SplitDateTimePickerWidget
-from pretix.base.models import Device, GiftCard, Organizer, Team
+from pretix.base.models import Device, Gate, GiftCard, Organizer, Team
 from pretix.control.forms import (
     ExtFileField, FontSelect, MultipleLanguagesWidget, SplitDateTimeField,
 )
@@ -175,6 +175,17 @@ class TeamForm(forms.ModelForm):
         return data
 
 
+class GateForm(forms.ModelForm):
+
+    def __init__(self, *args, **kwargs):
+        kwargs.pop('organizer')
+        super().__init__(*args, **kwargs)
+
+    class Meta:
+        model = Gate
+        fields = ['name', 'identifier']
+
+
 class DeviceForm(forms.ModelForm):
 
     def __init__(self, *args, **kwargs):
@@ -183,6 +194,7 @@ class DeviceForm(forms.ModelForm):
         self.fields['limit_events'].queryset = organizer.events.all().order_by(
             '-has_subevents', '-date_from'
         )
+        self.fields['gate'].queryset = organizer.gates.all()
 
     def clean(self):
         d = super().clean()
@@ -193,7 +205,7 @@ class DeviceForm(forms.ModelForm):
 
     class Meta:
         model = Device
-        fields = ['name', 'all_events', 'limit_events', 'security_profile']
+        fields = ['name', 'all_events', 'limit_events', 'security_profile', 'gate']
         widgets = {
             'limit_events': forms.CheckboxSelectMultiple(attrs={
                 'data-inverse-dependency': '#id_all_events',

src/pretix/control/logdisplay.py

@@ -165,21 +165,42 @@ def _display_checkin(event, logentry):
     if logentry.action_type == 'pretix.event.checkin.unknown':
         if show_dt:
             return _(
-                'Unknown scan of code "{barcode}" at {datetime} for list "{list}", type "{type}".'
+                'Unknown scan of code "{barcode}…" at {datetime} for list "{list}", type "{type}".'
             ).format(
                 posid=data.get('positionid'),
                 type=data.get('type'),
-                barcode=data.get('barcode'),
+                barcode=data.get('barcode')[:16],
                 datetime=dt_formatted,
                 list=checkin_list
             )
         else:
             return _(
-                'Unknown scan of code "{barcode}" for list "{list}", type "{type}".'
+                'Unknown scan of code "{barcode}…" for list "{list}", type "{type}".'
             ).format(
                 posid=data.get('positionid'),
                 type=data.get('type'),
-                barcode=data.get('barcode'),
+                barcode=data.get('barcode')[:16],
+                list=checkin_list
+            )
+
+    if logentry.action_type == 'pretix.event.checkin.revoked':
+        if show_dt:
+            return _(
+                'Scan scan of revoked code "{barcode}…" at {datetime} for list "{list}", type "{type}", was uploaded.'
+            ).format(
+                posid=data.get('positionid'),
+                type=data.get('type'),
+                barcode=data.get('barcode')[:16],
+                datetime=dt_formatted,
+                list=checkin_list
+            )
+        else:
+            return _(
+                'Scan of revoked code "{barcode}" for list "{list}", type "{type}", was uploaded.'
+            ).format(
+                posid=data.get('positionid'),
+                type=data.get('type'),
+                barcode=data.get('barcode')[:16],
                 list=checkin_list
             )
 
@@ -391,6 +412,9 @@ def pretixcontrol_logentry_display(sender: Event, logentry: LogEntry, **kwargs):
         'pretix.team.created': _('The team has been created.'),
         'pretix.team.changed': _('The team settings have been changed.'),
         'pretix.team.deleted': _('The team has been deleted.'),
+        'pretix.gate.created': _('The gate has been created.'),
+        'pretix.gate.changed': _('The gate has been changed.'),
+        'pretix.gate.deleted': _('The gate has been deleted.'),
         'pretix.subevent.deleted': pgettext_lazy('subevent', 'The event date has been deleted.'),
         'pretix.subevent.canceled': pgettext_lazy('subevent', 'The event date has been canceled.'),
         'pretix.subevent.changed': pgettext_lazy('subevent', 'The event date has been changed.'),

src/pretix/control/navigation.py

@@ -454,8 +454,23 @@ def get_organizer_navigation(request):
             'url': reverse('control:organizer.devices', kwargs={
                 'organizer': request.organizer.slug
             }),
-            'active': 'organizer.device' in url.url_name,
             'icon': 'tablet',
+            'children': [
+                {
+                    'label': _('Devices'),
+                    'url': reverse('control:organizer.devices', kwargs={
+                        'organizer': request.organizer.slug
+                    }),
+                    'active': 'organizer.device' in url.url_name,
+                },
+                {
+                    'label': _('Gates'),
+                    'url': reverse('control:organizer.gates', kwargs={
+                        'organizer': request.organizer.slug
+                    }),
+                    'active': 'organizer.gate' in url.url_name,
+                }
+            ]
         })
     if 'can_manage_gift_cards' in request.orgapermset:
         nav.append({

src/pretix/control/templates/pretixcontrol/checkin/list_edit.html

@@ -58,7 +58,11 @@
 
                 {% bootstrap_field form.allow_multiple_entries layout="control" %}
                 {% bootstrap_field form.allow_entry_after_exit layout="control" %}
+                {% bootstrap_field form.exit_all_at layout="control" %}
                 {% bootstrap_field form.auto_checkin_sales_channels layout="control" %}
+                {% if form.gates %}
+                    {% bootstrap_field form.gates layout="control" %}
+                {% endif %}
 
                 <h3>{% trans "Custom check-in rule" %}</h3>
                 <div id="rules-editor" class="form-inline">

src/pretix/control/templates/pretixcontrol/event/tickets.html

@@ -22,6 +22,7 @@
                 {% bootstrap_field form.ticket_download_addons layout="control" horizontal_label_class='sr-only' horizontal_field_class='col-md-12' %}
                 {% bootstrap_field form.ticket_download_nonadm layout="control" horizontal_label_class='sr-only' horizontal_field_class='col-md-12' %}
                 {% bootstrap_field form.ticket_download_pending layout="control" horizontal_label_class='sr-only' horizontal_field_class='col-md-12' %}
+                {% bootstrap_field form.ticket_download_require_validated_email layout="control" horizontal_label_class='sr-only' horizontal_field_class='col-md-12' %}
             </fieldset>
             <fieldset>
                 <legend>{% trans "Download formats" %}</legend>
@@ -61,6 +62,10 @@
                 <legend>{% trans "Download time" %}</legend>
                 {% bootstrap_field form.ticket_download_date layout="control" %}
             </fieldset>
+            <fieldset>
+                <legend>{% trans "Ticket codes" %}</legend>
+                {% bootstrap_field form.ticket_secret_generator layout="control" %}
+            </fieldset>
         </div>
         <div class="form-group submit-group">
             <button type="submit" class="btn btn-primary btn-save">

src/pretix/control/templates/pretixcontrol/items/questions.html

@@ -40,7 +40,8 @@
                             {% if q.pk %}
                                 </a>
                             {% endif %}
-                        </strong>
+                        </strong><br>
+                        <small class="text-muted">{{ q.identifier }}</small>
                     </td>
                     <td>
                         {% if q.pk %}

src/pretix/control/templates/pretixcontrol/order/index.html

@@ -299,13 +299,17 @@
                                 {% if line.checkins.all %}
                                     {% for c in line.checkins.all %}
                                         {% if c.type == "exit" %}
-                                            <span class="fa fa-fw fa-sign-out" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Exit scan: {{ date }}{% endblocktrans %}"></span>
+                                            {% if c.auto_checked_in %}
+                                                <span class="fa fa-fw fa-hourglass-end" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically marked not present: {{ date }}{% endblocktrans %}"></span>
+                                            {% else %}
+                                                <span class="fa fa-fw fa-sign-out" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Exit scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
+                                            {% endif %}
                                         {% elif c.forced %}
-                                            <span class="fa fa-fw fa-warning" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Additional entry scan: {{ date }}{% endblocktrans %}"></span>
+                                            <span class="fa fa-fw fa-warning" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Additional entry scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                         {% elif c.auto_checked_in %}
-                                            <span class="fa fa-fw fa-magic" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically checked in: {{ date }}{% endblocktrans %}"></span>
+                                            <span class="fa fa-fw fa-magic" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Automatically checked in: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                         {% else %}
-                                            <span class="fa fa-fw fa-check" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Entry scan: {{ date }}{% endblocktrans %}"></span>
+                                            <span class="fa fa-fw fa-check" data-toggle="tooltip_html" title="{{ c.list.name }}<br>{% blocktrans trimmed with date=c.datetime|date:'SHORT_DATETIME_FORMAT' %}Entry scan: {{ date }}{% endblocktrans %}{% if c.gate %}<br>{{ c.gate }}{% endif %}"></span>
                                         {% endif %}
                                     {% endfor %}
                                 {% endif %}

src/pretix/control/templates/pretixcontrol/organizers/device_edit.html

@@ -14,10 +14,17 @@
         {% endif %}
         {% csrf_token %}
         {% bootstrap_form_errors form %}
-        {% bootstrap_field form.name layout="control" %}
-        {% bootstrap_field form.all_events layout="control" %}
-        {% bootstrap_field form.limit_events layout="control" %}
-        {% bootstrap_field form.security_profile layout="control" %}
+        <fieldset>
+            <legend>{% trans "General" %}</legend>
+            {% bootstrap_field form.name layout="control" %}
+            {% bootstrap_field form.all_events layout="control" %}
+            {% bootstrap_field form.limit_events layout="control" %}
+        </fieldset>
+        <fieldset>
+            <legend>{% trans "Advanced settings" %}</legend>
+            {% bootstrap_field form.security_profile layout="control" %}
+            {% bootstrap_field form.gate layout="control" %}
+        </fieldset>
         <div class="form-group submit-group">
             <button type="submit" class="btn btn-primary btn-save">
                 {% trans "Save" %}

src/pretix/control/templates/pretixcontrol/organizers/gate_delete.html

@@ -0,0 +1,19 @@
+{% extends "pretixcontrol/organizers/base.html" %}
+{% load i18n %}
+{% load bootstrap3 %}
+{% block inner %}
+    <h1>{% trans "Delete gate:" %} {{ gate.name }}</h1>
+    <form action="" method="post" class="form-horizontal">
+        {% csrf_token %}
+        <p>{% blocktrans %}Are you sure you want to delete the gate?{% endblocktrans %}
+        </p>
+        <div class="form-group submit-group">
+            <a href="{% url "control:organizer.teams" organizer=request.organizer.slug %}" class="btn btn-default btn-cancel">
+                {% trans "Cancel" %}
+            </a>
+            <button type="submit" class="btn btn-danger btn-save">
+                {% trans "Delete" %}
+            </button>
+        </div>
+    </form>
+{% endblock %}

src/pretix/control/templates/pretixcontrol/organizers/gate_edit.html

@@ -0,0 +1,20 @@
+{% extends "pretixcontrol/organizers/base.html" %}
+{% load i18n %}
+{% load bootstrap3 %}
+{% block inner %}
+    {% if gate %}
+        <h1>{% trans "Gate:" %} {{ gate.name }}</h1>
+    {% else %}
+        <h1>{% trans "Create a new gate" %}</h1>
+    {% endif %}
+    <form class="form-horizontal" action="" method="post">
+        {% csrf_token %}
+        {% bootstrap_form form layout="control" %}
+        <div class="form-group submit-group">
+            <button type="submit" class="btn btn-primary btn-save">
+                {% trans "Save" %}
+            </button>
+        </div>
+
+    </form>
+{% endblock %}

src/pretix/control/templates/pretixcontrol/organizers/gates.html

@@ -0,0 +1,38 @@
+{% extends "pretixcontrol/organizers/base.html" %}
+{% load i18n %}
+{% load bootstrap3 %}
+{% block inner %}
+    <h1>{% trans "Gates" %}</h1>
+    <p>
+        {% trans "The list below shows gates that you can use to group check-in devices." %}
+    </p>
+    <a href="{% url "control:organizer.gate.add" organizer=request.organizer.slug %}" class="btn btn-default">
+        <span class="fa fa-plus"></span>
+        {% trans "Create a new gate" %}
+    </a>
+    <table class="table table-condensed table-hover">
+        <thead>
+        <tr>
+            <th>{% trans "Gate" %}</th>
+            <th></th>
+        </tr>
+        </thead>
+        <tbody>
+        {% for g in gates %}
+            <tr>
+                <td><strong>
+                    <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}">
+                        {{ g.name }}
+                    </a>
+                </strong></td>
+                <td class="text-right flip">
+                    <a href="{% url "control:organizer.gate.edit" organizer=request.organizer.slug gate=g.id %}"
+                            class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                    <a href="{% url "control:organizer.gate.delete" organizer=request.organizer.slug gate=g.id %}"
+                            class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                </td>
+            </tr>
+        {% endfor %}
+        </tbody>
+    </table>
+{% endblock %}

src/pretix/control/templates/pretixcontrol/subevents/bulk.html

@@ -509,6 +509,9 @@
                                 {% bootstrap_field form.all_products layout="control" %}
                                 {% bootstrap_field form.limit_products layout="control" %}
                                 {% bootstrap_field form.allow_entry_after_exit layout="control" %}
+                                {% if form.gates %}
+                                    {% bootstrap_field form.gates layout="control" %}
+                                {% endif %}
                             </div>
                         </div>
                     {% endfor %}
@@ -538,6 +541,9 @@
                                 {% bootstrap_field cl_formset.empty_form.all_products layout="control" %}
                                 {% bootstrap_field cl_formset.empty_form.limit_products layout="control" %}
                                 {% bootstrap_field cl_formset.empty_form.allow_entry_after_exit layout="control" %}
+                                {% if cl_formset.empty_form.gates %}
+                                    {% bootstrap_field cl_formset.empty_form.gates layout="control" %}
+                                {% endif %}
                             </div>
                         </div>
                     {% endescapescript %}

src/pretix/control/templates/pretixcontrol/subevents/detail.html

@@ -193,6 +193,9 @@
                                         {% bootstrap_field form.all_products layout="control" %}
                                         {% bootstrap_field form.limit_products layout="control" %}
                                         {% bootstrap_field form.allow_entry_after_exit layout="control" %}
+                                        {% if form.gates %}
+                                            {% bootstrap_field form.gates layout="control" %}
+                                        {% endif %}
                                     </div>
                                 </div>
                             {% endfor %}
@@ -222,6 +225,9 @@
                                         {% bootstrap_field cl_formset.empty_form.all_products layout="control" %}
                                         {% bootstrap_field cl_formset.empty_form.limit_products layout="control" %}
                                         {% bootstrap_field cl_formset.empty_form.allow_entry_after_exit layout="control" %}
+                                        {% if cl_formset.empty_form.gates %}
+                                            {% bootstrap_field cl_formset.empty_form.gates layout="control" %}
+                                        {% endif %}
                                     </div>
                                 </div>
                             {% endescapescript %}

src/pretix/control/urls.py

@@ -99,6 +99,12 @@ urlpatterns = [
         name='organizer.device.revoke'),
     url(r'^organizer/(?P<organizer>[^/]+)/device/(?P<device>[^/]+)/logs$', organizer.DeviceLogView.as_view(),
         name='organizer.device.logs'),
+    url(r'^organizer/(?P<organizer>[^/]+)/gates$', organizer.GateListView.as_view(), name='organizer.gates'),
+    url(r'^organizer/(?P<organizer>[^/]+)/gate/add$', organizer.GateCreateView.as_view(), name='organizer.gate.add'),
+    url(r'^organizer/(?P<organizer>[^/]+)/gate/(?P<gate>[^/]+)/edit$', organizer.GateUpdateView.as_view(),
+        name='organizer.gate.edit'),
+    url(r'^organizer/(?P<organizer>[^/]+)/gate/(?P<gate>[^/]+)/delete$', organizer.GateDeleteView.as_view(),
+        name='organizer.gate.delete'),
     url(r'^organizer/(?P<organizer>[^/]+)/teams$', organizer.TeamListView.as_view(), name='organizer.teams'),
     url(r'^organizer/(?P<organizer>[^/]+)/team/add$', organizer.TeamCreateView.as_view(), name='organizer.team.add'),
     url(r'^organizer/(?P<organizer>[^/]+)/team/(?P<team>[^/]+)/$', organizer.TeamMemberView.as_view(),

src/pretix/control/views/auth.py

@@ -74,13 +74,15 @@ def login(request):
         backend = [b for b in backends if b.visible][0]
     if request.user.is_authenticated:
         next_url = backend.get_next_url(request) or 'control:index'
-        return redirect(next_url)
+        if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
+            return redirect(next_url)
+        return redirect(reverse('control:index'))
     if request.method == 'POST':
-        form = LoginForm(backend=backend, data=request.POST)
+        form = LoginForm(backend=backend, data=request.POST, request=request)
         if form.is_valid() and form.user_cache and form.user_cache.auth_backend == backend.identifier:
             return process_login(request, form.user_cache, form.cleaned_data.get('keep_logged_in', False))
     else:
-        form = LoginForm(backend=backend)
+        form = LoginForm(backend=backend, request=request)
     ctx['form'] = form
     ctx['can_register'] = settings.PRETIX_REGISTRATION
     ctx['can_reset'] = settings.PRETIX_PASSWORD_RESET

src/pretix/control/views/orders.py

@@ -40,13 +40,14 @@ from pretix.base.i18n import language
 from pretix.base.models import (
     CachedCombinedTicket, CachedFile, CachedTicket, Checkin, Invoice,
     InvoiceAddress, Item, ItemVariation, LogEntry, Order, QuestionAnswer,
-    Quota, generate_position_secret, generate_secret,
+    Quota, generate_secret,
 )
 from pretix.base.models.orders import (
     CancellationRequest, OrderFee, OrderPayment, OrderPosition, OrderRefund,
 )
 from pretix.base.models.tax import EU_COUNTRIES, cc_to_vat_prefix
 from pretix.base.payment import PaymentException
+from pretix.base.secrets import assign_ticket_secret
 from pretix.base.services import tickets
 from pretix.base.services.cancelevent import cancel_event
 from pretix.base.services.export import export
@@ -1644,8 +1645,9 @@ class OrderContactChange(OrderView):
                 changed = True
                 self.order.secret = generate_secret()
                 for op in self.order.all_positions.all():
-                    op.secret = generate_position_secret()
-                    op.save()
+                    assign_ticket_secret(
+                        self.request.event, position=op, force_invalidate=True, save=True
+                    )
                 tickets.invalidate_cache.apply_async(kwargs={'event': self.request.event.pk, 'order': self.order.pk})
                 self.order.log_action('pretix.event.order.secret.changed', user=self.request.user)
 
@@ -1956,9 +1958,9 @@ class ExportDoView(EventPermissionRequiredMixin, ExportMixin, AsyncAction, View)
             messages.error(self.request, _('There was a problem processing your input. See below for error details.'))
             return self.get(request, *args, **kwargs)
 
-        cf = CachedFile()
+        cf = CachedFile(web_download=True, session_key=request.session.session_key)
         cf.date = now()
-        cf.expires = now() + timedelta(days=3)
+        cf.expires = now() + timedelta(hours=24)
         cf.save()
         return self.do(self.request.event.id, str(cf.id), self.exporter.identifier, self.exporter.form.cleaned_data)
 

src/pretix/control/views/organizer.py

@@ -28,8 +28,8 @@ from django.views.generic import (
 from pretix.api.models import WebHook
 from pretix.base.auth import get_auth_backends
 from pretix.base.models import (
-    CachedFile, Device, GiftCard, LogEntry, OrderPayment, Organizer, Team,
-    TeamInvite, User,
+    CachedFile, Device, Gate, GiftCard, LogEntry, OrderPayment, Organizer,
+    Team, TeamInvite, User,
 )
 from pretix.base.models.event import Event, EventMetaProperty, EventMetaValue
 from pretix.base.models.giftcards import (
@@ -46,9 +46,9 @@ from pretix.control.forms.filter import (
 )
 from pretix.control.forms.orders import ExporterForm
 from pretix.control.forms.organizer import (
-    DeviceForm, EventMetaPropertyForm, GiftCardCreateForm, GiftCardUpdateForm,
-    OrganizerDeleteForm, OrganizerForm, OrganizerSettingsForm,
-    OrganizerUpdateForm, TeamForm, WebHookForm,
+    DeviceForm, EventMetaPropertyForm, GateForm, GiftCardCreateForm,
+    GiftCardUpdateForm, OrganizerDeleteForm, OrganizerForm,
+    OrganizerSettingsForm, OrganizerUpdateForm, TeamForm, WebHookForm,
 )
 from pretix.control.permissions import (
     AdministratorPermissionRequiredMixin, OrganizerPermissionRequiredMixin,
@@ -1245,9 +1245,9 @@ class ExportDoView(OrganizerPermissionRequiredMixin, ExportMixin, AsyncAction, V
             messages.error(self.request, _('There was a problem processing your input. See below for error details.'))
             return self.get(request, *args, **kwargs)
 
-        cf = CachedFile()
+        cf = CachedFile(web_download=True, session_key=request.session.session_key)
         cf.date = now()
-        cf.expires = now() + timedelta(days=3)
+        cf.expires = now() + timedelta(hours=24)
         cf.save()
         return self.do(
             organizer=self.request.organizer.id,
@@ -1265,3 +1265,104 @@ class ExportView(OrganizerPermissionRequiredMixin, ExportMixin, TemplateView):
         ctx = super().get_context_data(**kwargs)
         ctx['exporters'] = self.exporters
         return ctx
+
+
+class GateListView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, ListView):
+    model = Gate
+    template_name = 'pretixcontrol/organizers/gates.html'
+    permission = 'can_change_organizer_settings'
+    context_object_name = 'gates'
+
+    def get_queryset(self):
+        return self.request.organizer.gates.all()
+
+
+class GateCreateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, CreateView):
+    model = Gate
+    template_name = 'pretixcontrol/organizers/gate_edit.html'
+    permission = 'can_change_organizer_settings'
+    form_class = GateForm
+
+    def get_form_kwargs(self):
+        kwargs = super().get_form_kwargs()
+        kwargs['organizer'] = self.request.organizer
+        return kwargs
+
+    def get_object(self, queryset=None):
+        return get_object_or_404(Gate, organizer=self.request.organizer, pk=self.kwargs.get('gate'))
+
+    def get_success_url(self):
+        return reverse('control:organizer.gates', kwargs={
+            'organizer': self.request.organizer.slug,
+        })
+
+    def form_valid(self, form):
+        messages.success(self.request, _('The gate has been created.'))
+        form.instance.organizer = self.request.organizer
+        ret = super().form_valid(form)
+        form.instance.log_action('pretix.gate.created', user=self.request.user, data={
+            k: getattr(self.object, k) for k in form.changed_data
+        })
+        return ret
+
+    def form_invalid(self, form):
+        messages.error(self.request, _('Your changes could not be saved.'))
+        return super().form_invalid(form)
+
+
+class GateUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, UpdateView):
+    model = Gate
+    template_name = 'pretixcontrol/organizers/gate_edit.html'
+    permission = 'can_change_organizer_settings'
+    context_object_name = 'gate'
+    form_class = GateForm
+
+    def get_form_kwargs(self):
+        kwargs = super().get_form_kwargs()
+        kwargs['organizer'] = self.request.organizer
+        return kwargs
+
+    def get_object(self, queryset=None):
+        return get_object_or_404(Gate, organizer=self.request.organizer, pk=self.kwargs.get('gate'))
+
+    def get_success_url(self):
+        return reverse('control:organizer.gates', kwargs={
+            'organizer': self.request.organizer.slug,
+        })
+
+    def form_valid(self, form):
+        if form.has_changed():
+            self.object.log_action('pretix.gate.changed', user=self.request.user, data={
+                k: getattr(self.object, k)
+                for k in form.changed_data
+            })
+        messages.success(self.request, _('Your changes have been saved.'))
+        return super().form_valid(form)
+
+    def form_invalid(self, form):
+        messages.error(self.request, _('Your changes could not be saved.'))
+        return super().form_invalid(form)
+
+
+class GateDeleteView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin, DeleteView):
+    model = Gate
+    template_name = 'pretixcontrol/organizers/gate_delete.html'
+    permission = 'can_change_organizer_settings'
+    context_object_name = 'gate'
+
+    def get_object(self, queryset=None):
+        return get_object_or_404(Gate, organizer=self.request.organizer, pk=self.kwargs.get('gate'))
+
+    def get_success_url(self):
+        return reverse('control:organizer.gates', kwargs={
+            'organizer': self.request.organizer.slug,
+        })
+
+    @transaction.atomic
+    def delete(self, request, *args, **kwargs):
+        success_url = self.get_success_url()
+        self.object = self.get_object()
+        self.object.log_action('pretix.gate.deleted', user=self.request.user)
+        self.object.delete()
+        messages.success(request, _('The selected gate has been deleted.'))
+        return redirect(success_url)

src/pretix/control/views/pdf.py

@@ -137,7 +137,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
             buffer = BytesIO()
             p.write(buffer)
             buffer.seek(0)
-            c = CachedFile()
+            c = CachedFile(web_download=True)
             c.expires = now() + timedelta(days=7)
             c.date = now()
             c.filename = 'background_preview.pdf'
@@ -162,7 +162,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
                     "status": "error",
                     "error": error
                 })
-            c = CachedFile()
+            c = CachedFile(web_download=True)
             c.expires = now() + timedelta(days=7)
             c.date = now()
             c.filename = 'background_preview.pdf'

src/pretix/control/views/shredder.py

@@ -75,7 +75,7 @@ class ShredExportView(RecentAuthenticationRequiredMixin, EventPermissionRequired
         if constr:
             return self.error(ShredError(self.get_error_url()))
 
-        return self.do(self.request.event.id, request.POST.getlist("shredder"))
+        return self.do(self.request.event.id, request.POST.getlist("shredder"), self.request.session.session_key)
 
 
 class ShredDoView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):

src/pretix/locale/ar/LC_MESSAGES/djangojs.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2020-10-13 16:13+0000\n"
+"POT-Creation-Date: 2020-10-24 20:02+0000\n"
 "PO-Revision-Date: 2020-07-30 19:00+0000\n"
 "Last-Translator: Abdullah <abdullah.gumaijan@gmail.com>\n"
 "Language-Team: Arabic <https://translate.pretix.eu/projects/pretix/pretix-js/"

src/pretix/locale/ca/LC_MESSAGES/djangojs.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2020-10-13 16:13+0000\n"
+"POT-Creation-Date: 2020-10-24 20:02+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: Automatically generated\n"
 "Language-Team: none\n"

src/pretix/locale/cs/LC_MESSAGES/djangojs.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2020-10-13 16:13+0000\n"
+"POT-Creation-Date: 2020-10-24 20:02+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: Automatically generated\n"
 "Language-Team: none\n"

src/pretix/locale/da/LC_MESSAGES/djangojs.po

@@ -6,7 +6,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2020-10-13 16:13+0000\n"
+"POT-Creation-Date: 2020-10-24 20:02+0000\n"
 "PO-Revision-Date: 2020-09-15 02:00+0000\n"
 "Last-Translator: Mie Frydensbjerg <mif@aarhus.dk>\n"
 "Language-Team: Danish <https://translate.pretix.eu/projects/pretix/pretix-js/"