Fix negative prices in bundles when tax rate is 0

* Authentication: Support for fallback secret keys in get_session_auth_hash

* Update src/pretix/presale/utils.py

Co-authored-by: Richard Schreiber <schreiber@rami.io>

---------

Co-authored-by: Richard Schreiber <schreiber@rami.io>

doc/admin/config.rst

@@ -294,6 +294,10 @@ Example::
     setting is not provided, pretix will generate a random secret on the first start
     and will store it in the filesystem for later usage.
 
+``secret_fallback0`` ... ``secret_fallback9``
+    Prior versions of the secret to be used by Django for signing and verification purposes that will still
+    be accepted but no longer be used for new signing.
+
 ``debug``
     Whether or not to run in debug mode. Default is ``False``.
 

pyproject.toml

@@ -80,18 +80,18 @@ dependencies = [
   "psycopg2-binary",
   "pycountry",
   "pycparser==2.22",
-  "pycryptodome==3.20.*",
+  "pycryptodome==3.21.*",
   "pypdf==5.0.*",
   "python-bidi==0.6.*",  # Support for Arabic in reportlab
   "python-dateutil==2.9.*",
   "pytz",
   "pytz-deprecation-shim==0.1.*",
   "pyuca",
-  "qrcode==7.4.*",
-  "redis==5.0.*",
+  "qrcode==8.0",
+  "redis==5.1.*",
   "reportlab==4.2.*",
   "requests==2.31.*",
-  "sentry-sdk==2.14.*",
+  "sentry-sdk==2.15.*",
   "sepaxml==2.6.*",
   "slimit",
   "stripe==7.9.*",

src/pretix/base/models/auth.py

@@ -571,13 +571,23 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
 
     def get_session_auth_hash(self):
         """
-        Return an HMAC that needs to
+        Return an HMAC that needs to be the same throughout the session, used e.g. for forced
+        logout after every password change.
+        """
+        return self._get_session_auth_hash(secret=settings.SECRET_KEY)
+
+    def get_session_auth_fallback_hash(self):
+        for fallback_secret in settings.SECRET_KEY_FALLBACKS:
+            yield self._get_session_auth_hash(secret=fallback_secret)
+
+    def _get_session_auth_hash(self, secret):
+        """
         """
         key_salt = "pretix.base.models.User.get_session_auth_hash"
         payload = self.password
         payload += self.email
         payload += self.session_token
-        return salted_hmac(key_salt, payload).hexdigest()
+        return salted_hmac(key_salt, payload, secret=secret).hexdigest()
 
     def update_session_token(self):
         self.session_token = generate_session_token()

src/pretix/base/models/customers.py

@@ -219,13 +219,24 @@ class Customer(LoggedModel):
         return is_password_usable(self.password)
 
     def get_session_auth_hash(self):
+        """
+        Return an HMAC that needs to be the same throughout the session, used e.g. for forced
+        logout after every password change.
+        """
+        return self._get_session_auth_hash(secret=settings.SECRET_KEY)
+
+    def get_session_auth_fallback_hash(self):
+        for fallback_secret in settings.SECRET_KEY_FALLBACKS:
+            yield self._get_session_auth_hash(secret=fallback_secret)
+
+    def _get_session_auth_hash(self, secret):
         """
         Return an HMAC of the password field.
         """
         key_salt = "pretix.base.models.customers.Customer.get_session_auth_hash"
         payload = self.password
         payload += self.email
-        return salted_hmac(key_salt, payload).hexdigest()
+        return salted_hmac(key_salt, payload, secret=secret).hexdigest()
 
     def get_email_context(self):
         from pretix.base.settings import get_name_parts_localized

src/pretix/base/models/orders.py

@@ -40,6 +40,7 @@ import json
 import logging
 import operator
 import string
+import warnings
 from collections import Counter
 from datetime import datetime, time, timedelta
 from decimal import Decimal
@@ -381,8 +382,28 @@ class Order(LockModel, LoggedModel):
         self.event.cache.delete('complain_testmode_orders')
         self.delete()
 
+    def email_confirm_secret(self):
+        return self.tagged_secret("email_confirm", 9)
+
     def email_confirm_hash(self):
-        return hashlib.sha256(settings.SECRET_KEY.encode() + self.secret.encode()).hexdigest()[:9]
+        warnings.warn('Use email_confirm_secret() instead of email_confirm_hash().',
+                      DeprecationWarning)
+        return self.email_confirm_secret()
+
+    def check_email_confirm_secret(self, received_secret):
+        return (
+            hmac.compare_digest(
+                self.tagged_secret("email_confirm", 9),
+                received_secret[:9].lower()
+            ) or any(
+                # TODO: remove this clause after a while (compatibility with old secrets currently in flight)
+                hmac.compare_digest(
+                    hashlib.sha256(sk.encode() + self.secret.encode()).hexdigest()[:9],
+                    received_secret
+                )
+                for sk in [settings.SECRET_KEY, *settings.SECRET_KEY_FALLBACKS]
+            )
+        )
 
     def get_extended_status_display(self):
         # Changes in this method should to be replicated in pretixcontrol/orders/fragment_order_status.html

src/pretix/base/models/tax.py

@@ -306,8 +306,11 @@ class TaxRule(LoggedModel):
 
         if rate == Decimal('0.00'):
             return TaxedPrice(
-                net=base_price - subtract_from_gross, gross=base_price - subtract_from_gross, tax=Decimal('0.00'),
-                rate=rate, name=self.name
+                net=max(Decimal('0.00'), base_price - subtract_from_gross),
+                gross=max(Decimal('0.00'), base_price - subtract_from_gross),
+                tax=Decimal('0.00'),
+                rate=rate,
+                name=self.name,
             )
 
         if base_price_is == 'auto':

src/pretix/base/services/mail.py

@@ -301,7 +301,7 @@ def mail(email: Union[str, Sequence[str]], subject: str, template: Union[str, La
                         order.event, 'presale:event.order.open', kwargs={
                             'order': order.code,
                             'secret': order.secret,
-                            'hash': order.email_confirm_hash()
+                            'hash': order.email_confirm_secret()
                         }
                     )
                 )

src/pretix/base/services/placeholders.py

@@ -262,7 +262,7 @@ def base_placeholders(sender, **kwargs):
                 'presale:event.order.open', kwargs={
                     'order': order.code,
                     'secret': order.secret,
-                    'hash': order.email_confirm_hash()
+                    'hash': order.email_confirm_secret()
                 }
             ), lambda event: build_absolute_uri(
                 event,
@@ -443,7 +443,7 @@ def base_placeholders(sender, **kwargs):
                         'organizer': event.organizer.slug,
                         'order': order.code,
                         'secret': order.secret,
-                        'hash': order.email_confirm_hash(),
+                        'hash': order.email_confirm_secret(),
                     }),
                 )
                 for order in orders

src/pretix/base/templates/pretixbase/email/order_details.html

@@ -143,7 +143,7 @@
         </tr>
     </table>
     <div class="order-button">
-        <a href="{% abseventurl event "presale:event.order.open" hash=order.email_confirm_hash order=order.code secret=order.secret %}" class="button">
+        <a href="{% abseventurl event "presale:event.order.open" hash=order.email_confirm_secret order=order.code secret=order.secret %}" class="button">
             {% trans "View order details" %}
         </a>
     </div>

src/pretix/base/timeline.py

@@ -103,7 +103,7 @@ def timeline_for_event(event, subevent=None):
         tl.append(TimelineEvent(
             event=event, subevent=subevent,
             datetime=rd.datetime(ev),
-            description=pgettext_lazy('timeline', 'Customers can no longer modify their orders'),
+            description=pgettext_lazy('timeline', 'Customers can no longer modify their order information'),
             edit_url=ev_edit_url
         ))
 
@@ -159,6 +159,18 @@ def timeline_for_event(event, subevent=None):
             })
         ))
 
+    rd = event.settings.get('change_allow_user_until', as_type=RelativeDateWrapper)
+    if rd and event.settings.change_allow_user_until:
+        tl.append(TimelineEvent(
+            event=event, subevent=subevent,
+            datetime=rd.datetime(ev),
+            description=pgettext_lazy('timeline', 'Customers can no longer make changes to their orders'),
+            edit_url=reverse('control:event.settings.cancel', kwargs={
+                'event': event.slug,
+                'organizer': event.organizer.slug
+            })
+        ))
+
     rd = event.settings.get('waiting_list_auto_disable', as_type=RelativeDateWrapper)
     if rd and event.settings.waiting_list_enabled:
         tl.append(TimelineEvent(

src/pretix/control/forms/vouchers.py

@@ -239,11 +239,14 @@ class VoucherForm(I18nModelForm):
                 self.instance.event, self.instance.quota, self.instance.item, self.instance.variation
             )
         Voucher.clean_voucher_code(data, self.instance.event, self.instance.pk)
-        if 'seat' in self.fields and data.get('seat'):
-            self.instance.seat = Voucher.clean_seat_id(
-                data, self.instance.item, self.instance.quota, self.instance.event, self.instance.pk
-            )
-            self.instance.item = self.instance.seat.product
+        if 'seat' in self.fields:
+            if data.get('seat'):
+                self.instance.seat = Voucher.clean_seat_id(
+                    data, self.instance.item, self.instance.quota, self.instance.event, self.instance.pk
+                )
+                self.instance.item = self.instance.seat.product
+            else:
+                self.instance.seat = None
 
         voucher_form_validation.send(sender=self.instance.event, form=self, data=data)
 

src/pretix/control/templates/pretixcontrol/waitinglist/index.html

@@ -21,6 +21,11 @@
             {% trans "The waiting list is no longer active for this event. The waiting list no longer affects quotas and no longer notifies waiting users." %}
         </div>
     {% endif %}
+    {% if request.event.settings.hide_sold_out %}
+        <div class="alert alert-warning">
+            {% trans "According to your event settings, sold out products are hidden from customers. This way, customers will not be able to discovere the waiting list." %}
+        </div>
+    {% endif %}
     <div class="row">
         {% if 'can_change_orders' in request.eventpermset %}
             <form method="post" class="col-md-6"

src/pretix/locale/hu/LC_MESSAGES/djangojs.po

@@ -8,16 +8,16 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-08-27 13:34+0000\n"
-"PO-Revision-Date: 2020-01-24 08:00+0000\n"
-"Last-Translator: Prokaj Miklós <mixolid0@gmail.com>\n"
-"Language-Team: Hungarian <https://translate.pretix.eu/projects/pretix/pretix-"
-"js/hu/>\n"
+"PO-Revision-Date: 2024-10-01 22:52+0000\n"
+"Last-Translator: Patrick Chilton <chpatrick@gmail.com>\n"
+"Language-Team: Hungarian <https://translate.pretix.eu/projects/pretix/"
+"pretix-js/hu/>\n"
 "Language: hu\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 3.5.1\n"
+"X-Generator: Weblate 5.7.2\n"
 
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:56
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:62
@@ -134,9 +134,6 @@ msgstr ""
 
 #: pretix/plugins/paypal2/static/pretixplugins/paypal2/pretix-paypal.js:167
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:50
-#, fuzzy
-#| msgctxt "widget"
-#| msgid "Continue"
 msgid "Continue"
 msgstr "Folytatás"
 
@@ -173,7 +170,7 @@ msgstr "Kapcsolatfelvétel Stripe-pal…"
 
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:72
 msgid "Total"
-msgstr "Teljes"
+msgstr "Összeg"
 
 #: pretix/plugins/stripe/static/pretixplugins/stripe/pretix-stripe.js:291
 msgid "Contacting your bank …"
@@ -241,7 +238,7 @@ msgstr ""
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:44
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:45
 msgid "Canceled"
-msgstr ""
+msgstr "Lemondva"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:46
 msgid "Confirmed"
@@ -249,7 +246,7 @@ msgstr ""
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:47
 msgid "Approval pending"
-msgstr ""
+msgstr "Engedélyre vár"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:48
 #, fuzzy
@@ -260,7 +257,7 @@ msgstr "Beváltás"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:49
 msgid "Cancel"
-msgstr ""
+msgstr "Lemondás"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:51
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:60
@@ -273,7 +270,7 @@ msgstr ""
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:53
 msgid "Additional information required"
-msgstr ""
+msgstr "Több információ szükséges"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:54
 msgid "Valid ticket"
@@ -289,7 +286,7 @@ msgstr ""
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:57
 msgid "Information required"
-msgstr ""
+msgstr "Információ szükséges"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:58
 #, fuzzy
@@ -471,7 +468,7 @@ msgstr ""
 
 #: pretix/static/pretixcontrol/js/ui/checkinrules.js:99
 msgid "Product"
-msgstr ""
+msgstr "Termék"
 
 #: pretix/static/pretixcontrol/js/ui/checkinrules.js:103
 #, fuzzy
@@ -730,12 +727,12 @@ msgstr[0] "(még egy időpont)"
 msgstr[1] "(még {num} időpont)"
 
 #: pretix/static/pretixpresale/js/ui/cart.js:43
-#, fuzzy
-#| msgid "The items in your cart are no longer reserved for you."
 msgid ""
 "The items in your cart are no longer reserved for you. You can still "
 "complete your order as long as they’re available."
-msgstr "A kosárba helyezett termékek tovább nincsenek tovább foglalva."
+msgstr ""
+"A kosárba helyezett tételek tovább már nincsenek lefoglalva. Még "
+"megpróbálhatod befejezni a rendelést, ha még elérhetőek."
 
 #: pretix/static/pretixpresale/js/ui/cart.js:45
 msgid "Cart expired"

src/pretix/locale/it/LC_MESSAGES/django.po

@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-09-26 11:22+0000\n"
-"PO-Revision-Date: 2024-08-22 15:00+0000\n"
-"Last-Translator: Michelangelo <michelangelo.morrillo@gmail.com>\n"
+"PO-Revision-Date: 2024-09-30 05:00+0000\n"
+"Last-Translator: Rosariocastellana <rosariocastellana@gmail.com>\n"
 "Language-Team: Italian <https://translate.pretix.eu/projects/pretix/pretix/"
 "it/>\n"
 "Language: it\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.7.2\n"
 
 #: pretix/_base_settings.py:79
 msgid "English"
@@ -37,7 +37,7 @@ msgstr "Arabo"
 
 #: pretix/_base_settings.py:83
 msgid "Basque"
-msgstr ""
+msgstr "Basco"
 
 #: pretix/_base_settings.py:84
 msgid "Catalan"
@@ -121,7 +121,7 @@ msgstr "Russo"
 
 #: pretix/_base_settings.py:104
 msgid "Slovak"
-msgstr ""
+msgstr "Slovacco"
 
 #: pretix/_base_settings.py:105
 msgid "Swedish"
@@ -31767,7 +31767,7 @@ msgstr ""
 
 #: pretix/presale/templates/pretixpresale/organizers/index.html:25
 msgid "Past events"
-msgstr ""
+msgstr "Eventi passati"
 
 #: pretix/presale/templates/pretixpresale/organizers/index.html:27
 msgid "Upcoming events"
@@ -31832,7 +31832,7 @@ msgstr ""
 
 #: pretix/presale/views/cart.py:190
 msgid "Please enter positive numbers only."
-msgstr ""
+msgstr "Inserisci solo numeri positivi."
 
 #: pretix/presale/views/cart.py:428
 msgid "We applied the voucher to as many products in your cart as we could."
@@ -31901,11 +31901,12 @@ msgid ""
 "Your email address has not been updated since the address is already in use "
 "for another customer account."
 msgstr ""
+"Il tuo indirizzo email non è stato aggiornato perché è già in uso per un "
+"altro account cliente."
 
 #: pretix/presale/views/customer.py:576
-#, fuzzy
 msgid "Your email address has been updated."
-msgstr "La tua gift card è stata applicata."
+msgstr "Il tuo indirizzo email è stato aggiornato."
 
 #: pretix/presale/views/customer.py:789 pretix/presale/views/customer.py:800
 #, python-brace-format
@@ -31913,43 +31914,41 @@ msgid ""
 "We were unable to use your login since the email address {email} is already "
 "used for a different account in this system."
 msgstr ""
+"Non siamo riusciti a utilizzare le tue credenziali di accesso poiché "
+"l'indirizzo email {email} è già utilizzato per un altro account in questo "
+"sistema."
 
 #: pretix/presale/views/event.py:890
 msgid "Unknown event code or not authorized to access this event."
 msgstr ""
+"Codice evento sconosciuto o non autorizzato ad accedere a questo evento."
 
 #: pretix/presale/views/event.py:897
 msgctxt "subevent"
 msgid "No date selected."
-msgstr ""
+msgstr "Nessuna data selezionata."
 
 #: pretix/presale/views/event.py:900
 msgctxt "subevent"
 msgid "Unknown date selected."
-msgstr ""
+msgstr "Data selezionata sconosciuta."
 
 #: pretix/presale/views/event.py:925 pretix/presale/views/event.py:933
 #: pretix/presale/views/event.py:936
 msgid "Please go back and try again."
-msgstr ""
+msgstr "Torna indietro e riprova."
 
 #: pretix/presale/views/event.py:949
-#, fuzzy
-#| msgid "Purchased"
 msgid "Fake date time"
-msgstr "Acquistato"
+msgstr "Data e ora errati"
 
 #: pretix/presale/views/event.py:961
-#, fuzzy
-#| msgid "Unknown order code or not authorized to access this order."
 msgid "You are not allowed to access time machine mode."
-msgstr "Numero di ordine sconosciuto oppure non autorizzato ad accedere."
+msgstr "Non ti è consentito accedere alla modalità macchina del tempo."
 
 #: pretix/presale/views/event.py:963
-#, fuzzy
-#| msgid "This gift card can only be used in test mode."
 msgid "This feature is only available in test mode."
-msgstr "Questa gift card può essere utilizzata solo in modalità test."
+msgstr "This feature is only available in test mode."
 
 #: pretix/presale/views/event.py:980
 #, fuzzy
@@ -31967,17 +31966,16 @@ msgid "The payment is too late to be accepted."
 msgstr "Il pagamento è troppo in ritardo per essere accettato."
 
 #: pretix/presale/views/order.py:463
-#, fuzzy
 msgid "An invoice has been generated."
-msgstr "Il dispositivo è statao creato."
+msgstr "È stata generata una fattura."
 
 #: pretix/presale/views/order.py:561
 msgid "The payment method for this order cannot be changed."
-msgstr ""
+msgstr "Il metodo di pagamento per questo ordine non può essere modificato."
 
 #: pretix/presale/views/order.py:572
 msgid "A payment is currently pending for this order."
-msgstr "Il pagamento è in attesa per questo ordine."
+msgstr "Al momento è in sospeso un pagamento per questo ordine."
 
 #: pretix/presale/views/order.py:853 pretix/presale/views/order.py:925
 msgid "You cannot modify this order"
@@ -32004,6 +32002,8 @@ msgstr ""
 #: pretix/presale/views/order.py:1119
 msgid "Please click the link we sent you via email to download your tickets."
 msgstr ""
+"Clicca sul link che ti abbiamo inviato via email per scaricare i tuoi "
+"biglietti."
 
 #: pretix/presale/views/order.py:1600
 #, python-brace-format
@@ -32011,22 +32011,28 @@ msgid ""
 "The order has been changed. You can now proceed by paying the open amount of "
 "{amount}."
 msgstr ""
+"L'ordine è stato modificato. Ora puoi procedere pagando l'importo scoperto "
+"di {amount}."
 
 #: pretix/presale/views/order.py:1612
 msgid "You did not make any changes."
-msgstr ""
+msgstr "Non hai apportato nessuna modifica."
 
 #: pretix/presale/views/order.py:1636
 msgid "You may not change your order in a way that reduces the total price."
 msgstr ""
+"Non è possibile modificare l'ordine in modo da ridurre il prezzo totale."
 
 #: pretix/presale/views/order.py:1638
 msgid "You may only change your order in a way that increases the total price."
 msgstr ""
+"È possibile modificare l'ordine solo in modo da aumentare il prezzo totale."
 
 #: pretix/presale/views/order.py:1640
 msgid "You may not change your order in a way that changes the total price."
 msgstr ""
+"Non è possibile modificare l'ordine in modo tale da modificare il prezzo "
+"totale."
 
 #: pretix/presale/views/order.py:1642
 msgid "You may not change your order in a way that would require a refund."
@@ -32055,10 +32061,14 @@ msgid ""
 "{number} hours. If the email did not arrive, please check your spam folder "
 "and also double check that you used the correct email address."
 msgstr ""
+"Se l'indirizzo email inserito è valido e associato a un ticket, ti abbiamo "
+"già inviato un'email con un link al tuo ticket nelle ultime {number} ore. Se "
+"l'email non è arrivata, controlla la cartella spam e verifica di aver "
+"utilizzato l'indirizzo email corretto."
 
 #: pretix/presale/views/user.py:91
 msgid "We have trouble sending emails right now, please check back later."
-msgstr ""
+msgstr "Al momento abbiamo problemi con l'invio delle email. Riprova più tardi."
 
 #: pretix/presale/views/user.py:94
 msgid ""
@@ -32079,13 +32089,13 @@ msgid ""
 msgstr ""
 
 #: pretix/presale/views/waiting.py:141
-#, fuzzy, python-brace-format
+#, python-brace-format
 msgid ""
 "We've added you to the waiting list. We will send an email to {email} as "
 "soon as this product gets available again."
 msgstr ""
-"Ti abbiamo aggiunto alla lista d'attesa. Riceverai un'email non appena i "
-"biglietti saranno di nuovo disponibili."
+"Ti abbiamo aggiunto alla lista d'attesa. Ti invieremo un'email a {email} non "
+"appena i biglietti saranno di nuovo disponibili."
 
 #: pretix/presale/views/waiting.py:169
 msgid "We could not find you on our waiting list."
@@ -32129,7 +32139,7 @@ msgstr ""
 
 #: pretix/settings.py:788
 msgid "Write access"
-msgstr ""
+msgstr "Accesso in scrittura"
 
 #: pretix/settings.py:799
 msgid "Kosovo"

src/pretix/locale/pl/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-09-26 11:22+0000\n"
-"PO-Revision-Date: 2024-08-28 10:03+0000\n"
+"PO-Revision-Date: 2024-09-27 18:00+0000\n"
 "Last-Translator: Anarion Dunedain <anarion80@gmail.com>\n"
 "Language-Team: Polish <https://translate.pretix.eu/projects/pretix/pretix/pl/"
 ">\n"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
 "|| n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 5.7\n"
+"X-Generator: Weblate 5.7.2\n"
 
 #: pretix/_base_settings.py:79
 msgid "English"
@@ -38,7 +38,7 @@ msgstr "Arabski"
 
 #: pretix/_base_settings.py:83
 msgid "Basque"
-msgstr ""
+msgstr "Baskijski"
 
 #: pretix/_base_settings.py:84
 msgid "Catalan"
@@ -649,7 +649,7 @@ msgstr "Hasło"
 
 #: pretix/base/auth.py:176 pretix/base/auth.py:183
 msgid "Your password must contain both numeric and alphabetic characters."
-msgstr ""
+msgstr "Twoje hasło musi zawierać znaki alfabetyczne i numeryczne."
 
 #: pretix/base/auth.py:202 pretix/base/auth.py:212
 #, python-format
@@ -657,9 +657,13 @@ msgid "Your password may not be the same as your previous password."
 msgid_plural ""
 "Your password may not be the same as one of your %(history_length)s previous "
 "passwords."
-msgstr[0] ""
+msgstr[0] "Twoje hasło nie może być takie samo jak poprzednie hasło."
 msgstr[1] ""
+"Twoje hasło nie może być takie samo jak jedno z twoich %(history_length)s "
+"poprzednich haseł."
 msgstr[2] ""
+"Twoje hasło nie może być takie samo jak jedno z twoich %(history_length)s "
+"poprzednich haseł."
 
 #: pretix/base/channels.py:168
 msgid "Online shop"
@@ -738,6 +742,8 @@ msgid ""
 "No supported Token Endpoint Auth Methods supported: "
 "{token_endpoint_auth_methods_supported}"
 msgstr ""
+"Brak wspieranych metod autentykacji tokena: "
+"{token_endpoint_auth_methods_supported}"
 
 #: pretix/base/customersso/oidc.py:203 pretix/base/customersso/oidc.py:210
 #: pretix/base/customersso/oidc.py:229 pretix/base/customersso/oidc.py:246
@@ -6161,10 +6167,14 @@ msgid ""
 "business customers in other EU countries in a way that works for all "
 "organizers. Use custom rules instead."
 msgstr ""
+"Ta funkcja zostanie usunięta w przyszłości, ponieważ nie obsługuje podatku "
+"VAT dla klientów niebędących firmami w innych krajach UE w sposób, który "
+"działa dla wszystkich organizatorów. Zamiast tego należy użyć reguł "
+"niestandardowych."
 
 #: pretix/base/models/tax.py:204
 msgid "DEPRECATED"
-msgstr ""
+msgstr "WYCOFANY"
 
 #: pretix/base/models/tax.py:205
 msgid ""
@@ -9537,19 +9547,15 @@ msgid "Show event times and dates on the ticket shop"
 msgstr "Pokaż godziny i daty wydarzeń w sklepie z biletami"
 
 #: pretix/base/settings.py:1297
-#, fuzzy
-#| msgid ""
-#| "If disabled, no date or time will be shown on the ticket shop's front "
-#| "page. This settings does however not affect the display in other "
-#| "locations."
 msgid ""
 "If disabled, no date or time will be shown on the ticket shop's front page. "
 "This settings also affects a few other locations, however it should not be "
 "expected that the date of the event is shown nowhere to users."
 msgstr ""
-"Jeśli opcja ta zostanie wyłączona, na stronie głównej sklepu z biletami nie "
-"będzie wyświetlana data ani godzina. To ustawienie nie ma jednak wpływu na "
-"wyświetlanie w innych lokalizacjach."
+"Jeśli opcja ta jest wyłączona, data ani godzina nie będą wyświetlane na "
+"stronie głównej sklepu z biletami. To ustawienie ma również wpływ na kilka "
+"innych lokalizacji, jednak nie należy oczekiwać, że data wydarzenia nie "
+"będzie nigdzie wyświetlana użytkownikom."
 
 #: pretix/base/settings.py:1308
 msgid "Show event end date"
@@ -12992,16 +12998,12 @@ msgid "Subject (if order will not expire automatically)"
 msgstr "Temat (jeśli zamówienie nie wygasa automatycznie)"
 
 #: pretix/control/forms/event.py:1146
-#, fuzzy
-#| msgid "Incomplete payment received: {code}"
 msgid "Subject (if an incomplete payment was received)"
-msgstr "Otrzymana niekompletna płatność: {code}"
+msgstr "Temat (jeśli otrzymano niekompletną płatność)"
 
 #: pretix/control/forms/event.py:1151
-#, fuzzy
-#| msgid "Incomplete payment received: {code}"
 msgid "Text (if an incomplete payment was received)"
-msgstr "Otrzymana niekompletna płatność: {code}"
+msgstr "Tekst (jeśli otrzymano niekompletną płatność)"
 
 #: pretix/control/forms/event.py:1154
 msgid ""
@@ -19327,10 +19329,8 @@ msgstr ""
 "doradcą podatkowym."
 
 #: pretix/control/templates/pretixcontrol/event/tax_edit.html:44
-#, fuzzy
-#| msgid "Customers"
 msgid "Custom rules"
-msgstr "Klienci"
+msgstr "Reguły niestandardowe"
 
 #: pretix/control/templates/pretixcontrol/event/tax_edit.html:46
 msgid ""
@@ -26725,6 +26725,8 @@ msgid ""
 "The team could not be deleted because the team or one of its API tokens is "
 "part of historical audit logs."
 msgstr ""
+"Zespół nie mógł zostać usunięty, ponieważ zespół lub jeden z jego tokenów "
+"API jest częścią historycznych dzienników inspekcji."
 
 #: pretix/control/views/organizer.py:703
 msgid ""

src/pretix/presale/utils.py

@@ -100,10 +100,23 @@ def get_customer(request):
                 request._cached_customer = None
             else:
                 session_hash = session.get(hash_session_key)
+                session_auth_hash = customer.get_session_auth_hash()
                 session_hash_verified = session_hash and constant_time_compare(
                     session_hash,
-                    customer.get_session_auth_hash()
+                    session_auth_hash,
                 )
+                if not session_hash_verified:
+                    # If the current secret does not verify the session, try
+                    # with the fallback secrets and stop when a matching one is
+                    # found.
+                    if session_hash and any(
+                        constant_time_compare(session_hash, fallback_auth_hash)
+                        for fallback_auth_hash in customer.get_session_auth_fallback_hash()
+                    ):
+                        request.session.cycle_key()
+                        request.session[hash_session_key] = session_auth_hash
+                        session_hash_verified = True
+
                 if session_hash_verified:
                     request._cached_customer = customer
                 else:

src/pretix/presale/views/order.py

@@ -156,11 +156,10 @@ class OrderOpen(EventViewMixin, OrderDetailMixin, View):
     def get(self, request, *args, **kwargs):
         if not self.order:
             raise Http404(_('Unknown order code or not authorized to access this order.'))
-        if kwargs.get('hash') == self.order.email_confirm_hash():
-            if not self.order.email_known_to_work:
-                self.order.log_action('pretix.event.order.contact.confirmed')
-                self.order.email_known_to_work = True
-                self.order.save(update_fields=['email_known_to_work'])
+        if self.order.check_email_confirm_secret(kwargs.get('hash')) and not self.order.email_known_to_work:
+            self.order.log_action('pretix.event.order.contact.confirmed')
+            self.order.email_known_to_work = True
+            self.order.save(update_fields=['email_known_to_work'])
         return redirect(self.get_order_url())
 
 

src/pretix/settings.py

@@ -94,6 +94,13 @@ else:
                 pass  # os.chown is not available on Windows
             f.write(SECRET_KEY)
 
+
+SECRET_KEY_FALLBACKS = []
+for i in range(10):
+    if config.has_option('django', f'secret_fallback{i}'):
+        SECRET_KEY_FALLBACKS.append(config.get('django', f'secret_fallback{i}'))
+
+
 # Adjustable settings
 
 debug_fallback = "runserver" in sys.argv or "runserver_plus" in sys.argv

src/pretix/static/npm_dir/package-lock.json

@@ -11,7 +11,7 @@
         "@babel/core": "^7.25.2",
         "@babel/preset-env": "^7.25.4",
         "@rollup/plugin-babel": "^6.0.4",
-        "@rollup/plugin-node-resolve": "^15.2.3",
+        "@rollup/plugin-node-resolve": "^15.3.0",
         "rollup": "^2.79.1",
         "rollup-plugin-vue": "^5.0.1",
         "vue": "^2.7.16",
@@ -1734,14 +1734,13 @@
       }
     },
     "node_modules/@rollup/plugin-node-resolve": {
-      "version": "15.2.3",
-      "resolved": "https://registry.npmjs.org/@rollup/plugin-node-resolve/-/plugin-node-resolve-15.2.3.tgz",
-      "integrity": "sha512-j/lym8nf5E21LwBT4Df1VD6hRO2L2iwUeUmP7litikRsVp1H6NWx20NEp0Y7su+7XGc476GnXXc4kFeZNGmaSQ==",
+      "version": "15.3.0",
+      "resolved": "https://registry.npmjs.org/@rollup/plugin-node-resolve/-/plugin-node-resolve-15.3.0.tgz",
+      "integrity": "sha512-9eO5McEICxMzJpDW9OnMYSv4Sta3hmt7VtBFz5zR9273suNOydOyq/FrGeGy+KsTRFm8w0SLVhzig2ILFT63Ag==",
       "dependencies": {
         "@rollup/pluginutils": "^5.0.1",
         "@types/resolve": "1.20.2",
         "deepmerge": "^4.2.2",
-        "is-builtin-module": "^3.2.1",
         "is-module": "^1.0.0",
         "resolve": "^1.22.1"
       },
@@ -2102,17 +2101,6 @@
         "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
       }
     },
-    "node_modules/builtin-modules": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/builtin-modules/-/builtin-modules-3.3.0.tgz",
-      "integrity": "sha512-zhaCDicdLuWN5UbN5IMnFqNMhNfo919sH85y2/ea+5Yg9TsTkeZxpL+JLbp6cgYFS4sRLp3YV4S6yDuqVWHYOw==",
-      "engines": {
-        "node": ">=6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/call-bind": {
       "version": "1.0.7",
       "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz",
@@ -2779,20 +2767,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/is-builtin-module": {
-      "version": "3.2.1",
-      "resolved": "https://registry.npmjs.org/is-builtin-module/-/is-builtin-module-3.2.1.tgz",
-      "integrity": "sha512-BSLE3HnV2syZ0FK0iMA/yUGplUeMmNz4AW5fnTunbCIqZi4vG3WjJT9FHMy5D69xmAYBHXQhJdALdpwVxV501A==",
-      "dependencies": {
-        "builtin-modules": "^3.3.0"
-      },
-      "engines": {
-        "node": ">=6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/is-core-module": {
       "version": "2.11.0",
       "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz",
@@ -5162,14 +5136,13 @@
       }
     },
     "@rollup/plugin-node-resolve": {
-      "version": "15.2.3",
-      "resolved": "https://registry.npmjs.org/@rollup/plugin-node-resolve/-/plugin-node-resolve-15.2.3.tgz",
-      "integrity": "sha512-j/lym8nf5E21LwBT4Df1VD6hRO2L2iwUeUmP7litikRsVp1H6NWx20NEp0Y7su+7XGc476GnXXc4kFeZNGmaSQ==",
+      "version": "15.3.0",
+      "resolved": "https://registry.npmjs.org/@rollup/plugin-node-resolve/-/plugin-node-resolve-15.3.0.tgz",
+      "integrity": "sha512-9eO5McEICxMzJpDW9OnMYSv4Sta3hmt7VtBFz5zR9273suNOydOyq/FrGeGy+KsTRFm8w0SLVhzig2ILFT63Ag==",
       "requires": {
         "@rollup/pluginutils": "^5.0.1",
         "@types/resolve": "1.20.2",
         "deepmerge": "^4.2.2",
-        "is-builtin-module": "^3.2.1",
         "is-module": "^1.0.0",
         "resolve": "^1.22.1"
       }
@@ -5417,11 +5390,6 @@
         "update-browserslist-db": "^1.1.0"
       }
     },
-    "builtin-modules": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/builtin-modules/-/builtin-modules-3.3.0.tgz",
-      "integrity": "sha512-zhaCDicdLuWN5UbN5IMnFqNMhNfo919sH85y2/ea+5Yg9TsTkeZxpL+JLbp6cgYFS4sRLp3YV4S6yDuqVWHYOw=="
-    },
     "call-bind": {
       "version": "1.0.7",
       "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.7.tgz",
@@ -5920,14 +5888,6 @@
         "binary-extensions": "^2.0.0"
       }
     },
-    "is-builtin-module": {
-      "version": "3.2.1",
-      "resolved": "https://registry.npmjs.org/is-builtin-module/-/is-builtin-module-3.2.1.tgz",
-      "integrity": "sha512-BSLE3HnV2syZ0FK0iMA/yUGplUeMmNz4AW5fnTunbCIqZi4vG3WjJT9FHMy5D69xmAYBHXQhJdALdpwVxV501A==",
-      "requires": {
-        "builtin-modules": "^3.3.0"
-      }
-    },
     "is-core-module": {
       "version": "2.11.0",
       "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz",

src/pretix/static/npm_dir/package.json

@@ -7,7 +7,7 @@
     "@babel/core": "^7.25.2",
     "@babel/preset-env": "^7.25.4",
     "@rollup/plugin-babel": "^6.0.4",
-    "@rollup/plugin-node-resolve": "^15.2.3",
+    "@rollup/plugin-node-resolve": "^15.3.0",
     "vue": "^2.7.16",
     "rollup": "^2.79.1",
     "rollup-plugin-vue": "^5.0.1",

src/tests/presale/test_cart.py

@@ -3654,6 +3654,31 @@ class CartBundleTest(CartTestMixin, TestCase):
         assert cp.price == Decimal('0.00')
         assert b.price == Decimal('1.50')
 
+    @classscope(attr='orga')
+    def test_voucher_apply_multiple_reduce_beyond_designated_price_no_tax_rules(self):
+        self.ticket.tax_rule = None
+        self.ticket.save()
+        self.trans.tax_rule = None
+        self.trans.save()
+        cp = CartPosition.objects.create(
+            event=self.event, cart_id=self.session_key, item=self.ticket,
+            price=21.5, expires=now() + timedelta(minutes=10)
+        )
+        b = CartPosition.objects.create(
+            event=self.event, cart_id=self.session_key, item=self.trans, addon_to=cp,
+            price=1.5, expires=now() + timedelta(minutes=10), is_bundled=True
+        )
+        v = Voucher.objects.create(
+            event=self.event, price_mode='set', value=Decimal('0.00'), max_usages=100
+        )
+
+        self.cm.apply_voucher(v.code)
+        self.cm.commit()
+        cp.refresh_from_db()
+        b.refresh_from_db()
+        assert cp.price == Decimal('0.00')
+        assert b.price == Decimal('1.50')
+
     @classscope(attr='orga')
     def test_voucher_apply_affect_bundled(self):
         cp = CartPosition.objects.create(

src/tests/presale/test_customer.py

@@ -628,7 +628,7 @@ def test_change_email(env, client):
 
 
 @pytest.mark.django_db
-def test_change_pw(env, client):
+def test_change_pw(env, client, client2):
     with scopes_disabled():
         customer = env[0].customers.create(email='john@example.org', is_verified=True)
         customer.set_password('foo')
@@ -640,6 +640,12 @@ def test_change_pw(env, client):
     })
     assert r.status_code == 302
 
+    r = client2.post('/bigevents/account/login', {
+        'email': 'john@example.org',
+        'password': 'foo',
+    })
+    assert r.status_code == 302
+
     r = client.post('/bigevents/account/password', {
         'password_current': 'invalid',
         'password': 'aYLBRNg4',
@@ -658,6 +664,13 @@ def test_change_pw(env, client):
     customer.refresh_from_db()
     assert customer.check_password('aYLBRNg4')
 
+    r = client.get('/bigevents/account/password')
+    assert r.status_code == 200
+
+    # Client 2 got logged out
+    r = client2.post('/bigevents/account/password')
+    assert r.status_code == 302
+
 
 @pytest.mark.django_db
 def test_login_per_org(env, client):

src/tests/presale/test_orders.py

@@ -221,7 +221,7 @@ class OrdersTest(BaseOrdersTest):
         assert not self.order.email_known_to_work
 
         response = self.client.get(
-            '/%s/%s/order/%s/%s/open/%s/' % (self.orga.slug, self.event.slug, self.order.code, self.order.secret, self.order.email_confirm_hash())
+            '/%s/%s/order/%s/%s/open/%s/' % (self.orga.slug, self.event.slug, self.order.code, self.order.secret, self.order.email_confirm_secret())
         )
         assert response.status_code == 302
         self.order.refresh_from_db()