Bump version to 2.3.0

Update from Weblate.

.travis.sh

@@ -11,7 +11,6 @@ fi
 
 if [ "$PRETIX_CONFIG_FILE" == "tests/travis_postgres.cfg" ]; then
     psql -c 'create database travis_ci_test;' -U postgres
-    pip3 install -Ur src/requirements/postgres.txt
 fi
 
 if [ "$1" == "style" ]; then
@@ -43,7 +42,7 @@ if [ "$1" == "tests" ]; then
 	cd src
 	python manage.py check
 	make all compress
-	py.test --reruns 5 -n 2 tests
+	py.test --reruns 5 -n 3 tests
 fi
 if [ "$1" == "tests-cov" ]; then
 	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt

.travis.yml

@@ -1,7 +1,7 @@
 language: python
 sudo: false
 install:
-  - pip install -U pip wheel setuptools==28.6.1
+  - pip install -U pip wheel setuptools
 script:
   - bash .travis.sh $JOB
 cache:
@@ -18,12 +18,12 @@ matrix:
       env: JOB=tests-cov PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
     - python: 3.6
       env: JOB=style
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
     - python: 3.6
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
     - python: 3.6
       env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
     - python: 3.6
       env: JOB=plugins
     - python: 3.6
@@ -32,11 +32,15 @@ matrix:
       env: JOB=translation-spelling
 addons:
   postgresql: "9.4"
+  mariadb: '10.3'
   apt:
       packages:
           - enchant
           - myspell-de-de
           - aspell-en
+          - sqlite3
+  sources:
+    - travis-ci/sqlite3
 branches:
   except:
   - /^weblate-.*/

Dockerfile

@@ -1,10 +1,26 @@
 FROM python:3.6
 
 RUN apt-get update && \
-    apt-get install -y git libxml2-dev libxslt1-dev python-dev python-virtualenv locales \
-      libffi-dev build-essential python3-dev zlib1g-dev libssl-dev gettext libpq-dev \
-      default-libmysqlclient-dev libmemcached-dev libjpeg-dev supervisor nginx sudo \
-	  --no-install-recommends && \
+    apt-get install -y --no-install-recommends \
+            build-essential \
+            default-libmysqlclient-dev \
+            gettext \
+            git \
+            libffi-dev \
+            libjpeg-dev \
+            libmemcached-dev \
+            libpq-dev \
+            libssl-dev \
+            libxml2-dev \
+            libxslt1-dev \
+            locales \
+            nginx \
+            python-dev \
+            python-virtualenv \
+            python3-dev \
+            sudo \
+            supervisor \
+            zlib1g-dev && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
     dpkg-reconfigure locales && \
@@ -19,6 +35,22 @@ RUN apt-get update && \
 ENV LC_ALL=C.UTF-8 \
     DJANGO_SETTINGS_MODULE=production_settings
 
+# To copy only the requirements files needed to install from PIP
+COPY src/requirements /pretix/src/requirements
+COPY src/requirements.txt /pretix/src
+RUN pip3 install -U \
+        pip \
+        setuptools \
+        wheel && \
+    cd /pretix/src && \
+    pip3 install \
+        -r requirements.txt \
+        -r requirements/memcached.txt \
+        -r requirements/mysql.txt \
+        -r requirements/redis.txt \
+        gunicorn && \
+    rm -rf ~/.cache/pip
+
 COPY deployment/docker/pretix.bash /usr/local/bin/pretix
 COPY deployment/docker/supervisord.conf /etc/supervisord.conf
 COPY deployment/docker/nginx.conf /etc/nginx/nginx.conf
@@ -27,11 +59,8 @@ COPY src /pretix/src
 
 RUN chmod +x /usr/local/bin/pretix && \
     rm /etc/nginx/sites-enabled/default && \
-    pip3 install -U pip wheel setuptools && \
     cd /pretix/src && \
     rm -f pretix.cfg && \
-    pip3 install -r requirements.txt -r requirements/mysql.txt -r requirements/postgres.txt \
-    	-r requirements/memcached.txt -r requirements/redis.txt gunicorn && \
 	mkdir -p data && \
     chown -R pretixuser:pretixuser /pretix /data data && \
 	sudo -u pretixuser make production

doc/admin/config.rst

@@ -295,5 +295,13 @@ various places like order codes, secrets in the ticket QR codes, etc. Example::
     ; Voucher code needs to be < 255 characters, default is 16
     voucher_code=16
 
+External tools
+--------------
+
+pretix can make use of some external tools if they are installed. Currently, they are all optional. Example::
+
+    [tools]
+    pdftk=/usr/bin/pdftk
+
 .. _Python documentation: https://docs.python.org/3/library/configparser.html?highlight=configparser#supported-ini-file-structure
 .. _Celery documentation: http://docs.celeryproject.org/en/latest/userguide/configuration.html

doc/admin/installation/dev_version.rst

@@ -0,0 +1,37 @@
+.. highlight:: none
+
+Installing a development version
+================================
+
+If you want to use a feature of pretix that is not yet contained in the last monthly release, you can also
+install a development version with pretix.
+
+.. warning:: When in production, we strongly recommend only installing released versions. Development versions might
+             be broken, incompatible to plugins, or in rare cases incompatible to upgrade later on.
+
+
+Manual installation
+-------------------
+
+You can use ``pip`` to update pretix directly to the development branch. Then, upgrade as usual::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U "git+https://github.com/pretix/pretix.git#egg=pretix&subdirectory=src"
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    (venv)$ python -m pretix updatestyles
+    # systemctl restart pretix-web pretix-worker
+
+Docker installation
+-------------------
+
+To use the latest development version with Docker, first pull it from Docker Hub::
+
+    $ docker pull pretix/standalone:latest
+
+
+Then change your ``/etc/systemd/system/pretix.service`` file to use the ``:latest`` tag instead of ``:stable`` as well
+and upgrade as usual::
+
+    $ systemctl restart pretix.service
+    $ docker exec -it pretix.service pretix upgrade

doc/admin/installation/docker_smallscale.rst

@@ -26,7 +26,7 @@ installation guides):
 * `Docker`_
 * A SMTP server to send out mails, e.g. `Postfix`_ on your machine or some third-party server you have credentials for
 * A HTTP reverse proxy, e.g. `nginx`_ or Apache to allow HTTPS connections
-* A `MySQL`_ or `PostgreSQL`_ database server
+* A `PostgreSQL`_, `MySQL`_ 5.7+, or MariaDB 10.2.7+ database server
 * A `redis`_ server
 
 We also recommend that you use a firewall, although this is not a pretix-specific recommendation. If you're new to
@@ -36,6 +36,9 @@ Linux and firewalls, we recommend that you start with `ufw`_.
           SSL certificates can be obtained for free these days. We also *do not* provide support for HTTP-only
           installations except for evaluation purposes.
 
+.. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
+             **MariaDB 10.2.7 or newer**.
+
 On this guide
 -------------
 
@@ -58,7 +61,7 @@ Next, we need a database and a database user. We can create these with any kind
 our database's shell, e.g. for MySQL::
 
     $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
+    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
     mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
     mysql> FLUSH PRIVILEGES;
 

doc/admin/installation/enterprise.rst

@@ -0,0 +1,84 @@
+.. highlight:: none
+
+Installing pretix Enterprise plugins
+====================================
+
+If you want to use a feature of pretix that is part of our commercial offering pretix Enterprise, you need to follow
+some extra steps. Installation works similar to normal pretix plugins, but involves a few extra steps.
+
+Buying the license
+------------------
+
+To obtain a license, please get in touch at sales@pretix.eu. Please let us know how many tickets you roughly intend
+to sell per year and how many servers you want to use the plugin on. We recommend having a look at our `price list`_
+first.
+
+
+Manual installation
+-------------------
+
+First, generate an SSH key for the system user that you install pretix as. In our tutorial, that would be the user
+``pretix``. Choose an empty passphrase::
+
+    # su pretix
+    $ ssh-keygen
+    Generating public/private rsa key pair.
+    Enter file in which to save the key (/var/pretix/.ssh/id_rsa):
+    Enter passphrase (empty for no passphrase):
+    Enter same passphrase again:
+    Your identification has been saved in /var/pretix/.ssh/id_rsa.
+    Your public key has been saved in /var/pretix/.ssh/id_rsa.pub.
+
+Next, send the content of the *public* key to your sales representative at pretix::
+
+    $ cat /var/pretix/.ssh/id_rsa.pub
+    ssh-rsa AAAAB3N...744HZawHlD pretix@foo
+
+After we configured your key in our system, you can install the plugin directly using ``pip`` from the URL we told
+you, for example::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack"
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    # systemctl restart pretix-web pretix-worker
+
+Docker installation
+-------------------
+
+To install a plugin, you need to build your own docker image. To do so, create a new directory to work in. As a first
+step, generate a new SSH key in that directory to use for authentication with us::
+
+    $ cd /home/me/mypretixdocker
+    $ ssh-keygen -N "" -f id_pretix_enterprise
+
+Next, send the content of the *public* key to your sales representative at pretix::
+
+    $ cat id_pretix_enterprise.pub
+    ssh-rsa AAAAB3N...744HZawHlD pretix@foo
+
+After we configured your key in our system, you can add a ``Dockerfile`` in your directory that includes the newly
+generated key and installs the plugin from the URL we told you::
+
+    FROM pretix/standalone:stable
+    USER root
+    COPY id_pretix_enterprise /root/.ssh/id_rsa
+    COPY id_pretix_enterprise.pub /root/.ssh/id_rsa.pub
+    RUN chmod -R 0600 /root/.ssh && \
+        mkdir -p /etc/ssh && \
+        ssh-keyscan -t rsa -p 10022 code.rami.io >> /root/.ssh/known_hosts && \
+        echo StrictHostKeyChecking=no >> /root/.ssh/config && \
+        pip3 install -Ue "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack" && \
+        cd /pretix/src && \
+        sudo -u pretixuser make production
+    USER pretixuser
+
+Then, build the image for docker::
+
+    $ docker build -t mypretix
+
+You can now use that image ``mypretix`` instead of ``pretix/standalone:stable`` in your ``/etc/systemd/system/pretix.service``
+service file. Be sure to re-build your custom image after you pulled ``pretix/standalone`` if you want to perform an
+update to a new version of pretix.
+
+.. _price list: https://pretix.eu/about/en/pricing

doc/admin/installation/general.rst

@@ -21,6 +21,9 @@ To use pretix, you will need the following things:
 
   .. warning:: Do not ever use SQLite in production. It will break.
 
+  .. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
+               **MariaDB 10.2.7 or newer**.
+
 * A **reverse proxy**. pretix needs to deliver some static content to your users (e.g. CSS, images, ...). While pretix
   is capable of doing this, having this handled by a proper web server like **nginx** or **Apache** will be much
   faster. Also, you need a proxying web server in front to provide SSL encryption.

doc/admin/installation/index.rst

@@ -10,3 +10,5 @@ for your needs.
    general
    docker_smallscale
    manual_smallscale
+   dev_version
+   enterprise

doc/admin/installation/manual_smallscale.rst

@@ -23,7 +23,7 @@ installation guides):
 
 * A SMTP server to send out mails, e.g. `Postfix`_ on your machine or some third-party server you have credentials for
 * A HTTP reverse proxy, e.g. `nginx`_ or Apache to allow HTTPS connections
-* A `MySQL`_ or `PostgreSQL`_ database server
+* A `PostgreSQL`_, `MySQL`_ 5.7+, or MariaDB 10.2.7+ database server
 * A `redis`_ server
 
 We also recommend that you use a firewall, although this is not a pretix-specific recommendation. If you're new to
@@ -33,6 +33,9 @@ Linux and firewalls, we recommend that you start with `ufw`_.
           SSL certificates can be obtained for free these days. We also *do not* provide support for HTTP-only
           installations except for evaluation purposes.
 
+.. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
+             **MariaDB 10.2.7 or newer**.
+
 Unix user
 ---------
 
@@ -50,7 +53,7 @@ Having the database server installed, we still need a database and a database us
 of database managing tool or directly on our database's shell, e.g. for MySQL::
 
     $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci;
+    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
     mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
     mysql> FLUSH PRIVILEGES;
 

doc/api/auth.rst

@@ -0,0 +1,9 @@
+Authentication
+==============
+
+.. toctree::
+   :maxdepth: 2
+
+   tokenauth
+   oauth
+   deviceauth

doc/api/deviceauth.rst

@@ -0,0 +1,137 @@
+.. _`rest-deviceauth`:
+
+Device authentication
+=====================
+
+Initializing a new device
+-------------------------
+
+Users can create new devices in the "Device" section of their organizer settings. When creating
+a new device, users can specify a list of events the device is allowed to access. After a new
+device is created, users will be presented initialization instructions, consisting of an URL
+and an initialization token. They will also be shown as a QR code with the following contents::
+
+   {"handshake_version": 1, "url": "https://pretix.eu", "token": "kpp4jn8g2ynzonp6"}
+
+Your application should be able to scan a QR code of this type, or allow to enter the URL and the
+initialization token manually. The handshake version is not used for manual initialization. When a
+QR code is scanned with a higher handshake version than you support, you should reject the request
+and prompt the user to update the client application.
+
+After your application received the token, you need to call the initialization endpoint to obtain
+a proper API token. At this point, you need to identify the name and version of your application,
+as well as the type of underlying hardware. Example:
+
+.. sourcecode:: http
+
+   POST /api/v1/device/initialize HTTP/1.1
+   Host: pretix.eu
+   Content-Type: application/json
+
+   {
+       "token": "kpp4jn8g2ynzonp6",
+       "hardware_brand": "Samsung",
+       "hardware_model": "Galaxy S",
+       "software_brand": "pretixdroid",
+       "software_version": "4.0.0"
+   }
+
+Every initialization token can only be used once. On success, you will receive a response containing
+information on your device as well as your API token:
+
+.. sourcecode:: http
+
+   HTTP/1.1 200 OK
+   Content-Type: application/json
+
+   {
+       "organizer": "foo",
+       "device_id": 5,
+       "unique_serial": "HHZ9LW9JWP390VFZ",
+       "api_token": "1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd",
+       "name": "Bar"
+   }
+
+Please make sure that you store this ``api_token`` value. We also recommend storing your device ID, your assigned
+``unique_serial``, and the ``organizer`` you have access to, but that's up to you.
+
+In case of an error, the response will look like this:
+
+.. sourcecode:: http
+
+   HTTP/1.1 400 Bad Request
+   Content-Type: application/json
+
+   {"token":["This initialization token has already been used."]}
+
+
+Performing API requests
+-----------------------
+
+You need to include the API token with every request to pretix' API in the ``Authorization`` header
+like the following:
+
+.. sourcecode:: http
+   :emphasize-lines: 3
+
+   GET /api/v1/organizers/ HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+Updating the software version
+-----------------------------
+
+If your application is updated, we ask you to tell the server about the new version in use. You can do this at the
+following endpoint:
+
+.. sourcecode:: http
+
+   POST /api/v1/device/update HTTP/1.1
+   Host: pretix.eu
+   Content-Type: application/json
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+   {
+       "hardware_brand": "Samsung",
+       "hardware_model": "Galaxy S",
+       "software_brand": "pretixdroid",
+       "software_version": "4.1.0"
+   }
+
+Creating a new API key
+----------------------
+
+If you think your API key might have leaked or just want to be extra cautious, the API allows you to create a new key.
+The old API key will be invalid immediately. A request for a new key looks like this:
+
+.. sourcecode:: http
+
+   POST /api/v1/device/roll HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+The response will look like the response to the initialization request.
+
+Removing a device
+-----------------
+
+If you want implement a way to to deprovision a device in your software, you can call the ``revoke`` endpoint to
+invalidate your API key. There is no way to reverse this operation.
+
+.. sourcecode:: http
+
+   POST /api/v1/device/revoke HTTP/1.1
+   Host: pretix.eu
+   Authorization: Device 1kcsh572fonm3hawalrncam4l1gktr2rzx25a22l8g9hx108o9oi0rztpcvwnfnd
+
+This can also be done by the user through the web interface.
+
+Permissions
+-----------
+
+Device authentication is currently hardcoded to grant the following permissions:
+
+* View event meta data and products etc.
+* View and change orders
+
+Devices cannot change events or products and cannot access vouchers.

doc/api/fundamentals.rst

@@ -9,44 +9,20 @@ with pretix' REST API, such as authentication, pagination and similar definition
 Authentication
 --------------
 
-If you're building an application for end users, we strongly recommend that you use our
-:ref:`OAuth-based authentication progress <rest-oauth>`. However, for simpler needs, you
-can also go with static API tokens that you can create on a per-team basis (see below).
+To access the API, you need to present valid authentication credentials. pretix currently
+supports the following authorization schemes:
 
-You need to include the API token with every request to pretix' API in the ``Authorization`` header
-like the following:
-
-.. sourcecode:: http
-   :emphasize-lines: 3
-
-   GET /api/v1/organizers/ HTTP/1.1
-   Host: pretix.eu
-   Authorization: Token e1l6gq2ye72thbwkacj7jbri7a7tvxe614ojv8ybureain92ocub46t5gab5966k
-
-.. note:: The API currently also supports authentication via browser sessions, i.e. the
-          same way that you authenticate with pretix when using the browser interface.
-          Using this type of authentication is *not* officially supported for use by
-          third-party clients and might change or be removed at any time. We plan on
-          adding OAuth2 support in the future for user-level authentication. If you want
-          to use session authentication, be sure to comply with Django's `CSRF policies`_.
-
-Obtaining an API token
-----------------------
-
-To authenticate your API requests, you need to obtain an API token. You can create a
-token in the pretix web interface on the level of organizer teams. Create a new team
-or choose an existing team that has the level of permissions the token should have and
-create a new token using the form below the list of team members:
-
-.. image:: img/token_form.png
-    :class: screenshot
-
-You can enter a description for the token to distinguish from other tokens later on.
-Once you click "Add", you will be provided with an API token in the success message.
-Copy this token, as you won't be able to retrieve it again.
-
-.. image:: img/token_success.png
-    :class: screenshot
+* :ref:`rest-tokenauth`: This is the simplest way and recommended for server-side applications
+  that interact with pretix without user interaction.
+* :ref:`rest-oauth`: This is the recommended way to use if you write a third-party application
+  that users can connect with their pretix account. It provides the best user experience, but
+  requires user interaction and slightly more implementation effort.
+* :ref:`rest-deviceauth`: This is the recommended way if you build apps or hardware devices that can
+  connect to pretix, e.g. for processing check-ins or to sell tickets offline. It provides a way
+  to uniquely identify devices and allows for a quick configuration flow inside your software.
+* Authentication using browser sessions: This is used by the pretix web interface and it is *not*
+  officially supported for use by third-party applications. It might change or be removed at any
+  time without prior notice. If you use it, you need to comply with Django's `CSRF policies`_.
 
 Permissions
 -----------
@@ -172,6 +148,7 @@ Field specific input errors include the name of the offending fields as keys in
 
    {"amount": ["A valid integer is required."], "description": ["This field may not be blank."]}
 
+If you see errors of type ``429 Too Many Requests``, you should read our documentation on :ref:`rest-ratelimit`.
 
 Data types
 ----------
@@ -204,4 +181,4 @@ as the string values ``true`` and ``false``.
 If the ``ordering`` parameter is documented for a resource, you can use it to sort the result set by one of the allowed
 fields. Prepend a ``-`` to the field name to reverse the sort order.
 
-.. _CSRF policies: https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax
+.. _CSRF policies: https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax

doc/api/index.rst

@@ -14,5 +14,7 @@ in functionality over time.
    :maxdepth: 2
 
    fundamentals
-   oauth
+   auth
    resources/index
+   ratelimit
+   webhooks

doc/api/oauth.rst

@@ -1,7 +1,7 @@
 .. _`rest-oauth`:
 
-OAuth support / "Connect with pretix"
-=====================================
+OAuth authentication / "Connect with pretix"
+============================================
 
 In addition to static tokens, pretix supports `OAuth2`_-based authentication starting with
 pretix 1.16. This allows you to put a "Connect with pretix" button into your website or tool
@@ -166,6 +166,42 @@ endpoint to revoke it.
 If you want to revoke your client secret, you can generate a new one in the list of your managed applications in the
 pretix user interface.
 
+Fetching the user profile
+-------------------------
+
+If you need the user's meta data, you can fetch it here:
+
+.. http:get:: /api/v1/me
+
+   Returns the profile of the authenticated user
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/me HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Authorization: Bearer i3ytqTSRWsKp16fqjekHXa4tdM4qNC
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        email: "admin@localhost",
+        fullname: "John Doe",
+        locale: "de",
+        timezone: "Europe/Berlin"
+      }
+
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+
 .. _OAuth2: https://en.wikipedia.org/wiki/OAuth
 .. _OAuth2 Simplified: https://aaronparecki.com/oauth-2-simplified/
-.. _HTTP Basic authentication: https://en.wikipedia.org/wiki/Basic_access_authentication
+.. _HTTP Basic authentication: https://en.wikipedia.org/wiki/Basic_access_authentication

doc/api/ratelimit.rst

@@ -0,0 +1,31 @@
+.. _`rest-ratelimit`:
+
+Rate limiting
+=============
+
+.. note:: This page only applies to the pretix Hosted service at pretix.eu. APIs of custom pretix installations do not
+          enforce any rate limiting by default.
+
+All authenticated requests to pretix' API are rate limited. If you exceed the limits, you will receive a response
+with HTTP status code ``429 Too Many Requests``. This response will have a ``Retry-After`` header, containing the number
+of seconds you are supposed to wait until you try again. We expect that all API clients respect this. If you continue
+to burst requests after a ``429`` status code, we might get in touch with you or, in extreme cases, disable your API
+access.
+
+Currently, the following rate limits apply:
+
+
+
+.. rst-class:: rest-resource-table
+
+===================================== =================================================================================
+Authentication method                 Rate limit
+===================================== =================================================================================
+:ref:`rest-deviceauth`                360 requests per minute per device
+:ref:`rest-tokenauth`                 360 requests per minute per organizer account
+:ref:`rest-oauth`                     360 requests per minute per combination of accessed organizer and OAuth application
+Session authentication                *Not an officially supported authentication method for external access*
+===================================== =================================================================================
+
+If you require a higher rate limit, please get in touch at support@pretix.eu and tell us about your use case, we are
+sure we can work something out.

doc/api/resources/carts.rst

@@ -25,6 +25,7 @@ item                                  integer                    ID of the item
 variation                             integer                    ID of the variation (or ``null``)
 price                                 money (string)             Price of this position
 attendee_name                         string                     Specified attendee name for this position (or ``null``)
+attendee_name_parts                   object of strings          Composition of attendee name (i.e. first name, last name, …)
 attendee_email                        string                     Specified attendee email address for this position (or ``null``)
 voucher                               integer                    Internal ID of the voucher used for this position (or ``null``)
 addon_to                              integer                    Internal ID of the position this position is an add-on for (or ``null``)
@@ -78,6 +79,7 @@ Cart position endpoints
             "variation": null,
             "price": "23.00",
             "attendee_name": null,
+            "attendee_name_parts": {},
             "attendee_email": null,
             "voucher": null,
             "addon_to": null,
@@ -122,6 +124,7 @@ Cart position endpoints
         "variation": null,
         "price": "23.00",
         "attendee_name": null,
+        "attendee_name_parts": {},
         "attendee_email": null,
         "voucher": null,
         "addon_to": null,
@@ -175,7 +178,7 @@ Cart position endpoints
    * ``item``
    * ``variation`` (optional)
    * ``price``
-   * ``attendee_name`` (optional)
+   * ``attendee_name`` **or** ``attendee_name_parts`` (optional)
    * ``attendee_email`` (optional)
    * ``subevent`` (optional)
    * ``expires`` (optional)
@@ -199,7 +202,10 @@ Cart position endpoints
         "item": 1,
         "variation": null,
         "price": "23.00",
-        "attendee_name": "Peter",
+        "attendee_name_parts": {
+          "given_name": "Peter",
+          "family_name": "Miller"
+        },
         "attendee_email": null,
         "answers": [
           {

doc/api/resources/checkinlists.rst

@@ -371,6 +371,9 @@ Order position endpoints
             "variation": null,
             "price": "23.00",
             "attendee_name": "Peter",
+            "attendee_name_parts": {
+              "full_name": "Peter",
+            },
             "attendee_email": null,
             "voucher": null,
             "tax_rate": "0.00",
@@ -466,6 +469,9 @@ Order position endpoints
         "variation": null,
         "price": "23.00",
         "attendee_name": "Peter",
+        "attendee_name_parts": {
+          "full_name": "Peter",
+        },
         "attendee_email": null,
         "voucher": null,
         "tax_rate": "0.00",

doc/api/resources/events.rst

@@ -41,6 +41,10 @@ plugins                               list                       A list of packa
    The ``plugins`` field has been added.
    The operations POST, PATCH, PUT and DELETE have been added.
 
+.. versionchanged:: 2.1
+
+   Filters have been added to the list of events.
+
 Endpoints
 ---------
 
@@ -96,6 +100,12 @@ Endpoints
       }
 
    :query page: The page number in case of a multi-page result set, default is 1
+   :query is_public: If set to ``true``/``false``, only events with a matching value of ``is_public`` are returned.
+   :query live: If set to ``true``/``false``, only events with a matching value of ``live`` are returned.
+   :query has_subevents: If set to ``true``/``false``, only events with a matching value of ``has_subevents`` are returned.
+   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned. Event series are never (always) returned.
+   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned. Event series are never (always) returned.
+   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned. Event series are never returned.
    :param organizer: The ``slug`` field of a valid organizer
    :statuscode 200: no error
    :statuscode 401: Authentication failure

doc/api/resources/index.rst

@@ -21,3 +21,4 @@ Resources and endpoints
    checkinlists
    waitinglist
    carts
+   webhooks

doc/api/resources/items.rst

@@ -37,6 +37,8 @@ admission                             boolean                    ``True`` for it
 position                              integer                    An integer, used for sorting
 picture                               string                     A product picture to be displayed in the shop
                                                                  (read-only).
+sales_channels                        list of strings            Sales channels this product is available on, such as
+                                                                 ``"web"`` or ``"resellers"``. Defaults to ``["web"]``.
 available_from                        datetime                   The first date time at which this item can be bought
                                                                  (or ``null``).
 available_until                       datetime                   The last date time at which this item can be bought
@@ -105,6 +107,10 @@ addons                                list of objects            Definition of a
 
    The field ``require_approval`` has been added.
 
+.. versionchanged:: 2.3
+
+   The ``sales_channels`` attribute has been added.
+
 Notes
 -----
 Please note that an item either always has variations or never has. Once created with variations the item can never
@@ -147,6 +153,7 @@ Endpoints
             "id": 1,
             "name": {"en": "Standard ticket"},
             "internal_name": "",
+            "sales_channels": ["web"],
             "default_price": "23.00",
             "original_price": null,
             "category": null,
@@ -232,6 +239,7 @@ Endpoints
         "id": 1,
         "name": {"en": "Standard ticket"},
         "internal_name": "",
+        "sales_channels": ["web"],
         "default_price": "23.00",
         "original_price": null,
         "category": null,
@@ -298,6 +306,7 @@ Endpoints
         "id": 1,
         "name": {"en": "Standard ticket"},
         "internal_name": "",
+        "sales_channels": ["web"],
         "default_price": "23.00",
         "original_price": null,
         "category": null,
@@ -351,6 +360,7 @@ Endpoints
         "id": 1,
         "name": {"en": "Standard ticket"},
         "internal_name": "",
+        "sales_channels": ["web"],
         "default_price": "23.00",
         "original_price": null,
         "category": null,
@@ -436,6 +446,7 @@ Endpoints
         "id": 1,
         "name": {"en": "Ticket"},
         "internal_name": "",
+        "sales_channels": ["web"],
         "default_price": "25.00",
         "original_price": null,
         "category": null,

doc/api/resources/orders.rst

@@ -30,6 +30,8 @@ status                                string                     Order status, o
 secret                                string                     The secret contained in the link sent to the customer
 email                                 string                     The customer email address
 locale                                string                     The locale used for communication with this customer
+sales_channel                         string                     Channel this sale was created through, such as
+                                                                 ``"web"``.
 datetime                              datetime                   Time of order creation
 expires                               datetime                   The order will expire, if it is still pending by this time
 payment_date                          date                       **DEPRECATED AND INACCURATE** Date of payment receipt
@@ -46,6 +48,7 @@ invoice_address                       object                     Invoice address
                                                                  for orders created before pretix 1.7, do not rely on
                                                                  it).
 ├ name                                string                     Customer name
+├ name_parts                          object of strings          Customer name decomposition
 ├ street                              string                     Customer street
 ├ zipcode                             string                     Customer ZIP code
 ├ city                                string                     Customer city
@@ -120,6 +123,10 @@ last_modified                         datetime                   Last modificati
    nested ``payments`` and ``refunds`` resources, but will still be served and removed in 2.2. The ``require_approval``
    attribute has been added, as have been the ``…/approve/`` and ``…/deny/`` endpoints.
 
+.. versionchanged:: 2.3
+
+   The ``sales_channel`` attribute has been added.
+
 .. _order-position-resource:
 
 Order position resource
@@ -137,6 +144,7 @@ item                                  integer                    ID of the purch
 variation                             integer                    ID of the purchased variation (or ``null``)
 price                                 money (string)             Price of this position
 attendee_name                         string                     Specified attendee name for this position (or ``null``)
+attendee_name_parts                   object of strings          Decomposition of attendee name (i.e. given name, family name)
 attendee_email                        string                     Specified attendee email address for this position (or ``null``)
 voucher                               integer                    Internal ID of the voucher used for this position (or ``null``)
 tax_rate                              decimal (string)           VAT rate applied for this position
@@ -263,6 +271,7 @@ List of all orders
             "secret": "k24fiuwvu8kxz3y1",
             "email": "tester@example.org",
             "locale": "en",
+            "sales_channel": "web",
             "datetime": "2017-12-01T10:00:00Z",
             "expires": "2017-12-10T10:00:00Z",
             "last_modified": "2017-12-01T10:00:00Z",
@@ -278,6 +287,7 @@ List of all orders
                 "is_business": True,
                 "company": "Sample company",
                 "name": "John Doe",
+                "name_parts": {"full_name": "John Doe"},
                 "street": "Test street 12",
                 "zipcode": "12345",
                 "city": "Testington",
@@ -295,6 +305,9 @@ List of all orders
                 "variation": null,
                 "price": "23.00",
                 "attendee_name": "Peter",
+                "attendee_name_parts": {
+                  "full_name": "Peter",
+                },
                 "attendee_email": null,
                 "voucher": null,
                 "tax_rate": "0.00",
@@ -395,6 +408,7 @@ Fetching individual orders
         "secret": "k24fiuwvu8kxz3y1",
         "email": "tester@example.org",
         "locale": "en",
+        "sales_channel": "web",
         "datetime": "2017-12-01T10:00:00Z",
         "expires": "2017-12-10T10:00:00Z",
         "last_modified": "2017-12-01T10:00:00Z",
@@ -410,6 +424,7 @@ Fetching individual orders
             "company": "Sample company",
             "is_business": True,
             "name": "John Doe",
+            "name_parts": {"full_name": "John Doe"},
             "street": "Test street 12",
             "zipcode": "12345",
             "city": "Testington",
@@ -427,6 +442,9 @@ Fetching individual orders
             "variation": null,
             "price": "23.00",
             "attendee_name": "Peter",
+            "attendee_name_parts": {
+              "full_name": "Peter",
+            },
             "attendee_email": null,
             "voucher": null,
             "tax_rate": "0.00",
@@ -551,6 +569,8 @@ Creating orders
 
        * does not validate if products are only to be sold in a specific time frame
 
+       * does not validate if products are only to be sold on other sales channels
+
        * does not validate if the event's ticket sales are already over or haven't started
 
        * does not validate the number of items per order or the number of times an item can be included in an order
@@ -587,6 +607,7 @@ Creating orders
      creation.
    * ``email``
    * ``locale``
+   * ``sales_channel``
    * ``payment_provider`` – The identifier of the payment provider set for this order. This needs to be an existing
      payment provider. You should use ``"free"`` for free orders, and we strongly advise to use ``"manual"`` for all
      orders you create as paid.
@@ -601,7 +622,7 @@ Creating orders
 
       * ``company``
       * ``is_business``
-      * ``name``
+      * ``name`` **or** ``name_parts``
       * ``street``
       * ``zipcode``
       * ``city``
@@ -615,7 +636,7 @@ Creating orders
       * ``item``
       * ``variation``
       * ``price``
-      * ``attendee_name``
+      * ``attendee_name`` **or** ``attendee_name_parts``
       * ``attendee_email``
       * ``secret`` (optional)
       * ``addon_to`` (optional, see below)
@@ -651,6 +672,7 @@ Creating orders
       {
         "email": "dummy@example.org",
         "locale": "en",
+        "sales_channel": "web",
         "fees": [
           {
             "fee_type": "payment",
@@ -664,7 +686,7 @@ Creating orders
         "invoice_address": {
           "is_business": False,
           "company": "Sample company",
-          "name": "John Doe",
+          "name_parts": {"full_name": "John Doe"},
           "street": "Sesam Street 12",
           "zipcode": "12345",
           "city": "Sample City",
@@ -678,7 +700,9 @@ Creating orders
             "item": 1,
             "variation": null,
             "price": "23.00",
-            "attendee_name": "Peter",
+            "attendee_name_parts": {
+              "full_name": "Peter"
+            },
             "attendee_email": null,
             "addon_to": null,
             "answers": [
@@ -1075,6 +1099,9 @@ List of all order positions
             "variation": null,
             "price": "23.00",
             "attendee_name": "Peter",
+            "attendee_name_parts": {
+              "full_name": "Peter"
+            },
             "attendee_email": null,
             "voucher": null,
             "tax_rate": "0.00",
@@ -1172,6 +1199,9 @@ Fetching individual positions
         "variation": null,
         "price": "23.00",
         "attendee_name": "Peter",
+        "attendee_name_parts": {
+          "full_name": "Peter",
+        },
         "attendee_email": null,
         "voucher": null,
         "tax_rate": "0.00",

doc/api/resources/subevents.rst

@@ -17,6 +17,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the sub-event
 name                                  multi-lingual string       The sub-event's full name
+event                                 string                     The slug of the parent event
 active                                boolean                    If ``true``, the sub-event ticket shop is publicly
                                                                  available.
 date_from                             datetime                   The sub-event's start date
@@ -40,6 +41,10 @@ meta_data                             dict                       Values set for
 
    The ``meta_data`` field has been added.
 
+.. versionchanged:: 2.1
+
+   The ``event`` field has been added, together with filters on the list of dates and an organizer-level list.
+
 
 Endpoints
 ---------
@@ -72,6 +77,7 @@ Endpoints
           {
             "id": 1,
             "name": {"en": "First Sample Conference"},
+            "event": "sampleconf",
             "active": false,
             "date_from": "2017-12-27T10:00:00Z",
             "date_to": null,
@@ -92,6 +98,10 @@ Endpoints
       }
 
    :query page: The page number in case of a multi-page result set, default is 1
+   :query active: If set to ``true``/``false``, only events with a matching value of ``active`` are returned.
+   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
+   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
+   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
    :param organizer: The ``slug`` field of a valid organizer
    :param event: The ``slug`` field of the event to fetch
    :statuscode 200: no error
@@ -121,6 +131,7 @@ Endpoints
       {
         "id": 1,
         "name": {"en": "First Sample Conference"},
+        "event": "sampleconf",
         "active": false,
         "date_from": "2017-12-27T10:00:00Z",
         "date_to": null,
@@ -144,3 +155,63 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/subevents/
+
+   Returns a list of all sub-events of any event series you have access to within an organizer account.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/subevents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": {"en": "First Sample Conference"},
+            "event": "sampleconf",
+            "active": false,
+            "date_from": "2017-12-27T10:00:00Z",
+            "date_to": null,
+            "date_admission": null,
+            "presale_start": null,
+            "presale_end": null,
+            "location": null,
+            "item_price_overrides": [
+              {
+                "item": 2,
+                "price": "12.00"
+              }
+            ],
+            "variation_price_overrides": [],
+            "meta_data": {}
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :query active: If set to ``true``/``false``, only events with a matching value of ``active`` are returned.
+   :query event__live: If set to ``true``/``false``, only events with a matching value of ``live`` on the parent event are returned.
+   :query is_future: If set to ``true`` (``false``), only events that happen currently or in the future are (not) returned.
+   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
+   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.

doc/api/resources/vouchers.rst

@@ -231,6 +231,76 @@ Endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
    :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/vouchers/batch_create/
+
+   Creates multiple new vouchers atomically.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/vouchers/batch_create/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      [
+        {
+          "code": "43K6LKM37FBVR2YG",
+          "max_usages": 1,
+          "valid_until": null,
+          "block_quota": false,
+          "allow_ignore_quota": false,
+          "price_mode": "set",
+          "value": "12.00",
+          "item": 1,
+          "variation": null,
+          "quota": null,
+          "tag": "testvoucher",
+          "comment": "",
+          "subevent": null
+        },
+        {
+          "code": "ASDKLJCYXCASDASD",
+          "max_usages": 1,
+          "valid_until": null,
+          "block_quota": false,
+          "allow_ignore_quota": false,
+          "price_mode": "set",
+          "value": "12.00",
+          "item": 1,
+          "variation": null,
+          "quota": null,
+          "tag": "testvoucher",
+          "comment": "",
+          "subevent": null
+        },
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      [
+        {
+          "id": 1,
+          "code": "43K6LKM37FBVR2YG",
+          …
+        }, …
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a vouchers for
+   :param event: The ``slug`` field of the event to create a vouchers for
+   :statuscode 201: no error
+   :statuscode 400: The vouchers could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
 .. http:patch:: /api/v1/organizers/(organizer)/events/(event)/vouchers/(id)/
 
    Update a voucher. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of

doc/api/resources/webhooks.rst

@@ -0,0 +1,243 @@
+.. _`rest-webhooks`:
+
+Webhooks
+========
+
+.. note:: This page is about how to modify webhook settings themselves through the REST API. If you just want to know
+          how webhooks work, go here: :ref:`webhooks`
+
+Resource description
+--------------------
+
+The webhook resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the webhook
+enabled                               boolean                    If ``False``, this webhook will not receive any notifications
+target_url                            string                     The URL to call
+all_events                            boolean                    If ``True``, this webhook will receive notifications
+                                                                 on all events of this organizer
+limit_events                          list of strings            If ``all_events`` is ``False``, this is a list of
+                                                                 event slugs this webhook is active for
+action_types                          list of strings            A list of action type filters that limit the
+                                                                 notifications sent to this webhook. See below for
+                                                                 valid values
+===================================== ========================== =======================================================
+
+The following values for ``action_types`` are valid with pretix core:
+
+    * ``pretix.event.order.placed``
+    * ``pretix.event.order.paid``
+    * ``pretix.event.order.canceled``
+    * ``pretix.event.order.expired``
+    * ``pretix.event.order.modified``
+    * ``pretix.event.order.contact.changed``
+    * ``pretix.event.order.changed.*``
+    * ``pretix.event.order.refund.created.externally``
+    * ``pretix.event.order.refunded``
+    * ``pretix.event.order.approved``
+    * ``pretix.event.order.denied``
+    * ``pretix.event.checkin``
+    * ``pretix.event.checkin.reverted``
+
+Installed plugins might register more valid values.
+
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/webhooks/
+
+   Returns a list of all webhooks within a given organizer.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/webhooks/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 2,
+            "enabled": true,
+            "target_url": "https://httpstat.us/200",
+            "all_events": false,
+            "limit_events": ["democon"],
+            "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/webhooks/(id)/
+
+   Returns information on one webhook, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/webhooks/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 2,
+        "enabled": true,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param id: The ``id`` field of the webhook to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/webhooks/
+
+   Creates a new webhook
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/webhooks/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "enabled": true,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "enabled": true,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a webhook for
+   :statuscode 201: no error
+   :statuscode 400: The webhook could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/webhooks/(id)/
+
+   Update a webhook. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/webhooks/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "enabled": false
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "enabled": false,
+        "target_url": "https://httpstat.us/200",
+        "all_events": false,
+        "limit_events": ["democon"],
+        "action_types": ["pretix.event.order.modified", "pretix.event.order.changed.*"]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the webhook to modify
+   :statuscode 200: no error
+   :statuscode 400: The webhook could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/webhook/(id)/
+
+   Delete a webhook. Currently, this will not delete but just disable the webhook.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/webhooks/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param id: The ``id`` field of the webhook to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to delete this resource.

doc/api/tokenauth.rst

@@ -0,0 +1,36 @@
+.. _`rest-tokenauth`:
+
+Token-based authentication
+==========================
+
+Obtaining an API token
+----------------------
+
+To authenticate your API requests with Tokens, you need to obtain a team-level API token.
+You can create a token in the pretix web interface on the level of organizer teams. Create
+a new team or choose an existing team that has the level of permissions the token should
+have and create a new token using the form below the list of team members:
+
+.. image:: img/token_form.png
+   :class: screenshot
+
+You can enter a description for the token to distinguish from other tokens later on.
+Once you click "Add", you will be provided with an API token in the success message.
+Copy this token, as you won't be able to retrieve it again.
+
+.. image:: img/token_success.png
+   :class: screenshot
+
+Using an API token
+------------------
+
+You need to include the API token with every request to pretix' API in the ``Authorization`` header
+like the following:
+
+.. sourcecode:: http
+   :emphasize-lines: 3
+
+   GET /api/v1/organizers/ HTTP/1.1
+   Host: pretix.eu
+   Authorization: Token e1l6gq2ye72thbwkacj7jbri7a7tvxe614ojv8ybureain92ocub46t5gab5966k
+

doc/api/webhooks.rst

@@ -0,0 +1,108 @@
+.. _`webhooks`:
+
+Webhooks
+========
+
+pretix can send webhook calls to notify your application of any changes that happen inside pretix. This is especially
+useful for everything triggered by an actual user, such as a new ticket sale or the arrival of a payment.
+
+You can register any number of webhook URLs that pretix will notify any time one of the supported events occurs inside
+your organizer account. A great example use case of webhooks would be to add the buyer to your mailing list every time
+a new order comes in.
+
+Configuring webhooks
+--------------------
+
+You can find the list of your active webhooks in the "Webhook" section of your organizer account:
+
+.. thumbnail:: ../screens/organizer/webhook_list.png
+   :align: center
+   :class: screenshot
+
+Click "Create webhook" if you want to add a new URL. You will then be able to enter the URL pretix shall call for
+notifications. You need to select any number of notification types that you want to receive and you can optionally
+filter the events you want to receive notifications for.
+
+.. thumbnail:: ../screens/organizer/webhook_edit.png
+   :align: center
+   :class: screenshot
+
+You can also configure webhooks :ref:`through the API itself <rest-webhooks>`.
+
+Receiving webhooks
+------------------
+
+Creating a webhook endpoint on your server is no different from creating any other page on your website. If your
+website is written in PHP, you might just create a new ``.php`` file on your server; if you use a web framework like
+Symfony or Django, you would just create a new route with the desired URL.
+
+We will call your URL with a HTTP ``POST`` request with a ``JSON`` body. In PHP, you can parse this like this::
+
+    $input = @file_get_contents('php://input');
+    $event_json = json_decode($input);
+    // Do something with $event_json
+
+In Django, you would create a view like this::
+
+    def my_webhook_view(request):
+      event_json = json.loads(request.body)
+      # Do something with event_json
+      return HttpResponse(status=200)
+
+More samples for the language of your choice are easy to find online.
+
+The exact body of the request varies by notification type, but for the main types included with pretix core, such as
+those related to changes of an order, it will look like this::
+
+    {
+      "notification_id": 123455,
+      "organizer": "acmecorp",
+      "event": "democon",
+      "code": "ABC23",
+      "action": "pretix.event.order.placed"
+    }
+
+Notifications regarding a check-in will contain more details like ``orderposition_id``
+and ``checkin_list``.
+
+.. warning:: You should not trust data supplied to your webhook, but only use it as a trigger to fetch updated data.
+             Anyone could send data there if they guess the correct URL and you won't be able to tell. Therefore, we
+             only include the minimum amount of data necessary for you to fetch the changed objects from our
+             :ref:`rest-api` in an authenticated way.
+
+If you want to further prevent others from accessing your webhook URL, you can also use `Basic authentication`_ and
+supply the URL to us in the format of ``https://username:password@domain.com/path/``.
+We recommend that you use HTTPS for your webhook URL and might require it in the future. If HTTPS is used, we require
+that a valid certificate is in use.
+
+.. note:: If you use a web framework that makes use of automatic CSRF protection, this protection might prevent us
+          from calling your webhook URL. In this case, we recommend that you turn of CSRF protection selectively
+          for that route. In Django, you can do this by putting the ``@csrf_exempt`` decorator on your view. In
+          Rails, you can pass an ``except`` parameter to ``protect_from_forgery``.
+
+
+Responding to a webhook
+-----------------------
+
+If you successfully received a webhook call, your endpoint should return a HTTP status code between ``200`` and ``299``.
+If any other status code is returned, we will assume you did not receive the call. This does mean that any redirection
+or ``304 Not Modified`` response will be treated as a failure. pretix will not follow any ``301`` or ``302`` redirect
+headers and pretix will ignore all other information in your response headers or body.
+
+If we do not receive a status code in the range of ``200`` and ``299``, pretix will retry to deliver for up to three
+days with an exponential back off. Therefore, we recommend that you implement your endpoint in a way where calling it
+multiple times for the same event due to a perceived error does not do any harm.
+
+There is only one exception: If status code ``410 Gone`` is returned, we will assume the
+endpoint does not exist any more and automatically disable the webhook.
+
+.. note:: If you use a self-hosted version of pretix (i.e. not our SaaS offering at pretix.eu) and you did not
+          configure a background task queue, failed webhooks will not be retried.
+
+Debugging webhooks
+------------------
+
+If you want to debug your webhooks, you can view a log of all sent notifications and the responses of your server for
+30 days right next to your configuration.
+
+.. _Basic authentication: https://en.wikipedia.org/wiki/Basic_access_authentication

doc/development/api/general.rst

@@ -12,7 +12,7 @@ Core
 
 .. automodule:: pretix.base.signals
    :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types,
-      item_copy_data
+      item_copy_data, register_sales_channels
 
 Order events
 """"""""""""

doc/development/api/payment.rst

@@ -64,6 +64,8 @@ The provider class
 
    .. autoattribute:: settings_form_fields
 
+   .. automethod:: settings_form_clean
+
    .. automethod:: settings_content_render
 
    .. automethod:: is_allowed
@@ -96,8 +98,6 @@ The provider class
 
    .. automethod:: order_change_allowed
 
-   .. automethod:: order_can_retry
-
    .. automethod:: payment_prepare
 
    .. automethod:: payment_control_render

doc/plugins/ticketoutputpdf.rst

@@ -20,6 +20,7 @@ default                               boolean                    ``true`` if thi
 layout                                object                     Layout specification for libpretixprint
 background                            URL                        Background PDF file
 item_assignments                      list of objects            Products this layout is assigned to
+├ sales_channel                       string                     Sales channel (defaults to ``web``).
 └ item                                integer                    Item ID
 ===================================== ========================== =======================================================
 
@@ -27,6 +28,10 @@ item_assignments                      list of objects            Products this l
 
    This resource has been added.
 
+.. versionchanged:: 2.3
+
+   The ``item_assignments.sales_channel`` field has been added.
+
 
 Endpoints
 ---------

doc/spelling_wordlist.txt

@@ -1,5 +1,6 @@
 addon
 addons
+Analytics
 anonymize
 api
 auditability
@@ -23,6 +24,7 @@ cronjob
 cryptographic
 debian
 deduplication
+deprovision
 discoverable
 django
 dockerfile
@@ -64,6 +66,7 @@ ons
 optimizations
 overpayment
 param
+passphrase
 percental
 positionid
 pre
@@ -88,6 +91,7 @@ regex
 renderer
 renderers
 reportlab
+SaaS
 screenshot
 selectable
 serializers
@@ -104,6 +108,7 @@ subevent
 subevents
 submodule
 subpath
+Symfony
 systemd
 testutils
 timestamp

doc/user/events/widget.rst

@@ -149,8 +149,101 @@ Just as the widget, the button supports the optional attributes ``voucher`` and
 
 You can style the button using the ``pretix-button`` CSS class.
 
-.. versionchanged:: 1.13
+Dynamically loading the widget
+------------------------------
 
-   The pretix Button has been added in version 1.13.
+If you need to control the way or timing the widget loads, for example because you want to modify user data (see
+below) dynamically via JavaScript, you can register a listener that we will call before creating the widget::
+
+    <script type="text/javascript">
+    window.pretixWidgetCallback = function () {
+        // Will be run before we create the widget.
+    }
+    </script>
+
+If you want, you can suppress us loading the widget and/or modify the user data passed to the widget::
+
+    <script type="text/javascript">
+    window.pretixWidgetCallback = function () {
+        window.PretixWidget.build_widgets = false;
+        window.PretixWidget.widget_data["email"] = "test@example.org";
+    }
+    </script>
+
+If you then later want to trigger loading the widgets, just call ``window.PretixWidget.buildWidgets()``.
+
+
+Passing user data to the widget
+-------------------------------
+
+If you display the widget in a restricted area of your website and you want to pre-fill fields in the checkout process
+with known user data to save your users some typing and increase conversions, you can pass additional data attributes
+with that information::
+
+    <pretix-widget event="https://pretix.eu/demo/democon/"
+        data-attendee-name-given-name="John"
+        data-attendee-name-family-name="Doe"
+        data-invoice-address-name-given-name="John"
+        data-invoice-address-name-family-name="Doe"
+        data-email="test@example.org"
+        data-question-L9G8NG9M="Foobar">
+    </pretix-widget>
+
+This works for the pretix Button as well. Currently, the following attributes are understood by pretix itself:
+
+* ``data-email`` will pre-fill the order email field as well as the attendee email field (if enabled).
+
+* ``data-question-IDENTIFIER`` will pre-fill the answer for the question with the given identifier. You can view and set
+  identifiers in the *Questions* section of the backend.
+
+* Depending on the person name scheme configured in your event settings, you can pass one or more of
+  ``data-attendee-name-full-name``, ``data-attendee-name-given-name``, ``data-attendee-name-family-name``,
+  ``data-attendee-name-middle-name``, ``data-attendee-name-title``, ``data-attendee-name-calling-name``,
+  ``data-attendee-name-latin-transcription``. If you don't know or don't care, you can also just pass a string as
+  ``data-attendee-name``, which will pre-fill the last part of the name, whatever that is.
+
+* ``data-invoice-address-FIELD`` will  pre-fill the corresponding field of the invoice address. Possible values for
+  ``FIELD`` are ``company``, ``street``, ``zipcode``, ``city`` and ``country``, as well as fields specified by the
+  naming scheme such as ``name-title`` or ``name-given-name`` (see above). ``country`` expects a two-character
+  country code.
+
+Any configured pretix plugins might understand more data fields. For example, if the appropriate plugins on pretix
+Hosted or pretix Enterprise are active, you can pass the following fields:
+
+* If you use the campaigns plugin, you can pass a campaign ID as a value to ``data-campaign``. This way, all orders
+  made through this widget will be counted towards this campaign.
+
+* If you use the tracking plugin, you can pass a Google Analytics User ID to enable cross-domain tracking. This will
+  require you to dynamically load the widget, like this::
+
+    <script>
+        (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+        })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+
+        ga('create', 'UA-XXXXXX-1', 'auto');
+        ga('send', 'pageview');
+
+        window.pretixWidgetCallback = function () {
+            window.PretixWidget.build_widgets = false;
+            window.addEventListener('load', function() { // Wait for GA to be loaded
+                if(window.ga && ga.create) {
+                    ga(function(tracker) {
+                        window.PretixWidget.widget_data["tracking-ga-id"] = tracker.get('clientId');
+                        window.PretixWidget.buildWidgets()
+                    });
+                } else { // Tracking is probably blocked
+                       window.PretixWidget.buildWidgets()
+                }
+            });
+        };
+    </script>
+
+
+.. versionchanged:: 2.3
+
+   Data passing options have been added in pretix 2.3. If you use a self-hosted version of pretix, they only work
+   fully if you configured a redis server.
 
 .. _Let's Encrypt: https://letsencrypt.org/

src/.coveragerc

@@ -1,12 +0,0 @@
-[run]
-source = pretix
-omit = */migrations/*,*/urls.py,*/tests/*,*/testdummy/*,*/admin.py,pretix/wsgi.py,pretix/settings.py
-
-[report]
-exclude_lines =
-	pragma: no cover
-	def __str__
-	der __repr__
-	if settings.DEBUG
-	NOQA
-	NotImplementedError

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "2.1.0.dev0"
+__version__ = "2.3.0"

src/pretix/api/__init__.py

@@ -5,5 +5,8 @@ class PretixApiConfig(AppConfig):
     name = 'pretix.api'
     label = 'pretixapi'
 
+    def ready(self):
+        from . import signals, webhooks  # noqa
+
 
 default_app_config = 'pretix.api.PretixApiConfig'

src/pretix/api/auth/device.py

@@ -0,0 +1,25 @@
+from django.contrib.auth.models import AnonymousUser
+from rest_framework import exceptions
+from rest_framework.authentication import TokenAuthentication
+
+from pretix.base.models import Device
+
+
+class DeviceTokenAuthentication(TokenAuthentication):
+    model = Device
+    keyword = 'Device'
+
+    def authenticate_credentials(self, key):
+        model = self.get_model()
+        try:
+            device = model.objects.select_related('organizer').get(api_token=key)
+        except model.DoesNotExist:
+            raise exceptions.AuthenticationFailed('Invalid token.')
+
+        if not device.initialized:
+            raise exceptions.AuthenticationFailed('Device has not been initialized.')
+
+        if not device.api_token:
+            raise exceptions.AuthenticationFailed('Device access has been revoked.')
+
+        return AnonymousUser(), device

src/pretix/api/auth/permission.py

@@ -1,7 +1,7 @@
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.api.models import OAuthAccessToken
-from pretix.base.models import Event
+from pretix.base.models import Device, Event
 from pretix.base.models.organizer import Organizer, TeamAPIToken
 from pretix.helpers.security import (
     SessionInvalid, SessionReauthRequired, assert_session_valid,
@@ -9,10 +9,9 @@ from pretix.helpers.security import (
 
 
 class EventPermission(BasePermission):
-    model = TeamAPIToken
 
     def has_permission(self, request, view):
-        if not request.user.is_authenticated and not isinstance(request.auth, TeamAPIToken):
+        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
             return False
 
         if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
@@ -31,7 +30,7 @@ class EventPermission(BasePermission):
             except SessionReauthRequired:
                 return False
 
-        perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
+        perm_holder = (request.auth if isinstance(request.auth, (Device, TeamAPIToken))
                        else request.user)
         if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
             request.event = Event.objects.filter(
@@ -76,7 +75,7 @@ class EventCRUDPermission(EventPermission):
             return False
         elif view.action == 'destroy' and 'can_change_event_settings' not in request.eventpermset:
             return False
-        elif view.action in ['retrieve', 'update', 'partial_update'] \
+        elif view.action in ['update', 'partial_update'] \
                 and 'can_change_event_settings' not in request.eventpermset:
             return False
 

src/pretix/api/exception.py

@@ -10,7 +10,10 @@ def custom_exception_handler(exc, context):
     if isinstance(exc, LockTimeoutException):
         response = Response(
             {'detail': 'The server was too busy to process your request. Please try again.'},
-            status=status.HTTP_409_CONFLICT
+            status=status.HTTP_409_CONFLICT,
+            headers={
+                'Retry-After': 5
+            }
         )
 
     return response

src/pretix/api/migrations/0003_webhook_webhookcall_webhookeventlistener.py

@@ -0,0 +1,79 @@
+# Generated by Django 2.1.1 on 2018-11-07 10:46
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0102_auto_20181017_0024'),
+        ('pretixapi', '0002_auto_20180604_1120'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='WebHook',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('enabled', models.BooleanField(default=True, verbose_name='Enable webhook')),
+                ('target_url', models.URLField(verbose_name='Target URL')),
+                ('all_events', models.BooleanField(default=False, verbose_name='All events (including newly created ones)')),
+                ('limit_events', models.ManyToManyField(blank=True, to='pretixbase.Event', verbose_name='Limit to events')),
+                ('organizer', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pretixbase.Organizer')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='WebHookCall',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('datetime', models.DateTimeField(auto_now_add=True)),
+                ('target_url', models.URLField()),
+                ('is_retry', models.BooleanField(default=False)),
+                ('execution_time', models.FloatField(null=True)),
+                ('return_code', models.PositiveIntegerField(default=0)),
+                ('payload', models.TextField()),
+                ('response_body', models.TextField()),
+                ('webhook', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pretixapi.WebHook')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='WebHookEventListener',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('action_type', models.CharField(max_length=255)),
+                ('webhook', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='pretixapi.WebHook')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='webhookcall',
+            name='success',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name='webhook',
+            name='all_events',
+            field=models.BooleanField(default=True, verbose_name='All events (including newly created ones)'),
+        ),
+        migrations.AlterField(
+            model_name='webhook',
+            name='organizer',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='webhooks', to='pretixbase.Organizer'),
+        ),
+        migrations.AlterField(
+            model_name='webhookcall',
+            name='webhook',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='calls', to='pretixapi.WebHook'),
+        ),
+        migrations.AlterField(
+            model_name='webhookeventlistener',
+            name='webhook',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='listeners', to='pretixapi.WebHook'),
+        ),
+        migrations.AddField(
+            model_name='webhookcall',
+            name='action_type',
+            field=models.CharField(default='', max_length=255),
+            preserve_default=False,
+        ),
+    ]

src/pretix/api/models.py

@@ -68,3 +68,41 @@ class OAuthRefreshToken(AbstractRefreshToken):
         OAuthAccessToken, on_delete=models.SET_NULL, blank=True, null=True,
         related_name="refresh_token"
     )
+
+
+class WebHook(models.Model):
+    organizer = models.ForeignKey('pretixbase.Organizer', on_delete=models.CASCADE, related_name='webhooks')
+    enabled = models.BooleanField(default=True, verbose_name=_("Enable webhook"))
+    target_url = models.URLField(verbose_name=_("Target URL"))
+    all_events = models.BooleanField(default=True, verbose_name=_("All events (including newly created ones)"))
+    limit_events = models.ManyToManyField('pretixbase.Event', verbose_name=_("Limit to events"), blank=True)
+
+    @property
+    def action_types(self):
+        return [
+            l.action_type for l in self.listeners.all()
+        ]
+
+
+class WebHookEventListener(models.Model):
+    webhook = models.ForeignKey('WebHook', on_delete=models.CASCADE, related_name='listeners')
+    action_type = models.CharField(max_length=255)
+
+    class Meta:
+        ordering = ("action_type",)
+
+
+class WebHookCall(models.Model):
+    webhook = models.ForeignKey('WebHook', on_delete=models.CASCADE, related_name='calls')
+    datetime = models.DateTimeField(auto_now_add=True)
+    target_url = models.URLField()
+    action_type = models.CharField(max_length=255)
+    is_retry = models.BooleanField(default=False)
+    execution_time = models.FloatField(null=True)
+    return_code = models.PositiveIntegerField(default=0)
+    success = models.BooleanField(default=False)
+    payload = models.TextField()
+    response_body = models.TextField()
+
+    class Meta:
+        ordering = ("-datetime",)

src/pretix/api/serializers/cart.py

@@ -19,18 +19,19 @@ class CartPositionSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = CartPosition
-        fields = ('id', 'cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
-                  'voucher', 'addon_to', 'subevent', 'datetime', 'expires', 'includes_tax',
+        fields = ('id', 'cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'attendee_email', 'voucher', 'addon_to', 'subevent', 'datetime', 'expires', 'includes_tax',
                   'answers',)
 
 
 class CartPositionCreateSerializer(I18nAwareModelSerializer):
     answers = AnswerCreateSerializer(many=True, required=False)
     expires = serializers.DateTimeField(required=False)
+    attendee_name = serializers.CharField(required=False, allow_null=True)
 
     class Meta:
         model = CartPosition
-        fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
+        fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
                   'subevent', 'expires', 'includes_tax', 'answers',)
 
     def create(self, validated_data):
@@ -65,6 +66,11 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                             quota.name
                         )
                     )
+            attendee_name = validated_data.pop('attendee_name', '')
+            if attendee_name and not validated_data.get('attendee_name_parts'):
+                validated_data['attendee_name_parts'] = {
+                    '_legacy': attendee_name
+                }
             cp = CartPosition.objects.create(event=self.context['event'], **validated_data)
 
         for answ_data in answers_data:
@@ -118,4 +124,8 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                 raise ValidationError(
                     'You cannot specify a variation for this item.'
                 )
+        if data.get('attendee_name') and data.get('attendee_name_parts'):
+            raise ValidationError(
+                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
+            )
         return data

src/pretix/api/serializers/event.py

@@ -4,6 +4,7 @@ from django.utils.functional import cached_property
 from django.utils.translation import ugettext as _
 from django_countries.serializers import CountryFieldMixin
 from rest_framework.fields import Field
+from rest_framework.relations import SlugRelatedField
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import Event, TaxRule
@@ -190,12 +191,13 @@ class SubEventItemVariationSerializer(I18nAwareModelSerializer):
 class SubEventSerializer(I18nAwareModelSerializer):
     item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True)
     variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True)
+    event = SlugRelatedField(slug_field='slug', read_only=True)
     meta_data = MetaDataField(source='*')
 
     class Meta:
         model = SubEvent
         fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
-                  'presale_start', 'presale_end', 'location',
+                  'presale_start', 'presale_end', 'location', 'event',
                   'item_price_overrides', 'variation_price_overrides', 'meta_data')
 
 

src/pretix/api/serializers/i18n.py

@@ -15,13 +15,20 @@ class I18nField(Field):
         super().__init__(**kwargs)
 
     def to_representation(self, value):
-        if value is None or value.data is None:
+        if hasattr(value, 'data'):
+            if isinstance(value.data, dict):
+                return value.data
+            elif value.data is None:
+                return None
+            else:
+                return {
+                    settings.LANGUAGE_CODE: str(value.data)
+                }
+        elif value is None:
             return None
-        if isinstance(value.data, dict):
-            return value.data
         else:
             return {
-                settings.LANGUAGE_CODE: str(value.data)
+                settings.LANGUAGE_CODE: str(value)
             }
 
     def to_internal_value(self, data):

src/pretix/api/serializers/item.py

@@ -74,7 +74,7 @@ class ItemSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = Item
-        fields = ('id', 'category', 'name', 'internal_name', 'active', 'description',
+        fields = ('id', 'category', 'name', 'internal_name', 'active', 'sales_channels', 'description',
                   'default_price', 'free_price', 'tax_rate', 'tax_rule', 'admission',
                   'position', 'picture', 'available_from', 'available_until',
                   'require_voucher', 'hide_without_voucher', 'allow_cancel',

src/pretix/api/serializers/order.py

@@ -11,6 +11,7 @@ from rest_framework.relations import SlugRelatedField
 from rest_framework.reverse import reverse
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.base.channels import get_all_sales_channels
 from pretix.base.models import (
     Checkin, Invoice, InvoiceAddress, InvoiceLine, Order, OrderPosition,
     Question, QuestionAnswer,
@@ -35,11 +36,12 @@ class CompatibleCountryField(serializers.Field):
 
 class InvoiceAddressSerializer(I18nAwareModelSerializer):
     country = CompatibleCountryField(source='*')
+    name = serializers.CharField(required=False)
 
     class Meta:
         model = InvoiceAddress
-        fields = ('last_modified', 'is_business', 'company', 'name', 'street', 'zipcode', 'city', 'country', 'vat_id',
-                  'vat_id_validated', 'internal_reference')
+        fields = ('last_modified', 'is_business', 'company', 'name', 'name_parts', 'street', 'zipcode', 'city', 'country',
+                  'vat_id', 'vat_id_validated', 'internal_reference')
         read_only_fields = ('last_modified', 'vat_id_validated')
 
     def __init__(self, *args, **kwargs):
@@ -48,6 +50,15 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
             v.required = False
             v.allow_blank = True
 
+    def validate(self, data):
+        if data.get('name') and data.get('name_parts'):
+            raise ValidationError(
+                {'name': ['Do not specify name if you specified name_parts.']}
+            )
+        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
+            data['name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
+        return data
+
 
 class AnswerQuestionIdentifierField(serializers.Field):
     def to_representation(self, instance: QuestionAnswer):
@@ -77,7 +88,8 @@ class CheckinSerializer(I18nAwareModelSerializer):
 class OrderDownloadsField(serializers.Field):
     def to_representation(self, instance: Order):
         if instance.status != Order.STATUS_PAID:
-            return []
+            if instance.status != Order.STATUS_PENDING or instance.require_approval or not instance.event.settings.ticket_download_pending:
+                return []
 
         request = self.context['request']
         res = []
@@ -100,7 +112,8 @@ class OrderDownloadsField(serializers.Field):
 class PositionDownloadsField(serializers.Field):
     def to_representation(self, instance: OrderPosition):
         if instance.order.status != Order.STATUS_PAID:
-            return []
+            if instance.order.status != Order.STATUS_PENDING or instance.order.require_approval or not instance.order.event.settings.ticket_download_pending:
+                return []
         if instance.addon_to_id and not instance.order.event.settings.ticket_download_addons:
             return []
         if not instance.item.admission and not instance.order.event.settings.ticket_download_nonadm:
@@ -129,12 +142,19 @@ class PdfDataSerializer(serializers.Field):
         res = {}
 
         ev = instance.subevent or instance.order.event
+        # This needs to have some extra performance improvements to avoid creating hundreds of queries when
+        # we serialize a list.
 
-        pdfvars = get_variables(instance.order.event)
-        for k, f in pdfvars.items():
+        if 'vars' not in self.context:
+            self.context['vars'] = get_variables(self.context['request'].event)
+
+        for k, f in self.context['vars'].items():
             res[k] = f['evaluate'](instance, instance.order, ev)
 
-        for k, v in ev.meta_data.items():
+        if not hasattr(ev, '_cached_meta_data'):
+            ev._cached_meta_data = ev.meta_data
+
+        for k, v in ev._cached_meta_data.items():
             res['meta:' + k] = v
 
         return res
@@ -149,9 +169,9 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = OrderPosition
-        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
-                  'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins', 'downloads',
-                  'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data')
+        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
+                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data')
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -213,7 +233,7 @@ class OrderSerializer(I18nAwareModelSerializer):
         model = Order
         fields = ('code', 'status', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
                   'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
-                  'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval')
+                  'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel')
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -296,10 +316,11 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
     answers = AnswerCreateSerializer(many=True, required=False)
     addon_to = serializers.IntegerField(required=False, allow_null=True)
     secret = serializers.CharField(required=False)
+    attendee_name = serializers.CharField(required=False, allow_null=True)
 
     class Meta:
         model = OrderPosition
-        fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
+        fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
                   'secret', 'addon_to', 'subevent', 'answers')
 
     def validate_secret(self, secret):
@@ -350,6 +371,12 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
                 raise ValidationError(
                     {'variation': ['You cannot specify a variation for this item.']}
                 )
+        if data.get('attendee_name') and data.get('attendee_name_parts'):
+            raise ValidationError(
+                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
+            )
+        if data.get('attendee_name_parts') and '_scheme' not in data.get('attendee_name_parts'):
+            data['attendee_name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
         return data
 
 
@@ -386,7 +413,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = Order
-        fields = ('code', 'status', 'email', 'locale', 'payment_provider', 'fees', 'comment',
+        fields = ('code', 'status', 'email', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
                   'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'consume_carts')
 
     def validate_payment_provider(self, pp):
@@ -394,6 +421,11 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
             raise ValidationError('The given payment provider is not known.')
         return pp
 
+    def validate_sales_channel(self, channel):
+        if channel not in get_all_sales_channels():
+            raise ValidationError('Unknown sales channel.')
+        return channel
+
     def validate_code(self, code):
         if code and Order.objects.filter(event__organizer=self.context['event'].organizer, code=code).exists():
             raise ValidationError(
@@ -455,7 +487,13 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
         payment_info = validated_data.pop('payment_info', '{}')
 
         if 'invoice_address' in validated_data:
-            ia = InvoiceAddress(**validated_data.pop('invoice_address'))
+            iadata = validated_data.pop('invoice_address')
+            name = iadata.pop('name', '')
+            if name and not iadata.get('name_parts'):
+                iadata['name_parts'] = {
+                    '_legacy': name
+                }
+            ia = InvoiceAddress(**iadata)
         else:
             ia = None
 
@@ -507,6 +545,8 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
             if any(errs):
                 raise ValidationError({'positions': errs})
 
+            if validated_data.get('locale', None) is None:
+                validated_data['locale'] = self.context['event'].settings.locale
             order = Order(event=self.context['event'], **validated_data)
             order.set_expires(subevents=[p.get('subevent') for p in positions_data])
             order.total = sum([p['price'] for p in positions_data]) + sum([f['value'] for f in fees_data], Decimal('0.00'))
@@ -544,6 +584,11 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
             for pos_data in positions_data:
                 answers_data = pos_data.pop('answers', [])
                 addon_to = pos_data.pop('addon_to', None)
+                attendee_name = pos_data.pop('attendee_name', '')
+                if attendee_name and not pos_data.get('attendee_name_parts'):
+                    pos_data['attendee_name_parts'] = {
+                        '_legacy': attendee_name
+                    }
                 pos = OrderPosition(**pos_data)
                 pos.order = order
                 pos._calculate_tax()

src/pretix/api/serializers/voucher.py

@@ -1,7 +1,27 @@
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import Voucher
 
 
+class VoucherListSerializer(serializers.ListSerializer):
+    def create(self, validated_data):
+        codes = set()
+        errs = []
+        err = False
+        for voucher_data in validated_data:
+            if voucher_data['code'] in codes:
+                err = True
+                errs.append({'code': ['Duplicate voucher code in request.']})
+            else:
+                codes.add(voucher_data['code'])
+                errs.append({})
+        if err:
+            raise ValidationError(errs)
+        return super().create(validated_data)
+
+
 class VoucherSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Voucher
@@ -9,6 +29,7 @@ class VoucherSerializer(I18nAwareModelSerializer):
                   'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
                   'tag', 'comment', 'subevent')
         read_only_fields = ('id', 'redeemed')
+        list_serializer_class = VoucherListSerializer
 
     def validate(self, data):
         data = super().validate(data)

src/pretix/api/serializers/webhooks.py

@@ -0,0 +1,71 @@
+from django.core.exceptions import ValidationError
+from rest_framework import serializers
+
+from pretix.api.models import WebHook
+from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.api.webhooks import get_all_webhook_events
+from pretix.base.models import Event
+
+
+class EventRelatedField(serializers.SlugRelatedField):
+    def get_queryset(self):
+        return self.context['organizer'].events.all()
+
+
+class ActionTypesField(serializers.Field):
+    def to_representation(self, instance: WebHook):
+        return instance.action_types
+
+    def to_internal_value(self, data):
+        types = get_all_webhook_events()
+        for d in data:
+            if d not in types:
+                raise ValidationError('Invalid action type "%s".' % d)
+        return {'action_types': data}
+
+
+class WebHookSerializer(I18nAwareModelSerializer):
+    limit_events = EventRelatedField(
+        slug_field='slug',
+        queryset=Event.objects.none(),
+        many=True
+    )
+    action_types = ActionTypesField(source='*')
+
+    class Meta:
+        model = WebHook
+        fields = ('id', 'enabled', 'target_url', 'all_events', 'limit_events', 'action_types')
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        for event in full_data.get('limit_events'):
+            if self.context['organizer'] != event.organizer:
+                raise ValidationError('One or more events do not belong to this organizer.')
+
+        if full_data.get('limit_events') and full_data.get('all_events'):
+            raise ValidationError('You can set either limit_events or all_events.')
+
+        return data
+
+    def create(self, validated_data):
+        action_types = validated_data.pop('action_types')
+        inst = super().create(validated_data)
+        for l in action_types:
+            inst.listeners.create(action_type=l)
+        return inst
+
+    def update(self, instance, validated_data):
+        action_types = validated_data.pop('action_types', None)
+        instance = super().update(instance, validated_data)
+        if action_types is not None:
+            current_listeners = set(instance.listeners.values_list('action_type', flat=True))
+            new_listeners = set(action_types)
+            for l in current_listeners - new_listeners:
+                instance.listeners.filter(action_type=l).delete()
+            for l in new_listeners - current_listeners:
+                instance.listeners.create(action_type=l)
+        return instance

src/pretix/api/signals.py

@@ -0,0 +1,21 @@
+from datetime import timedelta
+
+from django.dispatch import Signal, receiver
+from django.utils.timezone import now
+
+from pretix.api.models import WebHookCall
+from pretix.base.signals import periodic_task
+
+register_webhook_events = Signal(
+    providing_args=[]
+)
+"""
+This signal is sent out to get all known webhook events. Receivers should return an
+instance of a subclass of pretix.api.webhooks.WebhookEvent or a list of such
+instances.
+"""
+
+
+@receiver(periodic_task)
+def cleanup_webhook_logs(sender, **kwargs):
+    WebHookCall.objects.filter(datetime__lte=now() - timedelta(days=30)).delete()

src/pretix/api/urls.py

@@ -7,7 +7,8 @@ from rest_framework import routers
 from pretix.api.views import cart
 
 from .views import (
-    checkin, event, item, oauth, order, organizer, voucher, waitinglist,
+    checkin, device, event, item, oauth, order, organizer, user, voucher,
+    waitinglist, webhooks,
 )
 
 router = routers.DefaultRouter()
@@ -15,6 +16,8 @@ router.register(r'organizers', organizer.OrganizerViewSet)
 
 orga_router = routers.DefaultRouter()
 orga_router.register(r'events', event.EventViewSet)
+orga_router.register(r'subevents', event.SubEventViewSet)
+orga_router.register(r'webhooks', webhooks.WebHookViewSet)
 
 event_router = routers.DefaultRouter()
 event_router.register(r'subevents', event.SubEventViewSet)
@@ -65,4 +68,9 @@ urlpatterns = [
     url(r"^oauth/authorize$", oauth.AuthorizationView.as_view(), name="authorize"),
     url(r"^oauth/token$", oauth.TokenView.as_view(), name="token"),
     url(r"^oauth/revoke_token$", oauth.RevokeTokenView.as_view(), name="revoke-token"),
+    url(r"^device/initialize$", device.InitializeView.as_view(), name="device.initialize"),
+    url(r"^device/update$", device.UpdateView.as_view(), name="device.update"),
+    url(r"^device/roll$", device.RollKeyView.as_view(), name="device.roll"),
+    url(r"^device/revoke$", device.RevokeKeyView.as_view(), name="device.revoke"),
+    url(r"^me$", user.MeView.as_view(), name="user.me"),
 ]

src/pretix/api/views/__init__.py

@@ -37,6 +37,9 @@ class ConditionalListView:
         if_unmodified_since = request.META.get('HTTP_IF_UNMODIFIED_SINCE')
         if if_unmodified_since:
             if_unmodified_since = parse_http_date_safe(if_unmodified_since)
+        if not hasattr(request, 'event'):
+            return super().list(request, **kwargs)
+
         lmd = request.event.logentry_set.filter(
             content_type__model=self.queryset.model._meta.model_name,
             content_type__app_label=self.queryset.model._meta.app_label,

src/pretix/api/views/checkin.py

@@ -154,7 +154,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
     serializer_class = OrderPositionSerializer
     queryset = OrderPosition.objects.none()
     filter_backends = (DjangoFilterBackend, RichOrderingFilter)
-    ordering = ('attendee_name', 'positionid')
+    ordering = ('attendee_name_cached', 'positionid')
     ordering_fields = (
         'order__code', 'order__datetime', 'positionid', 'attendee_name',
         'last_checked_in', 'order__email',
@@ -162,11 +162,11 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_custom = {
         'attendee_name': {
             '_order': F('display_name').asc(nulls_first=True),
-            'display_name': Coalesce('attendee_name', 'addon_to__attendee_name')
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
         },
         '-attendee_name': {
             '_order': F('display_name').desc(nulls_last=True),
-            'display_name': Coalesce('attendee_name', 'addon_to__attendee_name')
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
         },
         'last_checked_in': {
             '_order': FixedOrderBy(F('last_checked_in'), nulls_first=True),
@@ -244,7 +244,9 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                 ignore_unpaid=ignore_unpaid,
                 nonce=nonce,
                 datetime=dt,
-                questions_supported=self.request.data.get('questions_supported', True)
+                questions_supported=self.request.data.get('questions_supported', True),
+                user=self.request.user,
+                auth=self.request.auth,
             )
         except RequiredQuestionsError as e:
             return Response({

src/pretix/api/views/device.py

@@ -0,0 +1,113 @@
+import logging
+
+from django.utils.timezone import now
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from pretix.api.auth.device import DeviceTokenAuthentication
+from pretix.base.models import Device
+from pretix.base.models.devices import generate_api_token
+
+logger = logging.getLogger(__name__)
+
+
+class InitializationRequestSerializer(serializers.Serializer):
+    token = serializers.CharField(max_length=190)
+    hardware_brand = serializers.CharField(max_length=190)
+    hardware_model = serializers.CharField(max_length=190)
+    software_brand = serializers.CharField(max_length=190)
+    software_version = serializers.CharField(max_length=190)
+
+
+class UpdateRequestSerializer(serializers.Serializer):
+    hardware_brand = serializers.CharField(max_length=190)
+    hardware_model = serializers.CharField(max_length=190)
+    software_brand = serializers.CharField(max_length=190)
+    software_version = serializers.CharField(max_length=190)
+
+
+class DeviceSerializer(serializers.ModelSerializer):
+    organizer = serializers.SlugRelatedField(slug_field='slug', read_only=True)
+
+    class Meta:
+        model = Device
+        fields = [
+            'organizer', 'device_id', 'unique_serial', 'api_token',
+            'name'
+        ]
+
+
+class InitializeView(APIView):
+    authentication_classes = tuple()
+    permission_classes = tuple()
+
+    def post(self, request, format=None):
+        serializer = InitializationRequestSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
+        try:
+            device = Device.objects.get(initialization_token=serializer.validated_data.get('token'))
+        except Device.DoesNotExist:
+            raise ValidationError({'token': ['Unknown initialization token.']})
+
+        if device.initialized:
+            raise ValidationError({'token': ['This initialization token has already been used.']})
+
+        device.initialized = now()
+        device.hardware_brand = serializer.validated_data.get('hardware_brand')
+        device.hardware_model = serializer.validated_data.get('hardware_model')
+        device.software_brand = serializer.validated_data.get('software_brand')
+        device.software_version = serializer.validated_data.get('software_version')
+        device.api_token = generate_api_token()
+        device.save()
+
+        device.log_action('pretix.device.initialized', data=serializer.validated_data, auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)
+
+
+class UpdateView(APIView):
+    authentication_classes = (DeviceTokenAuthentication,)
+
+    def post(self, request, format=None):
+        serializer = UpdateRequestSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        device = request.auth
+        device.hardware_brand = serializer.validated_data.get('hardware_brand')
+        device.hardware_model = serializer.validated_data.get('hardware_model')
+        device.software_brand = serializer.validated_data.get('software_brand')
+        device.software_version = serializer.validated_data.get('software_version')
+        device.save()
+        device.log_action('pretix.device.updated', data=serializer.validated_data, auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)
+
+
+class RollKeyView(APIView):
+    authentication_classes = (DeviceTokenAuthentication,)
+
+    def post(self, request, format=None):
+        device = request.auth
+        device.api_token = generate_api_token()
+        device.save()
+        device.log_action('pretix.device.keyroll', auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)
+
+
+class RevokeKeyView(APIView):
+    authentication_classes = (DeviceTokenAuthentication,)
+
+    def post(self, request, format=None):
+        device = request.auth
+        device.api_token = None
+        device.save()
+        device.log_action('pretix.device.revoked', auth=device)
+
+        serializer = DeviceSerializer(device)
+        return Response(serializer.data)

src/pretix/api/views/event.py

@@ -1,5 +1,7 @@
+import django_filters
 from django.db import transaction
-from django.db.models import ProtectedError
+from django.db.models import ProtectedError, Q
+from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import filters, viewsets
 from rest_framework.exceptions import PermissionDenied
@@ -10,20 +12,79 @@ from pretix.api.serializers.event import (
     TaxRuleSerializer,
 )
 from pretix.api.views import ConditionalListView
-from pretix.base.models import Event, ItemCategory, TaxRule
+from pretix.base.models import (
+    Device, Event, ItemCategory, TaxRule, TeamAPIToken,
+)
 from pretix.base.models.event import SubEvent
 from pretix.helpers.dicts import merge_dicts
 
 
+class EventFilter(FilterSet):
+    is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
+    is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
+    ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
+
+    class Meta:
+        model = Event
+        fields = ['is_public', 'live', 'has_subevents']
+
+    def ends_after_qs(self, queryset, name, value):
+        expr = (
+            Q(has_subevents=False) &
+            Q(
+                Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
+                | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
+            )
+        )
+        return queryset.filter(expr)
+
+    def is_past_qs(self, queryset, name, value):
+        expr = (
+            Q(has_subevents=False) &
+            Q(
+                Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
+                | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
+            )
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
+
+    def is_future_qs(self, queryset, name, value):
+        expr = (
+            Q(has_subevents=False) &
+            Q(
+                Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
+                | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
+            )
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
+
+
 class EventViewSet(viewsets.ModelViewSet):
     serializer_class = EventSerializer
     queryset = Event.objects.none()
     lookup_field = 'slug'
     lookup_url_kwarg = 'event'
     permission_classes = (EventCRUDPermission,)
+    filter_backends = (DjangoFilterBackend, filters.OrderingFilter)
+    filterset_class = EventFilter
 
     def get_queryset(self):
-        return self.request.organizer.events.prefetch_related('meta_values', 'meta_values__property')
+        if isinstance(self.request.auth, (TeamAPIToken, Device)):
+            qs = self.request.auth.get_events_with_any_permission()
+        elif self.request.user.is_authenticated:
+            qs = self.request.user.get_events_with_any_permission(self.request).filter(
+                organizer=self.request.organizer
+            )
+
+        return qs.prefetch_related(
+            'meta_values', 'meta_values__property'
+        )
 
     def perform_update(self, serializer):
         current_live_value = serializer.instance.live
@@ -120,9 +181,40 @@ class CloneEventViewSet(viewsets.ModelViewSet):
 
 
 class SubEventFilter(FilterSet):
+    is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
+    is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
+    ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
+
     class Meta:
         model = SubEvent
-        fields = ['active']
+        fields = ['active', 'event__live']
+
+    def ends_after_qs(self, queryset, name, value):
+        expr = Q(
+            Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
+            | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
+        )
+        return queryset.filter(expr)
+
+    def is_past_qs(self, queryset, name, value):
+        expr = Q(
+            Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
+            | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
+
+    def is_future_qs(self, queryset, name, value):
+        expr = Q(
+            Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
+            | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
+        )
+        if value:
+            return queryset.filter(expr)
+        else:
+            return queryset.exclude(expr)
 
 
 class SubEventViewSet(ConditionalListView, viewsets.ReadOnlyModelViewSet):
@@ -132,7 +224,19 @@ class SubEventViewSet(ConditionalListView, viewsets.ReadOnlyModelViewSet):
     filterset_class = SubEventFilter
 
     def get_queryset(self):
-        return self.request.event.subevents.prefetch_related(
+        if getattr(self.request, 'event', None):
+            qs = self.request.event.subevents
+        elif isinstance(self.request.auth, (TeamAPIToken, Device)):
+            qs = SubEvent.objects.filter(
+                event__organizer=self.request.organizer,
+                event__in=self.request.auth.get_events_with_any_permission()
+            )
+        elif self.request.user.is_authenticated:
+            qs = SubEvent.objects.filter(
+                event__organizer=self.request.organizer,
+                event__in=self.request.user.get_events_with_any_permission()
+            )
+        return qs.prefetch_related(
             'subeventitem_set', 'subeventitemvariation_set'
         )
 

src/pretix/api/views/item.py

@@ -42,7 +42,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     filterset_class = ItemFilter
-    permission = 'can_change_items'
+    permission = None
     write_permission = 'can_change_items'
 
     def get_queryset(self):
@@ -83,6 +83,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
             user=self.request.user,
             auth=self.request.auth,
         )
+        self.get_object().cartposition_set.all().delete()
         super().perform_destroy(instance)
 
 
@@ -92,7 +93,7 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
     filter_backends = (DjangoFilterBackend, OrderingFilter,)
     ordering_fields = ('id', 'position')
     ordering = ('id',)
-    permission = 'can_change_items'
+    permission = None
     write_permission = 'can_change_items'
 
     def get_queryset(self):
@@ -154,7 +155,7 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
     filter_backends = (DjangoFilterBackend, OrderingFilter,)
     ordering_fields = ('id', 'position')
     ordering = ('id',)
-    permission = 'can_change_items'
+    permission = None
     write_permission = 'can_change_items'
 
     def get_queryset(self):
@@ -210,7 +211,7 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
     filterset_class = ItemCategoryFilter
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
-    permission = 'can_change_items'
+    permission = None
     write_permission = 'can_change_items'
 
     def get_queryset(self):
@@ -264,7 +265,8 @@ class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
     filterset_class = QuestionFilter
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
-    permission = 'can_change_items'
+    permission = None
+    write_permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.questions.prefetch_related('options').all()
@@ -307,7 +309,7 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
     filter_backends = (DjangoFilterBackend, OrderingFilter,)
     ordering_fields = ('id', 'position')
     ordering = ('position',)
-    permission = 'can_change_items'
+    permission = None
     write_permission = 'can_change_items'
 
     def get_queryset(self):
@@ -362,7 +364,7 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
     filterset_class = QuotaFilter
     ordering_fields = ('id', 'size')
     ordering = ('id',)
-    permission = 'can_change_items'
+    permission = None
     write_permission = 'can_change_items'
 
     def get_queryset(self):

src/pretix/api/views/order.py

@@ -3,8 +3,8 @@ import datetime
 import django_filters
 import pytz
 from django.db import transaction
-from django.db.models import Q
-from django.db.models.functions import Concat
+from django.db.models import F, Prefetch, Q
+from django.db.models.functions import Coalesce, Concat
 from django.http import FileResponse
 from django.shortcuts import get_object_or_404
 from django.utils.timezone import make_aware, now
@@ -25,8 +25,8 @@ from pretix.api.serializers.order import (
     OrderRefundSerializer, OrderSerializer,
 )
 from pretix.base.models import (
-    Invoice, Order, OrderPayment, OrderPosition, OrderRefund, Quota,
-    TeamAPIToken,
+    CachedCombinedTicket, CachedTicket, Device, Invoice, Order, OrderPayment,
+    OrderPosition, OrderRefund, Quota, TeamAPIToken,
 )
 from pretix.base.payment import PaymentException
 from pretix.base.services.invoices import (
@@ -38,9 +38,7 @@ from pretix.base.services.orders import (
     OrderChangeManager, OrderError, approve_order, cancel_order, deny_order,
     extend_order, mark_order_expired, mark_order_refunded,
 )
-from pretix.base.services.tickets import (
-    get_cachedticket_for_order, get_cachedticket_for_position,
-)
+from pretix.base.services.tickets import generate
 from pretix.base.signals import order_placed, register_ticket_outputs
 
 
@@ -60,7 +58,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
     queryset = Order.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter)
     ordering = ('datetime',)
-    ordering_fields = ('datetime', 'code', 'status')
+    ordering_fields = ('datetime', 'code', 'status', 'last_modified')
     filterset_class = OrderFilter
     lookup_field = 'code'
     permission = 'can_view_orders'
@@ -72,13 +70,34 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
         return ctx
 
     def get_queryset(self):
-        return self.request.event.orders.prefetch_related(
-            'positions', 'positions__checkins', 'positions__item', 'positions__answers', 'positions__answers__options',
-            'positions__answers__question', 'fees', 'payments', 'refunds', 'refunds__payment'
+        qs = self.request.event.orders.prefetch_related(
+            'fees', 'payments', 'refunds', 'refunds__payment'
         ).select_related(
             'invoice_address'
         )
 
+        if self.request.query_params.get('pdf_data', 'false') == 'true':
+            qs = qs.prefetch_related(
+                Prefetch(
+                    'positions',
+                    OrderPosition.objects.all().prefetch_related(
+                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
+                    )
+                )
+            )
+        else:
+            qs = qs.prefetch_related(
+                Prefetch(
+                    'positions',
+                    OrderPosition.objects.all().prefetch_related(
+                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                    )
+                )
+            )
+
+        return qs
+
     def _get_output_provider(self, identifier):
         responses = register_ticket_outputs.send(self.request.event)
         for receiver, response in responses:
@@ -109,9 +128,11 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
         if order.status != Order.STATUS_PAID:
             raise PermissionDenied("Downloads are not available for unpaid orders.")
 
-        ct = get_cachedticket_for_order(order, provider.identifier)
-
-        if not ct.file:
+        ct = CachedCombinedTicket.objects.filter(
+            order=order, provider=provider.identifier, file__isnull=False
+        ).last()
+        if not ct or not ct.file:
+            generate.apply_async(args=('order', order.pk, provider.identifier))
             raise RetryException()
         else:
             resp = FileResponse(ct.file.file, content_type=ct.type)
@@ -177,6 +198,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
             order,
             user=request.user if request.user.is_authenticated else None,
             api_token=request.auth if isinstance(request.auth, TeamAPIToken) else None,
+            device=request.auth if isinstance(request.auth, Device) else None,
             oauth_application=request.auth.application if isinstance(request.auth, OAuthAccessToken) else None,
             send_mail=send_mail
         )
@@ -191,7 +213,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
             approve_order(
                 order,
                 user=request.user if request.user.is_authenticated else None,
-                auth=request.auth if isinstance(request.auth, (TeamAPIToken, OAuthAccessToken)) else None,
+                auth=request.auth if isinstance(request.auth, (Device, TeamAPIToken, OAuthAccessToken)) else None,
                 send_mail=send_mail,
             )
         except Quota.QuotaExceededException as e:
@@ -210,7 +232,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
             deny_order(
                 order,
                 user=request.user if request.user.is_authenticated else None,
-                auth=request.auth if isinstance(request.auth, (TeamAPIToken, OAuthAccessToken)) else None,
+                auth=request.auth if isinstance(request.auth, (Device, TeamAPIToken, OAuthAccessToken)) else None,
                 send_mail=send_mail,
                 comment=comment,
             )
@@ -229,7 +251,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
             )
 
         order.status = Order.STATUS_PENDING
-        order.save()
+        order.save(update_fields=['status'])
         order.log_action(
             'pretix.event.order.unpaid',
             user=request.user if request.user.is_authenticated else None,
@@ -267,7 +289,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
         mark_order_refunded(
             order,
             user=request.user if request.user.is_authenticated else None,
-            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            auth=(request.auth if isinstance(request.auth, (TeamAPIToken, OAuthAccessToken, Device)) else None),
         )
         return self.retrieve(request, [], **kwargs)
 
@@ -351,17 +373,17 @@ class OrderPositionFilter(FilterSet):
     def search_qs(self, queryset, name, value):
         return queryset.filter(
             Q(secret__istartswith=value)
-            | Q(attendee_name__icontains=value)
-            | Q(addon_to__attendee_name__icontains=value)
+            | Q(attendee_name_cached__icontains=value)
+            | Q(addon_to__attendee_name_cached__icontains=value)
             | Q(order__code__istartswith=value)
-            | Q(order__invoice_address__name__icontains=value)
+            | Q(order__invoice_address__name_cached__icontains=value)
         )
 
     def has_checkin_qs(self, queryset, name, value):
         return queryset.filter(checkins__isnull=not value)
 
     def attendee_name_qs(self, queryset, name, value):
-        return queryset.filter(Q(attendee_name__iexact=value) | Q(addon_to__attendee_name__iexact=value))
+        return queryset.filter(Q(attendee_name_cached__iexact=value) | Q(addon_to__attendee_name_cached__iexact=value))
 
     class Meta:
         model = OrderPosition
@@ -387,6 +409,16 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewS
     filterset_class = OrderPositionFilter
     permission = 'can_view_orders'
     write_permission = 'can_change_orders'
+    ordering_custom = {
+        'attendee_name': {
+            '_order': F('display_name').asc(nulls_first=True),
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
+        },
+        '-attendee_name': {
+            '_order': F('display_name').asc(nulls_last=True),
+            'display_name': Coalesce('attendee_name_cached', 'addon_to__attendee_name_cached')
+        },
+    }
 
     def get_queryset(self):
         return OrderPosition.objects.filter(order__event=self.request.event).prefetch_related(
@@ -415,9 +447,11 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewS
         if not pos.item.admission and not request.event.settings.ticket_download_nonadm:
             raise PermissionDenied("Downloads are not enabled for non-admission products.")
 
-        ct = get_cachedticket_for_position(pos, provider.identifier)
-
-        if not ct.file:
+        ct = CachedTicket.objects.filter(
+            order_position=pos, provider=provider.identifier, file__isnull=False
+        ).last()
+        if not ct or not ct.file:
+            generate.apply_async(args=('orderposition', pos.pk, provider.identifier))
             raise RetryException()
         else:
             resp = FileResponse(ct.file.file, content_type=ct.type)
@@ -534,7 +568,7 @@ class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
                         payment.order.event.subevents.filter(
                             id__in=payment.order.positions.values_list('subevent_id', flat=True))
                     )
-                    payment.order.save()
+                    payment.order.save(update_fields=['status', 'expires'])
             return Response(OrderRefundSerializer(r).data, status=status.HTTP_200_OK)
 
     @detail_route(methods=['POST'])
@@ -600,7 +634,7 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
                 refund.order.event.subevents.filter(
                     id__in=refund.order.positions.values_list('subevent_id', flat=True))
             )
-            refund.order.save()
+            refund.order.save(update_fields=['status', 'expires'])
         return self.retrieve(request, [], **kwargs)
 
     @detail_route(methods=['POST'])

src/pretix/api/views/organizer.py

@@ -23,5 +23,7 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
                 )
             else:
                 return Organizer.objects.filter(pk__in=self.request.user.teams.values_list('organizer', flat=True))
+        elif hasattr(self.request.auth, 'organizer_id'):
+            return Organizer.objects.filter(pk=self.request.auth.organizer_id)
         else:
             return Organizer.objects.filter(pk=self.request.auth.team.organizer_id)

src/pretix/api/views/user.py

@@ -0,0 +1,16 @@
+from oauth2_provider.contrib.rest_framework import OAuth2Authentication
+from rest_framework.authentication import SessionAuthentication
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+
+class MeView(APIView):
+    authentication_classes = (SessionAuthentication, OAuth2Authentication)
+
+    def get(self, request, format=None):
+        return Response({
+            'email': request.user.email,
+            'fullname': request.user.fullname,
+            'locale': request.user.locale,
+            'timezone': request.user.timezone
+        })

src/pretix/api/views/voucher.py

@@ -1,11 +1,16 @@
+import contextlib
+
+from django.db import transaction
 from django.db.models import F, Q
 from django.utils.timezone import now
 from django_filters.rest_framework import (
     BooleanFilter, DjangoFilterBackend, FilterSet,
 )
-from rest_framework import viewsets
+from rest_framework import status, viewsets
+from rest_framework.decorators import list_route
 from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
+from rest_framework.response import Response
 
 from pretix.api.serializers.voucher import VoucherSerializer
 from pretix.base.models import Voucher
@@ -41,8 +46,29 @@ class VoucherViewSet(viewsets.ModelViewSet):
     def get_queryset(self):
         return self.request.event.vouchers.all()
 
+    def _predict_quota_check(self, data, instance):
+        # This method predicts if Voucher.clean_quota_needs_checking
+        # *migh* later require a quota check. It is only approximate
+        # and returns True a little too often. The point is to avoid
+        # locks when we know we won't need them.
+        if 'allow_ignore_quota' in data and data.get('allow_ignore_quota'):
+            return False
+        if instance and 'allow_ignore_quota' not in data and instance.allow_ignore_quota:
+            return False
+
+        if 'block_quota' in data and not data.get('block_quota'):
+            return False
+        if instance and 'block_quota' not in data and not instance.block_quota:
+            return False
+
+        return True
+
     def create(self, request, *args, **kwargs):
-        with request.event.lock():
+        if self._predict_quota_check(request.data, None):
+            lockfn = request.event.lock
+        else:
+            lockfn = contextlib.suppress  # noop context manager
+        with lockfn():
             return super().create(request, *args, **kwargs)
 
     def perform_create(self, serializer):
@@ -60,7 +86,11 @@ class VoucherViewSet(viewsets.ModelViewSet):
         return ctx
 
     def update(self, request, *args, **kwargs):
-        with request.event.lock():
+        if self._predict_quota_check(request.data, self.get_object()):
+            lockfn = request.event.lock
+        else:
+            lockfn = contextlib.suppress  # noop context manager
+        with lockfn():
             return super().update(request, *args, **kwargs)
 
     def perform_update(self, serializer):
@@ -82,3 +112,24 @@ class VoucherViewSet(viewsets.ModelViewSet):
             auth=self.request.auth,
         )
         super().perform_destroy(instance)
+
+    @list_route(methods=['POST'])
+    def batch_create(self, request, *args, **kwargs):
+        if any(self._predict_quota_check(d, None) for d in request.data):
+            lockfn = request.event.lock
+        else:
+            lockfn = contextlib.suppress  # noop context manager
+        with lockfn():
+            serializer = self.get_serializer(data=request.data, many=True)
+            serializer.is_valid(raise_exception=True)
+            with transaction.atomic():
+                serializer.save(event=self.request.event)
+                for i in serializer.instance:
+                    i.log_action(
+                        'pretix.voucher.added',
+                        user=self.request.user,
+                        auth=self.request.auth,
+                        data=self.request.data
+                    )
+        headers = self.get_success_headers(serializer.data)
+        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)

src/pretix/api/views/webhooks.py

@@ -0,0 +1,49 @@
+from rest_framework import viewsets
+
+from pretix.api.models import WebHook
+from pretix.api.serializers.webhooks import WebHookSerializer
+from pretix.helpers.dicts import merge_dicts
+
+
+class WebHookViewSet(viewsets.ModelViewSet):
+    serializer_class = WebHookSerializer
+    queryset = WebHook.objects.none()
+    permission = 'can_change_organizer_settings'
+    write_permission = 'can_change_organizer_settings'
+
+    def get_queryset(self):
+        return self.request.organizer.webhooks.prefetch_related('listeners')
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['organizer'] = self.request.organizer
+        return ctx
+
+    def perform_create(self, serializer):
+        inst = serializer.save(organizer=self.request.organizer)
+        self.request.organizer.log_action(
+            'pretix.webhook.created',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=merge_dicts(self.request.data, {'id': inst.pk})
+        )
+
+    def perform_update(self, serializer):
+        inst = serializer.save(organizer=self.request.organizer)
+        self.request.organizer.log_action(
+            'pretix.webhook.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=merge_dicts(self.request.data, {'id': serializer.instance.pk})
+        )
+        return inst
+
+    def perform_destroy(self, instance):
+        self.request.organizer.log_action(
+            'pretix.webhook.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data={'id': instance.pk, 'enabled': False}
+        )
+        instance.enabled = False
+        instance.save(update_fields=['enabled'])

src/pretix/api/webhooks.py

@@ -0,0 +1,257 @@
+import json
+import logging
+import time
+from collections import OrderedDict
+
+import requests
+from celery.exceptions import MaxRetriesExceededError
+from django.db.models import Exists, OuterRef, Q
+from django.dispatch import receiver
+from django.utils.translation import ugettext_lazy as _
+from requests import RequestException
+
+from pretix.api.models import WebHook, WebHookCall, WebHookEventListener
+from pretix.api.signals import register_webhook_events
+from pretix.base.models import LogEntry
+from pretix.base.services.tasks import ProfiledTask, TransactionAwareTask
+from pretix.celery_app import app
+
+logger = logging.getLogger(__name__)
+_ALL_EVENTS = None
+
+
+class WebhookEvent:
+    def __init__(self):
+        pass
+
+    def __repr__(self):
+        return '<WebhookEvent: {}>'.format(self.action_type)
+
+    @property
+    def action_type(self) -> str:
+        """
+        The action_type string that this notification handles, for example
+        ``"pretix.event.order.paid"``. Only one notification type should be registered
+        per action type.
+        """
+        raise NotImplementedError()  # NOQA
+
+    @property
+    def verbose_name(self) -> str:
+        """
+        A human-readable name of this notification type.
+        """
+        raise NotImplementedError()  # NOQA
+
+    def build_payload(self, logentry: LogEntry) -> dict:
+        """
+        This is the main function that you should override. It is supposed to turn a log entry
+        object into a dictionary that can be used as the webhook payload.
+        """
+        raise NotImplementedError()  # NOQA
+
+
+def get_all_webhook_events():
+    global _ALL_EVENTS
+
+    if _ALL_EVENTS:
+        return _ALL_EVENTS
+
+    types = OrderedDict()
+    for recv, ret in register_webhook_events.send(None):
+        if isinstance(ret, (list, tuple)):
+            for r in ret:
+                types[r.action_type] = r
+        else:
+            types[ret.action_type] = ret
+    _ALL_EVENTS = types
+    return types
+
+
+class ParametrizedOrderWebhookEvent(WebhookEvent):
+    def __init__(self, action_type, verbose_name):
+        self._action_type = action_type
+        self._verbose_name = verbose_name
+        super().__init__()
+
+    @property
+    def action_type(self):
+        return self._action_type
+
+    @property
+    def verbose_name(self):
+        return self._verbose_name
+
+    def build_payload(self, logentry: LogEntry):
+        order = logentry.content_object
+
+        return {
+            'notification_id': logentry.pk,
+            'organizer': order.event.organizer.slug,
+            'event': order.event.slug,
+            'code': order.code,
+            'action': logentry.action_type,
+        }
+
+
+class ParametrizedOrderPositionWebhookEvent(ParametrizedOrderWebhookEvent):
+
+    def build_payload(self, logentry: LogEntry):
+        d = super().build_payload(logentry)
+        d['orderposition_id'] = logentry.parsed_data.get('position')
+        d['orderposition_positionid'] = logentry.parsed_data.get('positionid')
+        d['checkin_list'] = logentry.parsed_data.get('list')
+        d['first_checkin'] = logentry.parsed_data.get('first_checkin')
+        return d
+
+
+@receiver(register_webhook_events, dispatch_uid="base_register_default_webhook_events")
+def register_default_webhook_events(sender, **kwargs):
+    return (
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.placed',
+            _('New order placed'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.placed.required_approval',
+            _('New order requires approval'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.paid',
+            _('Order marked as paid'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.canceled',
+            _('Order canceled'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.expired',
+            _('Order expired'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.modified',
+            _('Order information changed'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.contact.changed',
+            _('Order contact address changed'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.changed.*',
+            _('Order changed'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.refund.created.externally',
+            _('External refund of payment'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.refunded',
+            _('Order refunded'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.approved',
+            _('Order approved'),
+        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.denied',
+            _('Order denied'),
+        ),
+        ParametrizedOrderPositionWebhookEvent(
+            'pretix.event.checkin',
+            _('Ticket checked in'),
+        ),
+        ParametrizedOrderPositionWebhookEvent(
+            'pretix.event.checkin.reverted',
+            _('Ticket check-in reverted'),
+        ),
+    )
+
+
+@app.task(base=TransactionAwareTask)
+def notify_webhooks(logentry_id: int):
+    logentry = LogEntry.all.get(id=logentry_id)
+
+    if not logentry.organizer:
+        return  # We need to know the organizer
+
+    types = get_all_webhook_events()
+    notification_type = None
+    typepath = logentry.action_type
+    while not notification_type and '.' in typepath:
+        notification_type = types.get(typepath + ('.*' if typepath != logentry.action_type else ''))
+        typepath = typepath.rsplit('.', 1)[0]
+
+    if not notification_type:
+        return  # Ignore, no webhooks for this event type
+
+    # All webhooks that registered for this notification
+    event_listener = WebHookEventListener.objects.filter(
+        webhook=OuterRef('pk'),
+        action_type=notification_type.action_type
+    )
+
+    webhooks = WebHook.objects.annotate(has_el=Exists(event_listener)).filter(
+        organizer=logentry.organizer,
+        has_el=True,
+        enabled=True
+    )
+    if logentry.event_id:
+        webhooks = webhooks.filter(
+            Q(all_events=True) | Q(limit_events__pk=logentry.event_id)
+        )
+
+    for wh in webhooks:
+        send_webhook.apply_async(args=(logentry_id, notification_type.action_type, wh.pk))
+
+
+@app.task(base=ProfiledTask, bind=True, max_retries=9)
+def send_webhook(self, logentry_id: int, action_type: str, webhook_id: int):
+    # 9 retries with 2**(2*x) timing is roughly 72 hours
+    logentry = LogEntry.all.get(id=logentry_id)
+    webhook = WebHook.objects.get(id=webhook_id)
+
+    types = get_all_webhook_events()
+    event_type = types.get(action_type)
+    if not event_type or not webhook.enabled:
+        return  # Ignore, e.g. plugin not installed
+
+    payload = event_type.build_payload(logentry)
+    t = time.time()
+
+    try:
+        try:
+            resp = requests.post(
+                webhook.target_url,
+                json=payload,
+                allow_redirects=False
+            )
+            WebHookCall.objects.create(
+                webhook=webhook,
+                action_type=logentry.action_type,
+                target_url=webhook.target_url,
+                is_retry=self.request.retries > 0,
+                execution_time=time.time() - t,
+                return_code=resp.status_code,
+                payload=json.dumps(payload),
+                response_body=resp.text[:1024 * 1024],
+                success=200 <= resp.status_code <= 299
+            )
+            if resp.status_code == 410:
+                webhook.enabled = False
+                webhook.save()
+            elif resp.status_code > 299:
+                raise self.retry(countdown=2 ** (self.request.retries * 2))
+        except RequestException as e:
+            WebHookCall.objects.create(
+                webhook=webhook,
+                action_type=logentry.action_type,
+                target_url=webhook.target_url,
+                is_retry=self.request.retries > 0,
+                execution_time=time.time() - t,
+                return_code=0,
+                payload=json.dumps(payload),
+                response_body=str(e)[:1024 * 1024]
+            )
+            raise self.retry(countdown=2 ** (self.request.retries * 2))
+    except MaxRetriesExceededError:
+        pass

src/pretix/base/channels.py

@@ -0,0 +1,66 @@
+import logging
+from collections import OrderedDict
+
+from django.dispatch import receiver
+from django.utils.translation import ugettext_lazy as _
+
+from pretix.base.signals import register_sales_channels
+
+logger = logging.getLogger(__name__)
+_ALL_CHANNELS = None
+
+
+class SalesChannel:
+    def __repr__(self):
+        return '<SalesChannel: {}>'.format(self.identifier)
+
+    @property
+    def identifier(self) -> str:
+        """
+        The internal identifier of this sales channel.
+        """
+        raise NotImplementedError()  # NOQA
+
+    @property
+    def verbose_name(self) -> str:
+        """
+        A human-readable name of this sales channel.
+        """
+        raise NotImplementedError()  # NOQA
+
+    @property
+    def icon(self) -> str:
+        """
+        The name of a Font Awesome icon to represent this channel
+        """
+        return "circle"
+
+
+def get_all_sales_channels():
+    global _ALL_CHANNELS
+
+    if _ALL_CHANNELS:
+        return _ALL_CHANNELS
+
+    types = OrderedDict()
+    for recv, ret in register_sales_channels.send(None):
+        if isinstance(ret, (list, tuple)):
+            for r in ret:
+                types[r.identifier] = r
+        else:
+            types[ret.identifier] = ret
+    _ALL_CHANNELS = types
+    return types
+
+
+class WebshopSalesChannel(SalesChannel):
+    identifier = "web"
+    verbose_name = _('Online shop')
+    icon = "globe"
+
+
+@receiver(register_sales_channels, dispatch_uid="base_register_default_sales_channels")
+def base_sales_channels(sender, **kwargs):
+    return (
+        WebshopSalesChannel(),
+    )

src/pretix/base/email.py

@@ -1,5 +1,5 @@
 import logging
-from smtplib import SMTPRecipientsRefused, SMTPSenderRefused
+from smtplib import SMTPResponseException
 
 import bleach
 import markdown
@@ -23,16 +23,14 @@ class CustomSMTPBackend(EmailBackend):
         try:
             self.open()
             self.connection.ehlo_or_helo_if_needed()
-            self.connection.rcpt("test@example.org")
             (code, resp) = self.connection.mail(from_addr, [])
             if code != 250:
                 logger.warn('Error testing mail settings, code %d, resp: %s' % (code, resp))
-                raise SMTPSenderRefused(code, resp, from_addr)
-            senderrs = {}
+                raise SMTPResponseException(code, resp)
             (code, resp) = self.connection.rcpt('test@example.com')
             if (code != 250) and (code != 251):
                 logger.warn('Error testing mail settings, code %d, resp: %s' % (code, resp))
-                raise SMTPRecipientsRefused(senderrs)
+                raise SMTPResponseException(code, resp)
         finally:
             self.close()
 
@@ -97,7 +95,7 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
 
     @property
     def template_name(self):
-        raise NotImplemented
+        raise NotImplementedError()
 
     def render(self, plain_body: str, plain_signature: str, subject: str, order: Order) -> str:
         body_md = bleach.linkify(markdown_compile(plain_body))

src/pretix/base/exporter.py

@@ -1,5 +1,14 @@
+import io
+import tempfile
+from collections import OrderedDict
 from typing import Tuple
 
+from defusedcsv import csv
+from django import forms
+from django.utils.translation import ugettext_lazy as _
+from openpyxl import Workbook
+from openpyxl.cell.cell import KNOWN_TYPES
+
 
 class BaseExporter:
     """
@@ -55,7 +64,7 @@ class BaseExporter:
         """
         return {}
 
-    def render(self, form_data: dict) -> Tuple[str, str, str]:
+    def render(self, form_data: dict) -> Tuple[str, str, bytes]:
         """
         Render the exported file and return a tuple consisting of a filename, a file type
         and file content.
@@ -69,3 +78,68 @@ class BaseExporter:
         tasks.
         """
         raise NotImplementedError()  # NOQA
+
+
+class ListExporter(BaseExporter):
+
+    @property
+    def export_form_fields(self) -> dict:
+        ff = OrderedDict(
+            [
+                ('_format',
+                 forms.ChoiceField(
+                     label=_('Export format'),
+                     choices=(
+                         ('xlsx', _('Excel (.xlsx)')),
+                         ('default', _('CSV (with commas)')),
+                         ('excel', _('CSV (Excel-style)')),
+                         ('semicolon', _('CSV (with semicolons)')),
+                     ),
+                 )),
+            ]
+        )
+        ff.update(self.additional_form_fields)
+        return ff
+
+    @property
+    def additional_form_fields(self) -> dict:
+        return {}
+
+    def iterate_list(self, form_data):
+        raise NotImplementedError()  # noqa
+
+    def get_filename(self):
+        return 'export.csv'
+
+    def _render_csv(self, form_data, **kwargs):
+        output = io.StringIO()
+        writer = csv.writer(output, **kwargs)
+        for line in self.iterate_list(form_data):
+            writer.writerow(line)
+        return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
+
+    def _render_xlsx(self, form_data):
+        wb = Workbook()
+        ws = wb.get_active_sheet()
+        try:
+            ws.title = str(self.verbose_name)
+        except:
+            pass
+        for i, line in enumerate(self.iterate_list(form_data)):
+            for j, val in enumerate(line):
+                ws.cell(row=i + 1, column=j + 1).value = str(val) if not isinstance(val, KNOWN_TYPES) else val
+
+        with tempfile.NamedTemporaryFile(suffix='.xlsx') as f:
+            wb.save(f.name)
+            f.seek(0)
+            return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', f.read()
+
+    def render(self, form_data: dict) -> Tuple[str, str, bytes]:
+        if form_data.get('_format') == 'xlsx':
+            return self._render_xlsx(form_data)
+        elif form_data.get('_format') == 'default':
+            return self._render_csv(form_data, quoting=csv.QUOTE_NONNUMERIC, delimiter=',')
+        elif form_data.get('_format') == 'csv-excel':
+            return self._render_csv(form_data, dialect='excel')
+        elif form_data.get('_format') == 'semicolon':
+            return self._render_csv(form_data, dialect='excel', delimiter=';')

src/pretix/base/exporters/invoices.py

@@ -27,7 +27,7 @@ class InvoiceExporter(BaseExporter):
             qs = qs.annotate(
                 has_payment_with_provider=Exists(
                     OrderPayment.objects.filter(
-                        Q(order=OuterRef('pk')) & Q(provider=form_data.get('payment_provider'))
+                        Q(order=OuterRef('order_id')) & Q(provider=form_data.get('payment_provider'))
                     )
                 )
             )

src/pretix/base/exporters/orderlist.py

@@ -1,9 +1,7 @@
-import io
 from collections import OrderedDict
 from decimal import Decimal
 
 import pytz
-from defusedcsv import csv
 from django import forms
 from django.db.models import DateTimeField, Max, OuterRef, Subquery, Sum
 from django.dispatch import receiver
@@ -12,17 +10,18 @@ from django.utils.translation import ugettext as _, ugettext_lazy
 
 from pretix.base.models import InvoiceAddress, Order, OrderPosition
 from pretix.base.models.orders import OrderFee, OrderPayment, OrderRefund
+from pretix.base.settings import PERSON_NAME_SCHEMES
 
-from ..exporter import BaseExporter
+from ..exporter import ListExporter
 from ..signals import register_data_exporters
 
 
-class OrderListExporter(BaseExporter):
-    identifier = 'orderlistcsv'
-    verbose_name = ugettext_lazy('List of orders (CSV)')
+class OrderListExporter(ListExporter):
+    identifier = 'orderlist'
+    verbose_name = ugettext_lazy('List of orders')
 
     @property
-    def export_form_fields(self):
+    def additional_form_fields(self):
         return OrderedDict(
             [
                 ('paid_only',
@@ -50,10 +49,8 @@ class OrderListExporter(BaseExporter):
         tax_rates = sorted(tax_rates)
         return tax_rates
 
-    def render(self, form_data: dict):
-        output = io.StringIO()
+    def iterate_list(self, form_data: dict):
         tz = pytz.timezone(self.event.settings.timezone)
-        writer = csv.writer(output, quoting=csv.QUOTE_NONNUMERIC, delimiter=",")
 
         p_date = OrderPayment.objects.filter(
             order=OuterRef('pk'),
@@ -74,7 +71,14 @@ class OrderListExporter(BaseExporter):
 
         headers = [
             _('Order code'), _('Order total'), _('Status'), _('Email'), _('Order date'),
-            _('Company'), _('Name'), _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
+            _('Company'), _('Name'),
+        ]
+        name_scheme = PERSON_NAME_SCHEMES[self.event.settings.name_scheme]
+        if len(name_scheme['fields']) > 1:
+            for k, label, w in name_scheme['fields']:
+                headers.append(label)
+        headers += [
+            _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
             _('Date of last payment'), _('Fees'), _('Order locale')
         ]
 
@@ -87,7 +91,7 @@ class OrderListExporter(BaseExporter):
 
         headers.append(_('Invoice numbers'))
 
-        writer.writerow(headers)
+        yield headers
 
         full_fee_sum_cache = {
             o['order__id']: o['grosssum'] for o in
@@ -118,6 +122,13 @@ class OrderListExporter(BaseExporter):
                 row += [
                     order.invoice_address.company,
                     order.invoice_address.name,
+                ]
+                if len(name_scheme['fields']) > 1:
+                    for k, label, w in name_scheme['fields']:
+                        row.append(
+                            order.invoice_address.name_parts.get(k, '')
+                        )
+                row += [
                     order.invoice_address.street,
                     order.invoice_address.zipcode,
                     order.invoice_address.city,
@@ -126,7 +137,7 @@ class OrderListExporter(BaseExporter):
                     order.invoice_address.vat_id,
                 ]
             except InvoiceAddress.DoesNotExist:
-                row += ['', '', '', '', '', '', '']
+                row += [''] * (7 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
 
             row += [
                 order.payment_date.astimezone(tz).strftime('%Y-%m-%d') if order.payment_date else '',
@@ -147,17 +158,18 @@ class OrderListExporter(BaseExporter):
                 ]
 
             row.append(', '.join([i.number for i in order.invoices.all()]))
-            writer.writerow(row)
+            yield row
 
-        return '{}_orders.csv'.format(self.event.slug), 'text/csv', output.getvalue().encode("utf-8")
+    def get_filename(self):
+        return '{}_orders'.format(self.event.slug)
 
 
-class PaymentListExporter(BaseExporter):
-    identifier = 'paymentlistcsv'
-    verbose_name = ugettext_lazy('List of payments and refunds (CSV)')
+class PaymentListExporter(ListExporter):
+    identifier = 'paymentlist'
+    verbose_name = ugettext_lazy('List of payments and refunds')
 
     @property
-    def export_form_fields(self):
+    def additional_form_fields(self):
         return OrderedDict(
             [
                 ('successful_only',
@@ -169,10 +181,8 @@ class PaymentListExporter(BaseExporter):
             ]
         )
 
-    def render(self, form_data: dict):
-        output = io.StringIO()
+    def iterate_list(self, form_data):
         tz = pytz.timezone(self.event.settings.timezone)
-        writer = csv.writer(output, quoting=csv.QUOTE_NONNUMERIC, delimiter=",")
 
         provider_names = {
             k: v.verbose_name
@@ -200,7 +210,7 @@ class PaymentListExporter(BaseExporter):
             _('Order'), _('Payment ID'), _('Creation date'), _('Completion date'), _('Status'),
             _('Amount'), _('Payment method')
         ]
-        writer.writerow(headers)
+        yield headers
 
         for obj in objs:
             if isinstance(obj, OrderPayment) and obj.payment_date:
@@ -218,24 +228,22 @@ class PaymentListExporter(BaseExporter):
                 localize(obj.amount * (-1 if isinstance(obj, OrderRefund) else 1)),
                 provider_names.get(obj.provider, obj.provider)
             ]
-            writer.writerow(row)
+            yield row
 
-        return '{}_payments.csv'.format(self.event.slug), 'text/csv', output.getvalue().encode("utf-8")
+    def get_filename(self):
+        return '{}_payments'.format(self.event.slug)
 
 
-class QuotaListExporter(BaseExporter):
-    identifier = 'quotalistcsv'
-    verbose_name = ugettext_lazy('Quota availabilities (CSV)')
-
-    def render(self, form_data: dict):
-        output = io.StringIO()
-        writer = csv.writer(output, quoting=csv.QUOTE_NONNUMERIC, delimiter=",")
+class QuotaListExporter(ListExporter):
+    identifier = 'quotalist'
+    verbose_name = ugettext_lazy('Quota availabilities')
 
+    def iterate_list(self, form_data):
         headers = [
             _('Quota name'), _('Total quota'), _('Paid orders'), _('Pending orders'), _('Blocking vouchers'),
             _('Current user\'s carts'), _('Waiting list'), _('Current availability')
         ]
-        writer.writerow(headers)
+        yield headers
 
         for quota in self.event.quotas.all():
             avail = quota.availability()
@@ -249,9 +257,10 @@ class QuotaListExporter(BaseExporter):
                 quota.count_waiting_list_pending(),
                 _('Infinite') if avail[1] is None else avail[1]
             ]
-            writer.writerow(row)
+            yield row
 
-        return '{}_quotas.csv'.format(self.event.slug), 'text/csv', output.getvalue().encode("utf-8")
+    def get_filename(self):
+        return '{}_quotas'.format(self.event.slug)
 
 
 @receiver(register_data_exporters, dispatch_uid="exporter_orderlist")

src/pretix/base/forms/__init__.py

@@ -57,7 +57,7 @@ class SettingsForm(i18nfield.forms.I18nFormMixin, HierarkeyForm):
         kwargs['locales'] = self.locales
         kwargs['initial'] = self.obj.settings.freeze()
         super().__init__(*args, **kwargs)
-        for f in self.fields.values():
+        for k, f in self.fields.items():
             if isinstance(f, (RelativeDateTimeField, RelativeDateField)):
                 f.set_event(self.obj)
 

src/pretix/base/forms/questions.py

@@ -1,3 +1,4 @@
+import copy
 import logging
 from decimal import Decimal
 
@@ -8,6 +9,7 @@ import vat_moss.id
 from django import forms
 from django.contrib import messages
 from django.core.exceptions import ValidationError
+from django.utils.safestring import mark_safe
 from django.utils.translation import ugettext_lazy as _
 
 from pretix.base.forms.widgets import (
@@ -16,12 +18,112 @@ from pretix.base.forms.widgets import (
 )
 from pretix.base.models import InvoiceAddress, Question
 from pretix.base.models.tax import EU_COUNTRIES
+from pretix.base.settings import PERSON_NAME_SCHEMES
+from pretix.base.templatetags.rich_text import rich_text
+from pretix.control.forms import SplitDateTimeField
 from pretix.helpers.i18n import get_format_without_seconds
 from pretix.presale.signals import question_form_fields
 
 logger = logging.getLogger(__name__)
 
 
+class NamePartsWidget(forms.MultiWidget):
+    widget = forms.TextInput
+
+    def __init__(self, scheme: dict, field: forms.Field, attrs=None):
+        widgets = []
+        self.scheme = scheme
+        self.field = field
+        for fname, label, size in self.scheme['fields']:
+            a = copy.copy(attrs) or {}
+            a['data-fname'] = fname
+            widgets.append(self.widget(attrs=a))
+        super().__init__(widgets, attrs)
+
+    def decompress(self, value):
+        if value is None:
+            return None
+        data = []
+        for i, field in enumerate(self.scheme['fields']):
+            fname, label, size = field
+            data.append(value.get(fname, ""))
+        if '_legacy' in value and not data[-1]:
+            data[-1] = value.get('_legacy', '')
+        return data
+
+    def render(self, name: str, value, attrs=None, renderer=None) -> str:
+        if not isinstance(value, list):
+            value = self.decompress(value)
+        output = []
+        final_attrs = self.build_attrs(attrs or dict())
+        if 'required' in final_attrs:
+            del final_attrs['required']
+        id_ = final_attrs.get('id', None)
+        for i, widget in enumerate(self.widgets):
+            try:
+                widget_value = value[i]
+            except (IndexError, TypeError):
+                widget_value = None
+            if id_:
+                final_attrs = dict(
+                    final_attrs,
+                    id='%s_%s' % (id_, i),
+                    title=self.scheme['fields'][i][1],
+                    placeholder=self.scheme['fields'][i][1],
+                )
+                final_attrs['data-size'] = self.scheme['fields'][i][2]
+            output.append(widget.render(name + '_%s' % i, widget_value, final_attrs, renderer=renderer))
+        return mark_safe(self.format_output(output))
+
+    def format_output(self, rendered_widgets) -> str:
+        return '<div class="nameparts-form-group">%s</div>' % ''.join(rendered_widgets)
+
+
+class NamePartsFormField(forms.MultiValueField):
+    widget = NamePartsWidget
+
+    def compress(self, data_list) -> dict:
+        data = {}
+        data['_scheme'] = self.scheme_name
+        for i, value in enumerate(data_list):
+            data[self.scheme['fields'][i][0]] = value or ''
+        return data
+
+    def __init__(self, *args, **kwargs):
+        fields = []
+        defaults = {
+            'widget': self.widget,
+            'max_length': kwargs.pop('max_length', None),
+        }
+        self.scheme_name = kwargs.pop('scheme')
+        self.scheme = PERSON_NAME_SCHEMES.get(self.scheme_name)
+        self.one_required = kwargs.get('required', True)
+        require_all_fields = kwargs.pop('require_all_fields', False)
+        kwargs['required'] = False
+        kwargs['widget'] = (kwargs.get('widget') or self.widget)(
+            scheme=self.scheme, field=self, **kwargs.pop('widget_kwargs', {})
+        )
+        defaults.update(**kwargs)
+        for fname, label, size in self.scheme['fields']:
+            defaults['label'] = label
+            field = forms.CharField(**defaults)
+            field.part_name = fname
+            fields.append(field)
+        super().__init__(
+            fields=fields, require_all_fields=False, *args, **kwargs
+        )
+        self.require_all_fields = require_all_fields
+        self.required = self.one_required
+
+    def clean(self, value) -> dict:
+        value = super().clean(value)
+        if self.one_required and (not value or not any(v for v in value)):
+            raise forms.ValidationError(self.error_messages['required'], code='required')
+        if self.require_all_fields and not all(v for v in value):
+            raise forms.ValidationError(self.error_messages['incomplete'], code='required')
+        return value
+
+
 class BaseQuestionsForm(forms.Form):
     """
     This form class is responsible for asking order-related questions. This includes
@@ -46,10 +148,12 @@ class BaseQuestionsForm(forms.Form):
         super().__init__(*args, **kwargs)
 
         if item.admission and event.settings.attendee_names_asked:
-            self.fields['attendee_name'] = forms.CharField(
-                max_length=255, required=event.settings.attendee_names_required,
+            self.fields['attendee_name_parts'] = NamePartsFormField(
+                max_length=255,
+                required=event.settings.attendee_names_required,
+                scheme=event.settings.name_scheme,
                 label=_('Attendee name'),
-                initial=(cartpos.attendee_name if cartpos else orderpos.attendee_name),
+                initial=(cartpos.attendee_name_parts if cartpos else orderpos.attendee_name_parts),
             )
         if item.admission and event.settings.attendee_emails_asked:
             self.fields['attendee_email'] = forms.EmailField(
@@ -66,6 +170,7 @@ class BaseQuestionsForm(forms.Form):
             else:
                 initial = None
             tz = pytz.timezone(event.settings.timezone)
+            help_text = rich_text(q.help_text)
             if q.type == Question.TYPE_BOOLEAN:
                 if q.required:
                     # For some reason, django-bootstrap3 does not set the required attribute
@@ -81,7 +186,7 @@ class BaseQuestionsForm(forms.Form):
 
                 field = forms.BooleanField(
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     initial=initialbool, widget=widget,
                 )
             elif q.type == Question.TYPE_NUMBER:
@@ -94,13 +199,13 @@ class BaseQuestionsForm(forms.Form):
             elif q.type == Question.TYPE_STRING:
                 field = forms.CharField(
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     initial=initial.answer if initial else None,
                 )
             elif q.type == Question.TYPE_TEXT:
                 field = forms.CharField(
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     widget=forms.Textarea,
                     initial=initial.answer if initial else None,
                 )
@@ -108,7 +213,7 @@ class BaseQuestionsForm(forms.Form):
                 field = forms.ModelChoiceField(
                     queryset=q.options,
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     widget=forms.Select,
                     empty_label='',
                     initial=initial.options.first() if initial else None,
@@ -117,35 +222,35 @@ class BaseQuestionsForm(forms.Form):
                 field = forms.ModelMultipleChoiceField(
                     queryset=q.options,
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     widget=forms.CheckboxSelectMultiple,
                     initial=initial.options.all() if initial else None,
                 )
             elif q.type == Question.TYPE_FILE:
                 field = forms.FileField(
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     initial=initial.file if initial else None,
                     widget=UploadedFileWidget(position=pos, event=event, answer=initial),
                 )
             elif q.type == Question.TYPE_DATE:
                 field = forms.DateField(
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     initial=dateutil.parser.parse(initial.answer).date() if initial and initial.answer else None,
                     widget=DatePickerWidget(),
                 )
             elif q.type == Question.TYPE_TIME:
                 field = forms.TimeField(
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     initial=dateutil.parser.parse(initial.answer).time() if initial and initial.answer else None,
                     widget=TimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
                 )
             elif q.type == Question.TYPE_DATETIME:
-                field = forms.SplitDateTimeField(
+                field = SplitDateTimeField(
                     label=q.question, required=q.required,
-                    help_text=q.help_text,
+                    help_text=help_text,
                     initial=dateutil.parser.parse(initial.answer).astimezone(tz) if initial and initial.answer else None,
                     widget=SplitDateTimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
                 )
@@ -169,13 +274,12 @@ class BaseInvoiceAddressForm(forms.ModelForm):
 
     class Meta:
         model = InvoiceAddress
-        fields = ('is_business', 'company', 'name', 'street', 'zipcode', 'city', 'country', 'vat_id',
+        fields = ('is_business', 'company', 'name_parts', 'street', 'zipcode', 'city', 'country', 'vat_id',
                   'internal_reference')
         widgets = {
             'is_business': BusinessBooleanRadio,
             'street': forms.Textarea(attrs={'rows': 2, 'placeholder': _('Street and Number')}),
             'company': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
-            'name': forms.TextInput(attrs={}),
             'vat_id': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
             'internal_reference': forms.TextInput,
         }
@@ -190,15 +294,13 @@ class BaseInvoiceAddressForm(forms.ModelForm):
         super().__init__(*args, **kwargs)
         if not event.settings.invoice_address_vatid:
             del self.fields['vat_id']
+
         if not event.settings.invoice_address_required:
             for k, f in self.fields.items():
                 f.required = False
                 f.widget.is_required = False
                 if 'required' in f.widget.attrs:
                     del f.widget.attrs['required']
-
-            if event.settings.invoice_name_required:
-                self.fields['name'].required = True
         elif event.settings.invoice_address_company_required:
             self.initial['is_business'] = True
 
@@ -209,18 +311,34 @@ class BaseInvoiceAddressForm(forms.ModelForm):
             del self.fields['company'].widget.attrs['data-display-dependency']
             if 'vat_id' in self.fields:
                 del self.fields['vat_id'].widget.attrs['data-display-dependency']
-        else:
+
+        self.fields['name_parts'] = NamePartsFormField(
+            max_length=255,
+            required=event.settings.invoice_name_required,
+            scheme=event.settings.name_scheme,
+            label=_('Name'),
+            initial=(self.instance.name_parts if self.instance else self.instance.name_parts),
+        )
+        if event.settings.invoice_address_required and not event.settings.invoice_address_company_required:
+            self.fields['name_parts'].widget.attrs['data-required-if'] = '#id_is_business_0'
+            self.fields['name_parts'].widget.attrs['data-no-required-attr'] = '1'
             self.fields['company'].widget.attrs['data-required-if'] = '#id_is_business_1'
-            self.fields['name'].widget.attrs['data-required-if'] = '#id_is_business_0'
 
     def clean(self):
         data = self.cleaned_data
-        if not data.get('name') and not data.get('company') and self.event.settings.invoice_address_required:
-            raise ValidationError(_('You need to provide either a company name or your name.'))
+        if not data.get('is_business'):
+            data['company'] = ''
+        if self.event.settings.invoice_address_required:
+            if data.get('is_business') and not data.get('company'):
+                raise ValidationError(_('You need to provide a company name.'))
+            if not data.get('is_business') and not data.get('name_parts'):
+                raise ValidationError(_('You need to provide your name.'))
 
         if 'vat_id' in self.changed_data or not data.get('vat_id'):
             self.instance.vat_id_validated = False
 
+        self.instance.name_parts = data.get('name_parts')
+
         if self.validate_vat_id and self.instance.vat_id_validated and 'vat_id' not in self.changed_data:
             pass
         elif self.validate_vat_id and data.get('is_business') and data.get('country') in EU_COUNTRIES and data.get('vat_id'):
@@ -232,7 +350,7 @@ class BaseInvoiceAddressForm(forms.ModelForm):
                     country_code, normalized_id, company_name = result
                     self.instance.vat_id_validated = True
                     self.instance.vat_id = normalized_id
-            except vat_moss.errors.InvalidError:
+            except (vat_moss.errors.InvalidError, ValueError):
                 raise ValidationError(_('This VAT ID is not valid. Please re-check your input.'))
             except vat_moss.errors.WebServiceUnavailableError:
                 logger.exception('VAT ID checking failed for country {}'.format(data.get('country')))

src/pretix/base/forms/widgets.py

@@ -2,6 +2,7 @@ import os
 
 from django import forms
 from django.utils.formats import get_format
+from django.utils.functional import lazy
 from django.utils.timezone import now
 from django.utils.translation import ugettext_lazy as _
 
@@ -92,14 +93,20 @@ class SplitDateTimePickerWidget(forms.SplitDateTimeWidget):
         date_attrs['class'] += ' datepickerfield'
         time_attrs['class'] += ' timepickerfield'
 
-        df = date_format or get_format('DATE_INPUT_FORMATS')[0]
-        date_attrs['placeholder'] = now().replace(
-            year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
-        ).strftime(df)
-        tf = time_format or get_format('TIME_INPUT_FORMATS')[0]
-        time_attrs['placeholder'] = now().replace(
-            year=2000, month=1, day=1, hour=0, minute=0, second=0, microsecond=0
-        ).strftime(tf)
+        def date_placeholder():
+            df = date_format or get_format('DATE_INPUT_FORMATS')[0]
+            return now().replace(
+                year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
+            ).strftime(df)
+
+        def time_placeholder():
+            tf = time_format or get_format('TIME_INPUT_FORMATS')[0]
+            return now().replace(
+                year=2000, month=1, day=1, hour=0, minute=0, second=0, microsecond=0
+            ).strftime(tf)
+
+        date_attrs['placeholder'] = lazy(date_placeholder, str)
+        time_attrs['placeholder'] = lazy(time_placeholder, str)
 
         widgets = (
             forms.DateInput(attrs=date_attrs, format=date_format),

src/pretix/base/invoice.py

@@ -192,8 +192,15 @@ class ThumbnailingImageReader(ImageReader):
             size=(int(width * dpi / 72), int(height * dpi / 72)),
             resample=BICUBIC
         )
+        self._data = None
         return width, height
 
+    def _jpeg_fh(self):
+        # Bypass a reportlab-internal optimization that falls back to the original
+        # file handle if the file is a JPEG, and therefore does not respect the
+        # (smaller) size of the modified image.
+        return None
+
 
 class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
     identifier = 'classic'
@@ -216,7 +223,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
         p.drawOn(canvas, 25 * mm, (297 - 52) * mm - p_size[1])
 
     def _draw_invoice_from(self, canvas):
-        p = Paragraph(self.invoice.invoice_from.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
+        p = Paragraph(self.invoice.full_invoice_from.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
         p.wrapOn(canvas, 70 * mm, 50 * mm)
         p_size = p.wrap(70 * mm, 50 * mm)
         p.drawOn(canvas, 25 * mm, (297 - 17) * mm - p_size[1])
@@ -323,7 +330,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             return txt
 
         if not self.invoice.event.has_subevents:
-            if self.invoice.event.settings.show_date_to:
+            if self.invoice.event.settings.show_date_to and self.invoice.event.date_to:
                 p_str = (
                     shorten(self.invoice.event.name) + '\n' + pgettext('invoice', '{from_date}\nuntil {to_date}').format(
                         from_date=self.invoice.event.get_date_from_display(),
@@ -379,7 +386,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
 
         if self.invoice.internal_reference:
             story.append(Paragraph(
-                pgettext('invoice', 'Your reference: {reference}').format(reference=self.invoice.internal_reference),
+                pgettext('invoice', 'Customer reference: {reference}').format(reference=self.invoice.internal_reference),
                 self.stylesheet['Normal']
             ))
 

src/pretix/base/migrations/0001_initial.py

@@ -28,7 +28,8 @@ class Migration(migrations.Migration):
                 ('password', models.CharField(verbose_name='password', max_length=128)),
                 ('last_login', models.DateTimeField(verbose_name='last login', blank=True, null=True)),
                 ('is_superuser', models.BooleanField(verbose_name='superuser status', default=False, help_text='Designates that this user has all permissions without explicitly assigning them.')),
-                ('email', models.EmailField(max_length=254, blank=True, unique=True, verbose_name='E-mail', null=True, db_index=True)),
+                ('email', models.EmailField(max_length=191, blank=True, unique=True, verbose_name='E-mail', null=True,
+                                            db_index=True)),
                 ('givenname', models.CharField(verbose_name='Given name', max_length=255, blank=True, null=True)),
                 ('familyname', models.CharField(verbose_name='Family name', max_length=255, blank=True, null=True)),
                 ('is_active', models.BooleanField(verbose_name='Is active', default=True)),

src/pretix/base/migrations/0099_auto_20180912_1035.py

@@ -0,0 +1,45 @@
+# Generated by Django 2.1 on 2018-09-12 10:35
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import pretix.base.models.devices
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0098_auto_20180731_1243_squashed_0100_item_require_approval'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Device',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('device_id', models.PositiveIntegerField()),
+                ('unique_serial', models.CharField(default=pretix.base.models.devices.generate_serial, max_length=190, unique=True)),
+                ('initialization_token', models.CharField(default=pretix.base.models.devices.generate_initialization_token, max_length=190, unique=True)),
+                ('api_token', models.CharField(max_length=190, null=True, unique=True)),
+                ('all_events', models.BooleanField(default=False, verbose_name='All events (including newly created ones)')),
+                ('name', models.CharField(max_length=190, verbose_name='Name')),
+                ('created', models.DateTimeField(auto_now_add=True, verbose_name='Setup date')),
+                ('initialized', models.DateTimeField(null=True, verbose_name='Initialization date')),
+                ('hardware_brand', models.CharField(blank=True, max_length=190, null=True)),
+                ('hardware_model', models.CharField(blank=True, max_length=190, null=True)),
+                ('software_brand', models.CharField(blank=True, max_length=190, null=True)),
+                ('software_version', models.CharField(blank=True, max_length=190, null=True)),
+                ('limit_events', models.ManyToManyField(blank=True, to='pretixbase.Event', verbose_name='Limit to events')),
+                ('organizer', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='devices', to='pretixbase.Organizer')),
+            ],
+        ),
+        migrations.AlterUniqueTogether(
+            name='device',
+            unique_together={('organizer', 'device_id')},
+        ),
+        migrations.AddField(
+            model_name='logentry',
+            name='device',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.Device'),
+        ),
+    ]

src/pretix/base/migrations/0100_auto_20181023_2300.py

@@ -0,0 +1,79 @@
+# Generated by Django 2.1 on 2018-10-23 23:00
+
+import django_countries.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0099_auto_20180912_1035'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_from_city',
+            field=models.CharField(max_length=190, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_from_country',
+            field=django_countries.fields.CountryField(max_length=2, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_from_name',
+            field=models.CharField(max_length=190, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_from_tax_id',
+            field=models.CharField(max_length=190, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_from_vat_id',
+            field=models.CharField(max_length=190, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_from_zipcode',
+            field=models.CharField(max_length=190, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_city',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_company',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_country',
+            field=django_countries.fields.CountryField(max_length=2, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_name',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_street',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_vat_id',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_zipcode',
+            field=models.CharField(max_length=190, null=True),
+        ),
+    ]

src/pretix/base/migrations/0101_auto_20181025_2255.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.1 on 2018-10-25 22:55
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0100_auto_20181023_2300'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoice',
+            name='reverse_charge',
+            field=models.BooleanField(default=False),
+        ),
+    ]

src/pretix/base/migrations/0102_auto_20181017_0024.py

@@ -0,0 +1,96 @@
+# Generated by Django 2.1 on 2018-10-17 00:24
+
+import jsonfallback.fields
+from django.core.exceptions import ImproperlyConfigured
+from django.db import migrations
+from django_mysql.checks import mysql_connections
+from django_mysql.utils import connection_is_mariadb
+
+
+def set_attendee_name_parts(apps, schema_editor):
+    OrderPosition = apps.get_model('pretixbase', 'OrderPosition')  # noqa
+    for op in OrderPosition.objects.exclude(attendee_name_cached=None).exclude(
+            attendee_name_cached__isnull=True).iterator():
+        op.attendee_name_parts = {'_legacy': op.attendee_name_cached}
+        op.save(update_fields=['attendee_name_parts'])
+    CartPosition = apps.get_model('pretixbase', 'CartPosition')  # noqa
+    for op in CartPosition.objects.exclude(attendee_name_cached=None).exclude(
+            attendee_name_cached__isnull=True).iterator():
+        op.attendee_name_parts = {'_legacy': op.attendee_name_cached}
+        op.save(update_fields=['attendee_name_parts'])
+    InvoiceAddress = apps.get_model('pretixbase', 'InvoiceAddress')  # noqa
+    for ia in InvoiceAddress.objects.exclude(name_cached=None).exclude(
+            name_cached__isnull=True).iterator():
+        ia.name_parts = {'_legacy': ia.name_cached}
+        ia.save(update_fields=['name_parts'])
+
+
+def check_mysqlversion(apps, schema_editor):
+    errors = []
+    any_conn_works = False
+    conns = list(mysql_connections())
+    found = 'Unknown version'
+    for alias, conn in conns:
+        if connection_is_mariadb(conn) and hasattr(conn, 'mysql_version'):
+            if conn.mysql_version >= (10, 2, 7):
+                any_conn_works = True
+            else:
+                found = 'MariaDB ' + '.'.join(str(v) for v in conn.mysql_version)
+        elif hasattr(conn, 'mysql_version'):
+            if conn.mysql_version >= (5, 7):
+                any_conn_works = True
+            else:
+                found = 'MySQL ' + '.'.join(str(v) for v in conn.mysql_version)
+
+    if conns and not any_conn_works:
+        raise ImproperlyConfigured(
+            'As of pretix 2.2, you need MySQL 5.7+ or MariaDB 10.2.7+ to run pretix. However, we detected a '
+            'database connection to {}'.format(found)
+        )
+    return errors
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('pretixbase', '0101_auto_20181025_2255'),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            check_mysqlversion, migrations.RunPython.noop
+        ),
+        migrations.RenameField(
+            model_name='cartposition',
+            old_name='attendee_name',
+            new_name='attendee_name_cached',
+        ),
+        migrations.RenameField(
+            model_name='orderposition',
+            old_name='attendee_name',
+            new_name='attendee_name_cached',
+        ),
+        migrations.RenameField(
+            model_name='invoiceaddress',
+            old_name='name',
+            new_name='name_cached',
+        ),
+        migrations.AddField(
+            model_name='cartposition',
+            name='attendee_name_parts',
+            field=jsonfallback.fields.FallbackJSONField(null=False, default=dict),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='orderposition',
+            name='attendee_name_parts',
+            field=jsonfallback.fields.FallbackJSONField(null=False, default=dict),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='name_parts',
+            field=jsonfallback.fields.FallbackJSONField(default=dict),
+            preserve_default=False,
+        ),
+        migrations.RunPython(set_attendee_name_parts, migrations.RunPython.noop)
+    ]

src/pretix/base/migrations/0103_auto_20181121_1224.py

@@ -0,0 +1,29 @@
+# Generated by Django 2.1.1 on 2018-11-21 12:24
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0102_auto_20181017_0024'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='item',
+            name='sales_channels',
+            field=pretix.base.models.fields.MultiStringField(default=['web'], verbose_name='Sales channels'),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='order',
+            name='sales_channel',
+            field=models.CharField(default='web', max_length=190),
+            preserve_default=False,
+        ),
+    ]

src/pretix/base/models/__init__.py

@@ -2,6 +2,7 @@ from ..settings import GlobalSettingsObject_SettingsStore
 from .auth import U2FDevice, User
 from .base import CachedFile, LoggedModel, cachedfile_name
 from .checkin import Checkin, CheckinList
+from .devices import Device
 from .event import (
     Event, Event_SettingsStore, EventLock, EventMetaProperty, EventMetaValue,
     RequiredAction, SubEvent, SubEventMetaValue, generate_invite_token,

src/pretix/base/models/auth.py

@@ -75,7 +75,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
     REQUIRED_FIELDS = []
 
     email = models.EmailField(unique=True, db_index=True, null=True, blank=True,
-                              verbose_name=_('E-mail'))
+                              verbose_name=_('E-mail'), max_length=190)
     fullname = models.CharField(max_length=255, blank=True, null=True,
                                 verbose_name=_('Full name'))
     is_active = models.BooleanField(default=True,

src/pretix/base/models/base.py

@@ -3,6 +3,7 @@ import uuid
 
 from django.contrib.contenttypes.models import ContentType
 from django.db import models
+from django.db.models.constants import LOOKUP_SEP
 from django.db.models.signals import post_delete
 from django.dispatch import receiver
 from django.utils.crypto import get_random_string
@@ -47,10 +48,12 @@ class LoggingMixin:
         """
         from .log import LogEntry
         from .event import Event
+        from .devices import Device
         from pretix.api.models import OAuthAccessToken, OAuthApplication
         from .organizer import TeamAPIToken
         from ..notifications import get_all_notification_types
         from ..services.notifications import notify
+        from pretix.api.webhooks import get_all_webhook_events, notify_webhooks
 
         event = None
         if isinstance(self, Event):
@@ -67,6 +70,8 @@ class LoggingMixin:
             kwargs['oauth_application'] = auth
         elif isinstance(auth, TeamAPIToken):
             kwargs['api_token'] = auth
+        elif isinstance(auth, Device):
+            kwargs['device'] = auth
         elif isinstance(api_token, TeamAPIToken):
             kwargs['api_token'] = api_token
 
@@ -76,8 +81,21 @@ class LoggingMixin:
         if save:
             logentry.save()
 
-            if action in get_all_notification_types():
+            no_types = get_all_notification_types()
+            wh_types = get_all_webhook_events()
+
+            no_type = None
+            wh_type = None
+            typepath = logentry.action_type
+            while (not no_type or not wh_types) and '.' in typepath:
+                wh_type = wh_type or wh_types.get(typepath + ('.*' if typepath != logentry.action_type else ''))
+                no_type = no_type or no_types.get(typepath + ('.*' if typepath != logentry.action_type else ''))
+                typepath = typepath.rsplit('.', 1)[0]
+
+            if no_type:
                 notify.apply_async(args=(logentry.pk,))
+            if wh_type:
+                notify_webhooks.apply_async(args=(logentry.pk,))
         return logentry
 
 
@@ -96,4 +114,50 @@ class LoggedModel(models.Model, LoggingMixin):
 
         return LogEntry.objects.filter(
             content_type=ContentType.objects.get_for_model(type(self)), object_id=self.pk
-        ).select_related('user', 'event', 'oauth_application', 'api_token')
+        ).select_related('user', 'event', 'oauth_application', 'api_token', 'device')
+
+
+class LockModel:
+    def refresh_for_update(self, fields=None, using=None, **kwargs):
+        """
+        Like refresh_from_db(), but with select_for_update().
+        See also https://code.djangoproject.com/ticket/28344
+        """
+        if fields is not None:
+            if not fields:
+                return
+            if any(LOOKUP_SEP in f for f in fields):
+                raise ValueError(
+                    'Found "%s" in fields argument. Relations and transforms '
+                    'are not allowed in fields.' % LOOKUP_SEP)
+
+        hints = {'instance': self}
+        db_instance_qs = self.__class__._base_manager.db_manager(using, hints=hints).filter(pk=self.pk).select_for_update(**kwargs)
+
+        # Use provided fields, if not set then reload all non-deferred fields.
+        deferred_fields = self.get_deferred_fields()
+        if fields is not None:
+            fields = list(fields)
+            db_instance_qs = db_instance_qs.only(*fields)
+        elif deferred_fields:
+            fields = [f.attname for f in self._meta.concrete_fields
+                      if f.attname not in deferred_fields]
+            db_instance_qs = db_instance_qs.only(*fields)
+
+        db_instance = db_instance_qs.get()
+        non_loaded_fields = db_instance.get_deferred_fields()
+        for field in self._meta.concrete_fields:
+            if field.attname in non_loaded_fields:
+                # This field wasn't refreshed - skip ahead.
+                continue
+            setattr(self, field.attname, getattr(db_instance, field.attname))
+            # Clear cached foreign keys.
+            if field.is_relation and field.is_cached(self):
+                field.delete_cached_value(self)
+
+        # Clear cached relations.
+        for field in self._meta.related_objects:
+            if field.is_cached(self):
+                field.delete_cached_value(self)
+
+        self._state.db = db_instance._state.db

src/pretix/base/models/devices.py

@@ -0,0 +1,155 @@
+import string
+
+from django.db import models
+from django.db.models import Max
+from django.utils.crypto import get_random_string
+from django.utils.translation import ugettext_lazy as _
+
+from pretix.base.models import LoggedModel
+
+
+def generate_serial():
+    serial = get_random_string(allowed_chars='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', length=16)
+    while Device.objects.filter(unique_serial=serial).exists():
+        serial = get_random_string(allowed_chars='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789', length=16)
+    return serial
+
+
+def generate_initialization_token():
+    token = get_random_string(length=16, allowed_chars=string.ascii_lowercase + string.digits)
+    while Device.objects.filter(initialization_token=token).exists():
+        token = get_random_string(length=16, allowed_chars=string.ascii_lowercase + string.digits)
+    return token
+
+
+def generate_api_token():
+    token = get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits)
+    while Device.objects.filter(api_token=token).exists():
+        token = get_random_string(length=64, allowed_chars=string.ascii_lowercase + string.digits)
+    return token
+
+
+class Device(LoggedModel):
+    organizer = models.ForeignKey(
+        'pretixbase.Organizer',
+        on_delete=models.PROTECT,
+        related_name='devices'
+    )
+    device_id = models.PositiveIntegerField()
+    unique_serial = models.CharField(max_length=190, default=generate_serial, unique=True)
+    initialization_token = models.CharField(max_length=190, default=generate_initialization_token, unique=True)
+    api_token = models.CharField(max_length=190, unique=True, null=True)
+    all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
+    limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+    name = models.CharField(
+        max_length=190,
+        verbose_name=_('Name')
+    )
+    created = models.DateTimeField(
+        auto_now_add=True,
+        verbose_name=_('Setup date')
+    )
+    initialized = models.DateTimeField(
+        verbose_name=_('Initialization date'),
+        null=True,
+    )
+    hardware_brand = models.CharField(
+        max_length=190,
+        null=True, blank=True
+    )
+    hardware_model = models.CharField(
+        max_length=190,
+        null=True, blank=True
+    )
+    software_brand = models.CharField(
+        max_length=190,
+        null=True, blank=True
+    )
+    software_version = models.CharField(
+        max_length=190,
+        null=True, blank=True
+    )
+
+    class Meta:
+        unique_together = (('organizer', 'device_id'),)
+
+    def __str__(self):
+        return '#{}: {} ({} {})'.format(
+            self.device_id, self.name, self.hardware_brand, self.hardware_model
+        )
+
+    def save(self, *args, **kwargs):
+        if not self.device_id:
+            self.device_id = (self.organizer.devices.aggregate(m=Max('device_id'))['m'] or 0) + 1
+        super().save(*args, **kwargs)
+
+    def permission_set(self) -> set:
+        return {
+            'can_view_orders',
+            'can_change_orders',
+        }
+
+    def get_event_permission_set(self, organizer, event) -> set:
+        """
+        Gets a set of permissions (as strings) that a token holds for a particular event
+
+        :param organizer: The organizer of the event
+        :param event: The event to check
+        :return: set of permissions
+        """
+        has_event_access = (self.all_events and organizer == self.organizer) or (
+            event in self.limit_events.all()
+        )
+        return self.permission_set() if has_event_access else set()
+
+    def get_organizer_permission_set(self, organizer) -> set:
+        """
+        Gets a set of permissions (as strings) that a token holds for a particular organizer
+
+        :param organizer: The organizer of the event
+        :return: set of permissions
+        """
+        return self.permission_set() if self.organizer == organizer else set()
+
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
+        """
+        Checks if this token is part of a team that grants access of type ``perm_name``
+        to the event ``event``.
+
+        :param organizer: The organizer of the event
+        :param event: The event to check
+        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param request: This parameter is ignored and only defined for compatibility reasons.
+        :return: bool
+        """
+        has_event_access = (self.all_events and organizer == self.organizer) or (
+            event in self.limit_events.all()
+        )
+        if isinstance(perm_name, (tuple, list)):
+            return has_event_access and any(p in self.permission_set() for p in perm_name)
+        return has_event_access and (not perm_name or perm_name in self.permission_set())
+
+    def has_organizer_permission(self, organizer, perm_name=None, request=None):
+        """
+        Checks if this token is part of a team that grants access of type ``perm_name``
+        to the organizer ``organizer``.
+
+        :param organizer: The organizer to check
+        :param perm_name: The permission, e.g. ``can_change_teams``
+        :param request: This parameter is ignored and only defined for compatibility reasons.
+        :return: bool
+        """
+        if isinstance(perm_name, (tuple, list)):
+            return organizer == self.organizer and any(p in self.permission_set() for p in perm_name)
+        return organizer == self.organizer and (not perm_name or perm_name in self.permission_set())
+
+    def get_events_with_any_permission(self):
+        """
+        Returns a queryset of events the token has any permissions to.
+
+        :return: Iterable of Events
+        """
+        if self.all_events:
+            return self.organizer.events.all()
+        else:
+            return self.limit_events.all()

src/pretix/base/models/event.py

@@ -227,10 +227,9 @@ class Event(EventMixin, LoggedModel):
                                    verbose_name=_("Event end time"))
     date_admission = models.DateTimeField(null=True, blank=True,
                                           verbose_name=_("Admission time"))
-    is_public = models.BooleanField(default=False,
-                                    verbose_name=_("Visible in public lists"),
-                                    help_text=_("If selected, this event may show up on the ticket system's start page "
-                                                "or an organization profile."))
+    is_public = models.BooleanField(default=True,
+                                    verbose_name=_("Show in lists"),
+                                    help_text=_("If selected, this event will show up publicly on the list of events for your organizer account."))
     presale_end = models.DateTimeField(
         null=True, blank=True,
         verbose_name=_("End of presale"),
@@ -276,12 +275,24 @@ class Event(EventMixin, LoggedModel):
         else:
             return super().presale_has_ended
 
+    def delete_all_orders(self, really=False):
+        from .orders import OrderRefund, OrderPayment, OrderPosition, OrderFee
+
+        if not really:
+            raise TypeError("Pass really=True as a parameter.")
+
+        OrderPosition.objects.filter(order__event=self).delete()
+        OrderFee.objects.filter(order__event=self).delete()
+        OrderPayment.objects.filter(order__event=self).delete()
+        OrderRefund.objects.filter(order__event=self).delete()
+        self.orders.all().delete()
+
     def save(self, *args, **kwargs):
         obj = super().save(*args, **kwargs)
         self.cache.clear()
         return obj
 
-    def get_plugins(self) -> "list[str]":
+    def get_plugins(self):
         """
         Returns the names of the plugins activated for this event as a list.
         """
@@ -289,7 +300,7 @@ class Event(EventMixin, LoggedModel):
             return []
         return self.plugins.split(",")
 
-    def get_cache(self) -> "pretix.base.cache.ObjectRelatedCache":
+    def get_cache(self):
         """
         Returns an :py:class:`ObjectRelatedCache` object. This behaves equivalent to
         Django's built-in cache backends, but puts you into an isolated environment for

src/pretix/base/models/fields.py

@@ -0,0 +1,94 @@
+from django.core import exceptions
+from django.db.models import TextField, lookups as builtin_lookups
+from django.utils.translation import gettext_lazy as _
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
+DELIMITER = "\x1F"
+
+
+class MultiStringField(TextField):
+    default_error_messages = {
+        'delimiter_found': _('No value can contain the delimiter character.')
+    }
+
+    def __init__(self, verbose_name=None, name=None, **kwargs):
+        super().__init__(verbose_name, name, **kwargs)
+
+    def deconstruct(self):
+        name, path, args, kwargs = super().deconstruct()
+        return name, path, args, kwargs
+
+    def to_python(self, value):
+        if isinstance(value, (list, tuple)):
+            return value
+        elif value:
+            return [v for v in value.split(DELIMITER) if v]
+        else:
+            return []
+
+    def get_prep_value(self, value):
+        if isinstance(value, (list, tuple)):
+            return DELIMITER + DELIMITER.join(value) + DELIMITER
+        elif value is None:
+            return ""
+        raise TypeError("Invalid data type passed.")
+
+    def get_prep_lookup(self, lookup_type, value):  # NOQA
+        raise TypeError('Lookups on multi strings are currently not supported.')
+
+    def from_db_value(self, value, expression, connection, context):
+        if value:
+            return [v for v in value.split(DELIMITER) if v]
+        else:
+            return []
+
+    def validate(self, value, model_instance):
+        super().validate(value, model_instance)
+        for l in value:
+            if DELIMITER in l:
+                raise exceptions.ValidationError(
+                    self.error_messages['delimiter_found'],
+                    code='delimiter_found',
+                )
+
+    def get_lookup(self, lookup_name):
+        if lookup_name == 'contains':
+            return MultiStringContains
+        elif lookup_name == 'icontains':
+            return MultiStringIContains
+        raise NotImplementedError(
+            "Lookup '{}' doesn't work with MultiStringField".format(lookup_name),
+        )
+
+
+class MultiStringContains(builtin_lookups.Contains):
+    def process_rhs(self, qn, connection):
+        sql, params = super().process_rhs(qn, connection)
+        params[0] = "%" + DELIMITER + params[0][1:-1] + DELIMITER + "%"
+        return sql, params
+
+
+class MultiStringIContains(builtin_lookups.IContains):
+    def process_rhs(self, qn, connection):
+        sql, params = super().process_rhs(qn, connection)
+        params[0] = "%" + DELIMITER + params[0][1:-1] + DELIMITER + "%"
+        return sql, params
+
+
+class MultiStringSerializer(serializers.Field):
+    def __init__(self, **kwargs):
+        self.allow_blank = kwargs.pop('allow_blank', False)
+        super().__init__(**kwargs)
+
+    def to_representation(self, value):
+        return value
+
+    def to_internal_value(self, data):
+        if isinstance(data, list):
+            return data
+        else:
+            raise ValidationError('Invalid data type.')
+
+
+serializers.ModelSerializer.serializer_field_mapping[MultiStringField] = MultiStringSerializer

src/pretix/base/models/invoices.py

@@ -2,9 +2,13 @@ import string
 from decimal import Decimal
 
 from django.db import DatabaseError, models, transaction
+from django.db.models import Max
+from django.db.models.functions import Cast
 from django.utils import timezone
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
+from django.utils.translation import pgettext
+from django_countries.fields import CountryField
 
 
 def invoice_filename(instance, filename: str) -> str:
@@ -73,11 +77,25 @@ class Invoice(models.Model):
     is_cancellation = models.BooleanField(default=False)
     refers = models.ForeignKey('Invoice', related_name='refered', null=True, blank=True, on_delete=models.CASCADE)
     invoice_from = models.TextField()
+    invoice_from_name = models.CharField(max_length=190, null=True)
+    invoice_from_zipcode = models.CharField(max_length=190, null=True)
+    invoice_from_city = models.CharField(max_length=190, null=True)
+    invoice_from_country = CountryField(null=True)
+    invoice_from_tax_id = models.CharField(max_length=190, null=True)
+    invoice_from_vat_id = models.CharField(max_length=190, null=True)
     invoice_to = models.TextField()
+    invoice_to_company = models.TextField(null=True)
+    invoice_to_name = models.TextField(null=True)
+    invoice_to_street = models.TextField(null=True)
+    invoice_to_zipcode = models.CharField(max_length=190, null=True)
+    invoice_to_city = models.TextField(null=True)
+    invoice_to_country = CountryField(null=True)
+    invoice_to_vat_id = models.TextField(null=True)
     date = models.DateField(default=today)
     locale = models.CharField(max_length=50, default='en')
     introductory_text = models.TextField(blank=True)
     additional_text = models.TextField(blank=True)
+    reverse_charge = models.BooleanField(default=False)
     payment_provider_text = models.TextField(blank=True)
     footer_text = models.TextField(blank=True)
     foreign_currency_display = models.CharField(max_length=50, null=True, blank=True)
@@ -92,12 +110,28 @@ class Invoice(models.Model):
     def _to_numeric_invoice_number(number):
         return '{:05d}'.format(int(number))
 
+    @property
+    def full_invoice_from(self):
+        parts = [
+            self.invoice_from_name,
+            self.invoice_from,
+            (self.invoice_from_zipcode or "") + " " + (self.invoice_from_city or ""),
+            str(self.invoice_from_country),
+            pgettext("invoice", "VAT-ID: %s" % self.invoice_from_vat_id) if self.invoice_from_vat_id else "",
+            pgettext("invoice", "Tax ID: %s" % self.invoice_from_tax_id) if self.invoice_from_tax_id else "",
+        ]
+        return '\n'.join([p.strip() for p in parts if p and p.strip()])
+
     def _get_numeric_invoice_number(self):
         numeric_invoices = Invoice.objects.filter(
             event__organizer=self.event.organizer,
             prefix=self.prefix,
-        ).exclude(invoice_no__contains='-')
-        return self._to_numeric_invoice_number(numeric_invoices.count() + 1)
+        ).exclude(invoice_no__contains='-').annotate(
+            numeric_number=Cast('invoice_no', models.IntegerField())
+        ).aggregate(
+            max=Max('numeric_number')
+        )['max'] or 0
+        return self._to_numeric_invoice_number(numeric_invoices + 1)
 
     def _get_invoice_number_from_order(self):
         return '{order}-{count}'.format(
@@ -155,7 +189,7 @@ class Invoice(models.Model):
 
     class Meta:
         unique_together = ('organizer', 'prefix', 'invoice_no')
-        ordering = ('invoice_no',)
+        ordering = ('date', 'invoice_no',)
 
 
 class InvoiceLine(models.Model):

src/pretix/base/models/items.py

@@ -17,6 +17,7 @@ from django.utils.timezone import is_naive, make_aware, now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from i18nfield.fields import I18nCharField, I18nTextField
 
+from pretix.base.models import fields
 from pretix.base.models.base import LoggedModel
 from pretix.base.models.tax import TaxedPrice
 
@@ -195,6 +196,8 @@ class Item(LoggedModel):
     :type original_price: decimal.Decimal
     :param require_approval: If set to ``True``, orders containing this product can only be processed and paid after approved by an administrator
     :type require_approval: bool
+    :param sales_channels: Sales channels this item is available on.
+    :type sales_channels: bool
     """
 
     event = models.ForeignKey(
@@ -329,6 +332,10 @@ class Item(LoggedModel):
         help_text=_('If set, this will be displayed next to the current price to show that the current price is a '
                     'discounted one. This is just a cosmetic setting and will not actually impact pricing.')
     )
+    sales_channels = fields.MultiStringField(
+        verbose_name=_('Sales channels'),
+        default=['web']
+    )
     # !!! Attention: If you add new fields here, also add them to the copying code in
     # pretix/control/forms/item.py if applicable.
 
@@ -357,17 +364,21 @@ class Item(LoggedModel):
                               rate=Decimal('0.00'), name='')
         return self.tax_rule.tax(price, base_price_is=base_price_is)
 
+    def is_available_by_time(self, now_dt: datetime=None) -> bool:
+        now_dt = now_dt or now()
+        if self.available_from and self.available_from > now_dt:
+            return False
+        if self.available_until and self.available_until < now_dt:
+            return False
+        return True
+
     def is_available(self, now_dt: datetime=None) -> bool:
         """
         Returns whether this item is available according to its ``active`` flag
         and its ``available_from`` and ``available_until`` fields
         """
         now_dt = now_dt or now()
-        if not self.active:
-            return False
-        if self.available_from and self.available_from > now_dt:
-            return False
-        if self.available_until and self.available_until < now_dt:
+        if not self.active or not self.is_available_by_time(now_dt):
             return False
         return True
 
@@ -403,12 +414,9 @@ class Item(LoggedModel):
                    key=lambda s: (s[0], s[1] if s[1] is not None else sys.maxsize))
 
     def allow_delete(self):
-        from pretix.base.models.orders import CartPosition, OrderPosition
+        from pretix.base.models.orders import OrderPosition
 
-        return (
-            not OrderPosition.objects.filter(item=self).exists()
-            and not CartPosition.objects.filter(item=self).exists()
-        )
+        return not OrderPosition.objects.filter(item=self).exists()
 
     @cached_property
     def has_variations(self):
@@ -753,7 +761,7 @@ class Question(LoggedModel):
 
     @staticmethod
     def _clean_identifier(event, code, instance=None):
-        qs = Question.objects.filter(event=event, identifier=code)
+        qs = Question.objects.filter(event=event, identifier__iexact=code)
         if instance:
             qs = qs.exclude(pk=instance.pk)
         if qs.exists():

src/pretix/base/models/log.py

@@ -41,6 +41,7 @@ class LogEntry(models.Model):
     datetime = models.DateTimeField(auto_now_add=True, db_index=True)
     user = models.ForeignKey('User', null=True, blank=True, on_delete=models.PROTECT)
     api_token = models.ForeignKey('TeamAPIToken', null=True, blank=True, on_delete=models.PROTECT)
+    device = models.ForeignKey('Device', null=True, blank=True, on_delete=models.PROTECT)
     oauth_application = models.ForeignKey('pretixapi.OAuthApplication', null=True, blank=True, on_delete=models.PROTECT)
     event = models.ForeignKey('Event', null=True, blank=True, on_delete=models.SET_NULL)
     action_type = models.CharField(max_length=255)
@@ -62,6 +63,16 @@ class LogEntry(models.Model):
                 return response
         return self.action_type
 
+    @cached_property
+    def organizer(self):
+        if self.event:
+            return self.event.organizer
+        elif hasattr(self.content_object, 'event'):
+            return self.content_object.event.organizer
+        elif hasattr(self.content_object, 'organizer'):
+            return self.content_object.organizer
+        return None
+
     @cached_property
     def display_object(self):
         from . import Order, Voucher, Quota, Item, ItemCategory, Question, Event, TaxRule, SubEvent

src/pretix/base/models/orders.py

@@ -26,12 +26,14 @@ from django.utils.timezone import make_aware, now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from django_countries.fields import CountryField
 from i18nfield.strings import LazyI18nString
+from jsonfallback.fields import FallbackJSONField
 
 from pretix.base.i18n import language
 from pretix.base.models import User
 from pretix.base.reldate import RelativeDateWrapper
+from pretix.base.settings import PERSON_NAME_SCHEMES
 
-from .base import LoggedModel
+from .base import LockModel, LoggedModel
 from .event import Event, SubEvent
 from .items import Item, ItemVariation, Question, QuestionOption, Quota
 
@@ -47,7 +49,7 @@ def generate_position_secret():
     return get_random_string(length=settings.ENTROPY['ticket_secret'], allowed_chars='abcdefghjkmnpqrstuvwxyz23456789')
 
 
-class Order(LoggedModel):
+class Order(LockModel, LoggedModel):
     """
     An order is created when a user clicks 'buy' on his cart. It holds
     several OrderPositions and is connected to a user. It has an
@@ -92,6 +94,8 @@ class Order(LoggedModel):
     :type require_approval: bool
     :param meta_info: Additional meta information on the order, JSON-encoded.
     :type meta_info: str
+    :param sales_channel: Identifier of the sales channel this order was created through.
+    :type sales_channel: str
     """
 
     STATUS_PENDING = "n"
@@ -172,6 +176,7 @@ class Order(LoggedModel):
     require_approval = models.BooleanField(
         default=False
     )
+    sales_channel = models.CharField(max_length=190, default="web")
 
     class Meta:
         verbose_name = _("Order")
@@ -420,6 +425,20 @@ class Order(LoggedModel):
                 dl_date = dl_date.datetime(self.event)
         return dl_date
 
+    @property
+    def ticket_download_available(self):
+        return self.event.settings.ticket_download and (
+            self.event.settings.ticket_download_date is None
+            or now() > self.ticket_download_date
+        ) and (
+            self.status == Order.STATUS_PAID
+            or (
+                (self.event.settings.ticket_download_pending or self.total == Decimal("0.00")) and
+                self.status == Order.STATUS_PENDING and
+                not self.require_approval
+            )
+        )
+
     @property
     def payment_term_last(self):
         tz = pytz.timezone(self.event.settings.timezone)
@@ -442,7 +461,7 @@ class Order(LoggedModel):
         error_messages = {
             'late_lastdate': _("The payment can not be accepted as the last date of payments configured in the "
                                "payment settings is over."),
-            'late': _("The payment can not be accepted as it the order is expired and you configured that no late "
+            'late': _("The payment can not be accepted as the order is expired and you configured that no late "
                       "payments should be accepted in the payment settings."),
             'require_approval': _('This order is not yet approved by the event organizer.')
         }
@@ -496,7 +515,7 @@ class Order(LoggedModel):
     def send_mail(self, subject: str, template: Union[str, LazyI18nString],
                   context: Dict[str, Any]=None, log_entry_type: str='pretix.event.order.email.sent',
                   user: User=None, headers: dict=None, sender: str=None, invoices: list=None,
-                  auth=None):
+                  auth=None, attach_tickets=False):
         """
         Sends an email to the user that placed this order. Basically, this method does two things:
 
@@ -512,6 +531,7 @@ class Order(LoggedModel):
         :param user: Administrative user who triggered this mail to be sent
         :param headers: Dictionary with additional mail headers
         :param sender: Custom email sender.
+        :param attach_tickets: Attach tickets of this order, if they are existing and ready to download
         """
         from pretix.base.services.mail import SendMailException, mail, render_mail
 
@@ -525,7 +545,7 @@ class Order(LoggedModel):
                 mail(
                     recipient, subject, template, context,
                     self.event, self.locale, self, headers, sender,
-                    invoices=invoices
+                    invoices=invoices, attach_tickets=attach_tickets
                 )
             except SendMailException:
                 raise
@@ -538,7 +558,8 @@ class Order(LoggedModel):
                         'subject': subject,
                         'message': email_content,
                         'recipient': recipient,
-                        'invoices': [i.pk for i in invoices] if invoices else []
+                        'invoices': [i.pk for i in invoices] if invoices else [],
+                        'attach_tickets': attach_tickets,
                     }
                 )
 
@@ -684,8 +705,10 @@ class AbstractPosition(models.Model):
     :type expires: datetime
     :param price: The price of this item
     :type price: decimal.Decimal
-    :param attendee_name: The attendee's name, if entered.
-    :type attendee_name: str
+    :param attendee_name_parts: The parts of the attendee's name, if entered.
+    :type attendee_name_parts: str
+    :param attendee_name_cached: The concatenated version of the attendee's name, if entered.
+    :type attendee_name_cached: str
     :param attendee_email: The attendee's email, if entered.
     :type attendee_email: str
     :param voucher: A voucher that has been applied to this sale
@@ -696,7 +719,7 @@ class AbstractPosition(models.Model):
     subevent = models.ForeignKey(
         SubEvent,
         null=True, blank=True,
-        on_delete=models.CASCADE,
+        on_delete=models.PROTECT,
         verbose_name=pgettext_lazy("subevent", "Date"),
     )
     item = models.ForeignKey(
@@ -714,22 +737,25 @@ class AbstractPosition(models.Model):
         decimal_places=2, max_digits=10,
         verbose_name=_("Price")
     )
-    attendee_name = models.CharField(
+    attendee_name_cached = models.CharField(
         max_length=255,
         verbose_name=_("Attendee name"),
         blank=True, null=True,
         help_text=_("Empty, if this product is not an admission ticket")
     )
+    attendee_name_parts = FallbackJSONField(
+        blank=True, default=dict
+    )
     attendee_email = models.EmailField(
         verbose_name=_("Attendee email"),
         blank=True, null=True,
         help_text=_("Empty, if this product is not an admission ticket")
     )
     voucher = models.ForeignKey(
-        'Voucher', null=True, blank=True, on_delete=models.CASCADE
+        'Voucher', null=True, blank=True, on_delete=models.PROTECT
     )
     addon_to = models.ForeignKey(
-        'self', null=True, blank=True, on_delete=models.CASCADE, related_name='addons'
+        'self', null=True, blank=True, on_delete=models.PROTECT, related_name='addons'
     )
     meta_info = models.TextField(
         verbose_name=_("Meta information"),
@@ -782,6 +808,24 @@ class AbstractPosition(models.Model):
                 if self.variation is None
                 else self.variation.quotas.filter(subevent=self.subevent))
 
+    def save(self, *args, **kwargs):
+        self.attendee_name_cached = self.attendee_name
+        if self.attendee_name_parts is None:
+            self.attendee_name_parts = {}
+        super().save(*args, **kwargs)
+
+    @property
+    def attendee_name(self):
+        if not self.attendee_name_parts:
+            return None
+        if '_legacy' in self.attendee_name_parts:
+            return self.attendee_name_parts['_legacy']
+        if '_scheme' in self.attendee_name_parts:
+            scheme = PERSON_NAME_SCHEMES[self.attendee_name_parts['_scheme']]
+        else:
+            scheme = PERSON_NAME_SCHEMES[self.event.settings.name_scheme]
+        return scheme['concatenation'](self.attendee_name_parts).strip()
+
 
 class OrderPayment(models.Model):
     """
@@ -882,6 +926,25 @@ class OrderPayment(models.Model):
         """
         return self.order.event.get_payment_providers().get(self.provider)
 
+    def _mark_paid(self, force, count_waitinglist, user, auth):
+        from pretix.base.signals import order_paid
+        can_be_paid = self.order._can_be_paid(count_waitinglist=count_waitinglist)
+        if not force and can_be_paid is not True:
+            self.order.log_action('pretix.event.order.quotaexceeded', {
+                'message': can_be_paid
+            }, user=user, auth=auth)
+            raise Quota.QuotaExceededException(can_be_paid)
+        self.order.status = Order.STATUS_PAID
+        self.order.save(update_fields=['status'])
+
+        self.order.log_action('pretix.event.order.paid', {
+            'provider': self.provider,
+            'info': self.info,
+            'date': self.payment_date,
+            'force': force
+        }, user=user, auth=auth)
+        order_paid.send(self.order.event, order=self.order)
+
     def confirm(self, count_waitinglist=True, send_mail=True, force=False, user=None, auth=None, mail_text=''):
         """
         Marks the payment as complete. If possible, this also marks the order as paid if no further
@@ -901,7 +964,6 @@ class OrderPayment(models.Model):
         :type mail_text: str
         :raises Quota.QuotaExceededException: if the quota is exceeded and ``force`` is ``False``
         """
-        from pretix.base.signals import order_paid
         from pretix.base.services.invoices import generate_invoice, invoice_qualified
         from pretix.base.services.mail import SendMailException
         from pretix.multidomain.urlreverse import build_absolute_uri
@@ -928,20 +990,14 @@ class OrderPayment(models.Model):
         if payment_sum - refund_sum < self.order.total:
             return
 
-        with self.order.event.lock():
-            can_be_paid = self.order._can_be_paid(count_waitinglist=count_waitinglist)
-            if not force and can_be_paid is not True:
-                raise Quota.QuotaExceededException(can_be_paid)
-            self.order.status = Order.STATUS_PAID
-            self.order.save()
-
-            self.order.log_action('pretix.event.order.paid', {
-                'provider': self.provider,
-                'info': self.info,
-                'date': self.payment_date,
-                'force': force
-            }, user=user, auth=auth)
-            order_paid.send(self.order.event, order=self.order)
+        if self.order.status == Order.STATUS_PENDING and self.order.expires > now() + timedelta(hours=12):
+            # Performance optimization. In this case, there's really no reason to lock everything and an atomic
+            # database transaction is more than enough.
+            with transaction.atomic():
+                self._mark_paid(force, count_waitinglist, user, auth)
+        else:
+            with self.order.event.lock():
+                self._mark_paid(force, count_waitinglist, user, auth)
 
         invoice = None
         if invoice_qualified(self.order):
@@ -982,7 +1038,8 @@ class OrderPayment(models.Model):
                     self.order.send_mail(
                         email_subject, email_template, email_context,
                         'pretix.event.order.email.order_paid', user,
-                        invoices=[invoice] if invoice and self.order.event.settings.invoice_email_attachment else []
+                        invoices=[invoice] if invoice and self.order.event.settings.invoice_email_attachment else [],
+                        attach_tickets=True
                     )
                 except SendMailException:
                     logger.exception('Order paid email could not be sent')
@@ -1396,6 +1453,7 @@ class OrderPosition(AbstractPosition):
         # Delete afterwards. Deleting in between might cause deletion of things related to add-ons
         # due to the deletion cascade.
         for cartpos in cp:
+            cartpos.addons.all().delete()
             cartpos.delete()
         return ops
 
@@ -1454,6 +1512,10 @@ class OrderPosition(AbstractPosition):
                 self.pseudonymization_id = code
                 return
 
+    @property
+    def event(self):
+        return self.order.event
+
 
 class CartPosition(AbstractPosition):
     """
@@ -1519,7 +1581,8 @@ class InvoiceAddress(models.Model):
     order = models.OneToOneField(Order, null=True, blank=True, related_name='invoice_address', on_delete=models.CASCADE)
     is_business = models.BooleanField(default=False, verbose_name=_('Business customer'))
     company = models.CharField(max_length=255, blank=True, verbose_name=_('Company name'))
-    name = models.CharField(max_length=255, verbose_name=_('Full name'), blank=True)
+    name_cached = models.CharField(max_length=255, verbose_name=_('Full name'), blank=True)
+    name_parts = FallbackJSONField(default=dict)
     street = models.TextField(verbose_name=_('Address'), blank=False)
     zipcode = models.CharField(max_length=30, verbose_name=_('ZIP code'), blank=False)
     city = models.CharField(max_length=255, verbose_name=_('City'), blank=False)
@@ -1537,8 +1600,26 @@ class InvoiceAddress(models.Model):
     def save(self, **kwargs):
         if self.order:
             self.order.touch()
+
+        if self.name_parts:
+            self.name_cached = self.name
+        else:
+            self.name_cached = ""
+            self.name_parts = {}
         super().save(**kwargs)
 
+    @property
+    def name(self):
+        if not self.name_parts:
+            return ""
+        if '_legacy' in self.name_parts:
+            return self.name_parts['_legacy']
+        if '_scheme' in self.name_parts:
+            scheme = PERSON_NAME_SCHEMES[self.name_parts['_scheme']]
+        else:
+            raise TypeError("Invalid name given.")
+        return scheme['concatenation'](self.name_parts).strip()
+
 
 def cachedticket_name(instance, filename: str) -> str:
     secret = get_random_string(length=16, allowed_chars=string.ascii_letters + string.digits)

src/pretix/base/models/organizer.py

@@ -58,7 +58,7 @@ class Organizer(LoggedModel):
         self.get_cache().clear()
         return obj
 
-    def get_cache(self) -> "pretix.base.cache.ObjectRelatedCache":
+    def get_cache(self):
         """
         Returns an :py:class:`ObjectRelatedCache` object. This behaves equivalent to
         Django's built-in cache backends, but puts you into an isolated environment for
@@ -82,6 +82,20 @@ class Organizer(LoggedModel):
 
         return ObjectRelatedCache(self)
 
+    def allow_delete(self):
+        from . import Order, Invoice
+        return (
+            not Order.objects.filter(event__organizer=self).exists() and
+            not Invoice.objects.filter(event__organizer=self).exists() and
+            not self.devices.exists()
+        )
+
+    def delete_sub_objects(self):
+        for e in self.events.all():
+            e.delete_sub_objects()
+            e.delete()
+        self.teams.all().delete()
+
 
 def generate_invite_token():
     return get_random_string(length=32, allowed_chars=string.ascii_lowercase + string.digits)

src/pretix/base/models/vouchers.py

@@ -240,6 +240,8 @@ class Voucher(LoggedModel):
     def clean_quota_needs_checking(data, old_instance, item_changed, creating):
         # We only need to check for quota on vouchers that are now blocking quota and haven't
         # before (or have blocked a different quota before)
+        if data.get('allow_ignore_quota', False):
+            return False
         if data.get('block_quota', False):
             is_valid = data.get('valid_until') is None or data.get('valid_until') >= now()
             if not is_valid:

src/pretix/base/notifications.py

@@ -193,6 +193,12 @@ def register_default_notification_types(sender, **kwargs):
             _('New order placed'),
             _('A new order has been placed: {order.code}'),
         ),
+        ParametrizedOrderNotificationType(
+            sender,
+            'pretix.event.order.placed.require_approval',
+            _('New order requires approval'),
+            _('A new order has been placed that requires approval: {order.code}'),
+        ),
         ParametrizedOrderNotificationType(
             sender,
             'pretix.event.order.paid',
@@ -225,7 +231,7 @@ def register_default_notification_types(sender, **kwargs):
         ),
         ParametrizedOrderNotificationType(
             sender,
-            'pretix.event.order.changed',
+            'pretix.event.order.changed.*',
             _('Order changed'),
             _('Order {order.code} has been changed.')
         ),

src/pretix/base/payment.py

@@ -14,12 +14,14 @@ from django.http import HttpRequest
 from django.template.loader import get_template
 from django.utils.timezone import now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
+from django_countries import Countries
 from i18nfield.forms import I18nFormField, I18nTextarea, I18nTextInput
 from i18nfield.strings import LazyI18nString
 
 from pretix.base.forms import PlaceholderValidator
 from pretix.base.models import (
-    CartPosition, Event, Order, OrderPayment, OrderRefund, Quota,
+    CartPosition, Event, InvoiceAddress, Order, OrderPayment, OrderRefund,
+    Quota,
 )
 from pretix.base.reldate import RelativeDateField, RelativeDateWrapper
 from pretix.base.settings import SettingsSandbox
@@ -28,7 +30,7 @@ from pretix.base.templatetags.money import money_filter
 from pretix.base.templatetags.rich_text import rich_text
 from pretix.helpers.money import DecimalTextInput
 from pretix.presale.views import get_cart_total
-from pretix.presale.views.cart import get_or_create_cart_id
+from pretix.presale.views.cart import cart_session, get_or_create_cart_id
 
 logger = logging.getLogger(__name__)
 
@@ -179,7 +181,7 @@ class BasePaymentProvider:
                      implementation.
         """
         places = settings.CURRENCY_PLACES.get(self.event.currency, 2)
-        return OrderedDict([
+        d = OrderedDict([
             ('_enabled',
              forms.BooleanField(
                  label=_('Enable payment method'),
@@ -250,7 +252,31 @@ class BasePaymentProvider:
                              'above!').format(docs_url='https://docs.pretix.eu/en/latest/user/payments/fees.html'),
                  required=False
              )),
+            ('_restricted_countries',
+             forms.MultipleChoiceField(
+                 label=_('Restrict to countries'),
+                 choices=Countries(),
+                 help_text=_('Only allow choosing this payment provider for invoice addresses in the selected '
+                             'countries. If you don\'t select any country, all countries are allowed. This is only '
+                             'enabled if the invoice address is required.'),
+                 widget=forms.CheckboxSelectMultiple(
+                     attrs={'class': 'scrolling-multiple-choice'}
+                 ),
+                 required=False,
+                 disabled=not self.event.settings.invoice_address_required
+             )),
         ])
+        d['_restricted_countries']._as_type = list
+        return d
+
+    def settings_form_clean(self, cleaned_data):
+        """
+        Overriding this method allows you to inject custom validation into the settings form.
+
+        :param cleaned_data: Form data as per previous validations.
+        :return: Please return the modified cleaned_data
+        """
+        return cleaned_data
 
     def settings_content_render(self, request: HttpRequest) -> str:
         """
@@ -350,7 +376,8 @@ class BasePaymentProvider:
         during checkout, not on retrying.
 
         The default implementation checks for the _availability_date setting to be either unset or in the future
-        and for the _total_max and _total_min requirements to be met.
+        and for the _total_max and _total_min requirements to be met. It also checks the ``_restrict_countries``
+        setting.
 
         :param total: The total value without the payment method fee, after taxes.
 
@@ -371,6 +398,26 @@ class BasePaymentProvider:
         if self.settings._total_min is not None:
             pricing = pricing and total >= Decimal(self.settings._total_min)
 
+        def get_invoice_address():
+            if not hasattr(request, '_checkout_flow_invoice_address'):
+                cs = cart_session(request)
+                iapk = cs.get('invoice_address')
+                if not iapk:
+                    request._checkout_flow_invoice_address = InvoiceAddress()
+                else:
+                    try:
+                        request._checkout_flow_invoice_address = InvoiceAddress.objects.get(pk=iapk, order__isnull=True)
+                    except InvoiceAddress.DoesNotExist:
+                        request._checkout_flow_invoice_address = InvoiceAddress()
+            return request._checkout_flow_invoice_address
+
+        if self.event.settings.invoice_address_required:
+            restricted_countries = self.settings.get('_restricted_countries', as_type=list)
+            if restricted_countries:
+                ia = get_invoice_address()
+                if str(ia.country) not in restricted_countries:
+                    return False
+
         return timing and pricing
 
     def payment_form_render(self, request: HttpRequest, total: Decimal) -> str:
@@ -503,7 +550,8 @@ class BasePaymentProvider:
         Will be called to check whether it is allowed to change the payment method of
         an order to this one.
 
-        The default implementation checks for the _availability_date setting to be either unset or in the future.
+        The default implementation checks for the _availability_date setting to be either unset or in the future,
+        as well as for the _total_max, _total_min and _restricted_countries settings.
 
         :param order: The order object
         """
@@ -514,6 +562,16 @@ class BasePaymentProvider:
         if self.settings._total_min is not None and ps < Decimal(self.settings._total_min):
             return False
 
+        restricted_countries = self.settings.get('_restricted_countries', as_type=list)
+        if restricted_countries:
+            try:
+                ia = order.invoice_address
+            except InvoiceAddress.DoesNotExist:
+                return True
+            else:
+                if str(ia.country) not in restricted_countries:
+                    return False
+
         return self._is_still_available(order=order)
 
     def payment_prepare(self, request: HttpRequest, payment: OrderPayment) -> Union[bool, str]:

src/pretix/base/pdf.py

@@ -1,12 +1,18 @@
 import copy
 import logging
+import os
 import re
+import subprocess
+import tempfile
 import uuid
 from collections import OrderedDict
+from functools import partial
 from io import BytesIO
 
 import bleach
+from django.conf import settings
 from django.contrib.staticfiles import finders
+from django.dispatch import receiver
 from django.utils.formats import date_format
 from django.utils.translation import ugettext_lazy as _
 from PyPDF2 import PdfFileReader
@@ -25,7 +31,8 @@ from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus import Paragraph
 
 from pretix.base.invoice import ThumbnailingImageReader
-from pretix.base.models import Order, OrderPosition
+from pretix.base.models import Order, OrderPosition, QuestionAnswer
+from pretix.base.settings import PERSON_NAME_SCHEMES
 from pretix.base.signals import layout_text_variables
 from pretix.base.templatetags.money import money_filter
 from pretix.presale.style import get_fonts
@@ -117,6 +124,14 @@ DEFAULT_VARIABLES = OrderedDict((
             "SHORT_DATETIME_FORMAT"
         ) if ev.date_to else ""
     }),
+    ("event_end_date", {
+        "label": _("Event end date"),
+        "editor_sample": _("2017-05-31"),
+        "evaluate": lambda op, order, ev: date_format(
+            ev.date_to.astimezone(timezone(ev.settings.timezone)),
+            "SHORT_DATE_FORMAT"
+        ) if ev.date_to else ""
+    }),
     ("event_end_time", {
         "label": _("Event end time"),
         "editor_sample": _("22:00"),
@@ -147,12 +162,12 @@ DEFAULT_VARIABLES = OrderedDict((
         "evaluate": lambda op, order, ev: str(ev.location).replace("\n", "<br/>\n")
     }),
     ("invoice_name", {
-        "label": _("Invoice address: name"),
+        "label": _("Invoice address name"),
         "editor_sample": _("John Doe"),
         "evaluate": lambda op, order, ev: order.invoice_address.name if getattr(order, 'invoice_address', None) else ''
     }),
     ("invoice_company", {
-        "label": _("Invoice address: company"),
+        "label": _("Invoice address company"),
         "editor_sample": _("Sample company"),
         "evaluate": lambda op, order, ev: order.invoice_address.company if getattr(order, 'invoice_address', None) else ''
     }),
@@ -161,7 +176,10 @@ DEFAULT_VARIABLES = OrderedDict((
         "editor_sample": _("Addon 1\nAddon 2"),
         "evaluate": lambda op, order, ev: "<br/>".join([
             '{} - {}'.format(p.item, p.variation) if p.variation else str(p.item)
-            for p in op.addons.select_related('item', 'variation')
+            for p in (
+                op.addons.all() if 'addons' in getattr(op, '_prefetched_objects_cache', {})
+                else op.addons.select_related('item', 'variation')
+            )
         ])
     }),
     ("organizer", {
@@ -177,10 +195,54 @@ DEFAULT_VARIABLES = OrderedDict((
 ))
 
 
+@receiver(layout_text_variables, dispatch_uid="pretix_base_layout_text_variables_questions")
+def variables_from_questions(sender, *args, **kwargs):
+    def get_answer(op, order, event, question_id):
+        try:
+            if 'answers' in getattr(op, '_prefetched_objects_cache', {}):
+                a = [a for a in op.answers.all() if a.question_id == question_id][0]
+            else:
+                a = op.answers.get(question_id=question_id)
+            return str(a).replace("\n", "<br/>\n")
+        except QuestionAnswer.DoesNotExist:
+            return ""
+        except IndexError:
+            return ""
+
+    d = {}
+    for q in sender.questions.all():
+        d['question_{}'.format(q.pk)] = {
+            'label': _('Question: {question}').format(question=q.question),
+            'editor_sample': _('<Answer: {question}>').format(question=q.question),
+            'evaluate': partial(get_answer, question_id=q.pk)
+        }
+    return d
+
+
 def get_variables(event):
     v = copy.copy(DEFAULT_VARIABLES)
+
+    scheme = PERSON_NAME_SCHEMES[event.settings.name_scheme]
+    for key, label, weight in scheme['fields']:
+        v['attendee_name_%s' % key] = {
+            'label': _("Attendee name: {part}").format(part=label),
+            'editor_sample': scheme['sample'][key],
+            'evaluate': lambda op, order, ev: op.attendee_name_parts.get(key, '')
+        }
+
+    v['invoice_name']['editor_sample'] = scheme['concatenation'](scheme['sample'])
+    v['attendee_name']['editor_sample'] = scheme['concatenation'](scheme['sample'])
+
+    for key, label, weight in scheme['fields']:
+        v['invoice_name_%s' % key] = {
+            'label': _("Invoice address name: {part}").format(part=label),
+            'editor_sample': scheme['sample'][key],
+            "evaluate": lambda op, order, ev: order.invoice_address.name_parts.get(key, '') if getattr(order, 'invoice_address', None) else ''
+        }
+
     for recv, res in layout_text_variables.send(sender=event):
         v.update(res)
+
     return v
 
 
@@ -191,8 +253,10 @@ class Renderer:
         self.background_file = background_file
         self.variables = get_variables(event)
         if self.background_file:
-            self.bg_pdf = PdfFileReader(BytesIO(self.background_file.read()))
+            self.bg_bytes = self.background_file.read()
+            self.bg_pdf = PdfFileReader(BytesIO(self.bg_bytes), strict=False)
         else:
+            self.bg_bytes = None
             self.bg_pdf = None
 
     @classmethod
@@ -213,6 +277,8 @@ class Renderer:
 
     def _draw_poweredby(self, canvas: Canvas, op: OrderPosition, o: dict):
         content = o.get('content', 'dark')
+        if content not in ('dark', 'white'):
+            content = 'dark'
         img = finders.find('pretixpresale/pdf/powered_by_pretix_{}.png'.format(content))
 
         ir = ThumbnailingImageReader(img)
@@ -303,24 +369,45 @@ class Renderer:
                 self._draw_textarea(canvas, op, order, o)
             elif o['type'] == "poweredby":
                 self._draw_poweredby(canvas, op, o)
+            if self.bg_pdf:
+                canvas.setPageSize((self.bg_pdf.getPage(0).mediaBox[2], self.bg_pdf.getPage(0).mediaBox[3]))
         canvas.showPage()
 
     def render_background(self, buffer, title=_('Ticket')):
-        from PyPDF2 import PdfFileWriter, PdfFileReader
-        buffer.seek(0)
-        new_pdf = PdfFileReader(buffer)
-        output = PdfFileWriter()
+        if settings.PDFTK:
+            buffer.seek(0)
+            with tempfile.TemporaryDirectory() as d:
+                with open(os.path.join(d, 'back.pdf'), 'wb') as f:
+                    f.write(self.bg_bytes)
+                with open(os.path.join(d, 'front.pdf'), 'wb') as f:
+                    f.write(buffer.read())
+                subprocess.run([
+                    settings.PDFTK,
+                    os.path.join(d, 'front.pdf'),
+                    'background',
+                    os.path.join(d, 'back.pdf'),
+                    'output',
+                    os.path.join(d, 'out.pdf'),
+                    'compress'
+                ], check=True)
+                with open(os.path.join(d, 'out.pdf'), 'rb') as f:
+                    return BytesIO(f.read())
+        else:
+            from PyPDF2 import PdfFileWriter, PdfFileReader
+            buffer.seek(0)
+            new_pdf = PdfFileReader(buffer)
+            output = PdfFileWriter()
 
-        for page in new_pdf.pages:
-            bg_page = copy.copy(self.bg_pdf.getPage(0))
-            bg_page.mergePage(page)
-            output.addPage(bg_page)
+            for page in new_pdf.pages:
+                bg_page = copy.copy(self.bg_pdf.getPage(0))
+                bg_page.mergePage(page)
+                output.addPage(bg_page)
 
-        output.addMetadata({
-            '/Title': str(title),
-            '/Creator': 'pretix',
-        })
-        outbuffer = BytesIO()
-        output.write(outbuffer)
-        outbuffer.seek(0)
-        return outbuffer
+            output.addMetadata({
+                '/Title': str(title),
+                '/Creator': 'pretix',
+            })
+            outbuffer = BytesIO()
+            output.write(outbuffer)
+            outbuffer.seek(0)
+            return outbuffer

src/pretix/base/services/cart.py

@@ -4,6 +4,7 @@ from decimal import Decimal
 from typing import List, Optional
 
 from celery.exceptions import MaxRetriesExceededError
+from django.core.exceptions import ValidationError
 from django.db import transaction
 from django.db.models import Q
 from django.dispatch import receiver
@@ -17,9 +18,11 @@ from pretix.base.models import (
 from pretix.base.models.event import SubEvent
 from pretix.base.models.orders import OrderFee
 from pretix.base.models.tax import TAXED_ZERO, TaxedPrice, TaxRule
+from pretix.base.services.checkin import _save_answers
 from pretix.base.services.locking import LockTimeoutException
 from pretix.base.services.pricing import get_price
 from pretix.base.services.tasks import ProfiledTask
+from pretix.base.settings import PERSON_NAME_SCHEMES
 from pretix.base.templatetags.rich_text import rich_text
 from pretix.celery_app import app
 from pretix.presale.signals import (
@@ -99,7 +102,8 @@ class CartManager:
         AddOperation: 30
     }
 
-    def __init__(self, event: Event, cart_id: str, invoice_address: InvoiceAddress=None):
+    def __init__(self, event: Event, cart_id: str, invoice_address: InvoiceAddress=None, widget_data=None,
+                 sales_channel='web'):
         self.event = event
         self.cart_id = cart_id
         self.now_dt = now()
@@ -111,6 +115,8 @@ class CartManager:
         self._variations_cache = {}
         self._expiry = None
         self.invoice_address = invoice_address
+        self._widget_data = widget_data or {}
+        self._sales_channel = sales_channel
 
     @property
     def positions(self):
@@ -188,6 +194,9 @@ class CartManager:
             if not op.item.is_available() or (op.variation and not op.variation.active):
                 raise CartError(error_messages['unavailable'])
 
+            if self._sales_channel not in op.item.sales_channels:
+                raise CartError(error_messages['unavailable'])
+
             if op.voucher and not op.voucher.applies_to(op.item, op.variation):
                 raise CartError(error_messages['voucher_invalid_item'])
 
@@ -570,6 +579,7 @@ class CartManager:
                 if op.position.expires > self.now_dt:
                     for q in op.position.quotas:
                         quotas_ok[q] += 1
+                op.position.addons.all().delete()
                 op.position.delete()
 
             elif isinstance(op, self.AddOperation) or isinstance(op, self.ExtendOperation):
@@ -604,12 +614,37 @@ class CartManager:
 
                 if isinstance(op, self.AddOperation):
                     for k in range(available_count):
-                        new_cart_positions.append(CartPosition(
+                        cp = CartPosition(
                             event=self.event, item=op.item, variation=op.variation,
                             price=op.price.gross, expires=self._expiry, cart_id=self.cart_id,
                             voucher=op.voucher, addon_to=op.addon_to if op.addon_to else None,
                             subevent=op.subevent, includes_tax=op.includes_tax
-                        ))
+                        )
+                        if self.event.settings.attendee_names_asked:
+                            scheme = PERSON_NAME_SCHEMES.get(self.event.settings.name_scheme)
+                            if 'attendee-name' in self._widget_data:
+                                cp.attendee_name_parts = {'_legacy': self._widget_data['attendee-name']}
+                            if any('attendee-name-{}'.format(k.replace('_', '-')) in self._widget_data for k, l, w
+                                   in scheme['fields']):
+                                cp.attendee_name_parts = {
+                                    k: self._widget_data.get('attendee-name-{}'.format(k.replace('_', '-')), '')
+                                    for k, l, w in scheme['fields']
+                                }
+                        if self.event.settings.attendee_emails_asked and 'email' in self._widget_data:
+                            cp.attendee_email = self._widget_data.get('email')
+
+                        cp._answers = {}
+                        for k, v in self._widget_data.items():
+                            if not k.startswith('question-'):
+                                continue
+                            q = cp.item.questions.filter(ask_during_checkin=False, identifier__iexact=k[9:]).first()
+                            if q:
+                                try:
+                                    cp._answers[q] = q.clean_answer(v)
+                                except ValidationError:
+                                    pass
+
+                        new_cart_positions.append(cp)
                 elif isinstance(op, self.ExtendOperation):
                     if available_count == 1:
                         op.position.expires = self._expiry
@@ -620,7 +655,11 @@ class CartManager:
                     else:
                         raise AssertionError("ExtendOperation cannot affect more than one item")
 
-        CartPosition.objects.bulk_create(new_cart_positions)
+        for p in new_cart_positions:
+            if p._answers:
+                p.save()
+                _save_answers(p, {}, p._answers)
+        CartPosition.objects.bulk_create([p for p in new_cart_positions if not p._answers])
         return err
 
     def commit(self):
@@ -701,7 +740,7 @@ def get_fees(event, request, total, invoice_address, provider):
 
 @app.task(base=ProfiledTask, bind=True, max_retries=5, default_retry_delay=1, throws=(CartError,))
 def add_items_to_cart(self, event: int, items: List[dict], cart_id: str=None, locale='en',
-                      invoice_address: int=None) -> None:
+                      invoice_address: int=None, widget_data=None, sales_channel='web') -> None:
     """
     Adds a list of items to a user's cart.
     :param event: The event ID in question
@@ -721,7 +760,8 @@ def add_items_to_cart(self, event: int, items: List[dict], cart_id: str=None, lo
 
         try:
             try:
-                cm = CartManager(event=event, cart_id=cart_id, invoice_address=ia)
+                cm = CartManager(event=event, cart_id=cart_id, invoice_address=ia, widget_data=widget_data,
+                                 sales_channel=sales_channel)
                 cm.add_new_items(items)
                 cm.commit()
             except LockTimeoutException:
@@ -773,7 +813,7 @@ def clear_cart(self, event: int, cart_id: str=None, locale='en') -> None:
 
 @app.task(base=ProfiledTask, bind=True, max_retries=5, default_retry_delay=1, throws=(CartError,))
 def set_cart_addons(self, event: int, addons: List[dict], cart_id: str=None, locale='en',
-                    invoice_address: int=None) -> None:
+                    invoice_address: int=None, sales_channel='web') -> None:
     """
     Removes a list of items from a user's cart.
     :param event: The event ID in question
@@ -791,7 +831,7 @@ def set_cart_addons(self, event: int, addons: List[dict], cart_id: str=None, loc
                 pass
         try:
             try:
-                cm = CartManager(event=event, cart_id=cart_id, invoice_address=ia)
+                cm = CartManager(event=event, cart_id=cart_id, invoice_address=ia, sales_channel=sales_channel)
                 cm.set_addons(addons)
                 cm.commit()
             except LockTimeoutException:

src/pretix/base/services/checkin.py

@@ -59,7 +59,8 @@ def _save_answers(op, answers, given_answers):
 
 @transaction.atomic
 def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict, force=False,
-                    ignore_unpaid=False, nonce=None, datetime=None, questions_supported=True):
+                    ignore_unpaid=False, nonce=None, datetime=None, questions_supported=True,
+                    user=None, auth=None):
     """
     Create a checkin for this particular order position and check-in list. Fails with CheckInError if the check in is
     not valid at this time.
@@ -133,7 +134,7 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
                 'forced': op.order.status != Order.STATUS_PAID,
                 'datetime': dt,
                 'list': clist.pk
-            })
+            }, user=user, auth=auth)
     else:
         if not force:
             raise CheckInError(
@@ -147,4 +148,4 @@ def perform_checkin(op: OrderPosition, clist: CheckinList, given_answers: dict,
             'forced': force,
             'datetime': dt,
             'list': clist.pk
-        })
+        }, user=user, auth=auth)

src/pretix/base/services/cleanup.py

@@ -3,13 +3,17 @@ from datetime import timedelta
 from django.dispatch import receiver
 from django.utils.timezone import now
 
+from pretix.base.models import CachedCombinedTicket, CachedTicket
+
 from ..models import CachedFile, CartPosition, InvoiceAddress
 from ..signals import periodic_task
 
 
 @receiver(signal=periodic_task)
 def clean_cart_positions(sender, **kwargs):
-    for cp in CartPosition.objects.filter(expires__lt=now() - timedelta(days=14)):
+    for cp in CartPosition.objects.filter(expires__lt=now() - timedelta(days=14), addon_to__isnull=False):
+        cp.delete()
+    for cp in CartPosition.objects.filter(expires__lt=now() - timedelta(days=14), addon_to__isnull=True):
         cp.delete()
     for ia in InvoiceAddress.objects.filter(order__isnull=True, last_modified__lt=now() - timedelta(days=14)):
         ia.delete()
@@ -19,3 +23,15 @@ def clean_cart_positions(sender, **kwargs):
 def clean_cached_files(sender, **kwargs):
     for cf in CachedFile.objects.filter(expires__isnull=False, expires__lt=now()):
         cf.delete()
+
+
+@receiver(signal=periodic_task)
+def clean_cached_tickets(sender, **kwargs):
+    for cf in CachedTicket.objects.filter(created__lte=now() - timedelta(days=30)):
+        cf.delete()
+    for cf in CachedCombinedTicket.objects.filter(created__lte=now() - timedelta(days=30)):
+        cf.delete()
+    for cf in CachedTicket.objects.filter(created__lte=now() - timedelta(minutes=30), file__isnull=True):
+        cf.delete()
+    for cf in CachedCombinedTicket.objects.filter(created__lte=now() - timedelta(minutes=30), file__isnull=True):
+        cf.delete()

src/pretix/base/services/invoices.py

@@ -14,6 +14,7 @@ from django.dispatch import receiver
 from django.utils import timezone
 from django.utils.timezone import now
 from django.utils.translation import pgettext, ugettext as _
+from django_countries.fields import Country
 from i18nfield.strings import LazyI18nString
 
 from pretix.base.i18n import language
@@ -40,12 +41,20 @@ def build_invoice(invoice: Invoice) -> Invoice:
 
     with language(invoice.locale):
         invoice.invoice_from = invoice.event.settings.get('invoice_address_from')
+        invoice.invoice_from_name = invoice.event.settings.get('invoice_address_from_name')
+        invoice.invoice_from_zipcode = invoice.event.settings.get('invoice_address_from_zipcode')
+        invoice.invoice_from_city = invoice.event.settings.get('invoice_address_from_city')
+        invoice.invoice_from_country = invoice.event.settings.get('invoice_address_from_country')
+        invoice.invoice_from_tax_id = invoice.event.settings.get('invoice_address_from_tax_id')
+        invoice.invoice_from_vat_id = invoice.event.settings.get('invoice_address_from_vat_id')
 
         introductory = invoice.event.settings.get('invoice_introductory_text', as_type=LazyI18nString)
         additional = invoice.event.settings.get('invoice_additional_text', as_type=LazyI18nString)
         footer = invoice.event.settings.get('invoice_footer_text', as_type=LazyI18nString)
         if open_payment and open_payment.payment_provider:
             payment = open_payment.payment_provider.render_invoice_text(invoice.order)
+        elif invoice.order.status == Order.STATUS_PAID:
+            payment = pgettext('invoice', 'The payment for this invoice has already been received.')
         else:
             payment = ""
 
@@ -66,8 +75,16 @@ def build_invoice(invoice: Invoice) -> Invoice:
                 country=ia.country.name if ia.country else ia.country_old
             ).strip()
             invoice.internal_reference = ia.internal_reference
+            invoice.invoice_to_company = ia.company
+            invoice.invoice_to_name = ia.name
+            invoice.invoice_to_street = ia.street
+            invoice.invoice_to_zipcode = ia.zipcode
+            invoice.invoice_to_city = ia.city
+            invoice.invoice_to_country = ia.country
+
             if ia.vat_id:
                 invoice.invoice_to += "\n" + pgettext("invoice", "VAT-ID: %s") % ia.vat_id
+                invoice.invoice_to_vat_id = ia.vat_id
 
             cc = str(ia.country)
 
@@ -138,6 +155,7 @@ def build_invoice(invoice: Invoice) -> Invoice:
                 "Reverse Charge: According to Article 194, 196 of Council Directive 2006/112/EEC, VAT liability "
                 "rests with the service recipient."
             )
+            invoice.reverse_charge = True
             invoice.save()
 
         offset = len(positions)
@@ -200,10 +218,10 @@ def regenerate_invoice(invoice: Invoice):
 
 
 def generate_invoice(order: Order, trigger_pdf=True):
-    locale = order.event.settings.get('invoice_language')
+    locale = order.event.settings.get('invoice_language', order.event.settings.locale)
     if locale:
         if locale == '__user__':
-            locale = order.locale
+            locale = order.locale or order.event.settings.locale
 
     invoice = Invoice(
         order=order,
@@ -267,6 +285,12 @@ def build_preview_invoice_pdf(event):
             date=timezone.now().date(), locale=locale, organizer=event.organizer
         )
         invoice.invoice_from = event.settings.get('invoice_address_from')
+        invoice.invoice_from_name = invoice.event.settings.get('invoice_address_from_name')
+        invoice.invoice_from_zipcode = invoice.event.settings.get('invoice_address_from_zipcode')
+        invoice.invoice_from_city = invoice.event.settings.get('invoice_address_from_city')
+        invoice.invoice_from_country = invoice.event.settings.get('invoice_address_from_country')
+        invoice.invoice_from_tax_id = invoice.event.settings.get('invoice_address_from_tax_id')
+        invoice.invoice_from_vat_id = invoice.event.settings.get('invoice_address_from_vat_id')
 
         introductory = event.settings.get('invoice_introductory_text', as_type=LazyI18nString)
         additional = event.settings.get('invoice_additional_text', as_type=LazyI18nString)
@@ -277,7 +301,15 @@ def build_preview_invoice_pdf(event):
         invoice.additional_text = str(additional).replace('\n', '<br />')
         invoice.footer_text = str(footer)
         invoice.payment_provider_text = str(payment).replace('\n', '<br />')
-        invoice.invoice_to = _("John Doe\n214th Example Street\n012345 Somecity")
+        invoice.invoice_to_name = _("John Doe")
+        invoice.invoice_to_street = _("214th Example Street")
+        invoice.invoice_to_zipcode = _("012345")
+        invoice.invoice_to_city = _('Sample city')
+        invoice.invoice_to_country = Country('DE')
+        invoice.invoice_to = '{}\n{}\n{} {}'.format(
+            invoice.invoice_to_name, invoice.invoice_to_street,
+            invoice.invoice_to_zipcode, invoice.invoice_to_city
+        )
         invoice.file = None
         invoice.save()
         invoice.lines.all().delete()

src/pretix/base/services/mail.py

@@ -14,6 +14,7 @@ from pretix.base.email import ClassicMailRenderer
 from pretix.base.i18n import language
 from pretix.base.models import Event, Invoice, InvoiceAddress, Order
 from pretix.base.services.invoices import invoice_pdf_task
+from pretix.base.services.tickets import get_tickets_for_order
 from pretix.base.signals import email_filter
 from pretix.celery_app import app
 from pretix.multidomain.urlreverse import build_absolute_uri
@@ -35,7 +36,8 @@ class SendMailException(Exception):
 
 def mail(email: str, subject: str, template: Union[str, LazyI18nString],
          context: Dict[str, Any]=None, event: Event=None, locale: str=None,
-         order: Order=None, headers: dict=None, sender: str=None, invoices: list=None):
+         order: Order=None, headers: dict=None, sender: str=None, invoices: list=None,
+         attach_tickets=False):
     """
     Sends out an email to a user. The mail will be sent synchronously or asynchronously depending on the installation.
 
@@ -65,6 +67,8 @@ def mail(email: str, subject: str, template: Union[str, LazyI18nString],
 
     :param invoices: A list of invoices to attach to this email.
 
+    :param attach_tickets: Whether to attach tickets to this email, if they are available to download.
+
     :raises MailOrderException: on obvious, immediate failures. Not raising an exception does not necessarily mean
         that the email has been sent, just that it has been queued by the email backend.
     """
@@ -153,7 +157,8 @@ def mail(email: str, subject: str, template: Union[str, LazyI18nString],
             event=event.id if event else None,
             headers=headers,
             invoices=[i.pk for i in invoices] if invoices else [],
-            order=order.pk if order else None
+            order=order.pk if order else None,
+            attach_tickets=attach_tickets
         )
 
         if invoices:
@@ -168,7 +173,7 @@ def mail(email: str, subject: str, template: Union[str, LazyI18nString],
 @app.task
 def mail_send_task(*args, to: List[str], subject: str, body: str, html: str, sender: str,
                    event: int=None, headers: dict=None, bcc: List[str]=None, invoices: List[int]=None,
-                   order: int=None) -> bool:
+                   order: int=None, attach_tickets=False) -> bool:
     email = EmailMultiAlternatives(subject, body, sender, to=to, bcc=bcc, headers=headers)
     if html is not None:
         email.attach_alternative(html, "text/html")
@@ -185,6 +190,7 @@ def mail_send_task(*args, to: List[str], subject: str, body: str, html: str, sen
                 except:
                     logger.exception('Could not attach invoice to email')
                     pass
+
     if event:
         event = Event.objects.get(id=event)
         backend = event.get_mail_backend()
@@ -197,6 +203,18 @@ def mail_send_task(*args, to: List[str], subject: str, body: str, html: str, sen
                 order = event.orders.get(pk=order)
             except Order.DoesNotExist:
                 order = None
+            else:
+                if attach_tickets:
+                    for name, ct in get_tickets_for_order(order):
+                        try:
+                            email.attach(
+                                name,
+                                ct.file.read(),
+                                ct.type
+                            )
+                        except:
+                            pass
+
         email = email_filter.send_chained(event, 'message', message=email, order=order)
 
     try:

src/pretix/base/services/notifications.py

@@ -17,9 +17,15 @@ def notify(logentry_id: int):
     if not logentry.event:
         return  # Ignore, we only have event-related notifications right now
     types = get_all_notification_types(logentry.event)
-    notification_type = types.get(logentry.action_type)
+
+    notification_type = None
+    typepath = logentry.action_type
+    while not notification_type and '.' in typepath:
+        notification_type = types.get(typepath + ('.*' if typepath != logentry.action_type else ''))
+        typepath = typepath.rsplit('.', 1)[0]
+
     if not notification_type:
-        return  # Ignore, e.g. plugin not active for this event
+        return  # No suitable plugin
 
     # All users that have the permission to get the notification
     users = logentry.event.get_users_with_permission(
@@ -33,7 +39,7 @@ def notify(logentry_id: int):
         (ns.user, ns.method): ns.enabled
         for ns in NotificationSetting.objects.filter(
             event=logentry.event,
-            action_type=logentry.action_type,
+            action_type=notification_type.action_type,
             user__pk__in=users.values_list('pk', flat=True)
         )
     }
@@ -41,7 +47,7 @@ def notify(logentry_id: int):
         (ns.user, ns.method): ns.enabled
         for ns in NotificationSetting.objects.filter(
             event__isnull=True,
-            action_type=logentry.action_type,
+            action_type=notification_type.action_type,
             user__pk__in=users.values_list('pk', flat=True)
         )
     }
@@ -49,20 +55,20 @@ def notify(logentry_id: int):
     for um, enabled in notify_specific.items():
         user, method = um
         if enabled:
-            send_notification.apply_async(args=(logentry_id, user.pk, method))
+            send_notification.apply_async(args=(logentry_id, notification_type.action_type, user.pk, method))
 
     for um, enabled in notify_global.items():
         user, method = um
         if enabled and um not in notify_specific:
-            send_notification.apply_async(args=(logentry_id, user.pk, method))
+            send_notification.apply_async(args=(logentry_id, notification_type.action_type, user.pk, method))
 
 
 @app.task(base=ProfiledTask)
-def send_notification(logentry_id: int, user_id: int, method: str):
+def send_notification(logentry_id: int, action_type: str, user_id: int, method: str):
     logentry = LogEntry.all.get(id=logentry_id)
     user = User.objects.get(id=user_id)
     types = get_all_notification_types(logentry.event)
-    notification_type = types.get(logentry.action_type)
+    notification_type = types.get(action_type)
     if not notification_type:
         return  # Ignore, e.g. plugin not active for this event
 

src/pretix/base/services/orders.py

@@ -21,7 +21,7 @@ from pretix.base.i18n import (
     LazyCurrencyNumber, LazyDate, LazyLocaleException, LazyNumber, language,
 )
 from pretix.base.models import (
-    CartPosition, Event, Item, ItemVariation, Order, OrderPayment,
+    CartPosition, Device, Event, Item, ItemVariation, Order, OrderPayment,
     OrderPosition, Quota, User, Voucher,
 )
 from pretix.base.models.event import SubEvent
@@ -91,34 +91,33 @@ def extend_order(order: Order, new_date: datetime, force: bool=False, user: User
     """
     if new_date < now():
         raise OrderError(_('The new expiry date needs to be in the future.'))
-    if order.status == Order.STATUS_PENDING:
+
+    def change(was_expired=True):
         order.expires = new_date
-        order.save()
+        if was_expired:
+            order.status = Order.STATUS_PENDING
+        order.save(update_fields=['expires'] + (['status'] if was_expired else []))
         order.log_action(
             'pretix.event.order.expirychanged',
             user=user,
             auth=auth,
             data={
                 'expires': order.expires,
-                'state_change': False
+                'state_change': was_expired
             }
         )
+        if was_expired:
+            num_invoices = order.invoices.filter(is_cancellation=False).count()
+            if num_invoices > 0 and order.invoices.filter(is_cancellation=True).count() >= num_invoices:
+                generate_invoice(order)
+
+    if order.status == Order.STATUS_PENDING:
+        change(was_expired=False)
     else:
         with order.event.lock() as now_dt:
             is_available = order._is_still_available(now_dt, count_waitinglist=False)
             if is_available is True or force is True:
-                order.expires = new_date
-                order.status = Order.STATUS_PENDING
-                order.save()
-                order.log_action(
-                    'pretix.event.order.expirychanged',
-                    user=user,
-                    auth=auth,
-                    data={
-                        'expires': order.expires,
-                        'state_change': True
-                    }
-                )
+                change(was_expired=True)
             else:
                 raise OrderError(is_available)
 
@@ -136,7 +135,7 @@ def mark_order_refunded(order, user=None, auth=None, api_token=None):
         user = User.objects.get(pk=user)
     with order.event.lock():
         order.status = Order.STATUS_REFUNDED
-        order.save()
+        order.save(update_fields=['status'])
 
     order.log_action('pretix.event.order.refunded', user=user, auth=auth or api_token)
     i = order.invoices.filter(is_cancellation=False).last()
@@ -159,7 +158,7 @@ def mark_order_expired(order, user=None, auth=None):
         user = User.objects.get(pk=user)
     with order.event.lock():
         order.status = Order.STATUS_EXPIRED
-        order.save()
+        order.save(update_fields=['status'])
 
     order.log_action('pretix.event.order.expired', user=user, auth=auth)
     i = order.invoices.filter(is_cancellation=False).last()
@@ -181,7 +180,7 @@ def approve_order(order, user=None, send_mail: bool=True, auth=None):
 
     order.require_approval = False
     order.set_expires(now(), order.event.subevents.filter(id__in=[p.subevent_id for p in order.positions.all()]))
-    order.save()
+    order.save(update_fields=['require_approval', 'expires'])
 
     order.log_action('pretix.event.order.approved', user=user, auth=auth)
     if order.total == Decimal('0.00'):
@@ -258,7 +257,7 @@ def deny_order(order, comment='', user=None, send_mail: bool=True, auth=None):
 
     with order.event.lock():
         order.status = Order.STATUS_CANCELED
-        order.save()
+        order.save(update_fields=['status'])
 
     order.log_action('pretix.event.order.denied', user=user, auth=auth, data={
         'comment': comment
@@ -307,7 +306,7 @@ def deny_order(order, comment='', user=None, send_mail: bool=True, auth=None):
 
 
 @transaction.atomic
-def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, oauth_application=None):
+def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, device=None, oauth_application=None):
     """
     Mark this order as canceled
     :param order: The order to change
@@ -319,15 +318,17 @@ def _cancel_order(order, user=None, send_mail: bool=True, api_token=None, oauth_
         user = User.objects.get(pk=user)
     if isinstance(api_token, int):
         api_token = TeamAPIToken.objects.get(pk=api_token)
+    if isinstance(device, int):
+        device = Device.objects.get(pk=device)
     if isinstance(oauth_application, int):
         oauth_application = OAuthApplication.objects.get(pk=oauth_application)
     with order.event.lock():
         if not order.cancel_allowed():
             raise OrderError(_('You cannot cancel this order.'))
         order.status = Order.STATUS_CANCELED
-        order.save()
+        order.save(update_fields=['status'])
 
-    order.log_action('pretix.event.order.canceled', user=user, auth=api_token or oauth_application)
+    order.log_action('pretix.event.order.canceled', user=user, auth=api_token or oauth_application or device)
     i = order.invoices.filter(is_cancellation=False).last()
     if i:
         generate_cancellation(i)
@@ -377,7 +378,7 @@ def _check_positions(event: Event, now_dt: datetime, positions: List[CartPositio
 
     products_seen = Counter()
     for i, cp in enumerate(positions):
-        if not cp.item.active or (cp.variation and not cp.variation.active):
+        if not cp.item.is_available() or (cp.variation and not cp.variation.active):
             err = err or error_messages['unavailable']
             cp.delete()
             continue
@@ -497,7 +498,7 @@ def _get_fees(positions: List[CartPosition], payment_provider: BasePaymentProvid
 
 def _create_order(event: Event, email: str, positions: List[CartPosition], now_dt: datetime,
                   payment_provider: BasePaymentProvider, locale: str=None, address: InvoiceAddress=None,
-                  meta_info: dict=None):
+                  meta_info: dict=None, sales_channel: str='web'):
     fees, pf = _get_fees(positions, payment_provider, address, meta_info, event)
     total = sum([c.price for c in positions]) + sum([c.value for c in fees])
 
@@ -510,7 +511,8 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
             locale=locale,
             total=total,
             meta_info=json.dumps(meta_info or {}),
-            require_approval=any(p.item.require_approval for p in positions)
+            require_approval=any(p.item.require_approval for p in positions),
+            sales_channel=sales_channel
         )
         order.set_expires(now_dt, event.subevents.filter(id__in=[p.subevent_id for p in positions]))
         order.save()
@@ -540,6 +542,8 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
 
         OrderPosition.transform_cart_positions(positions, order)
         order.log_action('pretix.event.order.placed')
+        if order.require_approval:
+            order.log_action('pretix.event.order.placed.require_approval')
         if meta_info:
             for msg in meta_info.get('confirm_messages', []):
                 order.log_action('pretix.event.order.consent', data={'msg': msg})
@@ -549,7 +553,7 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
 
 
 def _perform_order(event: str, payment_provider: str, position_ids: List[str],
-                   email: str, locale: str, address: int, meta_info: dict=None):
+                   email: str, locale: str, address: int, meta_info: dict=None, sales_channel: str='web'):
 
     event = Event.objects.get(id=event)
     if payment_provider:
@@ -578,7 +582,7 @@ def _perform_order(event: str, payment_provider: str, position_ids: List[str],
             raise OrderError(error_messages['internal'])
         _check_positions(event, now_dt, positions, address=addr)
         order = _create_order(event, email, positions, now_dt, pprov,
-                              locale=locale, address=addr, meta_info=meta_info)
+                              locale=locale, address=addr, meta_info=meta_info, sales_channel=sales_channel)
 
     invoice = order.invoices.last()  # Might be generated by plugin already
     if event.settings.get('invoice_generate') == 'True' and invoice_qualified(order):
@@ -631,7 +635,8 @@ def _perform_order(event: str, payment_provider: str, position_ids: List[str],
             order.send_mail(
                 email_subject, email_template, email_context,
                 log_entry,
-                invoices=[invoice] if invoice and event.settings.invoice_email_attachment else []
+                invoices=[invoice] if invoice and event.settings.invoice_email_attachment else [],
+                attach_tickets=True
             )
         except SendMailException:
             logger.exception('Order received email could not be sent')
@@ -658,47 +663,54 @@ def send_expiry_warnings(sender, **kwargs):
     eventcache = {}
     today = now().replace(hour=0, minute=0, second=0)
 
-    for o in Order.objects.filter(expires__gte=today, expiry_reminder_sent=False, status=Order.STATUS_PENDING).select_related('event'):
-        eventsettings = eventcache.get(o.event.pk, None)
-        if eventsettings is None:
-            eventsettings = o.event.settings
-            eventcache[o.event.pk] = eventsettings
+    for o in Order.objects.filter(
+        expires__gte=today, expiry_reminder_sent=False, status=Order.STATUS_PENDING, datetime__lte=now() - timedelta(hours=2)
+    ).only('pk'):
+        with transaction.atomic():
+            o = Order.objects.select_related('event').select_for_update().get(pk=o.pk)
+            if o.status != Order.STATUS_PENDING or o.expiry_reminder_sent:
+                # Race condition
+                continue
+            eventsettings = eventcache.get(o.event.pk, None)
+            if eventsettings is None:
+                eventsettings = o.event.settings
+                eventcache[o.event.pk] = eventsettings
 
-        days = eventsettings.get('mail_days_order_expire_warning', as_type=int)
-        tz = pytz.timezone(eventsettings.get('timezone', settings.TIME_ZONE))
-        if days and (o.expires - today).days <= days:
-            with language(o.locale):
-                o.expiry_reminder_sent = True
-                o.save()
-                try:
-                    invoice_name = o.invoice_address.name
-                    invoice_company = o.invoice_address.company
-                except InvoiceAddress.DoesNotExist:
-                    invoice_name = ""
-                    invoice_company = ""
-                email_template = eventsettings.mail_text_order_expire_warning
-                email_context = {
-                    'event': o.event.name,
-                    'url': build_absolute_uri(o.event, 'presale:event.order', kwargs={
-                        'order': o.code,
-                        'secret': o.secret
-                    }),
-                    'expire_date': date_format(o.expires.astimezone(tz), 'SHORT_DATE_FORMAT'),
-                    'invoice_name': invoice_name,
-                    'invoice_company': invoice_company,
-                }
-                if eventsettings.payment_term_expire_automatically:
-                    email_subject = _('Your order is about to expire: %(code)s') % {'code': o.code}
-                else:
-                    email_subject = _('Your order is pending payment: %(code)s') % {'code': o.code}
+            days = eventsettings.get('mail_days_order_expire_warning', as_type=int)
+            tz = pytz.timezone(eventsettings.get('timezone', settings.TIME_ZONE))
+            if days and (o.expires - today).days <= days:
+                with language(o.locale):
+                    o.expiry_reminder_sent = True
+                    o.save(update_fields=['expiry_reminder_sent'])
+                    try:
+                        invoice_name = o.invoice_address.name
+                        invoice_company = o.invoice_address.company
+                    except InvoiceAddress.DoesNotExist:
+                        invoice_name = ""
+                        invoice_company = ""
+                    email_template = eventsettings.mail_text_order_expire_warning
+                    email_context = {
+                        'event': o.event.name,
+                        'url': build_absolute_uri(o.event, 'presale:event.order', kwargs={
+                            'order': o.code,
+                            'secret': o.secret
+                        }),
+                        'expire_date': date_format(o.expires.astimezone(tz), 'SHORT_DATE_FORMAT'),
+                        'invoice_name': invoice_name,
+                        'invoice_company': invoice_company,
+                    }
+                    if eventsettings.payment_term_expire_automatically:
+                        email_subject = _('Your order is about to expire: %(code)s') % {'code': o.code}
+                    else:
+                        email_subject = _('Your order is pending payment: %(code)s') % {'code': o.code}
 
-                try:
-                    o.send_mail(
-                        email_subject, email_template, email_context,
-                        'pretix.event.order.email.expire_warning_sent'
-                    )
-                except SendMailException:
-                    logger.exception('Reminder email could not be sent')
+                    try:
+                        o.send_mail(
+                            email_subject, email_template, email_context,
+                            'pretix.event.order.email.expire_warning_sent'
+                        )
+                    except SendMailException:
+                        logger.exception('Reminder email could not be sent')
 
 
 @receiver(signal=periodic_task)
@@ -706,6 +718,7 @@ def send_download_reminders(sender, **kwargs):
     today = now().replace(hour=0, minute=0, second=0, microsecond=0)
 
     for e in Event.objects.filter(date_from__gte=today):
+
         days = e.settings.get('mail_days_download_reminder', as_type=int)
         if days is None:
             continue
@@ -714,29 +727,35 @@ def send_download_reminders(sender, **kwargs):
 
         if now() < reminder_date:
             continue
-        for o in e.orders.filter(status=Order.STATUS_PAID, download_reminder_sent=False):
-            if not all([r for rr, r in allow_ticket_download.send(e, order=o)]):
-                continue
+        for o in e.orders.filter(status=Order.STATUS_PAID, download_reminder_sent=False, datetime__lte=now() - timedelta(hours=2)).only('pk'):
+            with transaction.atomic():
+                o = Order.objects.select_related('event').select_for_update().get(pk=o.pk)
+                if o.download_reminder_sent:
+                    # Race condition
+                    continue
+                if not all([r for rr, r in allow_ticket_download.send(e, order=o)]):
+                    continue
 
-            with language(o.locale):
-                o.download_reminder_sent = True
-                o.save()
-                email_template = e.settings.mail_text_download_reminder
-                email_context = {
-                    'event': o.event.name,
-                    'url': build_absolute_uri(o.event, 'presale:event.order', kwargs={
-                        'order': o.code,
-                        'secret': o.secret
-                    }),
-                }
-                email_subject = _('Your ticket is ready for download: %(code)s') % {'code': o.code}
-                try:
-                    o.send_mail(
-                        email_subject, email_template, email_context,
-                        'pretix.event.order.email.download_reminder_sent'
-                    )
-                except SendMailException:
-                    logger.exception('Reminder email could not be sent')
+                with language(o.locale):
+                    o.download_reminder_sent = True
+                    o.save(update_fields=['download_reminder_sent'])
+                    email_template = e.settings.mail_text_download_reminder
+                    email_context = {
+                        'event': o.event.name,
+                        'url': build_absolute_uri(o.event, 'presale:event.order', kwargs={
+                            'order': o.code,
+                            'secret': o.secret
+                        }),
+                    }
+                    email_subject = _('Your ticket is ready for download: %(code)s') % {'code': o.code}
+                    try:
+                        o.send_mail(
+                            email_subject, email_template, email_context,
+                            'pretix.event.order.email.download_reminder_sent',
+                            attach_tickets=True
+                        )
+                    except SendMailException:
+                        logger.exception('Reminder email could not be sent')
 
 
 class OrderChangeManager:
@@ -907,16 +926,32 @@ class OrderChangeManager:
 
     def _check_paid_price_change(self):
         if self.order.status == Order.STATUS_PAID and self._totaldiff > 0:
-            self.order.status = Order.STATUS_PENDING
-            self.order.set_expires(
-                now(),
-                self.order.event.subevents.filter(id__in=self.order.positions.values_list('subevent_id', flat=True))
-            )
-            self.order.save()
+            if self.order.pending_sum > Decimal('0.00'):
+                self.order.status = Order.STATUS_PENDING
+                self.order.set_expires(
+                    now(),
+                    self.order.event.subevents.filter(id__in=self.order.positions.values_list('subevent_id', flat=True))
+                )
+                self.order.save()
         elif self.order.status in (Order.STATUS_PENDING, Order.STATUS_EXPIRED) and self._totaldiff < 0:
             if self.order.pending_sum <= Decimal('0.00'):
                 self.order.status = Order.STATUS_PAID
                 self.order.save()
+            elif self.open_payment:
+                self.open_payment.state = OrderPayment.PAYMENT_STATE_CANCELED
+                self.open_payment.save()
+                self.order.log_action('pretix.event.order.payment.canceled', {
+                    'local_id': self.open_payment.local_id,
+                    'provider': self.open_payment.provider,
+                }, user=self.user, auth=self.auth)
+        elif self.order.status in (Order.STATUS_PENDING, Order.STATUS_EXPIRED) and self._totaldiff > 0:
+            if self.open_payment:
+                self.open_payment.state = OrderPayment.PAYMENT_STATE_CANCELED
+                self.open_payment.save()
+                self.order.log_action('pretix.event.order.payment.canceled', {
+                    'local_id': self.open_payment.local_id,
+                    'provider': self.open_payment.provider,
+                }, user=self.user, auth=self.auth)
 
     def _check_paid_to_free(self):
         if self.order.total == 0 and (self._totaldiff < 0 or (self.split_order and self.split_order.total > 0)):
@@ -1008,6 +1043,7 @@ class OrderChangeManager:
                         'addon_to': opa.addon_to_id,
                         'old_price': opa.price,
                     })
+                    opa.delete()
                 self.order.log_action('pretix.event.order.changed.cancel', user=self.user, auth=self.auth, data={
                     'position': op.position.pk,
                     'positionid': op.position.positionid,
@@ -1166,7 +1202,7 @@ class OrderChangeManager:
                 fee.save()
                 if not self.open_payment.fee:
                     self.open_payment.fee = fee
-                    self.open_payment.save()
+                    self.open_payment.save(update_fields=['fee'])
             elif fee:
                 fee.delete()
 
@@ -1287,11 +1323,13 @@ class OrderChangeManager:
 
 @app.task(base=ProfiledTask, bind=True, max_retries=5, default_retry_delay=1, throws=(OrderError,))
 def perform_order(self, event: str, payment_provider: str, positions: List[str],
-                  email: str=None, locale: str=None, address: int=None, meta_info: dict=None):
+                  email: str=None, locale: str=None, address: int=None, meta_info: dict=None,
+                  sales_channel: str='web'):
     with language(locale):
         try:
             try:
-                return _perform_order(event, payment_provider, positions, email, locale, address, meta_info)
+                return _perform_order(event, payment_provider, positions, email, locale, address, meta_info,
+                                      sales_channel)
             except LockTimeoutException:
                 self.retry()
         except (MaxRetriesExceededError, LockTimeoutException):
@@ -1299,10 +1337,11 @@ def perform_order(self, event: str, payment_provider: str, positions: List[str],
 
 
 @app.task(base=ProfiledTask, bind=True, max_retries=5, default_retry_delay=1, throws=(OrderError,))
-def cancel_order(self, order: int, user: int=None, send_mail: bool=True, api_token=None, oauth_application=None):
+def cancel_order(self, order: int, user: int=None, send_mail: bool=True, api_token=None, oauth_application=None,
+                 device=None):
     try:
         try:
-            return _cancel_order(order, user, send_mail, api_token, oauth_application)
+            return _cancel_order(order, user, send_mail, api_token, device, oauth_application)
         except LockTimeoutException:
             self.retry()
     except (MaxRetriesExceededError, LockTimeoutException):

src/pretix/base/services/tickets.py

@@ -1,5 +1,5 @@
+import logging
 import os
-from datetime import timedelta
 
 from django.core.files.base import ContentFile
 from django.utils.timezone import now
@@ -11,59 +11,56 @@ from pretix.base.models import (
     OrderPosition,
 )
 from pretix.base.services.tasks import ProfiledTask
-from pretix.base.signals import register_ticket_outputs
+from pretix.base.settings import PERSON_NAME_SCHEMES
+from pretix.base.signals import allow_ticket_download, register_ticket_outputs
 from pretix.celery_app import app
 from pretix.helpers.database import rolledback_transaction
 
+logger = logging.getLogger(__name__)
 
-@app.task(base=ProfiledTask)
-def generate(order_position: str, provider: str):
+
+def generate_orderposition(order_position: int, provider: str):
     order_position = OrderPosition.objects.select_related('order', 'order__event').get(id=order_position)
-    try:
-        ct = CachedTicket.objects.get(order_position=order_position, provider=provider)
-    except CachedTicket.MultipleObjectsReturned:
-        CachedTicket.objects.filter(order_position=order_position, provider=provider).delete()
-        ct = CachedTicket.objects.create(order_position=order_position, provider=provider, extension='',
-                                         type='', file=None)
-    except CachedTicket.DoesNotExist:
-        ct = CachedTicket.objects.create(order_position=order_position, provider=provider, extension='',
-                                         type='', file=None)
 
     with language(order_position.order.locale):
         responses = register_ticket_outputs.send(order_position.order.event)
         for receiver, response in responses:
             prov = response(order_position.order.event)
             if prov.identifier == provider:
-                filename, ct.type, data = prov.generate(order_position)
+                filename, ttype, data = prov.generate(order_position)
                 path, ext = os.path.splitext(filename)
-                ct.extension = ext
-                ct.save()
+                for ct in CachedTicket.objects.filter(order_position=order_position, provider=provider):
+                    ct.delete()
+                ct = CachedTicket.objects.create(order_position=order_position, provider=provider,
+                                                 extension=ext, type=ttype, file=None)
                 ct.file.save(filename, ContentFile(data))
+                return ct.pk
 
 
-@app.task(base=ProfiledTask)
 def generate_order(order: int, provider: str):
     order = Order.objects.select_related('event').get(id=order)
-    try:
-        ct = CachedCombinedTicket.objects.get(order=order, provider=provider)
-    except CachedCombinedTicket.MultipleObjectsReturned:
-        CachedCombinedTicket.objects.filter(order=order, provider=provider).delete()
-        ct = CachedCombinedTicket.objects.create(order=order, provider=provider, extension='',
-                                                 type='', file=None)
-    except CachedCombinedTicket.DoesNotExist:
-        ct = CachedCombinedTicket.objects.create(order=order, provider=provider, extension='',
-                                                 type='', file=None)
 
     with language(order.locale):
         responses = register_ticket_outputs.send(order.event)
         for receiver, response in responses:
             prov = response(order.event)
             if prov.identifier == provider:
-                filename, ct.type, data = prov.generate_order(order)
+                filename, ttype, data = prov.generate_order(order)
                 path, ext = os.path.splitext(filename)
-                ct.extension = ext
-                ct.save()
+                for ct in CachedCombinedTicket.objects.filter(order=order, provider=provider):
+                    ct.delete()
+                ct = CachedCombinedTicket.objects.create(order=order, provider=provider, extension=ext,
+                                                         type=ttype, file=None)
                 ct.file.save(filename, ContentFile(data))
+                return ct.pk
+
+
+@app.task(base=ProfiledTask)
+def generate(model: str, pk: int, provider: str):
+    if model == 'order':
+        return generate_order(pk, provider)
+    elif model == 'orderposition':
+        return generate_orderposition(pk, provider)
 
 
 class DummyRollbackException(Exception):
@@ -84,11 +81,13 @@ def preview(event: int, provider: str):
                                     locale=event.settings.locale,
                                     expires=now(), code="PREVIEW1234", total=119)
 
-        p = order.positions.create(item=item, attendee_name=_("John Doe"), price=item.default_price)
-        order.positions.create(item=item2, attendee_name=_("John Doe"), price=item.default_price, addon_to=p)
-        order.positions.create(item=item2, attendee_name=_("John Doe"), price=item.default_price, addon_to=p)
+        scheme = PERSON_NAME_SCHEMES[event.settings.name_scheme]
+        sample = {k: str(v) for k, v in scheme['sample'].items()}
+        p = order.positions.create(item=item, attendee_name_parts=sample, price=item.default_price)
+        order.positions.create(item=item2, attendee_name_parts=sample, price=item.default_price, addon_to=p)
+        order.positions.create(item=item2, attendee_name_parts=sample, price=item.default_price, addon_to=p)
 
-        InvoiceAddress.objects.create(order=order, name=_("John Doe"), company=_("Sample company"))
+        InvoiceAddress.objects.create(order=order, name_parts=sample, company=_("Sample company"))
 
         responses = register_ticket_outputs.send(event)
         for receiver, response in responses:
@@ -97,41 +96,61 @@ def preview(event: int, provider: str):
                 return prov.generate(p)
 
 
-def get_cachedticket_for_position(pos, identifier):
-    try:
-        ct = CachedTicket.objects.filter(
-            order_position=pos, provider=identifier
-        ).last()
-    except CachedTicket.DoesNotExist:
-        ct = None
+def get_tickets_for_order(order):
+    can_download = all([r for rr, r in allow_ticket_download.send(order.event, order=order)])
+    if not can_download:
+        return []
+    if not order.ticket_download_available:
+        return []
 
-    if not ct:
-        ct = CachedTicket.objects.create(
-            order_position=pos, provider=identifier,
-            extension='', type='', file=None)
-        generate.apply_async(args=(pos.id, identifier))
+    providers = [
+        response(order.event)
+        for receiver, response
+        in register_ticket_outputs.send(order.event)
+    ]
 
-    if not ct.file:
-        if now() - ct.created > timedelta(minutes=5):
-            generate.apply_async(args=(pos.id, identifier))
-    return ct
+    tickets = []
 
+    for p in providers:
+        if not p.is_enabled:
+            continue
 
-def get_cachedticket_for_order(order, identifier):
-    try:
-        ct = CachedCombinedTicket.objects.filter(
-            order=order, provider=identifier
-        ).last()
-    except CachedCombinedTicket.DoesNotExist:
-        ct = None
+        if p.multi_download_enabled:
+            try:
+                ct = CachedCombinedTicket.objects.filter(
+                    order=order, provider=p.identifier, file__isnull=False
+                ).last()
+                if not ct or not ct.file:
+                    retval = generate.apply(args=('order', order.pk, p.identifier))
+                    ct = CachedCombinedTicket.objects.get(pk=retval.get())
+                tickets.append((
+                    "{}-{}-{}{}".format(
+                        order.event.slug.upper(), order.code, ct.provider, ct.extension,
+                    ),
+                    ct
+                ))
+            except:
+                logger.exception('Failed to generate ticket.')
+        else:
+            for pos in order.positions.all():
+                if pos.addon_to and not order.event.settings.ticket_download_addons:
+                    continue
+                if not pos.item.admission and not order.event.settings.ticket_download_nonadm:
+                    continue
+                try:
+                    ct = CachedTicket.objects.filter(
+                        order_position=pos, provider=p.identifier, file__isnull=False
+                    ).last()
+                    if not ct or not ct.file:
+                        retval = generate.apply(args=('orderposition', pos.pk, p.identifier))
+                        ct = CachedTicket.objects.get(pk=retval.get())
+                    tickets.append((
+                        "{}-{}-{}-{}{}".format(
+                            order.event.slug.upper(), order.code, pos.positionid, ct.provider, ct.extension,
+                        ),
+                        ct
+                    ))
+                except:
+                    logger.exception('Failed to generate ticket.')
 
-    if not ct:
-        ct = CachedCombinedTicket.objects.create(
-            order=order, provider=identifier,
-            extension='', type='', file=None)
-        generate_order.apply_async(args=(order.id, identifier))
-
-    if not ct.file:
-        if now() - ct.created > timedelta(minutes=5):
-            generate_order.apply_async(args=(order.id, identifier))
-    return ct
+    return tickets