Release 1.9.1

* Fix duplicate source string

* occured -> occurred

All resources I could find listed this as misspelled, but I wasn't too
sure…
Also, it should be checked if all changes to the .po-files are respected
in the corresponding src-files.

.gitattributes

@@ -5,6 +5,7 @@ src/static/moment/* linguist-vendored
 src/static/datetimepicker/* linguist-vendored
 src/static/colorpicker/* linguist-vendored
 src/static/fileupload/* linguist-vendored
+src/static/vuejs/* linguist-vendored
 src/static/charts/* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/fabric.* linguist-vendored
 src/pretix/plugins/ticketoutputpdf/static/pretixplugins/ticketoutputpdf/pdf.* linguist-vendored

.travis.yml

@@ -12,29 +12,29 @@ services:
   - postgresql
 matrix:
   include:
-    - python: 3.4
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/sqlite.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/sqlite.cfg
     - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/sqlite.cfg
-    - python: 3.4
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
-    - python: 3.4
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.5
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
-      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
-    - python: 3.6
-      env: JOB=style
-    - python: 3.6
-      env: JOB=plugins
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
     - python: 3.6
       env: JOB=tests-cov
+    - python: 3.6
+      env: JOB=style
+    - python: 3.4
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_sqlite.cfg
+    - python: 3.4
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
+    - python: 3.6
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
+    - python: 3.4
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.6
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.6
+      env: JOB=plugins
 addons:
   postgresql: "9.4"

doc/_themes/pretix_theme/static/css/pretix.css

@@ -6063,3 +6063,39 @@ url('../opensans_regular_macroman/OpenSans-Regular-webfont.svg#open_sansregular'
         white-space: normal;
     }
 }
+
+img.screenshot, a.screenshot img {
+    box-shadow: 0 4px 18px 0 rgba(0,0,0,0.1), 0 6px 20px 0 rgba(0,0,0,0.09);
+}
+
+/* Changes */
+.versionchanged {
+    background: #e7f2fa;
+    padding: 12px;
+    line-height: 24px;
+    margin-bottom: 24px;
+    -webkit-font-smoothing: antialiased;
+}
+.versionmodified {
+    background: #6ab0de;
+    font-weight: bold;
+    display: block;
+    color: #fff;
+    margin: -12px;
+    padding: 6px 12px;
+    margin-bottom: 12px;
+    font-family: inherit;
+}
+.versionmodified:before {
+    font-family: "FontAwesome";
+    display: inline-block;
+    font-style: normal;
+    font-weight: normal;
+    line-height: 1;
+    text-decoration: inherit;
+    content: "";
+    margin-right: 4px;
+}
+.versionchanged p:last-child {
+    margin-bottom: 0;
+}

doc/admin/config.rst

@@ -60,6 +60,14 @@ Example::
 ``password_reset``
     Enables or disables password reset. Defaults to ``on``.
 
+``long_sessions``
+    Enables or disables the "keep me logged in" button. Defaults to ``on``.
+
+``ecb_rates``
+    By default, pretix periodically downloads a XML file from the European Central Bank to retrieve exchange rates
+    that are used to print tax amounts in the customer currency on invoices for some currencies. Set to ``off`` to
+    disable this feature. Defaults to ``on``.
+
 
 Locale settings
 ---------------
@@ -164,14 +172,9 @@ Django settings
 Example::
 
     [django]
-    hosts=localhost
     secret=j1kjps5a5&4ilpn912s7a1!e2h!duz^i3&idu@_907s$wrz@x-
     debug=off
 
-``hosts``
-    Comma-separated list of allowed host names for this installation.
-    Default: ``localhost``
-
 ``secret``
     The secret to be used by Django for signing and verification purposes. If this
     setting is not provided, pretix will generate a random secret on the first start

doc/api/fundamentals.rst

@@ -4,6 +4,8 @@ Basic concepts
 This page describes basic concepts and definition that you need to know to interact
 with pretix' REST API, such as authentication, pagination and similar definitions.
 
+.. _`rest-auth`:
+
 Obtaining an API token
 ----------------------
 
@@ -13,12 +15,14 @@ or choose an existing team that has the level of permissions the token should ha
 create a new token using the form below the list of team members:
 
 .. image:: img/token_form.png
+   :class: screenshot
 
 You can enter a description for the token to distinguish from other tokens later on.
 Once you click "Add", you will be provided with an API token in the success message.
 Copy this token, as you won't be able to retrieve it again.
 
 .. image:: img/token_success.png
+   :class: screenshot
 
 Authentication
 --------------

doc/api/resources/categories.rst

@@ -44,7 +44,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -90,7 +90,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/api/resources/events.rst

@@ -26,8 +26,12 @@ presale_end                           datetime                   The date at whi
 location                              multi-lingual string       The event location (or ``null``)
 has_subevents                         boolean                    ``True`` if the event series feature is active for this
                                                                  event
+meta_data                             dict                       Values set for organizer-specific meta data parameters.
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.7
+
+   The ``meta_data`` field has been added.
 
 Endpoints
 ---------
@@ -50,7 +54,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -69,7 +73,8 @@ Endpoints
             "presale_start": null,
             "presale_end": null,
             "location": null,
-            "has_subevents": false
+            "has_subevents": false,
+            "meta_data": {}
           }
         ]
       }
@@ -98,7 +103,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "name": {"en": "Sample Conference"},
@@ -112,7 +117,8 @@ Endpoints
         "presale_start": null,
         "presale_end": null,
         "location": null,
-        "has_subevents": false
+        "has_subevents": false,
+        "meta_data": {}
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch

doc/api/resources/index.rst

@@ -7,6 +7,7 @@ Resources and endpoints
    organizers
    events
    subevents
+   taxrules
    categories
    items
    questions

doc/api/resources/invoices.rst

@@ -29,9 +29,19 @@ payment_provider_text                 string                     Text to be prin
 footer_text                           string                     Text to be printed in the page footer area
 lines                                 list of objects            The actual invoice contents
 ├ description                         string                     Text representing the invoice line (e.g. product name)
-├ gross_value                         money (string)             Price including VAT
-├ tax_value                           money (string)             VAT amount
-└ tax_rate                            decimal (string)           Used VAT rate
+├ gross_value                         money (string)             Price including taxes
+├ tax_value                           money (string)             Tax amount included
+├ tax_name                            string                     Name of used tax rate (e.g. "VAT")
+└ tax_rate                            decimal (string)           Used tax rate
+foreign_currency_display              string                     If the invoice should also show the total and tax
+                                                                 amount in a different currency, this contains the
+                                                                 currency code (``null`` otherwise).
+foreign_currency_rate                 decimal (string)           If ``foreign_currency_rate`` is set and the system
+                                                                 knows the exchange rate to the event currency at
+                                                                 invoicing time, it is stored here.
+foreign_currency_rate_date            date                       If ``foreign_currency_rate`` is set, this signifies the
+                                                                 date at which the currency rate was obtained.
+internal_reference                    string                     Customer's reference to be printed on the invoice.
 ===================================== ========================== =======================================================
 
 
@@ -42,6 +52,17 @@ lines                                 list of objects            The actual invo
    number.
 
 
+.. versionchanged:: 1.7
+
+   The attributes ``lines.tax_name``, ``foreign_currency_display``, ``foreign_currency_rate``, and
+   ``foreign_currency_rate_date`` have been added.
+
+
+.. versionchanged:: 1.9
+
+   The attribute ``internal_reference`` has been added.
+
+
 Endpoints
 ---------
 
@@ -63,7 +84,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -80,6 +101,7 @@ Endpoints
             "refers": null,
             "locale": "en",
             "introductory_text": "thank you for your purchase of the following items:",
+            "internal_reference": "",
             "additional_text": "We are looking forward to see you on our conference!",
             "payment_provider_text": "Please transfer the money to our account ABC…",
             "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
@@ -88,9 +110,13 @@ Endpoints
                 "description": "Budget Ticket",
                 "gross_value": "23.00",
                 "tax_value": "0.00",
+                "tax_name": "VAT",
                 "tax_rate": "0.00"
               }
-            ]
+            ],
+            "foreign_currency_display": "PLN",
+            "foreign_currency_rate": "4.2408",
+            "foreign_currency_rate_date": "2017-07-24"
           }
         ]
       }
@@ -127,7 +153,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "number": "SAMPLECONF-00001",
@@ -139,6 +165,7 @@ Endpoints
         "refers": null,
         "locale": "en",
         "introductory_text": "thank you for your purchase of the following items:",
+        "internal_reference": "",
         "additional_text": "We are looking forward to see you on our conference!",
         "payment_provider_text": "Please transfer the money to our account ABC…",
         "footer_text": "Big Events LLC - Registration No. 123456 - VAT ID: EU0987654321",
@@ -147,9 +174,13 @@ Endpoints
             "description": "Budget Ticket",
             "gross_value": "23.00",
             "tax_value": "0.00",
+            "tax_name": "VAT",
             "tax_rate": "0.00"
           }
-        ]
+        ],
+        "foreign_currency_display": "PLN",
+        "foreign_currency_rate": "4.2408",
+        "foreign_currency_rate_date": "2017-07-24"
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch

doc/api/resources/items.rst

@@ -27,6 +27,7 @@ free_price                            boolean                    If ``True``, cu
                                                                  lower than the price defined by ``default_price`` or
                                                                  otherwise).
 tax_rate                              decimal (string)           The VAT rate to be applied for this item.
+tax_rule                              integer                    The internal ID of the applied tax rule (or ``null``).
 admission                             boolean                    ``True`` for items that grant admission to the event
                                                                  (such as primary tickets) and ``False`` for others
                                                                  (such as add-ons or merchandise).
@@ -49,6 +50,9 @@ min_per_order                         integer                    This product ca
 max_per_order                         integer                    This product can only be bought if it is included at
                                                                  most this many times in the order (or ``null`` for no
                                                                  limitation).
+checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+                                                                 that this ticket requires special attention if such
+                                                                 a product is being scanned.
 has_variations                        boolean                    Shows whether or not this item has variations
                                                                  (read-only).
 variations                            list of objects            A list with one object for each variation of this item.
@@ -70,6 +74,11 @@ addons                                list of objects            Definition of a
 └ position                            integer                    An integer, used for sorting
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.7
+
+   The attribute ``tax_rule`` has been added. ``tax_rate`` is kept for compatibility. The attribute
+   ``checkin_attention`` has been added.
+
 
 Endpoints
 ---------
@@ -92,7 +101,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -108,6 +117,7 @@ Endpoints
             "description": null,
             "free_price": false,
             "tax_rate": "0.00",
+            "tax_rule": 1,
             "admission": false,
             "position": 0,
             "picture": null,
@@ -118,6 +128,7 @@ Endpoints
             "allow_cancel": true,
             "min_per_order": null,
             "max_per_order": null,
+            "checkin_attention": false,
             "has_variations": false,
             "variations": [
               {
@@ -177,7 +188,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -188,6 +199,7 @@ Endpoints
         "description": null,
         "free_price": false,
         "tax_rate": "0.00",
+        "tax_rule": 1,
         "admission": false,
         "position": 0,
         "picture": null,
@@ -198,6 +210,7 @@ Endpoints
         "allow_cancel": true,
         "min_per_order": null,
         "max_per_order": null,
+        "checkin_attention": false,
         "has_variations": false,
         "variations": [
           {

doc/api/resources/orders.rst

@@ -27,20 +27,39 @@ expires                               datetime                   The order will
 payment_date                          date                       Date of payment receival
 payment_provider                      string                     Payment provider used for this order
 payment_fee                           money (string)             Payment fee included in this order's total
-payment_fee_tax_rate                  decimal (string)           VAT rate applied to the payment fee
-payment_fee_tax_value                 money (string)             VAT value included in the payment fee
+payment_fee_tax_rate                  decimal (string)           Tax rate applied to the payment fee
+payment_fee_tax_value                 money (string)             Tax value included in the payment fee
+payment_fee_tax_rule                  integer                    The ID of the used tax rule (or ``null``)
 total                                 money (string)             Total value of this order
 comment                               string                     Internal comment on this order
 invoice_address                       object                     Invoice address information (can be ``null``)
 ├ last_modified                       datetime                   Last modification date of the address
 ├ company                             string                     Customer company name
+├ is_business                         boolean                    Business or individual customers (always ``False``
+                                                                 for orders created before pretix 1.7, do not rely on
+                                                                 it).
 ├ name                                string                     Customer name
 ├ street                              string                     Customer street
 ├ zipcode                             string                     Customer ZIP code
 ├ city                                string                     Customer city
 ├ country                             string                     Customer country
-└ vat_id                              string                     Customer VAT ID
+├ internal_reference                  string                     Customer's internal reference to be printed on the invoice
+├ vat_id                              string                     Customer VAT ID
+└ vat_id_validated                    string                     ``True``, if the VAT ID has been validated against the
+                                                                 EU VAT service and validation was successful. This only
+                                                                 happens in rare cases.
 position                              list of objects            List of order positions (see below)
+fees                                  list of objects            List of fees included in the order total (i.e.
+                                                                 payment fees)
+├ fee_type                            string                     Type of fee (currently ``payment``, ``passbook``,
+                                                                 ``other``)
+├ value                               money (string)             Fee amount
+├ description                         string                     Human-readable string with more details (can be empty)
+├ internal_type                       string                     Internal string (i.e. ID of the payment provider),
+                                                                 can be empty
+├ tax_rate                            decimal (string)           VAT rate applied for this fee
+├ tax_value                           money (string)             VAT included in this fee
+└ tax_rule                            integer                    The ID of the used tax rule (or ``null``)
 downloads                             list of objects            List of ticket download options for order-wise ticket
                                                                  downloading. This might be a multi-page PDF or a ZIP
                                                                  file of tickets for outputs that do not support
@@ -56,6 +75,16 @@ downloads                             list of objects            List of ticket
    The ``invoice_address.country`` attribute contains a two-letter country code for all new orders. For old orders,
    a custom text might still be returned.
 
+.. versionchanged:: 1.7
+
+   The attributes ``invoice_address.vat_id_validated`` and ``invoice_address.is_business`` have been added.
+   The attributes ``order.payment_fee``, ``order.payment_fee_tax_rate`` and ``order.payment_fee_tax_value`` have been
+   deprecated in favour of the new ``fees`` attribute but will still be served and removed in 1.9.
+
+.. versionchanged:: 1.9
+
+   First write operations (``…/mark_paid/``, ``…/mark_pending/``, ``…/mark_canceled/``, ``…/mark_expired/``) have been added.
+   The attribute ``invoice_address.internal_reference`` has been added.
 
 Order position resource
 -----------------------
@@ -76,6 +105,7 @@ attendee_email                        string                     Specified atten
 voucher                               integer                    Internal ID of the voucher used for this position (or ``null``)
 tax_rate                              decimal (string)           VAT rate applied for this position
 tax_value                             money (string)             VAT included in this position
+tax_rule                              integer                    The ID of the used tax rule (or ``null``)
 secret                                string                     Secret code printed on the tickets for validation
 addon_to                              integer                    Internal ID of the position this position is an add-on for (or ``null``)
 subevent                              integer                    ID of the date inside an event series this position belongs to (or ``null``).
@@ -90,6 +120,10 @@ answers                               list of objects            Answers to user
 └ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.7
+
+   The attribute ``tax_rule`` has been added.
+
 
 Order endpoints
 ---------------
@@ -112,7 +146,7 @@ Order endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -129,20 +163,21 @@ Order endpoints
             "expires": "2017-12-10T10:00:00Z",
             "payment_date": "2017-12-05",
             "payment_provider": "banktransfer",
-            "payment_fee": "0.00",
-            "payment_fee_tax_rate": "0.00",
-            "payment_fee_tax_value": "0.00",
+            "fees": [],
             "total": "23.00",
             "comment": "",
             "invoice_address": {
                 "last_modified": "2017-12-01T10:00:00Z",
+                "is_business": True,
                 "company": "Sample company",
                 "name": "John Doe",
                 "street": "Test street 12",
                 "zipcode": "12345",
                 "city": "Testington",
                 "country": "Testikistan",
-                "vat_id": "EU123456789"
+                "internal_reference": "",
+                "vat_id": "EU123456789",
+                "vat_id_validated": False
             },
             "positions": [
               {
@@ -157,6 +192,7 @@ Order endpoints
                 "voucher": null,
                 "tax_rate": "0.00",
                 "tax_value": "0.00",
+                "tax_rule": null,
                 "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
                 "addon_to": null,
                 "subevent": null,
@@ -221,7 +257,7 @@ Order endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "code": "ABC12",
@@ -233,20 +269,21 @@ Order endpoints
         "expires": "2017-12-10T10:00:00Z",
         "payment_date": "2017-12-05",
         "payment_provider": "banktransfer",
-        "payment_fee": "0.00",
-        "payment_fee_tax_rate": "0.00",
-        "payment_fee_tax_value": "0.00",
+        "fees": [],
         "total": "23.00",
         "comment": "",
         "invoice_address": {
             "last_modified": "2017-12-01T10:00:00Z",
             "company": "Sample company",
+            "is_business": True,
             "name": "John Doe",
             "street": "Test street 12",
             "zipcode": "12345",
             "city": "Testington",
             "country": "Testikistan",
-            "vat_id": "EU123456789"
+            "internal_reference": "",
+            "vat_id": "EU123456789",
+            "vat_id_validated": False
         },
         "positions": [
           {
@@ -260,6 +297,7 @@ Order endpoints
             "attendee_email": null,
             "voucher": null,
             "tax_rate": "0.00",
+            "tax_rule": null,
             "tax_value": "0.00",
             "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
             "addon_to": null,
@@ -298,6 +336,7 @@ Order endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
 
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/download/(output)/
 
@@ -336,9 +375,206 @@ Order endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource
                     **or** downlodas are not available for this order at this time. The response content will
                     contain more details.
+   :statuscode 404: The requested order or output provider does not exist.
    :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting vor a few
                           seconds.
 
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_paid/
+
+   Marks a pending or expired order as successfully paid.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_paid/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "p",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as paid, either because the current order status does not allow it or because no quota is left to perform the operation.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_canceled/
+
+   Marks a pending order as canceled.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_canceled/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: text/json
+
+      {
+          "send_email": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "c",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as canceled since the current order status does not allow it.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_pending/
+
+   Marks a paid order as unpaid.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_pending/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "n",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as unpaid since the current order status does not allow it.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_expired/
+
+   Marks a unpaid order as expired.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_expired/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "e",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be marked as expired since the current order status does not allow it.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/extend/
+
+   Extends the payment deadline of a pending order. If the order is already expired and quota is still
+   available, its state will be changed to pending.
+
+   The only required parameter of this operation is ``expires``, which should contain a date in the future.
+   Note that only a date is expected, not a datetime, since pretix will always set the deadline to the end of the
+   day in the event's timezone.
+
+   You can pass the optional parameter ``force``. If it is set to ``true``, the operation will be performed even if
+   it leads to an overbooked quota because the order was expired and the tickets have been sold again.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/extend/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: text/json
+
+      {
+          "expires": "2017-10-28",
+          "force": false
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "code": "ABC12",
+        "status": "n",
+        "expires": "2017-10-28T23:59:59Z",
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to modify
+   :statuscode 200: no error
+   :statuscode 400: The order cannot be extended since the current order status does not allow it or no quota is available or the submitted date is invalid.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+
 
 Order position endpoints
 ------------------------
@@ -361,7 +597,7 @@ Order position endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -379,6 +615,7 @@ Order position endpoints
             "attendee_email": null,
             "voucher": null,
             "tax_rate": "0.00",
+            "tax_rule": null,
             "tax_value": "0.00",
             "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
             "addon_to": null,
@@ -444,7 +681,7 @@ Order position endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 23442,
@@ -457,6 +694,7 @@ Order position endpoints
         "attendee_email": null,
         "voucher": null,
         "tax_rate": "0.00",
+        "tax_rule": null,
         "tax_value": "0.00",
         "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
         "addon_to": null,
@@ -487,6 +725,7 @@ Order position endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order position does not exist.
 
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/(id)/download/(output)/
 
@@ -526,5 +765,6 @@ Order position endpoints
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource
                     **or** downlodas are not available for this order position at this time. The response content will
                     contain more details.
+   :statuscode 404: The requested order position or download provider does not exist.
    :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting vor a few
                     seconds.

doc/api/resources/organizers.rst

@@ -41,7 +41,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -77,7 +77,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "name": "Big Events LLC",

doc/api/resources/questions.rst

@@ -54,7 +54,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -113,7 +113,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/api/resources/quotas.rst

@@ -42,7 +42,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -88,7 +88,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -124,7 +124,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "available": true,

doc/api/resources/subevents.rst

@@ -31,8 +31,13 @@ variation_price_overrides             list of objects            List of variati
                                                                  the default price
 ├ variation                           integer                    The internal variation ID
 └ price                               money (string)             The price or ``null`` for the default price
+meta_data                             dict                       Values set for organizer-specific meta data parameters.
 ===================================== ========================== =======================================================
 
+.. versionchanged:: 1.7
+
+   The ``meta_data`` field has been added.
+
 
 Endpoints
 ---------
@@ -55,7 +60,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -78,7 +83,8 @@ Endpoints
                 "price": "12.00"
               }
             ],
-            "variation_price_overrides": []
+            "variation_price_overrides": [],
+            "meta_data": {}
           }
         ]
       }
@@ -108,7 +114,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -126,7 +132,8 @@ Endpoints
             "price": "12.00"
           }
         ],
-        "variation_price_overrides": []
+        "variation_price_overrides": [],
+        "meta_data": {}
       }
 
    :param organizer: The ``slug`` field of the organizer to fetch

doc/api/resources/taxrules.rst

@@ -0,0 +1,234 @@
+Tax rules
+=========
+
+Resource description
+--------------------
+
+Tax rules specify how tax should be calculated for specific products.
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the tax rule
+name                                  multi-lingual string       The tax rules' name
+rate                                  decimal (string)           Tax rate in percent
+price_includes_tax                    boolean                    If ``true`` (default), tax is assumed to be included in
+                                                                 the specified product price
+eu_reverse_charge                     boolean                    If ``true``, EU reverse charge rules are applied
+home_country                          string                     Merchant country (required for reverse charge), can be
+                                                                 ``null`` or empty string
+===================================== ========================== =======================================================
+
+.. versionchanged:: 1.7
+
+   This resource has been added.
+
+.. versionchanged:: 1.9
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/taxrules/
+
+   Returns a list of all tax rules configured for an event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/taxrules/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "name": {"en": "VAT"},
+            "rate": "19.00",
+            "price_includes_tax": true,
+            "eu_reverse_charge": false,
+            "home_country": "DE"
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/taxrules/(id)/
+
+   Returns information on one tax rule, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/taxrules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "VAT"},
+        "rate": "19.00",
+        "price_includes_tax": true,
+        "eu_reverse_charge": false,
+        "home_country": "DE"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the tax rule to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/taxrules/
+
+   Create a new tax rule.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/taxrules/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "name": {"en": "VAT"},
+        "rate": "19.00",
+        "price_includes_tax": true,
+        "eu_reverse_charge": false,
+        "home_country": "DE"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "VAT"},
+        "rate": "19.00",
+        "price_includes_tax": true,
+        "eu_reverse_charge": false,
+        "home_country": "DE"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a tax rule for
+   :param event: The ``slug`` field of the event to create a tax rule for
+   :statuscode 201: no error
+   :statuscode 400: The tax rule could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create tax rules.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/taxrules/(id)/
+
+   Update a tax rule. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be resetted to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/taxrules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "rate": "20.00",
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 1,
+        "name": {"en": "VAT"},
+        "rate": "20.00",
+        "price_includes_tax": true,
+        "eu_reverse_charge": false,
+        "home_country": "DE"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the tax rule to modify
+   :statuscode 200: no error
+   :statuscode 400: The tax rule could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/taxrules/(id)/
+
+   Delete a tax rule. Note that tax rules can only be deleted if they are not in use for any products, settings
+   or orders. If you cannot delete a tax rule, this method will return a ``403`` status code and you can only
+   discontinue using it everywhere else.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/taxrules/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the tax rule to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/rule does not exist **or** you have no permission to change it **or** this tax rule cannot be deleted since it is currently in use.

doc/api/resources/vouchers.rst

@@ -44,6 +44,10 @@ subevent                              integer                    ID of the date
 ===================================== ========================== =======================================================
 
 
+.. versionchanged:: 1.9
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
 Endpoints
 ---------
 
@@ -65,7 +69,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -136,7 +140,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,
@@ -162,3 +166,152 @@ Endpoints
    :statuscode 200: no error
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/vouchers/
+
+   Create a new voucher.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/vouchers/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      {
+        "code": "43K6LKM37FBVR2YG",
+        "max_usages": 1,
+        "valid_until": null,
+        "block_quota": false,
+        "allow_ignore_quota": false,
+        "price_mode": "set",
+        "value": "12.00",
+        "item": 1,
+        "variation": null,
+        "quota": null,
+        "tag": "testvoucher",
+        "comment": "",
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "code": "43K6LKM37FBVR2YG",
+        "max_usages": 1,
+        "redeemed": 0,
+        "valid_until": null,
+        "block_quota": false,
+        "allow_ignore_quota": false,
+        "price_mode": "set",
+        "value": "12.00",
+        "item": 1,
+        "variation": null,
+        "quota": null,
+        "tag": "testvoucher",
+        "comment": "",
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to create a voucher for
+   :param event: The ``slug`` field of the event to create a voucher for
+   :statuscode 201: no error
+   :statuscode 400: The voucher could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/vouchers/(id)/
+
+   Update a voucher. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be resetted to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+her.
+
+   You can change all fields of the resource except the ``id`` and ``redeemed`` fields.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/vouchers/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 408
+
+      {
+        "price_mode": "set",
+        "value": "24.00",
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "code": "43K6LKM37FBVR2YG",
+        "max_usages": 1,
+        "redeemed": 0,
+        "valid_until": null,
+        "block_quota": false,
+        "allow_ignore_quota": false,
+        "price_mode": "set",
+        "value": "24.00",
+        "item": 1,
+        "variation": null,
+        "quota": null,
+        "tag": "testvoucher",
+        "comment": "",
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the tax rule to modify
+   :statuscode 200: no error
+   :statuscode 400: The voucher could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+   :statuscode 409: The server was unable to acquire a lock and could not process your request. You can try again after a short waiting period.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/vouchers/(id)/
+
+   Delete a voucher. Note that you cannot delete a voucher if it already has been redeemed.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/vouchers/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the tax rule to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.

doc/api/resources/waitinglist.rst

@@ -48,7 +48,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "count": 1,
@@ -102,7 +102,7 @@ Endpoints
 
       HTTP/1.1 200 OK
       Vary: Accept
-      Content-Type: text/javascript
+      Content-Type: application/json
 
       {
         "id": 1,

doc/conf.py

@@ -13,6 +13,10 @@
 # All configuration values have a default; values that are commented out
 # serve to show the default.
 
+from docutils.parsers.rst.directives.admonitions import BaseAdmonition
+from sphinx.util import compat
+compat.make_admonition = BaseAdmonition  # See https://github.com/spinus/sphinxcontrib-images/issues/41
+
 import sys
 import os
 
@@ -38,9 +42,9 @@ django.setup()
 extensions = [
     'sphinx.ext.autodoc',
     'sphinx.ext.doctest',
-    'sphinx.ext.todo',
     'sphinx.ext.coverage',
     'sphinxcontrib.httpdomain',
+    'sphinxcontrib.images',
 ]
 
 # Add any paths that contain templates here, relative to this directory.
@@ -281,3 +285,8 @@ texinfo_documents = [
 
 # If true, do not generate a @detailmenu in the "Top" node's menu.
 #texinfo_no_detailmenu = False
+
+
+images_config = {
+    'default_image_width': '250px'
+}

doc/development/api/customview.rst

@@ -60,7 +60,85 @@ your views::
     def admin_view(request, organizer, event):
         ...
 
-Similarly, there is ``organizer_permission_required`` and ``OrganizerPermissionRequiredMixin``.
+Similarly, there is ``organizer_permission_required`` and ``OrganizerPermissionRequiredMixin``. In case of
+event-related views, there is also a signal that allows you to add the view to the event navigation like this::
+
+
+    from django.core.urlresolvers import resolve, reverse
+    from django.dispatch import receiver
+    from django.utils.translation import ugettext_lazy as _
+    from pretix.control.signals import nav_event
+
+
+    @receiver(nav_event, dispatch_uid='friends_tickets_nav')
+    def navbar_info(sender, request, **kwargs):
+        url = resolve(request.path_info)
+        if not request.user.has_event_permission(request.organizer, request.event, 'can_change_vouchers'):
+            return []
+        return [{
+            'label': _('My plugin view'),
+            'icon': 'heart',
+            'url': reverse('plugins:myplugin:index', kwargs={
+                'event': request.event.slug,
+                'organizer': request.organizer.slug,
+            }),
+            'active': url.namespace == 'plugins:myplugin' and url.url_name == 'review',
+        }]
+
+
+Event settings view
+-------------------
+
+A special case of a control panel view is a view hooked into the event settings page. For this case, there is a
+special navigation signal::
+
+    @receiver(nav_event_settings, dispatch_uid='friends_tickets_nav_settings')
+    def navbar_settings(sender, request, **kwargs):
+        url = resolve(request.path_info)
+        return [{
+            'label': _('My settings'),
+            'url': reverse('plugins:myplugin:settings', kwargs={
+                'event': request.event.slug,
+                'organizer': request.organizer.slug,
+            }),
+            'active': url.namespace == 'plugins:myplugin' and url.url_name == 'settings',
+        }]
+
+Also, your view should inherit from ``EventSettingsViewMixin`` and your template from ``pretixcontrol/event/settings_base.html``
+for good integration. If you just want to display a form, you could do it like the following::
+
+    class MySettingsView(EventSettingsViewMixin, EventSettingsFormView):
+        model = Event
+        permission = 'can_change_settings'
+        form_class = MySettingsForm
+        template_name = 'my_plugin/settings.html'
+
+        def get_success_url(self, **kwargs):
+            return reverse('plugins:myplugin:settings', kwargs={
+                'organizer': self.request.event.organizer.slug,
+                'event': self.request.event.slug,
+            })
+
+With this template::
+
+    {% extends "pretixcontrol/event/settings_base.html" %}
+    {% load i18n %}
+    {% load bootstrap3 %}
+    {% block title %} {% trans "Friends Tickets Settings" %} {% endblock %}
+    {% block inside %}
+        <form action="" method="post" class="form-horizontal">
+            {% csrf_token %}
+            <fieldset>
+                <legend>{% trans "Friends Tickets Settings" %}</legend>
+                {% bootstrap_form form layout="horizontal" %}
+            </fieldset>
+            <div class="form-group submit-group">
+                <button type="submit" class="btn btn-primary btn-save">
+                    {% trans "Save" %}
+                </button>
+            </div>
+        </form>
+    {% endblock %}
 
 Frontend views
 --------------
@@ -68,35 +146,34 @@ Frontend views
 Including a custom view into the participant-facing frontend is a little bit different as there is
 no path prefix like ``control/``.
 
-First, define your URL in your ``urls.py``, but this time in the ``event_patterns`` section::
+First, define your URL in your ``urls.py``, but this time in the ``event_patterns`` section and wrapped by
+``event_url``::
 
-    from django.conf.urls import url
+    from pretix.multidomain import event_url
 
     from . import views
 
     event_patterns = [
-        url(r'^mypluginname/', views.frontend_view, name='frontend'),
+        event_url(r'^mypluginname/', views.frontend_view, name='frontend'),
     ]
 
-You can then implement a view as you would normally do, but you need to apply a decorator to your
-view if you want pretix's default behavior::
-
-    from pretix.presale.utils import event_view
-
-    @event_view
-    def some_event_view(request, *args, **kwargs):
-        ...
-
-This decorator will check the URL arguments for their ``event`` and ``organizer`` parameters and
-correctly ensure that:
+You can then implement a view as you would normally do. It will be automatically ensured that:
 
 * The requested event exists
-* The requested event is activated (can be overridden by decorating with ``@event_view(require_live=False)``)
+* The requested event is active (you can disable this check using ``event_url(…, require_live=True)``)
 * The event is accessed via the domain it should be accessed
 * The ``request.event`` attribute contains the correct ``Event`` object
 * The ``request.organizer`` attribute contains the correct ``Organizer`` object
+* Your plugin is enabled
 * The locale is set correctly
 
+.. versionchanged:: 1.7
+
+   The ``event_url()`` wrapper has been added in 1.7 to replace the former ``@event_view`` decorator. The
+   ``event_url()`` wrapper is optional and using ``url()`` still works, but you will not be able to set the
+   ``require_live`` setting any more via the decorator. The ``@event_view`` decorator is now deprecated and
+   does nothing.
+
 REST API viewsets
 -----------------
 

doc/development/api/general.rst

@@ -19,13 +19,13 @@ Order events
 There are multiple signals that will be sent out in the ordering cycle:
 
 .. automodule:: pretix.base.signals
-   :members: validate_cart, order_paid, order_placed
+   :members: validate_cart, order_fee_calculation, order_paid, order_placed, order_fee_type_name, allow_ticket_download
 
 Frontend
 --------
 
 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_links, front_page_top, front_page_bottom, contact_form_fields, question_form_fields, checkout_confirm_messages
+   :members: html_head, html_footer, footer_links, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content
 
 
 .. automodule:: pretix.presale.signals
@@ -47,20 +47,26 @@ Backend
 -------
 
 .. automodule:: pretix.control.signals
-   :members: nav_event, html_head, quota_detail_html, nav_topbar, nav_global, nav_organizer
+   :members: nav_event, html_head, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings, order_info, event_settings_widget
 
 
 .. automodule:: pretix.base.signals
-   :members: logentry_display, requiredaction_display
+   :members: logentry_display, logentry_object_link, requiredaction_display
 
 Vouchers
 """"""""
 
 .. automodule:: pretix.control.signals
-   :members: voucher_form_class, voucher_form_html
+   :members: voucher_form_class, voucher_form_html, voucher_form_validation
 
 Dashboards
 """"""""""
 
 .. automodule:: pretix.control.signals
    :members: event_dashboard_widgets, user_dashboard_widgets
+
+Ticket designs
+""""""""""""""
+
+.. automodule:: pretix.plugins.ticketoutputpdf.signals
+   :members: layout_text_variables

doc/development/api/plugins.rst

@@ -114,6 +114,19 @@ method to make your receivers available::
         def ready(self):
             from . import signals  # NOQA
 
+You can optionally specify code that is executed when your plugin is activated for an event
+in the ``installed`` method::
+
+    class PaypalApp(AppConfig):
+        …
+
+        def installed(self, event):
+            pass  # Your code here
+
+
+Note that ``installed`` will *not* be called if the plugin in indirectly activated for an event
+because the event is created with settings copied from another event.
+
 Views
 -----
 

doc/development/concepts.rst

@@ -59,7 +59,7 @@ If an item is assigned to multiple quotas, it can only be bought if *all of them
 If multiple items are assigned to the same quota, the quota will be counted as sold out as soon as the
 *sum* of the two items exceeds the quota limit.
 
-The availability of a quota is currently calculated by substracting the following numbers from the quota
+The availability of a quota is currently calculated by subtracting the following numbers from the quota
 limit:
 
 * The number of orders placed for an item that are either already paid or within their granted payment period

doc/development/implementation/background.rst

@@ -14,7 +14,7 @@ Implementing a task
 A common pattern for implementing asynchronous tasks can be seen a lot in ``pretix.base.services``
 and looks like this::
 
-    from pretix.celery import app
+    from pretix.celery_app import app
 
     @app.task
     def my_task(argument1, argument2):

doc/development/implementation/models.rst

@@ -21,7 +21,7 @@ Organizers and events
    :members:
 
 .. autoclass:: pretix.base.models.Event
-   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, get_cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, active_subevents, invoice_renderer, settings
+   :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running, cache, lock, get_plugins, get_mail_backend, payment_term_last, get_payment_providers, get_invoice_renderers, active_subevents, invoice_renderer, settings
 
 .. autoclass:: pretix.base.models.SubEvent
    :members: get_date_from_display, get_time_from_display, get_date_to_display, get_date_range_display, presale_has_ended, presale_is_running
@@ -32,6 +32,15 @@ Organizers and events
 .. autoclass:: pretix.base.models.RequiredAction
    :members:
 
+.. autoclass:: pretix.base.models.EventMetaProperty
+   :members:
+
+.. autoclass:: pretix.base.models.EventMetaValue
+   :members:
+
+.. autoclass:: pretix.base.models.SubEventMetaValue
+   :members:
+
 
 Items
 -----

doc/development/index.rst

@@ -10,6 +10,3 @@ Developer documentation
    implementation/index
    api/index
    structure
-
-.. TODO::
-   Document settings objects, ItemVariation objects, form fields.

doc/development/setup.rst

@@ -20,7 +20,6 @@ Your should install the following on your system:
 
 * Python 3.4 or newer
 * ``pip`` for Python 3 (Debian package: ``python3-pip``)
-* ``pyvenv`` for Python 3 (Debian package: ``python3-venv``)
 * ``python-dev`` for Python 3 (Debian package: ``python3-dev``)
 * ``libffi`` (Debian package: ``libffi-dev``)
 * ``libssl`` (Debian package: ``libssl-dev``)
@@ -37,7 +36,7 @@ Please execute ``python -V`` or ``python3 -V`` to make sure you have Python 3.4
 execute ``pip3 -V`` to check. Then use Python's internal tools to create a virtual
 environment and activate it for your current session::
 
-    pyvenv env
+    python3 -m venv env
     source env/bin/activate
 
 You should now see a ``(env)`` prepended to your shell prompt. You have to do this

doc/plugins/pretixdroid.rst

@@ -99,6 +99,7 @@ uses to communicate with the pretix server.
             "variation": null,
             "attendee_name": "Peter Higgs",
             "redeemed": false,
+            "attention": false,
             "paid": true
           },
           ...
@@ -107,10 +108,10 @@ uses to communicate with the pretix server.
       }
 
    :query query: Search query
-         :query key: Secret API key
-         :statuscode 200: Valid request
-         :statuscode 404: Unknown organizer or event
-         :statuscode 403: Invalid authorization key
+   :query key: Secret API key
+   :statuscode 200: Valid request
+   :statuscode 404: Unknown organizer or event
+   :statuscode 403: Invalid authorization key
 
 .. http:get:: /pretixdroid/api/(organizer)/(event)/download/
 
@@ -140,6 +141,7 @@ uses to communicate with the pretix server.
             "variation": null,
             "attendee_name": "Peter Higgs",
             "redeemed": false,
+            "attention": false,
             "paid": true
           },
           ...

doc/requirements.txt

@@ -2,3 +2,4 @@
 sphinx
 sphinx-rtd-theme
 sphinxcontrib-httpdomain
+sphinxcontrib-images

doc/user/events/create.rst

@@ -0,0 +1,97 @@
+Creating an event
+=================
+
+After you have created an organizer account, the next step is to create your event. An event is the basic object in
+pretix that everything is organized around. One event corresponds to one ticket shop with all its products, quotas,
+orders and settings.
+
+To create an event, you can click the "Create a new event" tile on your dashboard or the button above the list of
+events. You will then be presented with the first step of event creation:
+
+.. thumbnail:: ../../screens/event/create_step1.png
+   :align: center
+   :class: screenshot
+
+Here, you first need to decide for the organizer the event belongs to. You will not be able to change this
+association later. This will determine default settings for the event, as well as access control to the event's
+settings.
+
+Second, you need to select the languages that the ticket shop should be available in. You can change this setting
+later, but if you select it correctly now, it will automatically ask you for all descriptions in the respective
+languages starting from the next step.
+
+Last on this page, you can decide if this event represents an event series. In this cases, the event will turn into
+multiple events included in once, meaning that you will get one combined ticket shop for multiple actual events. This
+is useful if you have a large number of events that are very similar to each other and that should be sold together
+(i.e. users should be able to buy tickets for multiple events at the same time). Those single events can differ in
+available products, quotas, prices and some meta information, but most settings need to be the same for all of them.
+We recommend to use this feature only if you really know that you need it and if you really run a lot of events, not if
+you run e.g. a yearly conference.
+
+Once you set these values, you can procede to the next step:
+
+.. thumbnail:: ../../screens/event/create_step2.png
+   :align: center
+   :class: screenshot
+
+In this step, you will be asked more detailled questions about your event. In particular, you can fill in the
+following fields:
+
+Name
+   This is the public name of your event. It should be descriptive and tell both you and the user which event you are
+   dealing with, but should still be concise. You probably know how your event is named already ;)
+
+Short form
+   This will be used in multiple places. For example, the URL of your ticket shop will include this short form of
+   your event name, but it will also be the default prefix e.g. for invoice numbers. We recommend to use some natural
+   abbreviation of your event name, maybe together with a date, of no more than 10 characters. This is the only value
+   on this page that can't be changed later.
+
+Event start time
+   The date and time that your event starts at. You can later configure settings to hide the time, if you don't want
+   to show that.
+
+Event end time
+   The date and time your event ends at. You can later configure settings to hide this value completely -- or you can
+   just leave it empty. It's optional!
+
+Location
+   This is the location of your event in a human-readable format. We will show this on the ticket shop frontpage, but
+   it might also be used e.g. in Wallet tickets.
+
+Event currency
+   This is the currency all prices and payments in your shop will be handled in.
+
+Sales tax rate
+   If you need to pay a form of sales tax (also known as VAT in many countries) on your products, you can set a tax rate
+   in percent here that will be used as a default later. After creating your event, you can also create multiple tax
+   rates or fine-tune the tax settings.
+
+Default language
+   If you selected multiple supported languages in the previous step, you can now decide which one should be
+   displayed by default.
+
+Start of presale
+   If you set this date, no ticket will be sold before this date. We normally recommend not to set this date during
+   event creation because it will make testing your shop harder.
+
+End of presale
+   If you set this date, no ticket will be sold after this date.
+
+If all of this is set, you can proceed to the next step. If this is your first event, there will not be a next step
+and you are done! If you have already created events before, you will be asked if you want to copy settings from one
+of them:
+
+.. thumbnail:: ../../screens/event/create_step3.png
+   :align: center
+   :class: screenshot
+
+If you do so, all products, categories, quotas and most settings of the other event will be taken over. You should
+still review them if they make sense for your new event, but it could save you a lot of work. After this step, your
+event is created successfully:
+
+.. thumbnail:: ../../screens/event/create_step4.png
+   :align: center
+   :class: screenshot
+
+You can now fine-tune all settings to your liking, publish your event and start selling tickets!

doc/user/events/taxes.rst

@@ -0,0 +1,109 @@
+Tax rules
+=========
+
+In most countries, you will be required to pay some form of sales tax for your event tickets. If you don't know about
+the exact rules, you should consult a professional tax consultant right now.
+
+To implement those taxes in pretix, you can create one or multiple "tax rules". A tax rule specifies when and at what
+rate should be calculated on a product price. Taxes will then be correctly displayed in the product list, order
+details and on invoices.
+
+At the time of this writing, every product can be assigned exactly one tax rule. To view and change the tax rules of
+your event, go to the respective section in your event's settings:
+
+.. thumbnail:: ../../screens/event/tax_list.png
+   :align: center
+   :class: screenshot
+
+On this page, you can create, edit and delete your tax rules. Clicking on the name of a tax rule will take you to its
+detailled settings:
+
+.. thumbnail:: ../../screens/event/tax_detail.png
+   :align: center
+   :class: screenshot
+
+Here, you can tune the following parameters:
+
+Name
+    What is the (short) name of this tax? This is probably "VAT" in English and should be very short as it will be
+    displayed in lots of places.
+
+Rate
+    This is the tax rate in percent.
+
+The configured product prices include the tax amount
+    If this setting is enabled (the default), then a product configured to a price of 10.00 EUR will, at a tax rate of
+    19.00 %, be interpreted as a product with a total gross price of 10.00 EUR including 1.60 EUR taxes, leading to a
+    net price of 8.40 EUR. If you disable this setting, the price will be interpreted as a net price of 10.00 EUR,
+    leading to a total price to pay of 11.90 EUR.
+
+Use EU reverse charge taxation rules
+    This enables reverse charge taxation (see section below).
+
+Merchant country
+    This is probably your country of residence, but in some cases it could also be the country your event is
+    located in. This is the place of taxation in the sense of EU reverse charge rules (see section below).
+
+EU reverse charge
+-----------------
+
+.. warning:: Everything contained in this section is not legal advice. Please consult a tax consultant
+             before making decisions. We are not responsible for the correct handling of taxes in your
+             ticket shop.
+
+"Reverse charge" is a rule in European VAT legislation that specifies how taxes are paid
+if you provide goods to a buyer in a different European country than you reside in yourself.
+If the buyer is a VAT-paying business in their country, you charge them only the net price without
+taxes and state that the buyer is responsible for paying the correct taxes themselves.
+
+.. warning:: We firmly believe that reverse charge rules are **not applicable** for most events handled
+             with pretix and therefore **strongly recommend not to enable this feature** if you do not have
+             a specific reason to do so. The reasoning behind this is that according to article 52 of the
+             `VAT directive`_ (page 17), the place of supply is always the location of your event and
+             therefore the tax rate of the event country always has to be paid regardless of the location
+             of the visitor.
+
+If you enable the reverse charge feature and specify your merchant country, then the following process
+will be performed during order creation:
+
+* The user will first be presented with the "normal" prices (net or gross, as configured).
+
+* The user adds a product to their cart. The cart will at this point always show gross prices *with*
+  taxes.
+
+* In the next step, the user can enter an invoice address. Tax will be removed from the price if one of the
+  following statements is true:
+
+  * The invoice address is in a non-EU country.
+
+  * The invoice address is a business address in an EU-country different from the merchant country and has a valid VAT ID.
+
+* In the second case, a reverse charge note will be added to the invoice.
+
+VAT IDs are validated against the EUs validation web service. Should that service be unavailable, the user
+needs to pay VAT tax and reclaim the taxes at a later point in time with their government.
+
+If you and the buyer are residing in EU countries that use different currencies, the invoice will show
+the total and VAT amount also in the local currency of the buyer, if the system was able to obtain a
+conversion rate from the European Central Bank's webservice within the last 7 days.
+
+For existing orders, a change of the invoice address will not result in a change of taxes automatically.
+You can trigger this manually in the backend by going to the order's detail view. There, first click
+the "Check" button next to the VAT ID. Then, go to "Change products" and select the option "Recalculate
+taxes" at the end of the page.
+
+.. note:: In the invoicing settings, you should turn the setting "Ask for VAT ID" on for this to work.
+
+.. note:: During back-and-forth modification of taxation status, unfortunately there can be rounding
+          errors of usually up to one cent from the intended price. This is unavoidable due to the
+          flexible nature in which prices are being calculated.
+
+Taxation of payment fees
+------------------------
+
+In the payment part of your event settings, you can choose the tax rule that needs to be applied for
+payment method fees. This works in the same way as product prices, with the small difference that the
+"configured product prices include the tax amount" settings is ignored and payment fees will always be
+treated as gross values.
+
+.. _VAT directive: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32006L0112&from=EN

doc/user/events/widget.rst

@@ -0,0 +1,104 @@
+Embeddable Widget
+=================
+
+If you want to show your ticket shop on your event website or blog, you can use our JavaScript widget. This way,
+users will not need to leave your site to buy their ticket in most cases. The widget will still open a new tab
+for the checkout if the user is on a mobile device.
+
+To obtain the correct HTML code for embedding your event into your website, we recommend that you go to the "Widget"
+tab of your event's settings. You can specify some optional settings there (for example the language of the widget)
+and then click "Generate widget code".
+
+.. thumbnail:: ../../screens/event/widget_form.png
+   :align: center
+   :class: screenshot
+
+You will obtain two code snippets that look *roughly* like the following. The first should be embedded into the
+``<head>`` part of your website, if possible. If this inconvenient, you can put it in the ``<body>`` part as well::
+
+    <link rel="stylesheet" type="text/css" href="https://pretix.eu/demo/democon/widget/v1.css">
+    <script type="text/javascript" src="https://pretix.eu/widget/v1.en.js" async></script>
+
+The second snippet should be embedded at the position where the widget should show up::
+
+    <pretix-widget event="https://pretix.eu/demo/democon/"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without JavaScript,
+                please <a target="_blank" href="https://pretix.eu/demo/democon/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
+.. note::
+
+    You can of course embed multiple widgets of multiple events on your page. In this case, please add the first
+    snippet only *once* and the second snippets once *for each event*.
+
+Example
+-------
+
+Your embedded widget could look like the following:
+
+.. raw:: html
+
+    <link rel="stylesheet" type="text/css" href="https://pretix.eu/demo/democon/widget/v1.css">
+    <script type="text/javascript" src="https://pretix.eu/widget/v1.en.js" async></script>
+    <pretix-widget event="https://pretix.eu/demo/democon/"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without javascript, please <a target="_blank" href="https://pretix.eu/demo/democon/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
+
+Styling
+-------
+
+If you want, you can customize the appearance of the widget to fit your website with CSS. If you inspect the rendered
+HTML of the widget with your browser's developer tools, you will see that nearly every element has a custom class
+and all classes are prefixed with ``pretix-widget``. You can override the styles as much as you want to and if
+you want to go all custom, you don't even need to use the stylesheet provided by us at all.
+
+SSL
+---
+
+Since buying a ticket normally involves entering sensitive data, we strongly suggest that you use SSL/HTTPS for the page
+that includes the widget. Initiatives like `Let's Encrypt`_ allow you to obtain a SSL certificat free of charge.
+
+All data transferred to pretix will be made over SSL, even if using the widget on a non-SSL site. However, without
+using SSL for your site, a man-in-the-middle attacker could potentially alter the widget in dangerous ways. Moreover,
+using SSL is becoming standard practice and your customers might want expect see the secure lock icon in their browser
+granted to SSL-enabled web pages.
+
+By default, the checkout process will open in a new tab in your customer's browsers if you don't use SSL for your
+website. If you confident to have a good reason for not using SSL, you can override this behaviour with the
+``skip-ssl-check`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" skip-ssl-check></pretix-widget>
+
+Pre-selecting a voucher
+-----------------------
+
+You can pre-select a voucher for the widget with the ``voucher`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/democon/" voucher="ABCDE123456"></pretix-widget>
+
+This way, the widget will only show products that can be bought with the voucher and prices according to the
+voucher's settings.
+
+.. raw:: html
+
+    <pretix-widget event="https://pretix.eu/demo/democon/" voucher="ABCDE123456"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without javascript, please <a target="_blank" href="https://pretix.eu/demo/democon/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
+.. _Let's Encrypt: https://letsencrypt.org/

doc/user/index.rst

@@ -1,7 +1,14 @@
 User Guide
 ==========
 
+This section of our documentation is dedicated to show you the way around pretix if you are an event organizer
+wanting to use pretix to sell tickets.
+
 .. toctree::
    :maxdepth: 2
 
+   organizers/index
+   events/create
+   events/taxes
    payments/index
+   events/widget

doc/user/organizers/index.rst

@@ -0,0 +1,112 @@
+Organizer accounts and teams
+============================
+
+Organizer account
+-----------------
+
+The basis of all your operations within pretix is your organizer account. It represents an entity that is running
+events, for example a company, yourself or any other institution.
+Every event belongs to one organizer account and events within the same organizer account are assumed to belong together
+in some sense, whereas events in different organizer accounts are completely isolated.
+
+If you want to use the hosted pretix service, you can create an organizer account on our `Get started`_ page. Otherwise,
+ask your pretix administrator for access to an organizer account.
+
+You can find out all organizer accounts you have access to by going to your global dashboard (click on the pretix logo
+in the top-left corner) and then select "Organizers" from the navigation bar on the left side. Then, choose one of the
+organizer accounts presented, if there are multiple of them:
+
+.. thumbnail:: ../../screens/organizer/list.png
+   :align: center
+   :class: screenshot
+
+This overview shows you all event that belong to the organizer and you have access to:
+
+.. thumbnail:: ../../screens/organizer/event_list.png
+   :align: center
+   :class: screenshot
+
+With the "Edit" button at the top, next to the organizer account name, you can modify properties of the organizer
+account such as its name and display settings for the public profile page of the organizer account:
+
+.. thumbnail:: ../../screens/organizer/edit.png
+   :align: center
+   :class: screenshot
+
+.. tip::
+
+   The profile page will be shown as ``https://pretix.eu/slug/`` where ``slug`` is to be replaced by the short form of
+   the organizer name that you entered during account creation and ``pretix.eu`` is to be replaced by your
+   installation's domain name if you are not using our hosted service.
+
+   Instead, you can also use a custom domain for the profile page and your events, for example
+   ``https://tickets.example.com/`` if ``example.com`` is a domain that you own. In this case, please contact the pretix
+   hosted support or your system administrator to set up the custom domain.
+
+Teams
+-----
+
+We don't expect you to work on your events all by yourself and therefore, pretix comes with ways to invite your fellow
+team members to access your pretix organizer account. To manage teams, click on the "Teams" link on your organizer
+settings page (see above how to find it). This shows you a list of teams that should contain at least one team already:
+
+.. thumbnail:: ../../screens/organizer/team_list.png
+   :align: center
+   :class: screenshot
+
+If you click on a team name, you get to a page that shows you the current members of the team:
+
+.. thumbnail:: ../../screens/organizer/team_detail.png
+   :align: center
+   :class: screenshot
+
+You see that there is a list of pretix user accounts (i.e. email addresses), who are part of the team. To add a user to
+the team, just enter their email address in the text box next to the "Add" button. If the user already has an account
+in the pretix system they will instantly get access to the team. Otherwise, they will be sent an email with an invitation
+link that can be used to create an account. This account will then instantly have access to the team. Users can be part
+of as many teams as you want.
+
+In the section below, you can also create access tokens for our :ref:`rest-api`. You can read more on this topic in the
+section :ref:`rest-auth` of the API documentation.
+
+Next to the team name, you again see a button called "Edit" that allows you to modify the permissions of the team.
+Permissions separate into two areas:
+
+* **Organizer permissions** allow actions on the level of an organizer account, in particular:
+
+   * Can create events – To create a new event under this organizer account, users need to have this permission
+
+   * Can change teams and permissions – This permission is required to perform the kind of action you are doing right now.
+     Anyone with this permission can assign arbitrary other permissions to themselves, so this is the most powerful
+     permission there is to give.
+
+   * Can change organizer settings – This permission is required to perform changes to the settings of the organizer
+     account, e.g. its name or display settings.
+
+* **Event permissions** allow actions on the level of an event. You can give the team access to all events of the
+  organizer (including future ones that are not yet created) or just a selected set of events. The specific permissions to choose from are:
+
+   * Can change event settings – This permission gives access to most areas of the control panel that are not controlled
+     by one of the other event permissions, especially those that are related to setting up and configuring the event.
+
+   * Can change product settings – This permission allows to create and modify products and objects that are closely
+     related to products, such as product categories, quotas, and questions.
+
+   * Can view orders – This permission allows viewing the list of orders and allindividual order details, but not
+     changing anything about it. This also includes the various exports offered.
+
+   * Can change orders – This permission allows all actions that involve changing an order, such as changing the products
+     in an order, marking an order as paid or refunden, importing banking data, etc. This only works properly if the
+     same users also have the "Can view orders" permission.
+
+   * Can view vouchers – This permission allows viewing the list of vouchers including the voucher codes themselves and
+     their redemption status.
+
+   * Can change vouchers – This permission allows to create and modify vouchers in all their details. It only works
+     properly if the same users also have the "Can view vouchers" permission.
+
+.. thumbnail:: ../../screens/organizer/team_edit.png
+   :align: center
+   :class: screenshot
+
+.. _Get started: https://pretix.eu/about/en/setup

doc/user/payments/banktransfer.rst

@@ -3,7 +3,7 @@
 Bank transfer
 =============
 
-To accept payments with bank transfer, you only need to fill one important field in pretix' settings: In "Bank
+To accept payments with bank transfer, you only need to fill out one important field in pretix' settings: In "Bank
 account details" you should specify everything one needs to know to transfer money to you, e.g. your IBAN and BIC,
 the name of your bank and for international transfers, preferably also your address and the bank's address.
 
@@ -17,6 +17,7 @@ The easiest way to import payment data is to download a CSV file from your onlin
 export of some sort. You can go to "Import bank data" in pretix to upload a new file:
 
 .. image:: img/bank1.png
+   :class: screenshot
 
 If you upload a file for the first time, pretix will not know what information is contained in which column as every
 bank builds completely different CSV files. Therefore, pretix will ask you for that information. It will show you the

doc/user/payments/paypal.rst

@@ -8,41 +8,49 @@ PayPal account, you can create one on `paypal.com`_.
 If you look into pretix' settings, you are required to fill in two keys:
 
 .. image:: img/paypal_pretix.png
+   :class: screenshot
 
 Unfortunately, it is not straightforward how to get those keys from PayPal's website. In order to do so, you
 need to go to `developer.paypal.com`_ to link the account to your pretix event.
 Click on "Log In" in the top-right corner and log in with your PayPal account.
 
 .. image:: img/paypal2.png
+   :class: screenshot
 
 Then, click on "Dashboard" in the top-right corner.
 
 .. image:: img/paypal3.png
+   :class: screenshot
 
 In the dashboard, scroll down until you see the headline "REST API Apps". Click "Create App".
 
 .. image:: img/paypal4.png
+   :class: screenshot
 
 Enter any name for the application that helps you to identify it later. Then confirm with "Create App".
 
 .. image:: img/paypal5.png
+   :class: screenshot
 
 On the next page, before you do anything else, switch the mode on the right to "Live" to get the correct keys.
 Then, copy the "Client ID" and the "Secret" and enter them into the appropriate fields in the payment settings in
 pretix.
 
 .. image:: img/paypal6.png
+   :class: screenshot
 
 Finally, we need to create a webhook. The webhook tells PayPal to notify pretix e.g. if a payment gets cancelled so
 pretix can cancel the ticket as well. If you have multiple events connected to your PayPal account, you need multiple
 webhooks. To create one, scroll a bit down and click "Add Webhook".
 
 .. image:: img/paypal7.png
+   :class: screenshot
 
 Then, enter the webhook URL that you find on the pretix settings page. It should look similar to the one in the
 screenshot but contain your event name. Tick the box "All events" and save.
 
 .. image:: img/paypal8.png
+   :class: screenshot
 
 That's it, you are ready to go!
 

doc/user/payments/stripe.rst

@@ -9,6 +9,7 @@ Dashboard. As you can see in the following screenshot, you will be presented wit
 and one for live payments. In each set, there is a secret and a publishable keys.
 
 .. image:: img/stripe1.png
+   :class: screenshot
 
 Choose one of the two sets and copy the two keys to the appropriate fields in pretix' settings. To perform actual
 payments, you will need to use the live keys, but you can use the test keys to test the payment flow before you go live.
@@ -21,6 +22,7 @@ that you are currently on. Then, click "Add endpoint" and enter the URL that you
 configuration in pretix' settings.
 
 .. image:: img/stripe2.png
+   :class: screenshot
 
 Again, you can choose between live mode and test mode here.
 

res/icon.svg

@@ -1,44 +1,17 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
 <svg
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:cc="http://creativecommons.org/ns#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:svg="http://www.w3.org/2000/svg"
    xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="149.59399"
-   height="149.59399"
-   id="svg2"
+   viewBox="0 0 149.59399 149.59399"
    version="1.1"
-   inkscape:version="0.48.5 r10040"
-   sodipodi:docname="icon_draft.svg">
+   id="svg2"
+   height="159.56693"
+   width="159.56693">
   <defs
      id="defs4" />
-  <sodipodi:namedview
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="3.959798"
-     inkscape:cx="141.14985"
-     inkscape:cy="82.686886"
-     inkscape:document-units="px"
-     inkscape:current-layer="layer1"
-     showgrid="false"
-     inkscape:window-width="1914"
-     inkscape:window-height="1039"
-     inkscape:window-x="1920"
-     inkscape:window-y="18"
-     inkscape:window-maximized="0"
-     fit-margin-top="20"
-     fit-margin-left="20"
-     fit-margin-right="20"
-     fit-margin-bottom="20" />
   <metadata
      id="metadata7">
     <rdf:RDF>
@@ -52,15 +25,12 @@
     </rdf:RDF>
   </metadata>
   <g
-     inkscape:label="Ebene 1"
-     inkscape:groupmode="layer"
-     id="layer1"
-     transform="translate(-257.78125,-548.74975)">
+     transform="translate(-257.78125,-548.74975)"
+     id="layer1">
     <path
-       style="color:#000000;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;marker:none;visibility:visible;display:inline;overflow:visible;enable-background:accumulate"
-       d="m 277.78125,568.74975 0,34.09383 c 11.37842,0 20.613,9.28198 20.613,20.7188 0,11.4368 -9.23458,20.68754 -20.613,20.68754 l 0,34.09383 68.33691,0 0,-9.50002 2.98469,0 0,9.50002 38.2724,0 0,-34.09383 c -0.0104,2e-5 -0.0207,0 -0.031,0 -11.37841,0 -20.613,-9.25074 -20.613,-20.68754 0,-11.43682 9.23459,-20.7188 20.613,-20.7188 0.0105,0 0.0207,-2e-5 0.031,0 l 0,-34.09383 -38.2724,0 0,9.09377 -2.98469,0 0,-9.09377 z m 68.33691,16.09379 2.98469,0 0,14.00003 -2.98469,0 z m 0,21.00004 2.98469,0 0,14.00004 -2.98469,0 z m -24.40604,3.68751 c 4.02516,3e-5 7.02244,1.10354 8.98515,3.34376 1.96268,2.20685 2.92251,5.27326 2.92251,9.21877 l 0,3.87501 c 0,3.94554 -0.95983,7.04102 -2.92251,9.28127 -1.96271,2.20683 -4.95999,3.31251 -8.98515,3.31251 -0.5988,0 -1.31361,-0.0268 -2.14524,-0.0937 -0.83167,-0.0334 -1.71126,-0.11626 -2.64269,-0.25 l 0,8.87502 c -1e-5,0.26748 -0.11132,0.48687 -0.31091,0.6875 -0.19961,0.20061 -0.41788,0.31249 -0.68399,0.3125 l -4.60139,0 c -0.26614,-1e-5 -0.4844,-0.11189 -0.684,-0.3125 -0.19959,-0.20063 -0.3109,-0.42002 -0.3109,-0.6875 l 0,-34.90633 c 0,-0.36777 0.0824,-0.64529 0.24872,-0.8125 0.16633,-0.20059 0.52265,-0.39529 1.08817,-0.5625 1.5635,-0.40121 3.24248,-0.70343 5.00557,-0.93751 1.76309,-0.23403 3.43988,-0.34372 5.03666,-0.34375 z m 0,5.40627 c -0.89819,2e-5 -1.80453,0.0269 -2.73596,0.0937 -0.89819,0.0669 -1.58626,0.14971 -2.05197,0.25 l 0,17.50004 c 0.69857,0.10031 1.49359,0.18313 2.42505,0.25 0.9647,0.0669 1.76408,0.12501 2.36288,0.125 1.06449,10e-6 1.94409,-0.19469 2.64269,-0.5625 0.69857,-0.36781 1.24859,-0.86471 1.6478,-1.50001 0.39917,-0.63529 0.67527,-1.38064 0.80835,-2.25 0.16631,-0.86934 0.24871,-1.83846 0.24873,-2.87501 l 0,-3.87501 c -2e-5,-1.03651 -0.0824,-1.97438 -0.24873,-2.84375 -0.13308,-0.86934 -0.40918,-1.61469 -0.80835,-2.25001 -0.39921,-0.63527 -0.94923,-1.13218 -1.6478,-1.5 -0.6986,-0.36778 -1.5782,-0.56248 -2.64269,-0.5625 z m 24.40604,11.90627 2.98469,0 0,14.00003 -2.98469,0 z m 0,21.00005 2.98469,0 0,14.00003 -2.98469,0 z"
        id="rect3888"
-       inkscape:connector-curvature="0"
-       sodipodi:nodetypes="ccsccccccccssscccccccccccccccccccsscscccccccssccccccccccccccccccccccccccccc" />
+       transform="matrix(0.93749999,0,0,0.93749999,257.78125,548.74975)"
+       d="M 21.333984 21.333984 L 21.333984 57.699219 C 33.470966 57.699219 43.320312 67.601506 43.320312 79.800781 C 43.320312 92.000035 33.470966 101.86719 21.333984 101.86719 L 21.333984 138.23438 L 94.226562 138.23438 L 94.226562 128.09961 L 97.410156 128.09961 L 97.410156 138.23438 L 138.23438 138.23438 L 138.23438 101.86719 C 138.22328 101.86721 138.21216 101.86719 138.20117 101.86719 C 126.0642 101.86719 116.21289 92.000035 116.21289 79.800781 C 116.21289 67.601506 126.0642 57.699219 138.20117 57.699219 C 138.21237 57.699219 138.22339 57.699197 138.23438 57.699219 L 138.23438 21.333984 L 97.410156 21.333984 L 97.410156 31.033203 L 94.226562 31.033203 L 94.226562 21.333984 L 21.333984 21.333984 z M 94.226562 38.5 L 97.410156 38.5 L 97.410156 53.433594 L 94.226562 53.433594 L 94.226562 38.5 z M 94.226562 60.900391 L 97.410156 60.900391 L 97.410156 75.833984 L 94.226562 75.833984 L 94.226562 60.900391 z M 67.044922 64.027344 C 76.359333 64.027344 82.662109 68.991742 82.662109 79.533203 C 82.662109 89.014942 77.139434 95.039062 69.386719 95.039062 C 67.490377 95.039062 65.927327 94.814901 65.146484 94.591797 L 65.146484 106.64062 L 54.550781 106.64062 L 54.550781 66.314453 C 57.395304 64.97585 61.244324 64.027344 67.044922 64.027344 z M 66.990234 70.216797 C 66.209392 70.216797 65.648458 70.328766 65.146484 70.496094 L 65.146484 88.568359 C 65.536906 88.735677 66.097199 88.845703 66.822266 88.845703 C 70.61497 88.845703 72.175781 85.725087 72.175781 79.589844 C 72.175781 73.287273 70.838704 70.216797 66.990234 70.216797 z M 94.226562 83.300781 L 97.410156 83.300781 L 97.410156 98.234375 L 94.226562 98.234375 L 94.226562 83.300781 z M 94.226562 105.69922 L 97.410156 105.69922 L 97.410156 120.63281 L 94.226562 120.63281 L 94.226562 105.69922 z "
+       style="color:#000000;display:inline;overflow:visible;visibility:visible;fill:#3b1c4a;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:1.06666672;marker:none;enable-background:accumulate" />
   </g>
 </svg>

src/Makefile

@@ -6,7 +6,7 @@ localecompile:
 
 localegen:
 	./manage.py makemessages --all --ignore "pretix/helpers/*"
-	./manage.py makemessages --all -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "build/*"
+	./manage.py makemessages --all -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "build/*"
 
 staticfiles: jsi18n
 	./manage.py collectstatic --noinput

src/make_testdata.py

@@ -47,14 +47,15 @@ question = Question.objects.create(
     event=event, question='Age',
     type=Question.TYPE_NUMBER, required=False
 )
+tr19 = event.tax_rules.create(rate=19)
 item_ticket = Item.objects.create(
     event=event, category=cat_tickets, name='Ticket',
-    default_price=23, tax_rate=19, admission=True
+    default_price=23, tax_rule=tr19, admission=True
 )
 item_ticket.questions.add(question)
 item_shirt = Item.objects.create(
     event=event, category=cat_merch, name='T-Shirt',
-    default_price=15, tax_rate=19
+    default_price=15, tax_rule=tr19
 )
 var_s = ItemVariation.objects.create(item=item_shirt, value='S')
 var_m = ItemVariation.objects.create(item=item_shirt, value='M')

src/pretix/__init__.py

@@ -1 +1 @@
-__version__ = "1.6.0"
+__version__ = "1.9.1"

src/pretix/api/auth/permission.py

@@ -1,3 +1,8 @@
+import time
+
+from django.conf import settings
+from django.contrib.auth import logout
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.permissions import SAFE_METHODS, BasePermission
 
 from pretix.base.models import Event
@@ -13,6 +18,25 @@ class EventPermission(BasePermission):
                 return True
             return False
 
+        if request.method not in SAFE_METHODS and hasattr(view, 'write_permission'):
+            required_permission = getattr(view, 'write_permission')
+        elif hasattr(view, 'permission'):
+            required_permission = getattr(view, 'permission')
+        else:
+            required_permission = None
+
+        if request.user.is_authenticated:
+            # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
+            if not settings.PRETIX_LONG_SESSIONS or not request.session.get('pretix_auth_long_session', False):
+                last_used = request.session.get('pretix_auth_last_used', time.time())
+                if time.time() - request.session.get('pretix_auth_login_time', time.time()) > settings.PRETIX_SESSION_TIMEOUT_ABSOLUTE:
+                    logout(request)
+                    request.session['pretix_auth_login_time'] = 0
+                    return False
+                if time.time() - last_used > settings.PRETIX_SESSION_TIMEOUT_RELATIVE:
+                    return False
+                request.session['pretix_auth_last_used'] = int(time.time())
+
         perm_holder = (request.auth if isinstance(request.auth, TeamAPIToken)
                        else request.user)
         if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
@@ -25,9 +49,8 @@ class EventPermission(BasePermission):
             request.organizer = request.event.organizer
             request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)
 
-            if hasattr(view, 'permission'):
-                if view.permission and view.permission not in request.eventpermset:
-                    return False
+            if required_permission and required_permission not in request.eventpermset:
+                return False
 
         elif 'organizer' in request.resolver_match.kwargs:
             request.organizer = Organizer.objects.filter(
@@ -37,7 +60,21 @@ class EventPermission(BasePermission):
                 return False
             request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)
 
-            if hasattr(view, 'permission'):
-                if view.permission and view.permission not in request.orgapermset:
-                    return False
+            if required_permission and required_permission not in request.orgapermset:
+                return False
         return True
+
+
+def permission_required(required_permission):
+    def decorator(function):
+        def wrapper(self, request, *args, **kw):
+            if 'event' in request.resolver_match.kwargs and 'organizer' in request.resolver_match.kwargs:
+                if required_permission and required_permission not in request.eventpermset:
+                    raise PermissionDenied('You do not have permission to perform this operation.')
+            elif 'organizer' in request.resolver_match.kwargs:
+                if required_permission and required_permission not in request.orgapermset:
+                    raise PermissionDenied('You do not have permission to perform this operation.')
+
+            return function(self, request, *args, **kw)
+        return wrapper
+    return decorator

src/pretix/api/exception.py

@@ -0,0 +1,16 @@
+from rest_framework.response import Response
+from rest_framework.views import exception_handler, status
+
+from pretix.base.services.locking import LockTimeoutException
+
+
+def custom_exception_handler(exc, context):
+    response = exception_handler(exc, context)
+
+    if isinstance(exc, LockTimeoutException):
+        response = Response(
+            {'detail': 'The server was too busy to process your request. Please try again.'},
+            status=status.HTTP_409_CONFLICT
+        )
+
+    return response

src/pretix/api/serializers/event.py

@@ -1,15 +1,28 @@
+from django_countries.serializers import CountryFieldMixin
+from rest_framework.fields import Field
+
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
-from pretix.base.models import Event
+from pretix.base.models import Event, TaxRule
 from pretix.base.models.event import SubEvent
 from pretix.base.models.items import SubEventItem, SubEventItemVariation
 
 
+class MetaDataField(Field):
+
+    def to_representation(self, value):
+        return {
+            v.property.name: v.value for v in value.meta_values.all()
+        }
+
+
 class EventSerializer(I18nAwareModelSerializer):
+    meta_data = MetaDataField(source='*')
+
     class Meta:
         model = Event
         fields = ('name', 'slug', 'live', 'currency', 'date_from',
                   'date_to', 'date_admission', 'is_public', 'presale_start',
-                  'presale_end', 'location', 'has_subevents')
+                  'presale_end', 'location', 'has_subevents', 'meta_data')
 
 
 class SubEventItemSerializer(I18nAwareModelSerializer):
@@ -27,9 +40,16 @@ class SubEventItemVariationSerializer(I18nAwareModelSerializer):
 class SubEventSerializer(I18nAwareModelSerializer):
     item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True)
     variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True)
+    meta_data = MetaDataField(source='*')
 
     class Meta:
         model = SubEvent
         fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
                   'presale_start', 'presale_end', 'location',
-                  'item_price_overrides', 'variation_price_overrides')
+                  'item_price_overrides', 'variation_price_overrides', 'meta_data')
+
+
+class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
+    class Meta:
+        model = TaxRule
+        fields = ('id', 'name', 'rate', 'price_includes_tax', 'eu_reverse_charge', 'home_country')

src/pretix/api/serializers/i18n.py

@@ -1,5 +1,7 @@
 from django.conf import settings
 from i18nfield.fields import I18nCharField, I18nTextField
+from i18nfield.strings import LazyI18nString
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import Field
 from rest_framework.serializers import ModelSerializer
 
@@ -22,6 +24,16 @@ class I18nField(Field):
                 settings.LANGUAGE_CODE: str(value.data)
             }
 
+    def to_internal_value(self, data):
+        if isinstance(data, str):
+            return LazyI18nString(data)
+        elif isinstance(data, dict):
+            if any([k not in dict(settings.LANGUAGES) for k in data.keys()]):
+                raise ValidationError('Invalid languages included.')
+            return LazyI18nString(data)
+        else:
+            raise ValidationError('Invalid data type.')
+
 
 class I18nAwareModelSerializer(ModelSerializer):
     pass

src/pretix/api/serializers/item.py

@@ -1,3 +1,5 @@
+from decimal import Decimal
+
 from rest_framework import serializers
 
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
@@ -21,17 +23,26 @@ class InlineItemAddOnSerializer(serializers.ModelSerializer):
                   'position')
 
 
+class ItemTaxRateField(serializers.Field):
+    def to_representation(self, i):
+        if i.tax_rule:
+            return str(Decimal(i.tax_rule.rate))
+        else:
+            return str(Decimal('0.00'))
+
+
 class ItemSerializer(I18nAwareModelSerializer):
     addons = InlineItemAddOnSerializer(many=True)
     variations = InlineItemVariationSerializer(many=True)
+    tax_rate = ItemTaxRateField(source='*', read_only=True)
 
     class Meta:
         model = Item
         fields = ('id', 'category', 'name', 'active', 'description',
-                  'default_price', 'free_price', 'tax_rate', 'admission',
+                  'default_price', 'free_price', 'tax_rate', 'tax_rule', 'admission',
                   'position', 'picture', 'available_from', 'available_until',
                   'require_voucher', 'hide_without_voucher', 'allow_cancel',
-                  'min_per_order', 'max_per_order', 'has_variations',
+                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations',
                   'variations', 'addons')
 
 

src/pretix/api/serializers/order.py

@@ -1,3 +1,5 @@
+from decimal import Decimal
+
 from rest_framework import serializers
 from rest_framework.reverse import reverse
 
@@ -6,6 +8,7 @@ from pretix.base.models import (
     Checkin, Invoice, InvoiceAddress, InvoiceLine, Order, OrderPosition,
     QuestionAnswer,
 )
+from pretix.base.models.orders import OrderFee
 from pretix.base.signals import register_ticket_outputs
 
 
@@ -22,7 +25,8 @@ class InvoiceAdddressSerializer(I18nAwareModelSerializer):
 
     class Meta:
         model = InvoiceAddress
-        fields = ('last_modified', 'company', 'name', 'street', 'zipcode', 'city', 'country', 'vat_id')
+        fields = ('last_modified', 'is_business', 'company', 'name', 'street', 'zipcode', 'city', 'country', 'vat_id',
+                  'vat_id_validated', 'internal_reference')
 
 
 class AnswerSerializer(I18nAwareModelSerializer):
@@ -97,25 +101,47 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
         model = OrderPosition
         fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_email',
                   'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins', 'downloads',
-                  'answers')
+                  'answers', 'tax_rule')
+
+
+class OrderFeeSerializer(I18nAwareModelSerializer):
+    class Meta:
+        model = OrderFee
+        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rate', 'tax_value', 'tax_rule')
+
+
+class PaymentFeeLegacyField(serializers.Field):
+    def __init__(self, *args, **kwargs):
+        self.attr = kwargs.pop('attribute')
+        super().__init__(*args, **kwargs)
+
+    def to_representation(self, instance: Order):
+        return str(
+            sum([getattr(f, self.attr) for f in instance.fees.all() if f.fee_type == OrderFee.FEE_TYPE_PAYMENT],
+                Decimal('0.00'))
+        )
 
 
 class OrderSerializer(I18nAwareModelSerializer):
     invoice_address = InvoiceAdddressSerializer()
     positions = OrderPositionSerializer(many=True)
+    fees = OrderFeeSerializer(many=True)
     downloads = OrderDownloadsField(source='*')
+    payment_fee = PaymentFeeLegacyField(source='*', attribute='value')  # TODO: Remove in 1.9
+    payment_fee_tax_rate = PaymentFeeLegacyField(source='*', attribute='tax_rate')  # TODO: Remove in 1.9
+    payment_fee_tax_value = PaymentFeeLegacyField(source='*', attribute='tax_value')  # TODO: Remove in 1.9
 
     class Meta:
         model = Order
         fields = ('code', 'status', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
-                  'payment_provider', 'payment_fee', 'payment_fee_tax_rate', 'payment_fee_tax_value',
-                  'total', 'comment', 'invoice_address', 'positions', 'downloads')
+                  'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
+                  'payment_fee', 'payment_fee_tax_rate', 'payment_fee_tax_value')
 
 
 class InlineInvoiceLineSerializer(I18nAwareModelSerializer):
     class Meta:
         model = InvoiceLine
-        fields = ('description', 'gross_value', 'tax_value', 'tax_rate')
+        fields = ('description', 'gross_value', 'tax_value', 'tax_rate', 'tax_name')
 
 
 class InvoiceSerializer(I18nAwareModelSerializer):
@@ -126,4 +152,6 @@ class InvoiceSerializer(I18nAwareModelSerializer):
     class Meta:
         model = Invoice
         fields = ('order', 'number', 'is_cancellation', 'invoice_from', 'invoice_to', 'date', 'refers', 'locale',
-                  'introductory_text', 'additional_text', 'payment_provider_text', 'footer_text', 'lines')
+                  'introductory_text', 'additional_text', 'payment_provider_text', 'footer_text', 'lines',
+                  'foreign_currency_display', 'foreign_currency_rate', 'foreign_currency_rate_date',
+                  'internal_reference')

src/pretix/api/serializers/voucher.py

@@ -8,3 +8,36 @@ class VoucherSerializer(I18nAwareModelSerializer):
         fields = ('id', 'code', 'max_usages', 'redeemed', 'valid_until', 'block_quota',
                   'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
                   'tag', 'comment', 'subevent')
+        read_only_fields = ('id', 'redeemed')
+
+    def validate(self, data):
+        data = super().validate(data)
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Voucher.clean_item_properties(
+            full_data, self.context.get('event'),
+            full_data.get('quota'), full_data.get('item'), full_data.get('variation')
+        )
+        Voucher.clean_subevent(
+            full_data, self.context.get('event')
+        )
+        Voucher.clean_max_usages(full_data, self.instance.redeemed if self.instance else 0)
+        check_quota = Voucher.clean_quota_needs_checking(
+            full_data, self.instance,
+            item_changed=self.instance and (
+                full_data.get('item') != self.instance.item or
+                full_data.get('variation') != self.instance.variation or
+                full_data.get('quota') != self.instance.quota
+            ),
+            creating=not self.instance
+        )
+        if check_quota:
+            Voucher.clean_quota_check(
+                full_data, 1, self.instance, self.context.get('event'),
+                full_data.get('quota'), full_data.get('item'), full_data.get('variation')
+            )
+        Voucher.clean_voucher_code(full_data, self.context.get('event'), self.instance.pk if self.instance else None)
+
+        return data

src/pretix/api/urls.py

@@ -22,6 +22,7 @@ event_router.register(r'vouchers', voucher.VoucherViewSet)
 event_router.register(r'orders', order.OrderViewSet)
 event_router.register(r'orderpositions', order.OrderPositionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
+event_router.register(r'taxrules', event.TaxRuleViewSet)
 event_router.register(r'waitinglistentries', waitinglist.WaitingListViewSet)
 
 # Force import of all plugins to give them a chance to register URLs with the router

src/pretix/api/views/event.py

@@ -1,9 +1,13 @@
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import filters, viewsets
+from rest_framework.exceptions import PermissionDenied
 
-from pretix.api.serializers.event import EventSerializer, SubEventSerializer
-from pretix.base.models import Event, ItemCategory
+from pretix.api.serializers.event import (
+    EventSerializer, SubEventSerializer, TaxRuleSerializer,
+)
+from pretix.base.models import Event, ItemCategory, TaxRule
 from pretix.base.models.event import SubEvent
+from pretix.base.models.organizer import TeamAPIToken
 
 
 class EventViewSet(viewsets.ReadOnlyModelViewSet):
@@ -13,7 +17,7 @@ class EventViewSet(viewsets.ReadOnlyModelViewSet):
     lookup_url_kwarg = 'event'
 
     def get_queryset(self):
-        return self.request.organizer.events.all()
+        return self.request.organizer.events.prefetch_related('meta_values', 'meta_values__property')
 
 
 class SubEventFilter(FilterSet):
@@ -32,3 +36,41 @@ class SubEventViewSet(viewsets.ReadOnlyModelViewSet):
         return self.request.event.subevents.prefetch_related(
             'subeventitem_set', 'subeventitemvariation_set'
         )
+
+
+class TaxRuleViewSet(viewsets.ModelViewSet):
+    serializer_class = TaxRuleSerializer
+    queryset = TaxRule.objects.none()
+    write_permission = 'can_change_event_settings'
+
+    def get_queryset(self):
+        return self.request.event.tax_rules.all()
+
+    def perform_update(self, serializer):
+        super().perform_update(serializer)
+        serializer.instance.log_action(
+            'pretix.event.taxrule.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.event.taxrule.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('This tax rule can not be deleted as it is currently in use.')
+
+        instance.log_action(
+            'pretix.event.taxrule.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)

src/pretix/api/views/item.py

@@ -1,3 +1,5 @@
+import django_filters
+from django.db.models import Q
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
 from rest_framework.decorators import detail_route
@@ -12,6 +14,14 @@ from pretix.base.models import Item, ItemCategory, Question, Quota
 
 
 class ItemFilter(FilterSet):
+    tax_rate = django_filters.CharFilter(method='tax_rate_qs')
+
+    def tax_rate_qs(self, queryset, name, value):
+        if value in ("0", "None", "0.00"):
+            return queryset.filter(Q(tax_rule__isnull=True) | Q(tax_rule__rate=0))
+        else:
+            return queryset.filter(tax_rule__rate=value)
+
     class Meta:
         model = Item
         fields = ['active', 'category', 'admission', 'tax_rate', 'free_price']
@@ -24,9 +34,10 @@ class ItemViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
     filter_class = ItemFilter
+    permission = 'can_change_items'
 
     def get_queryset(self):
-        return self.request.event.items.prefetch_related('variations', 'addons').all()
+        return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons').all()
 
 
 class ItemCategoryFilter(FilterSet):
@@ -42,6 +53,7 @@ class ItemCategoryViewSet(viewsets.ReadOnlyModelViewSet):
     filter_class = ItemCategoryFilter
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
+    permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.categories.all()
@@ -53,6 +65,7 @@ class QuestionViewSet(viewsets.ReadOnlyModelViewSet):
     filter_backends = (OrderingFilter,)
     ordering_fields = ('id', 'position')
     ordering = ('position', 'id')
+    permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.questions.prefetch_related('options').all()
@@ -71,6 +84,7 @@ class QuotaViewSet(viewsets.ReadOnlyModelViewSet):
     filter_class = QuotaFilter
     ordering_fields = ('id', 'size')
     ordering = ('id',)
+    permission = 'can_change_items'
 
     def get_queryset(self):
         return self.request.event.quotas.all()

src/pretix/api/views/order.py

@@ -1,18 +1,28 @@
+import datetime
+
 import django_filters
+import pytz
 from django.db.models import Q
 from django.db.models.functions import Concat
 from django.http import FileResponse
+from django.utils.timezone import make_aware
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
-from rest_framework import viewsets
+from rest_framework import serializers, status, viewsets
 from rest_framework.decorators import detail_route
 from rest_framework.exceptions import APIException, NotFound, PermissionDenied
 from rest_framework.filters import OrderingFilter
+from rest_framework.response import Response
 
 from pretix.api.serializers.order import (
     InvoiceSerializer, OrderPositionSerializer, OrderSerializer,
 )
-from pretix.base.models import Invoice, Order, OrderPosition
+from pretix.base.models import Invoice, Order, OrderPosition, Quota
+from pretix.base.models.organizer import TeamAPIToken
 from pretix.base.services.invoices import invoice_pdf
+from pretix.base.services.mail import SendMailException
+from pretix.base.services.orders import (
+    OrderError, cancel_order, extend_order, mark_order_paid,
+)
 from pretix.base.services.tickets import (
     get_cachedticket_for_order, get_cachedticket_for_position,
 )
@@ -34,10 +44,12 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
     filter_class = OrderFilter
     lookup_field = 'code'
     permission = 'can_view_orders'
+    write_permission = 'can_change_orders'
 
     def get_queryset(self):
         return self.request.event.orders.prefetch_related(
-            'positions', 'positions__checkins', 'positions__item', 'positions__answers', 'positions__answers__options'
+            'positions', 'positions__checkins', 'positions__item', 'positions__answers', 'positions__answers__options',
+            'fees'
         ).select_related(
             'invoice_address'
         )
@@ -70,6 +82,130 @@ class OrderViewSet(viewsets.ReadOnlyModelViewSet):
             )
             return resp
 
+    @detail_route(methods=['POST'])
+    def mark_paid(self, request, **kwargs):
+        order = self.get_object()
+
+        if order.status in (Order.STATUS_PENDING, Order.STATUS_EXPIRED):
+            try:
+                mark_order_paid(
+                    order, manual=True,
+                    user=request.user if request.user.is_authenticated else None,
+                    api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+                )
+            except Quota.QuotaExceededException as e:
+                return Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+            except SendMailException:
+                pass
+
+            return self.retrieve(request, [], **kwargs)
+        return Response(
+            {'detail': 'The order is not pending or expired.'},
+            status=status.HTTP_400_BAD_REQUEST
+        )
+
+    @detail_route(methods=['POST'])
+    def mark_canceled(self, request, **kwargs):
+        send_mail = request.data.get('send_email', True)
+
+        order = self.get_object()
+        if order.status != Order.STATUS_PENDING:
+            return Response(
+                {'detail': 'The order is not pending.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        cancel_order(
+            order,
+            user=request.user if request.user.is_authenticated else None,
+            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            send_mail=send_mail
+        )
+        return self.retrieve(request, [], **kwargs)
+
+    @detail_route(methods=['POST'])
+    def mark_pending(self, request, **kwargs):
+        order = self.get_object()
+
+        if order.status != Order.STATUS_PAID:
+            return Response(
+                {'detail': 'The order is not paid.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        order.status = Order.STATUS_PENDING
+        order.payment_manual = True
+        order.save()
+        order.log_action(
+            'pretix.event.order.unpaid',
+            user=request.user if request.user.is_authenticated else None,
+            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+        )
+        return self.retrieve(request, [], **kwargs)
+
+    @detail_route(methods=['POST'])
+    def mark_expired(self, request, **kwargs):
+        order = self.get_object()
+
+        if order.status != Order.STATUS_PENDING:
+            return Response(
+                {'detail': 'The order is not pending.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        order.status = Order.STATUS_EXPIRED
+        order.save()
+        order.log_action(
+            'pretix.event.order.expired',
+            user=request.user if request.user.is_authenticated else None,
+            api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+        )
+        return self.retrieve(request, [], **kwargs)
+
+    # TODO: Find a way to implement mark_refunded
+
+    @detail_route(methods=['POST'])
+    def extend(self, request, **kwargs):
+        new_date = request.data.get('expires', None)
+        force = request.data.get('force', False)
+        if not new_date:
+            return Response(
+                {'detail': 'New date is missing.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        df = serializers.DateField()
+        try:
+            new_date = df.to_internal_value(new_date)
+        except:
+            return Response(
+                {'detail': 'New date is invalid.'},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        tz = pytz.timezone(self.request.event.settings.timezone)
+        new_date = make_aware(datetime.datetime.combine(
+            new_date,
+            datetime.time(hour=23, minute=59, second=59)
+        ), tz)
+
+        order = self.get_object()
+
+        try:
+            extend_order(
+                order,
+                new_date=new_date,
+                force=force,
+                user=request.user if request.user.is_authenticated else None,
+                api_token=(request.auth if isinstance(request.auth, TeamAPIToken) else None),
+            )
+            return self.retrieve(request, [], **kwargs)
+        except OrderError as e:
+            return Response(
+                {'detail': str(e)},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
 
 class OrderPositionFilter(FilterSet):
     order = django_filters.CharFilter(name='order', lookup_expr='code')

src/pretix/api/views/voucher.py

@@ -4,10 +4,12 @@ from django_filters.rest_framework import (
     BooleanFilter, DjangoFilterBackend, FilterSet,
 )
 from rest_framework import viewsets
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.filters import OrderingFilter
 
 from pretix.api.serializers.voucher import VoucherSerializer
 from pretix.base.models import Voucher
+from pretix.base.models.organizer import TeamAPIToken
 
 
 class VoucherFilter(FilterSet):
@@ -27,7 +29,7 @@ class VoucherFilter(FilterSet):
                                    (Q(valid_until__isnull=False) & Q(valid_until__lte=now())))
 
 
-class VoucherViewSet(viewsets.ReadOnlyModelViewSet):
+class VoucherViewSet(viewsets.ModelViewSet):
     serializer_class = VoucherSerializer
     queryset = Voucher.objects.none()
     filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -35,6 +37,49 @@ class VoucherViewSet(viewsets.ReadOnlyModelViewSet):
     ordering_fields = ('id', 'code', 'max_usages', 'valid_until', 'value')
     filter_class = VoucherFilter
     permission = 'can_view_vouchers'
+    write_permission = 'can_change_vouchers'
 
     def get_queryset(self):
         return self.request.event.vouchers.all()
+
+    def create(self, request, *args, **kwargs):
+        with request.event.lock():
+            return super().create(request, *args, **kwargs)
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.voucher.added',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        return ctx
+
+    def update(self, request, *args, **kwargs):
+        with request.event.lock():
+            return super().update(request, *args, **kwargs)
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.voucher.changed',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('This voucher can not be deleted as it has already been used.')
+
+        instance.log_action(
+            'pretix.voucher.deleted',
+            user=self.request.user,
+            api_token=(self.request.auth if isinstance(self.request.auth, TeamAPIToken) else None),
+        )
+        super().perform_destroy(instance)

src/pretix/base/__init__.py

@@ -11,7 +11,7 @@ class PretixBaseConfig(AppConfig):
         from . import payment  # NOQA
         from . import exporters  # NOQA
         from . import invoice  # NOQA
-        from .services import export, mail, tickets, cart, orders, cleanup, update_check  # NOQA
+        from .services import export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas  # NOQA
 
         try:
             from .celery_app import app as celery_app  # NOQA

src/pretix/base/cache.py

@@ -1,6 +1,6 @@
 import hashlib
 import time
-from typing import Dict, List
+from typing import Callable, Dict, List
 
 from django.core.cache import caches
 from django.db.models import Model
@@ -11,17 +11,19 @@ class NamespacedCache:
     def __init__(self, prefixkey: str, cache: str='default'):
         self.cache = caches[cache]
         self.prefixkey = prefixkey
+        self._last_prefix = None
 
-    def _prefix_key(self, original_key: str) -> str:
+    def _prefix_key(self, original_key: str, known_prefix=None) -> str:
         # Race conditions can happen here, but should be very very rare.
         # We could only handle this by going _really_ lowlevel using
         # memcached's `add` keyword instead of `set`.
         # See also:
         # https://code.google.com/p/memcached/wiki/NewProgrammingTricks#Namespacing
-        prefix = self.cache.get(self.prefixkey)
+        prefix = known_prefix or self.cache.get(self.prefixkey)
         if prefix is None:
             prefix = int(time.time())
             self.cache.set(self.prefixkey, prefix)
+        self._last_prefix = prefix
         key = '%s:%d:%s' % (self.prefixkey, prefix, original_key)
         if len(key) > 200:  # Hash long keys, as memcached has a length limit
             # TODO: Use a more efficient, non-cryptographic hash algorithm
@@ -32,17 +34,25 @@ class NamespacedCache:
         return key.split(":", 2 + self.prefixkey.count(":"))[-1]
 
     def clear(self) -> None:
+        self._last_prefix = None
         try:
             prefix = self.cache.incr(self.prefixkey, 1)
         except ValueError:
             prefix = int(time.time())
             self.cache.set(self.prefixkey, prefix)
 
-    def set(self, key: str, value: str, timeout: int=3600):
+    def set(self, key: str, value: str, timeout: int=300):
         return self.cache.set(self._prefix_key(key), value, timeout)
 
     def get(self, key: str) -> str:
-        return self.cache.get(self._prefix_key(key))
+        return self.cache.get(self._prefix_key(key, known_prefix=self._last_prefix))
+
+    def get_or_set(self, key: str, default: Callable, timeout=300) -> str:
+        return self.cache.get_or_set(
+            self._prefix_key(key, known_prefix=self._last_prefix),
+            default=default,
+            timeout=timeout
+        )
 
     def get_many(self, keys: List[str]) -> Dict[str, str]:
         values = self.cache.get_many([self._prefix_key(key) for key in keys])
@@ -51,7 +61,7 @@ class NamespacedCache:
             newvalues[self._strip_prefix(k)] = v
         return newvalues
 
-    def set_many(self, values: Dict[str, str], timeout=3600):
+    def set_many(self, values: Dict[str, str], timeout=300):
         newvalues = {}
         for k, v in values.items():
             newvalues[self._prefix_key(k)] = v

src/pretix/base/exporters/answers.py

@@ -25,7 +25,9 @@ class AnswerFilesExporter(BaseExporter):
                  forms.ModelMultipleChoiceField(
                      queryset=self.event.questions.filter(type='F'),
                      label=_('Questions'),
-                     widget=forms.CheckboxSelectMultiple,
+                     widget=forms.CheckboxSelectMultiple(
+                         attrs={'class': 'scrolling-multiple-choice'}
+                     ),
                      required=False
                  )),
             ]
@@ -41,7 +43,7 @@ class AnswerFilesExporter(BaseExporter):
             with ZipFile(os.path.join(d, 'tmp.zip'), 'w') as zipf:
                 for i in qs:
                     if i.file:
-                        i.file.open('r')
+                        i.file.open('rb')
                         fname = '{}-{}-{}-q{}-{}'.format(
                             self.event.slug.upper(),
                             i.orderposition.order.code,

src/pretix/base/exporters/json.py

@@ -1,4 +1,5 @@
 import json
+from decimal import Decimal
 
 from django.core.serializers.json import DjangoJSONEncoder
 from django.dispatch import receiver
@@ -32,7 +33,8 @@ class JSONExporter(BaseExporter):
                         'name': str(item.name),
                         'category': item.category_id,
                         'price': item.default_price,
-                        'tax_rate': item.tax_rate,
+                        'tax_rate': item.tax_rule.rate if item.tax_rule else Decimal('0.00'),
+                        'tax_name': str(item.tax_rule.name) if item.tax_rule else None,
                         'admission': item.admission,
                         'active': item.active,
                         'variations': [
@@ -44,7 +46,7 @@ class JSONExporter(BaseExporter):
                                 'name': str(variation)
                             } for variation in item.variations.all()
                         ]
-                    } for item in self.event.items.all().prefetch_related('variations')
+                    } for item in self.event.items.select_related('tax_rule').prefetch_related('variations')
                 ],
                 'questions': [
                     {
@@ -59,7 +61,13 @@ class JSONExporter(BaseExporter):
                         'status': order.status,
                         'user': order.email,
                         'datetime': order.datetime,
-                        'payment_fee': order.payment_fee,
+                        'fees': [
+                            {
+                                'type': fee.fee_type,
+                                'description': fee.description,
+                                'value': fee.value,
+                            } for fee in order.fees.all()
+                        ],
                         'total': order.total,
                         'positions': [
                             {
@@ -80,7 +88,7 @@ class JSONExporter(BaseExporter):
                             } for position in order.positions.all()
                         ]
                     } for order in
-                    self.event.orders.all().prefetch_related('positions', 'positions__answers')
+                    self.event.orders.all().prefetch_related('positions', 'positions__answers', 'fees')
                 ],
                 'quotas': [
                     {

src/pretix/base/exporters/orderlist.py

@@ -1,9 +1,9 @@
-import csv
 import io
 from collections import OrderedDict
 from decimal import Decimal
 
 import pytz
+from defusedcsv import csv
 from django import forms
 from django.db.models import Sum
 from django.dispatch import receiver
@@ -11,6 +11,7 @@ from django.utils.formats import localize
 from django.utils.translation import ugettext as _, ugettext_lazy
 
 from pretix.base.models import InvoiceAddress, Order, OrderPosition
+from pretix.base.models.orders import OrderFee
 
 from ..exporter import BaseExporter
 from ..signals import register_data_exporters
@@ -35,7 +36,10 @@ class OrderListExporter(BaseExporter):
 
     def _get_all_tax_rates(self, qs):
         tax_rates = set(
-            qs.exclude(payment_fee=0).values_list('payment_fee_tax_rate', flat=True).distinct().order_by()
+            a for a
+            in OrderFee.objects.filter(
+                order__event=self.event
+            ).values_list('tax_rate', flat=True).distinct().order_by()
         )
         tax_rates |= set(
             a for a
@@ -59,7 +63,7 @@ class OrderListExporter(BaseExporter):
         headers = [
             _('Order code'), _('Order total'), _('Status'), _('Email'), _('Order date'),
             _('Company'), _('Name'), _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
-            _('Payment date'), _('Payment type'), _('Payment method fee'),
+            _('Payment date'), _('Payment type'), _('Fees'),
         ]
 
         for tr in tax_rates:
@@ -78,6 +82,16 @@ class OrderListExporter(BaseExporter):
             for k, v in self.event.get_payment_providers().items()
         }
 
+        full_fee_sum_cache = {
+            o['order__id']: o['grosssum'] for o in
+            OrderFee.objects.values('tax_rate', 'order__id').order_by().annotate(grosssum=Sum('value'))
+        }
+        fee_sum_cache = {
+            (o['order__id'], o['tax_rate']): o for o in
+            OrderFee.objects.values('tax_rate', 'order__id').order_by().annotate(
+                taxsum=Sum('tax_value'), grosssum=Sum('value')
+            )
+        }
         sum_cache = {
             (o['order__id'], o['tax_rate']): o for o in
             OrderPosition.objects.values('tax_rate', 'order__id').order_by().annotate(
@@ -109,19 +123,18 @@ class OrderListExporter(BaseExporter):
             row += [
                 order.payment_date.astimezone(tz).strftime('%Y-%m-%d') if order.payment_date else '',
                 provider_names.get(order.payment_provider, order.payment_provider),
-                localize(order.payment_fee)
+                localize(full_fee_sum_cache.get(order.id) or Decimal('0.00'))
             ]
 
             for tr in tax_rates:
                 taxrate_values = sum_cache.get((order.id, tr), {'grosssum': Decimal('0.00'), 'taxsum': Decimal('0.00')})
-                if tr == order.payment_fee_tax_rate and order.payment_fee_tax_value:
-                    taxrate_values['grosssum'] += order.payment_fee
-                    taxrate_values['taxsum'] += order.payment_fee_tax_value
+                fee_taxrate_values = fee_sum_cache.get((order.id, tr), {'grosssum': Decimal('0.00'), 'taxsum': Decimal('0.00')})
 
                 row += [
-                    localize(taxrate_values['grosssum']),
-                    localize(taxrate_values['grosssum'] - taxrate_values['taxsum']),
-                    localize(taxrate_values['taxsum']),
+                    localize(taxrate_values['grosssum'] + fee_taxrate_values['grosssum']),
+                    localize(taxrate_values['grosssum'] - taxrate_values['taxsum']
+                             + fee_taxrate_values['grosssum'] - fee_taxrate_values['taxsum']),
+                    localize(taxrate_values['taxsum'] + fee_taxrate_values['taxsum']),
                 ]
 
             row.append(', '.join([i.number for i in order.invoices.all()]))

src/pretix/base/forms/auth.py

@@ -1,4 +1,5 @@
 from django import forms
+from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth.password_validation import (
     password_validators_help_texts, validate_password,
@@ -15,6 +16,7 @@ class LoginForm(forms.Form):
     """
     email = forms.EmailField(label=_("E-mail"), max_length=254)
     password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
+    keep_logged_in = forms.BooleanField(label=_("Keep me logged in"), required=False)
 
     error_messages = {
         'invalid_login': _("Please enter a correct email address and password."),
@@ -29,6 +31,8 @@ class LoginForm(forms.Form):
         self.request = request
         self.user_cache = None
         super().__init__(*args, **kwargs)
+        if not settings.PRETIX_LONG_SESSIONS:
+            del self.fields['keep_logged_in']
 
     def clean(self):
         email = self.cleaned_data.get('email')
@@ -90,6 +94,12 @@ class RegistrationForm(forms.Form):
         }),
         required=True
     )
+    keep_logged_in = forms.BooleanField(label=_("Keep me logged in"), required=False)
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if not settings.PRETIX_LONG_SESSIONS:
+            del self.fields['keep_logged_in']
 
     def clean(self):
         password1 = self.cleaned_data.get('password', '')

src/pretix/base/forms/user.py

@@ -5,6 +5,7 @@ from django.contrib.auth.password_validation import (
 )
 from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
+from pytz import common_timezones
 
 from pretix.base.models import User
 
@@ -31,17 +32,19 @@ class UserSettingsForm(forms.ModelForm):
                                     required=False,
                                     label=_("Repeat new password"),
                                     widget=forms.PasswordInput())
-    # timezone = forms.ChoiceField(
-    #     choices=((a, a) for a in common_timezones),
-    #     label=_("Default timezone"),
-    # )
+    timezone = forms.ChoiceField(
+        choices=((a, a) for a in common_timezones),
+        label=_("Default timezone"),
+        help_text=_('Only used for views that are not bound to an event. For all '
+                    'event views, the event timezone is used instead.')
+    )
 
     class Meta:
         model = User
         fields = [
             'fullname',
             'locale',
-            # 'timezone',
+            'timezone',
             'email'
         ]
 

src/pretix/base/invoice.py

@@ -3,11 +3,13 @@ from decimal import Decimal
 from io import BytesIO
 from typing import Tuple
 
+import vat_moss.exchange_rates
 from django.contrib.staticfiles import finders
 from django.dispatch import receiver
 from django.utils.formats import date_format, localize
 from django.utils.translation import pgettext
 from reportlab.lib import pagesizes
+from reportlab.lib.enums import TA_LEFT
 from reportlab.lib.styles import ParagraphStyle, StyleSheet1
 from reportlab.lib.units import mm
 from reportlab.lib.utils import ImageReader
@@ -15,10 +17,11 @@ from reportlab.pdfbase import pdfmetrics
 from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus import (
-    BaseDocTemplate, Frame, NextPageTemplate, PageTemplate, Paragraph, Spacer,
-    Table, TableStyle,
+    BaseDocTemplate, Frame, KeepTogether, NextPageTemplate, PageTemplate,
+    Paragraph, Spacer, Table, TableStyle,
 )
 
+from pretix.base.decimal import round_decimal
 from pretix.base.models import Event, Invoice
 from pretix.base.signals import register_invoice_renderers
 
@@ -86,6 +89,8 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
         stylesheet = StyleSheet1()
         stylesheet.add(ParagraphStyle(name='Normal', fontName='OpenSans', fontSize=10, leading=12))
         stylesheet.add(ParagraphStyle(name='Heading1', fontName='OpenSansBd', fontSize=15, leading=15 * 1.2))
+        stylesheet.add(ParagraphStyle(name='FineprintHeading', fontName='OpenSansBd', fontSize=8, leading=12))
+        stylesheet.add(ParagraphStyle(name='Fineprint', fontName='OpenSans', fontSize=8, leading=10))
         return stylesheet
 
     def _register_fonts(self):
@@ -326,6 +331,12 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             NextPageTemplate('OtherPages'),
         ]
 
+        if self.invoice.internal_reference:
+            story.append(Paragraph(
+                pgettext('invoice', 'Your reference: {reference}').format(reference=self.invoice.internal_reference),
+                self.stylesheet['Normal']
+            ))
+
         if self.invoice.introductory_text:
             story.append(Paragraph(self.invoice.introductory_text, self.stylesheet['Normal']))
             story.append(Spacer(1, 10 * mm))
@@ -355,12 +366,13 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                 localize(line.net_value) + " " + self.invoice.event.currency,
                 localize(line.gross_value) + " " + self.invoice.event.currency,
             ))
-            taxvalue_map[line.tax_rate] += line.tax_value
-            grossvalue_map[line.tax_rate] += line.gross_value
+            taxvalue_map[line.tax_rate, line.tax_name] += line.tax_value
+            grossvalue_map[line.tax_rate, line.tax_name] += line.gross_value
             total += line.gross_value
 
-        tdata.append(
-            [pgettext('invoice', 'Invoice total'), '', '', localize(total) + " " + self.invoice.event.currency])
+        tdata.append([
+            pgettext('invoice', 'Invoice total'), '', '', localize(total) + " " + self.invoice.event.currency
+        ])
         colwidths = [a * doc.width for a in (.55, .15, .15, .15)]
         table = Table(tdata, colWidths=colwidths, repeatRows=1)
         table.setStyle(TableStyle(tstyledata))
@@ -376,33 +388,94 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
             story.append(Spacer(1, 15 * mm))
 
         tstyledata = [
-            ('SPAN', (1, 0), (-1, 0)),
-            ('ALIGN', (2, 1), (-1, -1), 'RIGHT'),
+            ('ALIGN', (1, 0), (-1, -1), 'RIGHT'),
             ('LEFTPADDING', (0, 0), (0, -1), 0),
             ('RIGHTPADDING', (-1, 0), (-1, -1), 0),
             ('FONTSIZE', (0, 0), (-1, -1), 8),
+            ('FONTNAME', (0, 0), (-1, -1), 'OpenSans'),
         ]
-        tdata = [('', pgettext('invoice', 'Included taxes'), '', '', ''),
-                 ('', pgettext('invoice', 'Tax rate'),
-                  pgettext('invoice', 'Net value'), pgettext('invoice', 'Gross value'), pgettext('invoice', 'Tax'))]
+        thead = [
+            pgettext('invoice', 'Tax rate'),
+            pgettext('invoice', 'Net value'),
+            pgettext('invoice', 'Gross value'),
+            pgettext('invoice', 'Tax'),
+            ''
+        ]
+        tdata = [thead]
 
-        for rate, gross in grossvalue_map.items():
+        for idx, gross in grossvalue_map.items():
+            rate, name = idx
             if rate == 0:
                 continue
-            tax = taxvalue_map[rate]
-            tdata.append((
-                '',
-                localize(rate) + " %",
-                localize((gross - tax)) + " " + self.invoice.event.currency,
+            tax = taxvalue_map[idx]
+            tdata.append([
+                localize(rate) + " % " + name,
+                localize(gross - tax) + " " + self.invoice.event.currency,
                 localize(gross) + " " + self.invoice.event.currency,
                 localize(tax) + " " + self.invoice.event.currency,
+                ''
+            ])
+
+        def fmt(val):
+            try:
+                return vat_moss.exchange_rates.format(val, self.invoice.foreign_currency_display)
+            except ValueError:
+                return localize(val) + ' ' + self.invoice.foreign_currency_display
+
+        if len(tdata) > 1:
+            colwidths = [a * doc.width for a in (.25, .15, .15, .15, .3)]
+            table = Table(tdata, colWidths=colwidths, repeatRows=2, hAlign=TA_LEFT)
+            table.setStyle(TableStyle(tstyledata))
+            story.append(KeepTogether([
+                Paragraph(pgettext('invoice', 'Included taxes'), self.stylesheet['FineprintHeading']),
+                table
+            ]))
+
+            if self.invoice.foreign_currency_display and self.invoice.foreign_currency_rate:
+                tdata = [thead]
+
+                for idx, gross in grossvalue_map.items():
+                    rate, name = idx
+                    if rate == 0:
+                        continue
+                    tax = taxvalue_map[idx]
+                    gross = round_decimal(gross * self.invoice.foreign_currency_rate)
+                    tax = round_decimal(tax * self.invoice.foreign_currency_rate)
+                    net = gross - tax
+
+                    tdata.append([
+                        localize(rate) + " % " + name,
+                        fmt(net), fmt(gross), fmt(tax), ''
+                    ])
+
+                table = Table(tdata, colWidths=colwidths, repeatRows=2, hAlign=TA_LEFT)
+                table.setStyle(TableStyle(tstyledata))
+
+                story.append(KeepTogether([
+                    Spacer(1, height=2 * mm),
+                    Paragraph(
+                        pgettext(
+                            'invoice', 'Using the conversion rate of 1:{rate} as published by the European Central Bank on '
+                                       '{date}, this corresponds to:'
+                        ).format(rate=localize(self.invoice.foreign_currency_rate),
+                                 date=date_format(self.invoice.foreign_currency_rate_date, "SHORT_DATE_FORMAT")),
+                        self.stylesheet['Fineprint']
+                    ),
+                    Spacer(1, height=3 * mm),
+                    table
+                ]))
+        elif self.invoice.foreign_currency_display and self.invoice.foreign_currency_rate:
+            story.append(Spacer(1, 5 * mm))
+            story.append(Paragraph(
+                pgettext(
+                    'invoice', 'Using the conversion rate of 1:{rate} as published by the European Central Bank on '
+                               '{date}, the invoice total corresponds to {total}.'
+                ).format(rate=localize(self.invoice.foreign_currency_rate),
+                         date=date_format(self.invoice.foreign_currency_rate_date, "SHORT_DATE_FORMAT"),
+                         total=fmt(total)),
+                self.stylesheet['Fineprint']
             ))
 
-        if len(tdata) > 2:
-            colwidths = [a * doc.width for a in (.45, .10, .15, .15, .15)]
-            table = Table(tdata, colWidths=colwidths, repeatRows=2)
-            table.setStyle(TableStyle(tstyledata))
-            story.append(table)
         return story
 
 

src/pretix/base/middleware.py

@@ -7,6 +7,7 @@ from django.core.urlresolvers import get_script_prefix
 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone, translation
 from django.utils.cache import patch_vary_headers
+from django.utils.crypto import get_random_string
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.translation import LANGUAGE_SESSION_KEY
 from django.utils.translation.trans_real import (
@@ -46,10 +47,10 @@ class LocaleMiddleware(MiddlewareMixin):
         request.LANGUAGE_CODE = translation.get_language()
 
         tzname = None
-        if request.user.is_authenticated:
-            tzname = request.user.timezone
         if hasattr(request, 'event'):
             tzname = request.event.settings.timezone
+        elif request.user.is_authenticated:
+            tzname = request.user.timezone
         if tzname:
             try:
                 timezone.activate(pytz.timezone(tzname))
@@ -165,6 +166,9 @@ class SecurityMiddleware(MiddlewareMixin):
         '/api/v1/docs/',
     )
 
+    def process_request(self, request):
+        request.csp_nonce = get_random_string(length=32)
+
     def process_response(self, request, resp):
         if settings.DEBUG and resp.status_code >= 400:
             # Don't use CSP on debug error page as it breaks of Django's fancy error
@@ -179,20 +183,25 @@ class SecurityMiddleware(MiddlewareMixin):
             # frame-src is deprecated but kept for compatibility with CSP 1.0 browsers, e.g. Safari 9
             'frame-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
             'child-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
-            'style-src': ["{static}"],
-            'connect-src': ["{dynamic}", "https://checkout.stripe.com"],
-            'img-src': ["{static}", "data:", "https://*.stripe.com"],
+            'style-src': ["{static}", "{media}", "'nonce-{nonce}'"],
+            'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
+            'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
+            'font-src': ["{static}"],
             # form-action is not only used to match on form actions, but also on URLs
             # form-actions redirect to. In the context of e.g. payment providers or
             # single-sign-on this can be nearly anything so we cannot really restrict
             # this. However, we'll restrict it to HTTPS.
             'form-action': ["{dynamic}", "https:"],
+            'report-uri': ["/csp_report/"],
         }
         if 'Content-Security-Policy' in resp:
             _merge_csp(h, _parse_csp(resp['Content-Security-Policy']))
 
         staticdomain = "'self'"
         dynamicdomain = "'self'"
+        mediadomain = "'self'"
+        if settings.MEDIA_URL.startswith('http'):
+            mediadomain += " " + settings.MEDIA_URL[:settings.MEDIA_URL.find('/', 9)]
         if settings.STATIC_URL.startswith('http'):
             staticdomain += " " + settings.STATIC_URL[:settings.STATIC_URL.find('/', 9)]
         if settings.SITE_URL.startswith('http'):
@@ -211,6 +220,14 @@ class SecurityMiddleware(MiddlewareMixin):
                     domain = '%s:%d' % (domain, siteurlsplit.port)
                 dynamicdomain += " " + domain
 
-        if request.path not in self.CSP_EXEMPT:
-            resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain)
+        if request.path not in self.CSP_EXEMPT and not getattr(resp, '_csp_ignore', False):
+            resp['Content-Security-Policy'] = _render_csp(h).format(static=staticdomain, dynamic=dynamicdomain,
+                                                                    media=mediadomain, nonce=request.csp_nonce)
+            for k, v in h.items():
+                h[k] = ' '.join(v).format(static=staticdomain, dynamic=dynamicdomain, media=mediadomain,
+                                          nonce=request.csp_nonce).split(' ')
+            resp['Content-Security-Policy'] = _render_csp(h)
+        elif 'Content-Security-Policy' in resp:
+            del resp['Content-Security-Policy']
+
         return resp

src/pretix/base/migrations/0071_auto_20170729_1616.py

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.3 on 2017-07-29 16:16
+from __future__ import unicode_literals
+
+import i18nfield.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0070_auto_20170719_0910'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='question',
+            name='help_text',
+            field=i18nfield.fields.I18nTextField(blank=True, help_text='If the question needs to be explained or clarified, do it here!', null=True, verbose_name='Help text'),
+        ),
+        migrations.AlterField(
+            model_name='invoiceaddress',
+            name='vat_id',
+            field=models.CharField(blank=True, help_text='Only for business customers within the EU.', max_length=255, verbose_name='VAT ID'),
+        ),
+    ]

src/pretix/base/migrations/0072_order_download_reminder_sent.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.4 on 2017-08-04 13:42
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0071_auto_20170729_1616'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='order',
+            name='download_reminder_sent',
+            field=models.BooleanField(default=False),
+        ),
+    ]

src/pretix/base/migrations/0073_auto_20170716_1333.py

@@ -0,0 +1,181 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.2 on 2017-07-16 13:33
+from __future__ import unicode_literals
+
+import django.db.models.deletion
+import django_countries.fields
+import i18nfield.fields
+from django.core.cache import cache
+from django.db import migrations, models
+from i18nfield.strings import LazyI18nString
+
+
+def tax_rate_converter(app, schema_editor):
+    EventSettingsStore = app.get_model('pretixbase', 'Event_SettingsStore')
+    Item = app.get_model('pretixbase', 'Item')
+    TaxRule = app.get_model('pretixbase', 'TaxRule')
+    Order = app.get_model('pretixbase', 'Order')
+    OrderPosition = app.get_model('pretixbase', 'OrderPosition')
+    InvoiceLine = app.get_model('pretixbase', 'InvoiceLine')
+    n = LazyI18nString({
+        'en': 'VAT',
+        'de': 'MwSt.',
+        'de-informal': 'MwSt.'
+    })
+
+    for i in Item.objects.select_related('event').exclude(tax_rate=0):
+        try:
+            i.tax_rule = i.event.tax_rules.get(rate=i.tax_rate)
+        except TaxRule.DoesNotExist:
+            tr = i.event.tax_rules.create(rate=i.tax_rate, name=n)
+            i.tax_rule = tr
+        i.save()
+
+    for o in Order.objects.select_related('event').exclude(payment_fee_tax_rate=0):
+        try:
+            o.payment_fee_tax_rule = o.event.tax_rules.get(rate=o.payment_fee_tax_rate)
+        except TaxRule.DoesNotExist:
+            tr = o.event.tax_rules.create(rate=o.payment_fee_tax_rate, name=n)
+            o.tax_rule = tr
+        o.save()
+
+    for op in OrderPosition.objects.select_related('order', 'order__event').exclude(tax_rate=0):
+        try:
+            op.tax_rule = op.order.event.tax_rules.get(rate=op.tax_rate)
+        except TaxRule.DoesNotExist:
+            tr = op.order.event.tax_rules.create(rate=op.tax_rate, name=n)
+            op.tax_rule = tr
+        op.save()
+
+    for il in InvoiceLine.objects.select_related('invoice', 'invoice__event').exclude(tax_rate=0):
+        try:
+            il.tax_name = il.invoice.event.tax_rules.get(rate=op.tax_rate).name
+        except TaxRule.DoesNotExist:
+            tr = il.invoice.event.tax_rules.create(rate=op.tax_rate, name=n)
+            il.tax_name = tr.name
+        il.save()
+
+    for setting in EventSettingsStore.objects.filter(key='tax_rate_default'):
+        try:
+            tr = setting.object.tax_rules.get(rate=setting.value)
+        except TaxRule.DoesNotExist:
+            tr = setting.object.tax_rules.create(rate=setting.value, name=n)
+        setting.value = tr.pk
+        setting.save()
+        cache.delete('hierarkey_{}_{}'.format('event', setting.object.pk))
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('pretixbase', '0072_order_download_reminder_sent'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='TaxRule',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', i18nfield.fields.I18nCharField(help_text='Should be short, e.g. "VAT"', max_length=190,
+                                                        verbose_name='Name')),
+                ('rate', models.DecimalField(decimal_places=2, max_digits=10, verbose_name='Tax rate')),
+                ('price_includes_tax', models.BooleanField(default=True,
+                                                           verbose_name='The configured product prices includes the '
+                                                                        'tax amount')),
+                ('eu_reverse_charge',
+                 models.BooleanField(default=False, help_text='Not recommended. Most events will NOT be '
+                                                              'qualified for reverse charge since the place of '
+                                                              'taxation is the location of the event. This option '
+                                                              'only enables reverse charge for business customers who '
+                                                              'entered a valid EU VAT ID. Only enable this option '
+                                                              'after consulting a tax counsel. No warranty given for '
+                                                              'correct tax calculation.',
+                                     verbose_name='Use EU reverse charge taxation')),
+                ('home_country', models.CharField(blank=True,
+                                                  choices=[('AT', 'Austria'), ('BE', 'Belgium'), ('BG', 'Bulgaria'),
+                                                           ('HR', 'Croatia'), ('CY', 'Cyprus'),
+                                                           ('CZ', 'Czech Republic'), ('DK', 'Denmark'),
+                                                           ('EE', 'Estonia'), ('FI', 'Finland'), ('FR', 'France'),
+                                                           ('DE', 'Germany'), ('GR', 'Greece'), ('HU', 'Hungary'),
+                                                           ('IE', 'Ireland'), ('IT', 'Italy'), ('LV', 'Latvia'),
+                                                           ('LT', 'Lithuania'), ('LU', 'Luxembourg'), ('MT', 'Malta'),
+                                                           ('NL', 'Netherlands'), ('PL', 'Poland'), ('PT', 'Portugal'),
+                                                           ('RO', 'Romania'), ('SK', 'Slovakia'), ('SI', 'Slovenia'),
+                                                           ('ES', 'Spain'), ('SE', 'Sweden'), ('UJ', 'United Kingdom')],
+                                                  help_text='Your country. Only relevant for EU reverse charge.',
+                                                  max_length=2, verbose_name='Merchant country')),
+                ('event', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='tax_rules',
+                                            to='pretixbase.Event')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='item',
+            name='tax_rule',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT,
+                                    to='pretixbase.TaxRule', verbose_name='Sales tax'),
+        ),
+        migrations.AddField(
+            model_name='order',
+            name='payment_fee_tax_rule',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT,
+                                    to='pretixbase.TaxRule'),
+        ),
+        migrations.AddField(
+            model_name='orderposition',
+            name='tax_rule',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT,
+                                    to='pretixbase.TaxRule'),
+        ),
+        migrations.RunPython(
+            tax_rate_converter, migrations.RunPython.noop
+        ),
+        migrations.RemoveField(
+            model_name='item',
+            name='tax_rate',
+        ),
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='vat_id_validated',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name='invoiceaddress',
+            name='vat_id',
+            field=models.CharField(blank=True, help_text='Only for business customers within the EU.', max_length=255, verbose_name='VAT ID'),
+        ),
+        migrations.AlterField(
+            model_name='taxrule',
+            name='home_country',
+            field=django_countries.fields.CountryField(blank=True, help_text='Your country of residence. This is the country the EU reverse charge rule will not apply in, if configured above.', max_length=2, verbose_name='Merchant country'),
+        ),
+        migrations.AddField(
+            model_name='cartposition',
+            name='includes_tax',
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AddField(
+            model_name='invoiceline',
+            name='tax_name',
+            field=models.CharField(default='', max_length=190),
+            preserve_default=False,
+        ),
+        migrations.AlterField(
+            model_name='taxrule',
+            name='eu_reverse_charge',
+            field=models.BooleanField(default=False, help_text='Not recommended. Most events will NOT be qualified for reverse charge since the place of taxation is the location of the event. This option disables charging VAT for all customers outside the EU and for business customers in different EU countries that do not customers who entered a valid EU VAT ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax calculation. USE AT YOUR OWN RISK.', verbose_name='Use EU reverse charge taxation rules'),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='foreign_currency_display',
+            field=models.CharField(blank=True, max_length=50, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='foreign_currency_rate',
+            field=models.DecimalField(blank=True, decimal_places=4, max_digits=10, null=True),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='foreign_currency_rate_date',
+            field=models.DateField(blank=True, null=True),
+        ),
+    ]

src/pretix/base/migrations/0075_auto_20170828_0901.py

@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.4 on 2017-08-28 09:01
+from __future__ import unicode_literals
+
+import django.core.validators
+import django.db.models.deletion
+from django.db import migrations, models
+
+import pretix.base.models.base
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0074_auto_20170825_1258'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='EventMetaProperty',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(db_index=True, help_text='Can not contain spaces or special characters execpt underscores', max_length=50, validators=[django.core.validators.RegexValidator(message='The property name may only contain letters, numbers and underscores.', regex='^[a-zA-Z0-9_]+$')], verbose_name='Name')),
+                ('default', models.TextField()),
+                ('organizer', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='meta_properties', to='pretixbase.Organizer')),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=(models.Model, pretix.base.models.base.LoggingMixin),
+        ),
+        migrations.CreateModel(
+            name='EventMetaValue',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('value', models.TextField()),
+                ('event', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='meta_values', to='pretixbase.Event')),
+                ('property', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='event_values', to='pretixbase.EventMetaProperty')),
+            ],
+            bases=(models.Model, pretix.base.models.base.LoggingMixin),
+        ),
+        migrations.CreateModel(
+            name='SubEventMetaValue',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('value', models.TextField()),
+                ('property', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='subevent_values', to='pretixbase.EventMetaProperty')),
+                ('subevent', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='meta_values', to='pretixbase.SubEvent')),
+            ],
+            bases=(models.Model, pretix.base.models.base.LoggingMixin),
+        ),
+        migrations.AlterUniqueTogether(
+            name='subeventmetavalue',
+            unique_together=set([('subevent', 'property')]),
+        ),
+        migrations.AlterUniqueTogether(
+            name='eventmetavalue',
+            unique_together=set([('event', 'property')]),
+        ),
+    ]

src/pretix/base/migrations/0076_orderfee.py

@@ -0,0 +1,72 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.4 on 2017-08-28 14:35
+from __future__ import unicode_literals
+
+from decimal import Decimal
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+def fee_converter(app, schema_editor):
+    OrderFee = app.get_model('pretixbase', 'OrderFee')
+    Order = app.get_model('pretixbase', 'Order')
+
+    of = []
+    for o in Order.objects.exclude(payment_fee=Decimal('0.00')).iterator():
+        of.append(OrderFee(
+            order=o,
+            value=o.payment_fee,
+            fee_type='payment',
+            tax_rate=o.payment_fee_tax_rate,
+            tax_rule=o.payment_fee_tax_rule,
+            tax_value=o.payment_fee_tax_value,
+            internal_type=o.payment_provider
+        ))
+        if len(of) > 900:
+            OrderFee.objects.bulk_create(of)
+            of = []
+    OrderFee.objects.bulk_create(of)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0075_auto_20170828_0901'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OrderFee',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('value', models.DecimalField(decimal_places=2, max_digits=10, verbose_name='Value')),
+                ('description', models.CharField(blank=True, max_length=190)),
+                ('internal_type', models.CharField(blank=True, max_length=255)),
+                ('fee_type', models.CharField(choices=[('payment', 'Payment method fee'), ('shipping', 'Shipping fee')], max_length=100)),
+                ('tax_rate', models.DecimalField(decimal_places=2, max_digits=7, verbose_name='Tax rate')),
+                ('tax_value', models.DecimalField(decimal_places=2, max_digits=10, verbose_name='Tax value')),
+                ('order', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='fees', to='pretixbase.Order', verbose_name='Order')),
+                ('tax_rule', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.TaxRule')),
+            ],
+        ),
+        migrations.RunPython(
+            fee_converter, migrations.RunPython.noop
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_rate',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_rule',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_value',
+        ),
+    ]

src/pretix/base/migrations/0076_orderfee_squashed_0082_invoiceaddress_internal_reference.py

@@ -0,0 +1,173 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-11-03 11:03
+from __future__ import unicode_literals
+
+from decimal import Decimal
+
+import django.db.migrations.operations.special
+import django.db.models.deletion
+import i18nfield.fields
+from django.db import migrations, models
+
+
+def fee_converter(app, schema_editor):
+    OrderFee = app.get_model('pretixbase', 'OrderFee')
+    Order = app.get_model('pretixbase', 'Order')
+
+    of = []
+    for o in Order.objects.exclude(payment_fee=Decimal('0.00')).iterator():
+        of.append(OrderFee(
+            order=o,
+            value=o.payment_fee,
+            fee_type='payment',
+            tax_rate=o.payment_fee_tax_rate,
+            tax_rule=o.payment_fee_tax_rule,
+            tax_value=o.payment_fee_tax_value,
+            internal_type=o.payment_provider
+        ))
+        if len(of) > 900:
+            OrderFee.objects.bulk_create(of)
+            of = []
+    OrderFee.objects.bulk_create(of)
+
+
+def assign_positions(app, schema_editor):
+    Invoice = app.get_model('pretixbase', 'Invoice')
+
+    for i in Invoice.objects.iterator():
+        for j, l in enumerate(i.lines.all()):
+            l.position = j
+            l.save()
+
+
+def clear_quota_caches(app, schema_editor):
+    Quota = app.get_model('pretixbase', 'Quota')
+    Quota.objects.all().update(cached_availability_time=None)
+
+
+class Migration(migrations.Migration):
+
+    replaces = [('pretixbase', '0076_orderfee'), ('pretixbase', '0077_auto_20170829_1126'), ('pretixbase', '0078_auto_20171003_1650'), ('pretixbase', '0079_auto_20171010_2117'), ('pretixbase', '0080_auto_20171016_1553'), ('pretixbase', '0081_quota_cached_availability_paid_orders'), ('pretixbase', '0082_invoiceaddress_internal_reference')]
+
+    dependencies = [
+        ('pretixbase', '0075_auto_20170828_0901'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OrderFee',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('value', models.DecimalField(decimal_places=2, max_digits=10, verbose_name='Value')),
+                ('description', models.CharField(blank=True, max_length=190)),
+                ('internal_type', models.CharField(blank=True, max_length=255)),
+                ('fee_type', models.CharField(choices=[('payment', 'Payment method fee'), ('shipping', 'Shipping fee')], max_length=100)),
+                ('tax_rate', models.DecimalField(decimal_places=2, max_digits=7, verbose_name='Tax rate')),
+                ('tax_value', models.DecimalField(decimal_places=2, max_digits=10, verbose_name='Tax value')),
+                ('order', models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='fees', to='pretixbase.Order', verbose_name='Order')),
+                ('tax_rule', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.TaxRule')),
+            ],
+        ),
+        migrations.RunPython(
+            code=fee_converter,
+            reverse_code=django.db.migrations.operations.special.RunPython.noop,
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_rate',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_rule',
+        ),
+        migrations.RemoveField(
+            model_name='order',
+            name='payment_fee_tax_value',
+        ),
+        migrations.AddField(
+            model_name='invoiceline',
+            name='position',
+            field=models.PositiveIntegerField(default=0),
+        ),
+        migrations.AlterField(
+            model_name='orderfee',
+            name='fee_type',
+            field=models.CharField(choices=[('payment', 'Payment fee'), ('shipping', 'Shipping fee'), ('other', 'Other fees')], max_length=100),
+        ),
+        migrations.RunPython(
+            code=assign_positions,
+            reverse_code=django.db.migrations.operations.special.RunPython.noop,
+        ),
+        migrations.AlterModelOptions(
+            name='invoiceline',
+            options={'ordering': ('position', 'pk')},
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_number',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_state',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_time',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='eventmetaproperty',
+            name='default',
+            field=models.TextField(blank=True),
+        ),
+        migrations.AlterField(
+            model_name='taxrule',
+            name='eu_reverse_charge',
+            field=models.BooleanField(default=False, help_text='Not recommended. Most events will NOT be qualified for reverse charge since the place of taxation is the location of the event. This option disables charging VAT for all customers outside the EU and for business customers in different EU countries who entered a valid EU VAT ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax calculation. USE AT YOUR OWN RISK.', verbose_name='Use EU reverse charge taxation rules'),
+        ),
+        migrations.AddField(
+            model_name='logentry',
+            name='api_token',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.TeamAPIToken'),
+        ),
+        migrations.AlterField(
+            model_name='event',
+            name='name',
+            field=i18nfield.fields.I18nCharField(max_length=200, verbose_name='Event name'),
+        ),
+        migrations.AlterField(
+            model_name='item',
+            name='category',
+            field=models.ForeignKey(blank=True, help_text='If you have many products, you can optionally sort them into categories to keep things organized.', null=True, on_delete=django.db.models.deletion.PROTECT, related_name='items', to='pretixbase.ItemCategory', verbose_name='Category'),
+        ),
+        migrations.AlterField(
+            model_name='cartposition',
+            name='cart_id',
+            field=models.CharField(blank=True, db_index=True, max_length=255, null=True, verbose_name='Cart ID (e.g. session key)'),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_paid_orders',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.RunPython(
+            code=clear_quota_caches,
+            reverse_code=django.db.migrations.operations.special.RunPython.noop,
+        ),
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='internal_reference',
+            field=models.TextField(blank=True, help_text='This reference will be printed on your invoice for your convenience.', verbose_name='Internal reference'),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='internal_reference',
+            field=models.TextField(blank=True),
+        ),
+    ]

src/pretix/base/migrations/0077_auto_20170829_1126.py

@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.4 on 2017-08-29 11:26
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+def assign_positions(app, schema_editor):
+    Invoice = app.get_model('pretixbase', 'Invoice')
+
+    for i in Invoice.objects.iterator():
+        for j, l in enumerate(i.lines.all()):
+            l.position = j
+            l.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0076_orderfee'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoiceline',
+            name='position',
+            field=models.PositiveIntegerField(default=0),
+        ),
+        migrations.AlterField(
+            model_name='orderfee',
+            name='fee_type',
+            field=models.CharField(choices=[('payment', 'Payment fee'), ('shipping', 'Shipping fee'), ('other', 'Other fees')], max_length=100),
+        ),
+        migrations.RunPython(
+            assign_positions, migrations.RunPython.noop
+        ),
+        migrations.AlterModelOptions(
+            name='invoiceline',
+            options={'ordering': ('position', 'pk')},
+        ),
+    ]

src/pretix/base/migrations/0078_auto_20171003_1650.py

@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-03 16:50
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0077_auto_20170829_1126'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_number',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_state',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_time',
+            field=models.DateTimeField(blank=True, null=True),
+        ),
+        migrations.AlterField(
+            model_name='eventmetaproperty',
+            name='default',
+            field=models.TextField(blank=True),
+        ),
+        migrations.AlterField(
+            model_name='taxrule',
+            name='eu_reverse_charge',
+            field=models.BooleanField(default=False, help_text='Not recommended. Most events will NOT be qualified for reverse charge since the place of taxation is the location of the event. This option disables charging VAT for all customers outside the EU and for business customers in different EU countries who entered a valid EU VAT ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax calculation. USE AT YOUR OWN RISK.', verbose_name='Use EU reverse charge taxation rules'),
+        ),
+    ]

src/pretix/base/migrations/0079_auto_20171010_2117.py

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-10 21:17
+from __future__ import unicode_literals
+
+import django.db.models.deletion
+import i18nfield.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0078_auto_20171003_1650'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='logentry',
+            name='api_token',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.TeamAPIToken'),
+        ),
+        migrations.AlterField(
+            model_name='event',
+            name='name',
+            field=i18nfield.fields.I18nCharField(max_length=200, verbose_name='Event name'),
+        ),
+        migrations.AlterField(
+            model_name='item',
+            name='category',
+            field=models.ForeignKey(blank=True, help_text='If you have many products, you can optionally sort them into categories to keep things organized.', null=True, on_delete=django.db.models.deletion.PROTECT, related_name='items', to='pretixbase.ItemCategory', verbose_name='Category'),
+        ),
+    ]

src/pretix/base/migrations/0080_auto_20171016_1553.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-16 15:53
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0079_auto_20171010_2117'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='cartposition',
+            name='cart_id',
+            field=models.CharField(blank=True, db_index=True, max_length=255, null=True, verbose_name='Cart ID (e.g. session key)'),
+        ),
+    ]

src/pretix/base/migrations/0081_quota_cached_availability_paid_orders.py

@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.5 on 2017-10-18 09:06
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+def clear_quota_caches(app, schema_editor):
+    Quota = app.get_model('pretixbase', 'Quota')
+    Quota.objects.all().update(cached_availability_time=None)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0080_auto_20171016_1553'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='quota',
+            name='cached_availability_paid_orders',
+            field=models.PositiveIntegerField(blank=True, null=True),
+        ),
+        migrations.RunPython(
+            clear_quota_caches, migrations.RunPython.noop
+        )
+    ]

src/pretix/base/migrations/0082_invoiceaddress_internal_reference.py

@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.2 on 2017-10-26 22:13
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0081_quota_cached_availability_paid_orders'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='internal_reference',
+            field=models.TextField(blank=True, help_text='This reference will be printed on your invoice for your convenience.', verbose_name='Internal reference'),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='internal_reference',
+            field=models.TextField(blank=True),
+        ),
+    ]

src/pretix/base/models/__init__.py

@@ -3,8 +3,8 @@ from .auth import U2FDevice, User
 from .base import CachedFile, LoggedModel, cachedfile_name
 from .checkin import Checkin
 from .event import (
-    Event, Event_SettingsStore, EventLock, RequiredAction, SubEvent,
-    generate_invite_token,
+    Event, Event_SettingsStore, EventLock, EventMetaProperty, EventMetaValue,
+    RequiredAction, SubEvent, SubEventMetaValue, generate_invite_token,
 )
 from .invoices import Invoice, InvoiceLine, invoice_filename
 from .items import (
@@ -19,5 +19,6 @@ from .orders import (
     generate_secret,
 )
 from .organizer import Organizer, Organizer_SettingsStore, Team, TeamInvite
+from .tax import TaxRule
 from .vouchers import Voucher
 from .waitinglist import WaitingListEntry

src/pretix/base/models/auth.py

@@ -251,6 +251,24 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             | Q(id__in=self.teams.values_list('limit_events__id', flat=True))
         )
 
+    def get_events_with_permission(self, permission):
+        """
+        Returns a queryset of events the user has a specific permissions to.
+
+        :return: Iterable of Events
+        """
+        from .event import Event
+
+        if self.is_superuser:
+            return Event.objects.all()
+
+        kwargs = {permission: True}
+
+        return Event.objects.filter(
+            Q(organizer_id__in=self.teams.filter(all_events=True, **kwargs).values_list('organizer', flat=True))
+            | Q(id__in=self.teams.filter(**kwargs).values_list('limit_events__id', flat=True))
+        )
+
 
 class U2FDevice(Device):
     json_data = models.TextField()

src/pretix/base/models/base.py

@@ -36,7 +36,7 @@ def cached_file_delete(sender, instance, **kwargs):
 
 class LoggingMixin:
 
-    def log_action(self, action, data=None, user=None):
+    def log_action(self, action, data=None, user=None, api_token=None):
         """
         Create a LogEntry object that is related to this object.
         See the LogEntry documentation for details.
@@ -53,10 +53,12 @@ class LoggingMixin:
             event = self
         elif hasattr(self, 'event'):
             event = self.event
-        l = LogEntry(content_object=self, user=user, action_type=action, event=event)
+        if user and not user.is_authenticated:
+            user = None
+        logentry = LogEntry(content_object=self, user=user, action_type=action, event=event, api_token=api_token)
         if data:
-            l.data = json.dumps(data, cls=CustomJSONEncoder)
-        l.save()
+            logentry.data = json.dumps(data, cls=CustomJSONEncoder)
+        logentry.save()
 
 
 class LoggedModel(models.Model, LoggingMixin):

src/pretix/base/models/event.py

@@ -38,6 +38,31 @@ class EventMixin:
             raise ValidationError({'date_to': _('The end of the event has to be later than its start.')})
         super().clean()
 
+    def get_short_date_from_display(self, tz=None, show_times=True) -> str:
+        """
+        Returns a shorter formatted string containing the start date of the event with respect
+        to the current locale and to the ``show_times`` setting.
+        """
+        tz = tz or pytz.timezone(self.settings.timezone)
+        return _date(
+            self.date_from.astimezone(tz),
+            "SHORT_DATETIME_FORMAT" if self.settings.show_times and show_times else "DATE_FORMAT"
+        )
+
+    def get_short_date_to_display(self, tz=None) -> str:
+        """
+        Returns a shorter formatted string containing the start date of the event with respect
+        to the current locale and to the ``show_times`` setting. Returns an empty string
+        if ``show_date_to`` is ``False``.
+        """
+        tz = tz or pytz.timezone(self.settings.timezone)
+        if not self.settings.show_date_to or not self.date_to:
+            return ""
+        return _date(
+            self.date_to.astimezone(tz),
+            "SHORT_DATETIME_FORMAT" if self.settings.show_times else "DATE_FORMAT"
+        )
+
     def get_date_from_display(self, tz=None, show_times=True) -> str:
         """
         Returns a formatted string containing the start date of the event with respect
@@ -169,7 +194,7 @@ class Event(EventMixin, LoggedModel):
     organizer = models.ForeignKey(Organizer, related_name="events", on_delete=models.PROTECT)
     name = I18nCharField(
         max_length=200,
-        verbose_name=_("Name"),
+        verbose_name=_("Event name"),
     )
     slug = models.SlugField(
         max_length=50, db_index=True,
@@ -189,7 +214,7 @@ class Event(EventMixin, LoggedModel):
     )
     live = models.BooleanField(default=False, verbose_name=_("Shop is live"))
     currency = models.CharField(max_length=10,
-                                verbose_name=_("Default currency"),
+                                verbose_name=_("Event currency"),
                                 choices=CURRENCY_CHOICES,
                                 default=settings.DEFAULT_CURRENCY)
     date_from = models.DateTimeField(verbose_name=_("Event start time"))
@@ -239,7 +264,7 @@ class Event(EventMixin, LoggedModel):
 
     def save(self, *args, **kwargs):
         obj = super().save(*args, **kwargs)
-        self.get_cache().clear()
+        self.cache.clear()
         return obj
 
     def get_plugins(self) -> "list[str]":
@@ -256,6 +281,19 @@ class Event(EventMixin, LoggedModel):
         Django's built-in cache backends, but puts you into an isolated environment for
         this event, so you don't have to prefix your cache keys. In addition, the cache
         is being cleared every time the event or one of its related objects change.
+
+        .. deprecated:: 1.9
+           Use the property ``cache`` instead.
+        """
+        return self.cache
+
+    @cached_property
+    def cache(self):
+        """
+        Returns an :py:class:`ObjectRelatedCache` object. This behaves equivalent to
+        Django's built-in cache backends, but puts you into an isolated environment for
+        this event, so you don't have to prefix your cache keys. In addition, the cache
+        is being cleared every time the event or one of its related objects change.
         """
         from pretix.base.cache import ObjectRelatedCache
 
@@ -304,6 +342,13 @@ class Event(EventMixin, LoggedModel):
         self.is_public = other.is_public
         self.save()
 
+        tax_map = {}
+        for t in other.tax_rules.all():
+            tax_map[t.pk] = t
+            t.pk = None
+            t.event = self
+            t.save()
+
         category_map = {}
         for c in ItemCategory.objects.filter(event=other):
             category_map[c.pk] = c
@@ -322,6 +367,8 @@ class Event(EventMixin, LoggedModel):
                 i.picture.save(i.picture.name, i.picture)
             if i.category_id:
                 i.category = category_map[i.category_id]
+            if i.tax_rule_id:
+                i.tax_rule = tax_map[i.tax_rule_id]
             i.save()
             for v in vars:
                 variation_map[v.pk] = v
@@ -371,7 +418,18 @@ class Event(EventMixin, LoggedModel):
                 )
                 newname = default_storage.save(fname, fi)
                 s.value = 'file://' + newname
-            s.save()
+                s.save()
+            elif s.key == 'tax_rate_default':
+                try:
+                    if int(s.value) in tax_map:
+                        s.value = tax_map.get(int(s.value)).pk
+                        s.save()
+                    else:
+                        s.delete()
+                except ValueError:
+                    s.delete()
+            else:
+                s.save()
 
         event_copy_data.send(sender=self, other=other)
 
@@ -432,6 +490,12 @@ class Event(EventMixin, LoggedModel):
             )
         ).order_by('date_from', 'name')
 
+    @property
+    def meta_data(self):
+        data = {p.name: p.default for p in self.organizer.meta_properties.all()}
+        data.update({v.property.name: v.value for v in self.meta_values.select_related('property').all()})
+        return data
+
 
 class SubEvent(EventMixin, LoggedModel):
     """
@@ -521,6 +585,22 @@ class SubEvent(EventMixin, LoggedModel):
             for si in SubEventItemVariation.objects.filter(subevent=self, price__isnull=False)
         }
 
+    @property
+    def meta_data(self):
+        data = self.event.meta_data
+        data.update({v.property.name: v.value for v in self.meta_values.select_related('property').all()})
+        return data
+
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
 
 def generate_invite_token():
     return get_random_string(length=32, allowed_chars=string.ascii_lowercase + string.digits)
@@ -569,3 +649,94 @@ class RequiredAction(models.Model):
             if response:
                 return response
         return self.action_type
+
+
+class EventMetaProperty(LoggedModel):
+    """
+    An organizer account can have EventMetaProperty objects attached to define meta information fields
+    for its events. This information can be re-used for example in ticket layouts.
+
+    :param organizer: The organizer this property is defined for.
+    :type organizer: Organizer
+    :param name: Name
+    :type name: Name of the property, used in various places
+    :param default: Default value
+    :type default: str
+    """
+    organizer = models.ForeignKey(Organizer, related_name="meta_properties", on_delete=models.CASCADE)
+    name = models.CharField(
+        max_length=50, db_index=True,
+        help_text=_(
+            "Can not contain spaces or special characters except underscores"
+        ),
+        validators=[
+            RegexValidator(
+                regex="^[a-zA-Z0-9_]+$",
+                message=_("The property name may only contain letters, numbers and underscores."),
+            ),
+        ],
+        verbose_name=_("Name"),
+    )
+    default = models.TextField(blank=True)
+
+
+class EventMetaValue(LoggedModel):
+    """
+    A meta-data value assigned to an event.
+
+    :param event: The event this metadata is valid for
+    :type event: Event
+    :param property: The property this value belongs to
+    :type property: EventMetaProperty
+    :param value: The actual value
+    :type value: str
+    """
+    event = models.ForeignKey('Event', on_delete=models.CASCADE,
+                              related_name='meta_values')
+    property = models.ForeignKey('EventMetaProperty', on_delete=models.CASCADE,
+                                 related_name='event_values')
+    value = models.TextField()
+
+    class Meta:
+        unique_together = ('event', 'property')
+
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
+
+class SubEventMetaValue(LoggedModel):
+    """
+    A meta-data value assigned to a sub-event.
+
+    :param event: The event this metadata is valid for
+    :type event: Event
+    :param property: The property this value belongs to
+    :type property: EventMetaProperty
+    :param value: The actual value
+    :type value: str
+    """
+    subevent = models.ForeignKey('SubEvent', on_delete=models.CASCADE,
+                                 related_name='meta_values')
+    property = models.ForeignKey('EventMetaProperty', on_delete=models.CASCADE,
+                                 related_name='subevent_values')
+    value = models.TextField()
+
+    class Meta:
+        unique_together = ('subevent', 'property')
+
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()

src/pretix/base/models/invoices.py

@@ -53,6 +53,12 @@ class Invoice(models.Model):
     :type payment_provider_text: str
     :param footer_text: A footer text, displayed smaller and centered on every page
     :type footer_text: str
+    :param foreign_currency_display: A different currency that taxes should also be displayed in.
+    :type foreign_currency_display: str
+    :param foreign_currency_rate: The rate of a forein currency that the taxes should be displayed in.
+    :type foreign_currency_rate: Decimal
+    :param foreign_currency_rate_date: The date of the forein currency exchange rates.
+    :type foreign_currency_rate_date: date
     :param file: The filename of the rendered invoice
     :type file: File
     """
@@ -71,7 +77,11 @@ class Invoice(models.Model):
     additional_text = models.TextField(blank=True)
     payment_provider_text = models.TextField(blank=True)
     footer_text = models.TextField(blank=True)
+    foreign_currency_display = models.CharField(max_length=50, null=True, blank=True)
+    foreign_currency_rate = models.DecimalField(decimal_places=4, max_digits=10, null=True, blank=True)
+    foreign_currency_rate_date = models.DateField(null=True, blank=True)
     file = models.FileField(null=True, blank=True, upload_to=invoice_filename)
+    internal_reference = models.TextField(blank=True)
 
     @staticmethod
     def _to_numeric_invoice_number(number):
@@ -155,13 +165,20 @@ class InvoiceLine(models.Model):
     :type tax_value: decimal.Decimal
     :param tax_rate: The applied tax rate in percent
     :type tax_rate: decimal.Decimal
+    :param tax_name: The name of the applied tax rate
+    :type tax_name: str
     """
     invoice = models.ForeignKey('Invoice', related_name='lines')
+    position = models.PositiveIntegerField(default=0)
     description = models.TextField()
     gross_value = models.DecimalField(max_digits=10, decimal_places=2)
     tax_value = models.DecimalField(max_digits=10, decimal_places=2, default=Decimal('0.00'))
     tax_rate = models.DecimalField(max_digits=7, decimal_places=2, default=Decimal('0.00'))
+    tax_name = models.CharField(max_length=190)
 
     @property
     def net_value(self):
         return self.gross_value - self.tax_value
+
+    class Meta:
+        ordering = ('position', 'pk')

src/pretix/base/models/items.py

@@ -13,8 +13,8 @@ from django.utils.timezone import now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from i18nfield.fields import I18nCharField, I18nTextField
 
-from pretix.base.decimal import round_decimal
 from pretix.base.models.base import LoggedModel
+from pretix.base.models.tax import TaxedPrice
 
 from .event import Event, SubEvent
 
@@ -66,12 +66,12 @@ class ItemCategory(LoggedModel):
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     @property
     def sortkey(self):
@@ -104,6 +104,16 @@ class SubEventItem(models.Model):
     item = models.ForeignKey('Item', on_delete=models.CASCADE)
     price = models.DecimalField(max_digits=7, decimal_places=2, null=True, blank=True)
 
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
 
 class SubEventItemVariation(models.Model):
     """
@@ -121,6 +131,16 @@ class SubEventItemVariation(models.Model):
     variation = models.ForeignKey('ItemVariation', on_delete=models.CASCADE)
     price = models.DecimalField(max_digits=7, decimal_places=2, null=True, blank=True)
 
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.subevent:
+            self.subevent.event.cache.clear()
+
 
 class Item(LoggedModel):
     """
@@ -159,6 +179,8 @@ class Item(LoggedModel):
     :type max_per_order: int
     :param min_per_order: Minimum number of times this item needs to be in an order if bought at all. None for unlimited.
     :type min_per_order: int
+    :param checkin_attention: Requires special attention at checkin
+    :type checkin_attention: bool
     """
 
     event = models.ForeignKey(
@@ -173,6 +195,7 @@ class Item(LoggedModel):
         related_name="items",
         blank=True, null=True,
         verbose_name=_("Category"),
+        help_text=_("If you have many products, you can optionally sort them into categories to keep things organized.")
     )
     name = I18nCharField(
         max_length=255,
@@ -202,10 +225,11 @@ class Item(LoggedModel):
                     "additional donations for your event. This is currently not supported for products that are "
                     "bought as an add-on to other products.")
     )
-    tax_rate = models.DecimalField(
-        verbose_name=_("Taxes included in percent"),
-        max_digits=7, decimal_places=2,
-        default=Decimal('0.00')
+    tax_rule = models.ForeignKey(
+        'TaxRule',
+        verbose_name=_('Sales tax'),
+        on_delete=models.PROTECT,
+        null=True, blank=True
     )
     admission = models.BooleanField(
         verbose_name=_("Is an admission ticket"),
@@ -265,6 +289,13 @@ class Item(LoggedModel):
                     'empty or set it to 0, there is no special limit for this product. The limit for the maximum '
                     'number of items in the whole order applies regardless.')
     )
+    checkin_attention = models.BooleanField(
+        verbose_name=_('Requires special attention'),
+        default=False,
+        help_text=_('If you set this, the check-in app will show a visible warning that this ticket requires special '
+                    'attention. You can use this for example for student tickets to indicate to the person at '
+                    'check-in that the student ID card still needs to be checked.')
+    )
     # !!! Attention: If you add new fields here, also add them to the copying code in
     # pretix/control/views/item.py if applicable.
 
@@ -279,17 +310,19 @@ class Item(LoggedModel):
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
-    @property
-    def default_price_net(self):
-        tax_value = round_decimal(self.default_price * (1 - 100 / (100 + self.tax_rate)))
-        return self.default_price - tax_value
+    def tax(self, price=None, base_price_is='auto'):
+        price = price if price is not None else self.default_price
+        if not self.tax_rule:
+            return TaxedPrice(gross=price, net=price, tax=Decimal('0.00'),
+                              rate=Decimal('0.00'), name='')
+        return self.tax_rule.tax(price, base_price_is=base_price_is)
 
     def is_available(self, now_dt: datetime=None) -> bool:
         """
@@ -396,20 +429,21 @@ class ItemVariation(models.Model):
     def price(self):
         return self.default_price if self.default_price is not None else self.item.default_price
 
-    @property
-    def net_price(self):
-        tax_value = round_decimal(self.price * (1 - 100 / (100 + self.item.tax_rate)))
-        return self.price - tax_value
+    def tax(self, price=None):
+        price = price or self.price
+        if not self.item.tax_rule:
+            return TaxedPrice(gross=price, net=price, tax=Decimal('0.00'), rate=Decimal('0.00'), name='')
+        return self.item.tax_rule.tax(price)
 
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.item:
-            self.item.event.get_cache().clear()
+            self.item.event.cache.clear()
 
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.item:
-            self.item.event.get_cache().clear()
+            self.item.event.cache.clear()
 
     def check_quotas(self, ignored_quotas=None, count_waitinglist=True, subevent=None, _cache=None) -> Tuple[int, int]:
         """
@@ -545,6 +579,11 @@ class Question(LoggedModel):
     question = I18nTextField(
         verbose_name=_("Question")
     )
+    help_text = I18nTextField(
+        verbose_name=_("Help text"),
+        help_text=_("If the question needs to be explained or clarified, do it here!"),
+        null=True, blank=True,
+    )
     type = models.CharField(
         max_length=5,
         choices=TYPE_CHOICES,
@@ -576,12 +615,12 @@ class Question(LoggedModel):
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def save(self, *args, **kwargs):
         super().save(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     @property
     def sortkey(self):
@@ -686,6 +725,10 @@ class Quota(LoggedModel):
         blank=True,
         verbose_name=_("Variations")
     )
+    cached_availability_state = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_number = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_paid_orders = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_time = models.DateTimeField(null=True, blank=True)
 
     class Meta:
         verbose_name = _("Quota")
@@ -697,14 +740,27 @@ class Quota(LoggedModel):
     def delete(self, *args, **kwargs):
         super().delete(*args, **kwargs)
         if self.event:
-            self.event.get_cache().clear()
+            self.event.cache.clear()
 
     def save(self, *args, **kwargs):
+        clear_cache = kwargs.pop('clear_cache', True)
         super().save(*args, **kwargs)
-        if self.event:
-            self.event.get_cache().clear()
+        if self.event and clear_cache:
+            self.event.cache.clear()
 
-    def availability(self, now_dt: datetime=None, count_waitinglist=True, _cache=None) -> Tuple[int, int]:
+    def rebuild_cache(self, now_dt=None):
+        self.cached_availability_time = None
+        self.cached_availability_number = None
+        self.cached_availability_state = None
+        self.availability(now_dt=now_dt)
+
+    def cache_is_hot(self, now_dt=None):
+        now_dt = now_dt or now()
+        return self.cached_availability_time and (now_dt - self.cached_availability_time).total_seconds() < 120
+
+    def availability(
+            self, now_dt: datetime=None, count_waitinglist=True, _cache=None, allow_cache=False
+    ) -> Tuple[int, int]:
         """
         This method is used to determine whether Items or ItemVariations belonging
         to this quota should currently be available for sale.
@@ -712,12 +768,32 @@ class Quota(LoggedModel):
         :returns: a tuple where the first entry is one of the ``Quota.AVAILABILITY_`` constants
                   and the second is the number of available tickets.
         """
+        if allow_cache and self.cache_is_hot() and count_waitinglist:
+            return self.cached_availability_state, self.cached_availability_number
+
         if _cache and count_waitinglist is not _cache.get('_count_waitinglist', True):
             _cache.clear()
 
         if _cache is not None and self.pk in _cache:
             return _cache[self.pk]
+        now_dt = now_dt or now()
         res = self._availability(now_dt, count_waitinglist)
+
+        self.event.cache.delete('item_quota_cache')
+        if count_waitinglist and not self.cache_is_hot(now_dt):
+            self.cached_availability_state = res[0]
+            self.cached_availability_number = res[1]
+            self.cached_availability_time = now_dt
+            if self.size is None:
+                self.cached_availability_paid_orders = self.count_pending_orders()
+            self.save(
+                update_fields=[
+                    'cached_availability_state', 'cached_availability_number', 'cached_availability_time',
+                    'cached_availability_paid_orders'
+                ],
+                clear_cache=False
+            )
+
         if _cache is not None:
             _cache[self.pk] = res
             _cache['_count_waitinglist'] = count_waitinglist
@@ -729,8 +805,9 @@ class Quota(LoggedModel):
         if size_left is None:
             return Quota.AVAILABILITY_OK, None
 
-        # TODO: Test for interference with old versions of Item-Quota-relations, etc.
-        size_left -= self.count_paid_orders()
+        paid_orders = self.count_paid_orders()
+        self.cached_availability_paid_orders = paid_orders
+        size_left -= paid_orders
         if size_left <= 0:
             return Quota.AVAILABILITY_GONE, 0
 
@@ -790,7 +867,7 @@ class Quota(LoggedModel):
                 & Q(Q(voucher__valid_until__isnull=True) | Q(voucher__valid_until__gte=now_dt))
             ) &
             self._position_lookup
-        ).values('id').distinct().count()
+        ).count()
 
     def count_pending_orders(self) -> dict:
         from pretix.base.models import Order, OrderPosition
@@ -798,23 +875,23 @@ class Quota(LoggedModel):
         # This query has beeen benchmarked against a Count('id', distinct=True) aggregate and won by a small margin.
         return OrderPosition.objects.filter(
             self._position_lookup, order__status=Order.STATUS_PENDING, order__event=self.event, subevent=self.subevent
-        ).values('id').distinct().count()
+        ).count()
 
     def count_paid_orders(self):
         from pretix.base.models import Order, OrderPosition
 
         return OrderPosition.objects.filter(
             self._position_lookup, order__status=Order.STATUS_PAID, order__event=self.event, subevent=self.subevent
-        ).values('id').distinct().count()
+        ).count()
 
     @cached_property
     def _position_lookup(self) -> Q:
         return (
             (  # Orders for items which do not have any variations
                Q(variation__isnull=True) &
-               Q(item__quotas=self)
+               Q(item_id__in=Quota.items.through.objects.filter(quota_id=self.pk).values_list('item_id', flat=True))
             ) | (  # Orders for items which do have any variations
-                   Q(variation__quotas=self)
+                   Q(variation__in=Quota.variations.through.objects.filter(quota_id=self.pk).values_list('itemvariation_id', flat=True))
             )
         )
 

src/pretix/base/models/log.py

@@ -5,9 +5,10 @@ from django.contrib.contenttypes.models import ContentType
 from django.db import models
 from django.urls import reverse
 from django.utils.functional import cached_property
+from django.utils.html import escape
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 
-from pretix.base.models.event import SubEvent
+from pretix.base.signals import logentry_object_link
 
 
 class LogEntry(models.Model):
@@ -34,6 +35,7 @@ class LogEntry(models.Model):
     content_object = GenericForeignKey('content_type', 'object_id')
     datetime = models.DateTimeField(auto_now_add=True, db_index=True)
     user = models.ForeignKey('User', null=True, blank=True, on_delete=models.PROTECT)
+    api_token = models.ForeignKey('TeamAPIToken', null=True, blank=True, on_delete=models.PROTECT)
     event = models.ForeignKey('Event', null=True, blank=True, on_delete=models.CASCADE)
     action_type = models.CharField(max_length=255)
     data = models.TextField(default='{}')
@@ -51,7 +53,7 @@ class LogEntry(models.Model):
 
     @cached_property
     def display_object(self):
-        from . import Order, Voucher, Quota, Item, ItemCategory, Question, Event
+        from . import Order, Voucher, Quota, Item, ItemCategory, Question, Event, TaxRule, SubEvent
 
         if self.content_type.model_class() is Event:
             return ''
@@ -68,7 +70,7 @@ class LogEntry(models.Model):
                     'organizer': self.event.organizer.slug,
                     'code': co.code
                 }),
-                'val': co.code,
+                'val': escape(co.code),
             }
         elif isinstance(co, Voucher):
             a_text = _('Voucher {val}…')
@@ -78,7 +80,7 @@ class LogEntry(models.Model):
                     'organizer': self.event.organizer.slug,
                     'voucher': co.id
                 }),
-                'val': co.code[:6],
+                'val': escape(co.code[:6]),
             }
         elif isinstance(co, Item):
             a_text = _('Product {val}')
@@ -88,7 +90,7 @@ class LogEntry(models.Model):
                     'organizer': self.event.organizer.slug,
                     'item': co.id
                 }),
-                'val': co.name,
+                'val': escape(co.name),
             }
         elif isinstance(co, SubEvent):
             a_text = pgettext_lazy('subevent', 'Date {val}')
@@ -98,7 +100,7 @@ class LogEntry(models.Model):
                     'organizer': self.event.organizer.slug,
                     'subevent': co.id
                 }),
-                'val': str(co)
+                'val': escape(str(co))
             }
         elif isinstance(co, Quota):
             a_text = _('Quota {val}')
@@ -108,7 +110,7 @@ class LogEntry(models.Model):
                     'organizer': self.event.organizer.slug,
                     'quota': co.id
                 }),
-                'val': co.name,
+                'val': escape(co.name),
             }
         elif isinstance(co, ItemCategory):
             a_text = _('Category {val}')
@@ -118,7 +120,7 @@ class LogEntry(models.Model):
                     'organizer': self.event.organizer.slug,
                     'category': co.id
                 }),
-                'val': co.name,
+                'val': escape(co.name),
             }
         elif isinstance(co, Question):
             a_text = _('Question {val}')
@@ -128,7 +130,17 @@ class LogEntry(models.Model):
                     'organizer': self.event.organizer.slug,
                     'question': co.id
                 }),
-                'val': co.question,
+                'val': escape(co.question),
+            }
+        elif isinstance(co, TaxRule):
+            a_text = _('Tax rule {val}')
+            a_map = {
+                'href': reverse('control:event.settings.tax.edit', kwargs={
+                    'event': self.event.slug,
+                    'organizer': self.event.organizer.slug,
+                    'rule': co.id
+                }),
+                'val': escape(co.name),
             }
 
         if a_text and a_map:
@@ -137,6 +149,9 @@ class LogEntry(models.Model):
         elif a_text:
             return a_text
         else:
+            for receiver, response in logentry_object_link.send(self.event, logentry=self):
+                if response:
+                    return response
             return ''
 
     @cached_property

src/pretix/base/models/orders.py

@@ -12,11 +12,10 @@ from django.db import models
 from django.db.models import F, Sum
 from django.db.models.signals import post_delete
 from django.dispatch import receiver
+from django.urls import reverse
 from django.utils.crypto import get_random_string
 from django.utils.encoding import escape_uri_path
 from django.utils.functional import cached_property
-from django.utils.html import escape
-from django.utils.safestring import mark_safe
 from django.utils.timezone import make_aware, now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from django_countries.fields import CountryField
@@ -26,7 +25,6 @@ from pretix.base.i18n import language
 from pretix.base.models import User
 from pretix.base.reldate import RelativeDateWrapper
 
-from ..decimal import round_decimal
 from .base import LoggedModel
 from .event import Event, SubEvent
 from .items import Item, ItemVariation, Question, QuestionOption, Quota
@@ -80,18 +78,14 @@ class Order(LoggedModel):
     :type payment_date: datetime
     :param payment_provider: The payment provider selected by the user
     :type payment_provider: str
-    :param payment_fee: The payment fee calculated at checkout time
-    :type payment_fee: decimal.Decimal
-    :param payment_fee_tax_value: The absolute amount of tax included in the payment fee
-    :type payment_fee_tax_value: decimal.Decimal
-    :param payment_fee_tax_rate: The tax rate applied to the payment fee (in percent)
-    :type payment_fee_tax_rate: decimal.Decimal
     :param payment_info: Arbitrary information stored by the payment provider
     :type payment_info: str
     :param total: The total amount of the order, including the payment fee
     :type total: decimal.Decimal
     :param comment: An internal comment that will only be visible to staff, and never displayed to the user
     :type comment: str
+    :param download_reminder_sent: A field to indicate whether a download reminder has been sent.
+    :type download_reminder_sent: boolean
     :param meta_info: Additional meta information on the order, JSON-encoded.
     :type meta_info: str
     """
@@ -149,18 +143,6 @@ class Order(LoggedModel):
         max_length=255,
         verbose_name=_("Payment provider")
     )
-    payment_fee = models.DecimalField(
-        decimal_places=2, max_digits=10,
-        default=0, verbose_name=_("Payment method fee")
-    )
-    payment_fee_tax_rate = models.DecimalField(
-        decimal_places=2, max_digits=10,
-        verbose_name=_("Payment method fee tax rate")
-    )
-    payment_fee_tax_value = models.DecimalField(
-        decimal_places=2, max_digits=10,
-        default=0, verbose_name=_("Payment method fee tax")
-    )
     payment_info = models.TextField(
         verbose_name=_("Payment information"),
         null=True, blank=True
@@ -181,6 +163,10 @@ class Order(LoggedModel):
     expiry_reminder_sent = models.BooleanField(
         default=False
     )
+
+    download_reminder_sent = models.BooleanField(
+        default=False
+    )
     meta_info = models.TextField(
         verbose_name=_("Meta information"),
         null=True, blank=True
@@ -215,29 +201,11 @@ class Order(LoggedModel):
             self.assign_code()
         if not self.datetime:
             self.datetime = now()
-        if self.payment_fee_tax_rate is None:
-            self._calculate_tax()
         super().save(*args, **kwargs)
 
-    def _calculate_tax(self):
-        """
-        Calculates the taxes on the payment fees and sets the parameters payment_fee_tax_rate
-        and payment_fee_tax_value accordingly.
-        """
-        self.payment_fee_tax_rate = self.event.settings.get('tax_rate_default')
-        if self.payment_fee_tax_rate:
-            self.payment_fee_tax_value = round_decimal(
-                self.payment_fee * (1 - 100 / (100 + self.payment_fee_tax_rate)))
-        else:
-            self.payment_fee_tax_value = Decimal('0.00')
-
-    @property
-    def payment_fee_net(self):
-        return self.payment_fee - self.payment_fee_tax_value
-
     @cached_property
     def tax_total(self):
-        return (self.positions.aggregate(s=Sum('tax_value'))['s'] or 0) + self.payment_fee_tax_value
+        return (self.positions.aggregate(s=Sum('tax_value'))['s'] or 0) + (self.fees.aggregate(s=Sum('tax_value'))['s'] or 0)
 
     @property
     def net_total(self):
@@ -346,7 +314,7 @@ class Order(LoggedModel):
             ), tz)
         return term_last
 
-    def _can_be_paid(self) -> Union[bool, str]:
+    def _can_be_paid(self, count_waitinglist=True) -> Union[bool, str]:
         error_messages = {
             'late_lastdate': _("The payment can not be accepted as the last date of payments configured in the "
                                "payment settings is over."),
@@ -363,9 +331,9 @@ class Order(LoggedModel):
         if not self.event.settings.get('payment_term_accept_late'):
             return error_messages['late']
 
-        return self._is_still_available()
+        return self._is_still_available(count_waitinglist=count_waitinglist)
 
-    def _is_still_available(self, now_dt: datetime=None) -> Union[bool, str]:
+    def _is_still_available(self, now_dt: datetime=None, count_waitinglist=True) -> Union[bool, str]:
         error_messages = {
             'unavailable': _('The ordered product "{item}" is no longer available.'),
         }
@@ -383,7 +351,7 @@ class Order(LoggedModel):
                 for quota in quotas:
                     if quota.id not in quota_cache:
                         quota_cache[quota.id] = quota
-                        quota.cached_availability = quota.availability(now_dt)[1]
+                        quota.cached_availability = quota.availability(now_dt, count_waitinglist=count_waitinglist)[1]
                     else:
                         # Use cached version
                         quota = quota_cache[quota.id]
@@ -487,7 +455,19 @@ class QuestionAnswer(models.Model):
     )
 
     @property
-    def file_link(self):
+    def backend_file_url(self):
+        if self.file:
+            if self.orderposition:
+                return reverse('control:event.order.download.answer', kwargs={
+                    'code': self.orderposition.order.code,
+                    'event': self.orderposition.order.event.slug,
+                    'organizer': self.orderposition.order.event.organizer.slug,
+                    'answer': self.pk,
+                })
+        return ""
+
+    @property
+    def frontend_file_url(self):
         from pretix.multidomain.urlreverse import eventreverse
 
         if self.file:
@@ -502,12 +482,13 @@ class QuestionAnswer(models.Model):
                     'answer': self.pk,
                 })
 
-            return mark_safe("<a href='{}'>{}</a>".format(
-                url,
-                escape(self.file.name.split('.', 1)[-1])
-            ))
+            return url
         return ""
 
+    @property
+    def file_name(self):
+        return self.file.name.split('.', 1)[-1]
+
     def __str__(self):
         if self.question.type == Question.TYPE_BOOLEAN and self.answer == "True":
             return str(_("Yes"))
@@ -633,6 +614,91 @@ class AbstractPosition(models.Model):
                 else self.variation.quotas.filter(subevent=self.subevent))
 
 
+class OrderFee(models.Model):
+    """
+    An OrderFee objet represents a fee that is added to the order total independently of
+    the actual positions. This might for example be a payment or a shipping fee.
+    """
+    FEE_TYPE_PAYMENT = "payment"
+    FEE_TYPE_SHIPPING = "shipping"
+    FEE_TYPE_OTHER = "other"
+    FEE_TYPES = (
+        (FEE_TYPE_PAYMENT, _("Payment fee")),
+        (FEE_TYPE_SHIPPING, _("Shipping fee")),
+        (FEE_TYPE_OTHER, _("Other fees")),
+    )
+
+    value = models.DecimalField(
+        decimal_places=2, max_digits=10,
+        verbose_name=_("Value")
+    )
+    order = models.ForeignKey(
+        Order,
+        verbose_name=_("Order"),
+        related_name='fees',
+        on_delete=models.PROTECT
+    )
+    fee_type = models.CharField(
+        max_length=100, choices=FEE_TYPES
+    )
+    description = models.CharField(max_length=190, blank=True)
+    internal_type = models.CharField(max_length=255, blank=True)
+    tax_rate = models.DecimalField(
+        max_digits=7, decimal_places=2,
+        verbose_name=_('Tax rate')
+    )
+    tax_rule = models.ForeignKey(
+        'TaxRule',
+        on_delete=models.PROTECT,
+        null=True, blank=True
+    )
+    tax_value = models.DecimalField(
+        max_digits=10, decimal_places=2,
+        verbose_name=_('Tax value')
+    )
+
+    @property
+    def net_value(self):
+        return self.value - self.tax_value
+
+    def __str__(self):
+        if self.description:
+            return '{} - {}'.format(self.get_fee_type_display(), self.description)
+        else:
+            return self.get_fee_type_display()
+
+    def __repr__(self):
+        return '<OrderFee: type %s, value %d>' % (
+            self.fee_type, self.value
+        )
+
+    def _calculate_tax(self):
+        try:
+            ia = self.order.invoice_address
+        except InvoiceAddress.DoesNotExist:
+            ia = None
+
+        if not self.tax_rule and self.fee_type == "payment" and self.order.event.settings.tax_rate_default:
+            self.tax_rule = self.order.event.settings.tax_rate_default
+
+        if self.tax_rule:
+            if self.tax_rule.tax_applicable(ia):
+                tax = self.tax_rule.tax(self.value, base_price_is='gross')
+                self.tax_rate = tax.rate
+                self.tax_value = tax.tax
+            else:
+                self.tax_value = Decimal('0.00')
+                self.tax_rate = Decimal('0.00')
+        else:
+            self.tax_value = Decimal('0.00')
+            self.tax_rate = Decimal('0.00')
+
+    def save(self, *args, **kwargs):
+        if self.tax_rate is None:
+            self._calculate_tax()
+        return super().save(*args, **kwargs)
+
+
 class OrderPosition(AbstractPosition):
     """
     An OrderPosition is one line of an order, representing one ordered item
@@ -653,6 +719,11 @@ class OrderPosition(AbstractPosition):
         max_digits=7, decimal_places=2,
         verbose_name=_('Tax rate')
     )
+    tax_rule = models.ForeignKey(
+        'TaxRule',
+        on_delete=models.PROTECT,
+        null=True, blank=True
+    )
     tax_value = models.DecimalField(
         max_digits=10, decimal_places=2,
         verbose_name=_('Tax value')
@@ -712,11 +783,22 @@ class OrderPosition(AbstractPosition):
         )
 
     def _calculate_tax(self):
-        self.tax_rate = self.item.tax_rate
-        if self.tax_rate:
-            self.tax_value = round_decimal(self.price * (1 - 100 / (100 + self.item.tax_rate)))
+        self.tax_rule = self.item.tax_rule
+        try:
+            ia = self.order.invoice_address
+        except InvoiceAddress.DoesNotExist:
+            ia = None
+        if self.tax_rule:
+            if self.tax_rule.tax_applicable(ia):
+                tax = self.tax_rule.tax(self.price, base_price_is='gross')
+                self.tax_rate = tax.rate
+                self.tax_value = tax.tax
+            else:
+                self.tax_value = Decimal('0.00')
+                self.tax_rate = Decimal('0.00')
         else:
             self.tax_value = Decimal('0.00')
+            self.tax_rate = Decimal('0.00')
 
     def save(self, *args, **kwargs):
         if self.tax_rate is None:
@@ -746,7 +828,7 @@ class CartPosition(AbstractPosition):
         verbose_name=_("Event")
     )
     cart_id = models.CharField(
-        max_length=255, null=True, blank=True,
+        max_length=255, null=True, blank=True, db_index=True,
         verbose_name=_("Cart ID (e.g. session key)")
     )
     datetime = models.DateTimeField(
@@ -757,6 +839,9 @@ class CartPosition(AbstractPosition):
         verbose_name=_("Expiration date"),
         db_index=True
     )
+    includes_tax = models.BooleanField(
+        default=True
+    )
 
     class Meta:
         verbose_name = _("Cart position")
@@ -769,19 +854,23 @@ class CartPosition(AbstractPosition):
 
     @property
     def tax_rate(self):
-        return self.item.tax_rate
+        if self.includes_tax:
+            return self.item.tax(self.price, base_price_is='gross').rate
+        else:
+            return Decimal('0.00')
 
     @property
     def tax_value(self):
-        if not self.tax_rate:
+        if self.includes_tax:
+            return self.item.tax(self.price, base_price_is='gross').tax
+        else:
             return Decimal('0.00')
-        return round_decimal(self.price * (1 - 100 / (100 + self.item.tax_rate)))
 
 
 class InvoiceAddress(models.Model):
     last_modified = models.DateTimeField(auto_now=True)
-    is_business = models.BooleanField(default=False, verbose_name=_('Business customer'))
     order = models.OneToOneField(Order, null=True, blank=True, related_name='invoice_address')
+    is_business = models.BooleanField(default=False, verbose_name=_('Business customer'))
     company = models.CharField(max_length=255, blank=True, verbose_name=_('Company name'))
     name = models.CharField(max_length=255, verbose_name=_('Full name'), blank=True)
     street = models.TextField(verbose_name=_('Address'), blank=False)
@@ -791,6 +880,12 @@ class InvoiceAddress(models.Model):
     country = CountryField(verbose_name=_('Country'), blank=False, blank_label=_('Select country'))
     vat_id = models.CharField(max_length=255, blank=True, verbose_name=_('VAT ID'),
                               help_text=_('Only for business customers within the EU.'))
+    vat_id_validated = models.BooleanField(default=False)
+    internal_reference = models.TextField(
+        verbose_name=_('Internal reference'),
+        help_text=_('This reference will be printed on your invoice for your convenience.'),
+        blank=True
+    )
 
 
 def cachedticket_name(instance, filename: str) -> str:

src/pretix/base/models/organizer.py

@@ -3,6 +3,7 @@ import string
 from django.core.validators import RegexValidator
 from django.db import models
 from django.utils.crypto import get_random_string
+from django.utils.functional import cached_property
 from django.utils.translation import ugettext_lazy as _
 
 from pretix.base.models.base import LoggedModel
@@ -62,6 +63,19 @@ class Organizer(LoggedModel):
         Django's built-in cache backends, but puts you into an isolated environment for
         this organizer, so you don't have to prefix your cache keys. In addition, the cache
         is being cleared every time the organizer changes.
+
+        .. deprecated:: 1.9
+           Use the property ``cache`` instead.
+        """
+        return self.cache
+
+    @cached_property
+    def cache(self):
+        """
+        Returns an :py:class:`ObjectRelatedCache` object. This behaves equivalent to
+        Django's built-in cache backends, but puts you into an isolated environment for
+        this organizer, so you don't have to prefix your cache keys. In addition, the cache
+        is being cleared every time the organizer changes.
         """
         from pretix.base.cache import ObjectRelatedCache
 

src/pretix/base/models/tax.py

@@ -0,0 +1,194 @@
+from decimal import Decimal
+
+from django.db import models
+from django.utils.formats import localize
+from django.utils.translation import ugettext_lazy as _
+from django_countries.fields import CountryField
+from i18nfield.fields import I18nCharField
+
+from pretix.base.decimal import round_decimal
+from pretix.base.models.base import LoggedModel
+
+
+class TaxedPrice:
+    def __init__(self, *, gross: Decimal, net: Decimal, tax: Decimal, rate: Decimal, name: str):
+        if net + tax != gross:
+            raise ValueError('Net value and tax value need to add to the gross value')
+        self.gross = gross
+        self.net = net
+        self.tax = tax
+        self.rate = rate
+        self.name = name
+
+    def __repr__(self):
+        return '{} + {}% = {}'.format(localize(self.net), localize(self.rate), localize(self.gross))
+
+
+TAXED_ZERO = TaxedPrice(
+    gross=Decimal('0.00'),
+    net=Decimal('0.00'),
+    tax=Decimal('0.00'),
+    rate=Decimal('0.00'),
+    name=''
+)
+
+EU_COUNTRIES = {
+    'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT',
+    'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE', 'GB'
+}
+EU_CURRENCIES = {
+    'BG': 'BGN',
+    'GB': 'GBP',
+    'HR': 'HRK',
+    'CZ': 'CZK',
+    'DK': 'DKK',
+    'HU': 'HUF',
+    'PL': 'PLN',
+    'RO': 'RON',
+    'SE': 'SEK'
+}
+
+
+class TaxRule(LoggedModel):
+    event = models.ForeignKey('Event', related_name='tax_rules')
+    name = I18nCharField(
+        verbose_name=_('Name'),
+        help_text=_('Should be short, e.g. "VAT"'),
+        max_length=190,
+    )
+    rate = models.DecimalField(
+        max_digits=10,
+        decimal_places=2,
+        verbose_name=_("Tax rate")
+    )
+    price_includes_tax = models.BooleanField(
+        verbose_name=_("The configured product prices include the tax amount"),
+        default=True,
+    )
+    eu_reverse_charge = models.BooleanField(
+        verbose_name=_("Use EU reverse charge taxation rules"),
+        default=False,
+        help_text=_("Not recommended. Most events will NOT be qualified for reverse charge since the place of "
+                    "taxation is the location of the event. This option disables charging VAT for all customers "
+                    "outside the EU and for business customers in different EU countries who entered a valid EU VAT "
+                    "ID. Only enable this option after consulting a tax counsel. No warranty given for correct tax "
+                    "calculation. USE AT YOUR OWN RISK.")
+    )
+    home_country = CountryField(
+        verbose_name=_('Merchant country'),
+        blank=True,
+        help_text=_('Your country of residence. This is the country the EU reverse charge rule will not apply in, '
+                    'if configured above.'),
+    )
+
+    def allow_delete(self):
+        from pretix.base.models.orders import OrderFee, OrderPosition
+
+        return (
+            not OrderFee.objects.filter(tax_rule=self, order__event=self.event).exists()
+            and not OrderPosition.objects.filter(tax_rule=self, order__event=self.event).exists()
+            and not self.event.items.filter(tax_rule=self).exists()
+            and self.event.settings.tax_rate_default != self
+        )
+
+    @classmethod
+    def zero(cls):
+        return cls(
+            event=None,
+            name='',
+            rate=Decimal('0.00'),
+            price_includes_tax=True,
+            eu_reverse_charge=False
+        )
+
+    def clean(self):
+        if self.eu_reverse_charge and not self.home_country:
+            raise ValueError(_('You need to set your home country to use the reverse charge feature.'))
+
+    def __str__(self):
+        if self.price_includes_tax:
+            s = _('incl. {rate}% {name}').format(rate=self.rate, name=self.name)
+        else:
+            s = _('plus {rate}% {name}').format(rate=self.rate, name=self.name)
+        if self.eu_reverse_charge:
+            s += ' ({})'.format(_('reverse charge enabled'))
+        return str(s)
+
+    def tax(self, base_price, base_price_is='auto'):
+        if self.rate == Decimal('0.00'):
+            return TaxedPrice(
+                net=base_price, gross=base_price, tax=Decimal('0.00'),
+                rate=self.rate, name=self.name
+            )
+
+        if base_price_is == 'auto':
+            if self.price_includes_tax:
+                base_price_is = 'gross'
+            else:
+                base_price_is = 'net'
+
+        if base_price_is == 'gross':
+            gross = base_price
+            net = gross - round_decimal(base_price * (1 - 100 / (100 + self.rate)))
+        elif base_price_is == 'net':
+            net = base_price
+            gross = round_decimal(net * (1 + self.rate / 100))
+        else:
+            raise ValueError('Unknown base price type: {}'.format(base_price_is))
+
+        return TaxedPrice(
+            net=net, gross=gross, tax=gross - net,
+            rate=self.rate, name=self.name
+        )
+
+    def is_reverse_charge(self, invoice_address):
+        if not self.eu_reverse_charge:
+            return False
+
+        if not invoice_address or not invoice_address.country:
+            return False
+
+        if str(invoice_address.country) not in EU_COUNTRIES:
+            return False
+
+        if invoice_address.country == self.home_country:
+            return False
+
+        if invoice_address.is_business and invoice_address.vat_id and invoice_address.vat_id_validated:
+            return True
+
+        return False
+
+    def tax_applicable(self, invoice_address):
+        if not self.eu_reverse_charge:
+            # No reverse charge rules? Always apply VAT!
+            return True
+
+        if not invoice_address or not invoice_address.country:
+            # No country specified? Always apply VAT!
+            return True
+
+        if str(invoice_address.country) not in EU_COUNTRIES:
+            # Non-EU country? Never apply VAT!
+            return False
+
+        if invoice_address.country == self.home_country:
+            # Within same EU country? Always apply VAT!
+            return True
+
+        if invoice_address.is_business and invoice_address.vat_id and invoice_address.vat_id_validated:
+            # Reverse charge case
+            return False
+
+        # Consumer in different EU country / invalid VAT
+        return True
+
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()
+
+    def save(self, *args, **kwargs):
+        super().save(*args, **kwargs)
+        if self.event:
+            self.event.cache.clear()

src/pretix/base/models/vouchers.py

@@ -2,7 +2,9 @@ from decimal import Decimal
 
 from django.conf import settings
 from django.core.exceptions import ValidationError
+from django.core.validators import MinLengthValidator
 from django.db import models
+from django.db.models import Q
 from django.utils.crypto import get_random_string
 from django.utils.timezone import now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
@@ -92,6 +94,7 @@ class Voucher(LoggedModel):
         verbose_name=_("Voucher code"),
         max_length=255, default=generate_code,
         db_index=True,
+        validators=[MinLengthValidator(5)]
     )
     max_usages = models.PositiveIntegerField(
         verbose_name=_("Maximum usages"),
@@ -178,33 +181,149 @@ class Voucher(LoggedModel):
     def __str__(self):
         return self.code
 
+    def allow_delete(self):
+        return self.redeemed == 0
+
     def clean(self):
-        super().clean()
-        if self.quota:
-            if self.item:
+        Voucher.clean_item_properties(
+            {
+                'block_quota': self.block_quota,
+            },
+            self.event,
+            self.quota,
+            self.item,
+            self.variation
+        )
+
+    @staticmethod
+    def clean_item_properties(data, event, quota, item, variation):
+        if quota:
+            if quota.event != event:
+                raise ValidationError(_('You cannot select a quota that belongs to a different event.'))
+            if item:
                 raise ValidationError(_('You cannot select a quota and a specific product at the same time.'))
-        elif self.item:
-            if self.variation and (not self.item or not self.item.has_variations):
+        elif item:
+            if item.event != event:
+                raise ValidationError(_('You cannot select an item that belongs to a different event.'))
+            if variation and (not item or not item.has_variations):
                 raise ValidationError(_('You cannot select a variation without having selected a product that provides '
                                         'variations.'))
-            if self.variation and not self.item.variations.filter(pk=self.variation.pk).exists():
+            if variation and not item.variations.filter(pk=variation.pk).exists():
                 raise ValidationError(_('This variation does not belong to this product.'))
-            if self.item.has_variations and not self.variation and self.block_quota:
+            if item.has_variations and not variation and data.get('block_quota'):
                 raise ValidationError(_('You can only block quota if you specify a specific product variation. '
                                         'Otherwise it might be unclear which quotas to block.'))
+            if item.category and item.category.is_addon:
+                raise ValidationError(_('It is currently not possible to create vouchers for add-on products.'))
         else:
             raise ValidationError(_('You need to specify either a quota or a product.'))
-        if self.event.has_subevents and self.block_quota and not self.subevent:
+
+    @staticmethod
+    def clean_max_usages(data, redeemed):
+        if data.get('max_usages', 1) < redeemed:
+            raise ValidationError(
+                _('This voucher has already been redeemed %(redeemed)s times. You cannot reduce the maximum number of '
+                  'usages below this number.'),
+                params={
+                    'redeemed': redeemed
+                }
+            )
+
+    @staticmethod
+    def clean_subevent(data, event):
+        if event.has_subevents and data.get('block_quota') and not data.get('subevent'):
             raise ValidationError(_('If you want this voucher to block quota, you need to select a specific date.'))
+        elif data.get('subevent') and not event.has_subevents:
+            raise ValidationError(_('You can not select a subevent if your event is not an event series.'))
+
+    @staticmethod
+    def clean_quota_needs_checking(data, old_instance, item_changed, creating):
+        # We only need to check for quota on vouchers that are now blocking quota and haven't
+        # before (or have blocked a different quota before)
+        if data.get('block_quota', False):
+            is_valid = data.get('valid_until') is None or data.get('valid_until') >= now()
+            if not is_valid:
+                # If the voucher is not valid, it won't block any quota
+                return False
+
+            if creating:
+                # This is a new voucher
+                return True
+
+            if not old_instance.block_quota:
+                # Change from nonblocking to blocking
+                return True
+
+            if old_instance.valid_until is not None and old_instance.valid_until < now():
+                # This voucher has been expired and is now valid again and therefore blocks quota again
+                return True
+
+            if item_changed:
+                # The voucher has been reassigned to a different item, variation or quota
+                return True
+
+            if data.get('subevent') != old_instance.subevent:
+                # The voucher has been reassigned to a different subevent
+                return True
+
+        return False
+
+    @staticmethod
+    def clean_quota_get_ignored(old_instance):
+        quotas = set()
+        was_valid = old_instance and (
+            old_instance.valid_until is None or old_instance.valid_until >= now()
+        )
+        if old_instance and old_instance.block_quota and was_valid:
+            if old_instance.quota:
+                quotas.add(old_instance.quota)
+            elif old_instance.variation:
+                quotas |= set(old_instance.variation.quotas.filter(
+                    subevent=old_instance.subevent))
+            elif old_instance.item:
+                quotas |= set(old_instance.item.quotas.filter(
+                    subevent=old_instance.subevent))
+        return quotas
+
+    @staticmethod
+    def clean_quota_check(data, cnt, old_instance, event, quota, item, variation):
+        old_quotas = Voucher.clean_quota_get_ignored(old_instance)
+
+        if event.has_subevents and data.get('block_quota') and not data.get('subevent'):
+            raise ValidationError(_('If you want this voucher to block quota, you need to select a specific date.'))
+
+        if quota:
+            if quota in old_quotas:
+                return
+            else:
+                avail = quota.availability(count_waitinglist=False)
+        elif item and item.has_variations and not variation:
+            raise ValidationError(_('You can only block quota if you specify a specific product variation. '
+                                    'Otherwise it might be unclear which quotas to block.'))
+        elif item and variation:
+            avail = variation.check_quotas(ignored_quotas=old_quotas, subevent=data.get('subevent'))
+        elif item and not item.has_variations:
+            avail = item.check_quotas(ignored_quotas=old_quotas, subevent=data.get('subevent'))
+        else:
+            raise ValidationError(_('You need to specify either a quota or a product.'))
+
+        if avail[0] != Quota.AVAILABILITY_OK or (avail[1] is not None and avail[1] < cnt):
+            raise ValidationError(_('You cannot create a voucher that blocks quota as the selected product or '
+                                    'quota is currently sold out or completely reserved.'))
+
+    @staticmethod
+    def clean_voucher_code(data, event, pk):
+        if 'code' in data and Voucher.objects.filter(Q(code=data['code']) & Q(event=event) & ~Q(pk=pk)).exists():
+            raise ValidationError(_('A voucher with this code already exists.'))
 
     def save(self, *args, **kwargs):
         self.code = self.code.upper()
         super().save(*args, **kwargs)
-        self.event.get_cache().set('vouchers_exist', True)
+        self.event.cache.set('vouchers_exist', True)
 
     def delete(self, using=None, keep_parents=False):
         super().delete(using, keep_parents)
-        self.event.get_cache().delete('vouchers_exist')
+        self.event.cache.delete('vouchers_exist')
 
     def is_in_cart(self) -> bool:
         """
@@ -251,7 +370,7 @@ class Voucher(LoggedModel):
             if self.price_mode == 'set':
                 return self.value
             elif self.price_mode == 'subtract':
-                return original_price - self.value
+                return max(original_price - self.value, Decimal('0.00'))
             elif self.price_mode == 'percent':
                 return round_decimal(original_price * (Decimal('100.00') - self.value) / Decimal('100.00'))
         return original_price