Bump version to 2.6.0

Merge pull request #1243 from pretix-translations/weblate-pretix-pretix
Update from Weblate
2025-12-10 01:12:28 +00:00 · 2019-04-03 16:02:39 +02:00 · 2019-04-03 15:02:23 +01:00 · 2019-04-03 14:02:01 +00:00 · 2019-04-03 13:26:15 +00:00 · 2019-04-03 15:19:57 +02:00
415 changed files with 187110 additions and 39768 deletions
--- a/.travis.sh
+++ b/.travis.sh
@@ -38,7 +38,7 @@ if [ "$1" == "translation-spelling" ]; then
 	potypo
 fi
 if [ "$1" == "tests" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt pytest-xdist
+	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
 	cd src
 	python manage.py check
 	make all compress
--- a/.travis.yml
+++ b/.travis.yml
@@ -22,6 +22,8 @@ matrix:
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_mysql.cfg
    - python: 3.6
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
+    - python: 3.5
+      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
    - python: 3.6
      env: JOB=plugins
    - python: 3.6
@@ -36,6 +38,9 @@ addons:
          - enchant
          - myspell-de-de
          - aspell-en
+          - sqlite3
+  sources:
+    - travis-ci/sqlite3
 branches:
  except:
  - /^weblate-.*/
--- a/43
+++ b/43
@@ -1,10 +1,26 @@
 FROM python:3.6

 RUN apt-get update && \
-    apt-get install -y git libxml2-dev libxslt1-dev python-dev python-virtualenv locales \
-      libffi-dev build-essential python3-dev zlib1g-dev libssl-dev gettext libpq-dev \
-      default-libmysqlclient-dev libmemcached-dev libjpeg-dev supervisor nginx sudo \
-	  --no-install-recommends && \
+    apt-get install -y --no-install-recommends \
+            build-essential \
+            default-libmysqlclient-dev \
+            gettext \
+            git \
+            libffi-dev \
+            libjpeg-dev \
+            libmemcached-dev \
+            libpq-dev \
+            libssl-dev \
+            libxml2-dev \
+            libxslt1-dev \
+            locales \
+            nginx \
+            python-dev \
+            python-virtualenv \
+            python3-dev \
+            sudo \
+            supervisor \
+            zlib1g-dev && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    dpkg-reconfigure locales && \
@@ -19,6 +35,22 @@ RUN apt-get update && \
 ENV LC_ALL=C.UTF-8 \
    DJANGO_SETTINGS_MODULE=production_settings

+# To copy only the requirements files needed to install from PIP
+COPY src/requirements /pretix/src/requirements
+COPY src/requirements.txt /pretix/src
+RUN pip3 install -U \
+        pip \
+        setuptools \
+        wheel && \
+    cd /pretix/src && \
+    pip3 install \
+        -r requirements.txt \
+        -r requirements/memcached.txt \
+        -r requirements/mysql.txt \
+        -r requirements/redis.txt \
+        gunicorn && \
+    rm -rf ~/.cache/pip
+
 COPY deployment/docker/pretix.bash /usr/local/bin/pretix
 COPY deployment/docker/supervisord.conf /etc/supervisord.conf
 COPY deployment/docker/nginx.conf /etc/nginx/nginx.conf
@@ -27,11 +59,8 @@ COPY src /pretix/src

 RUN chmod +x /usr/local/bin/pretix && \
    rm /etc/nginx/sites-enabled/default && \
-    pip3 install -U pip wheel setuptools && \
    cd /pretix/src && \
    rm -f pretix.cfg && \
-    pip3 install -r requirements.txt -r requirements/mysql.txt \
-    	-r requirements/memcached.txt -r requirements/redis.txt gunicorn && \
 	mkdir -p data && \
    chown -R pretixuser:pretixuser /pretix /data data && \
 	sudo -u pretixuser make production
--- a/doc/admin/config.rst
+++ b/doc/admin/config.rst
@@ -125,6 +125,23 @@ Example::
    Indicates if the database backend is a MySQL/MariaDB Galera cluster and
    turns on some optimizations/special case handlers. Default: ``False``

+Database replica settings
+-------------------------
+
+If you use a replicated database setup, pretix expects that the default database connection always points to the primary database node.
+Routing read queries to a replica on database layer is **strongly** discouraged since this can lead to inaccurate such as more tickets
+being sold than are actually available.
+
+However, pretix can still make use of a database replica to keep some expensive queries with that can tolerate some latency from your
+primary database, such as backend search queries. The ``replica`` configuration section can have the same settings as the ``database``
+section (except for the ``backend`` setting) and will default back to the ``database`` settings for all values that are not given. This
+way, you just need to specify the settings that are different for the replica.
+
+Example::
+
+    [replica]
+    host=192.168.0.2
+
 URLs
 ----

@@ -295,5 +312,13 @@ various places like order codes, secrets in the ticket QR codes, etc. Example::
    ; Voucher code needs to be < 255 characters, default is 16
    voucher_code=16

+External tools
+--------------
+
+pretix can make use of some external tools if they are installed. Currently, they are all optional. Example::
+
+    [tools]
+    pdftk=/usr/bin/pdftk
+
 .. _Python documentation: https://docs.python.org/3/library/configparser.html?highlight=configparser#supported-ini-file-structure
 .. _Celery documentation: http://docs.celeryproject.org/en/latest/userguide/configuration.html
--- a/doc/admin/installation/dev_version.rst
+++ b/doc/admin/installation/dev_version.rst
@@ -0,0 +1,37 @@
+.. highlight:: none
+
+Installing a development version
+================================
+
+If you want to use a feature of pretix that is not yet contained in the last monthly release, you can also
+install a development version with pretix.
+
+.. warning:: When in production, we strongly recommend only installing released versions. Development versions might
+             be broken, incompatible to plugins, or in rare cases incompatible to upgrade later on.
+
+
+Manual installation
+-------------------
+
+You can use ``pip`` to update pretix directly to the development branch. Then, upgrade as usual::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U "git+https://github.com/pretix/pretix.git#egg=pretix&subdirectory=src"
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    (venv)$ python -m pretix updatestyles
+    # systemctl restart pretix-web pretix-worker
+
+Docker installation
+-------------------
+
+To use the latest development version with Docker, first pull it from Docker Hub::
+
+    $ docker pull pretix/standalone:latest
+
+
+Then change your ``/etc/systemd/system/pretix.service`` file to use the ``:latest`` tag instead of ``:stable`` as well
+and upgrade as usual::
+
+    $ systemctl restart pretix.service
+    $ docker exec -it pretix.service pretix upgrade
--- a/doc/admin/installation/docker_smallscale.rst
+++ b/doc/admin/installation/docker_smallscale.rst
@@ -58,16 +58,29 @@ Database
 --------

 Next, we need a database and a database user. We can create these with any kind of database managing tool or directly on
-our database's shell, e.g. for MySQL::
+our database's shell. For PostgreSQL, we would do::

-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser -P pretix
+    # sudo -u postgres createdb -O pretix pretix

-Replace the asterisks with a password of your own. For MySQL, we will use a unix domain socket to connect to the
-database. For PostgreSQL, be sure to configure the interface binding and your firewall so that the docker container
-can reach PostgreSQL.
+Make sure that your database listens on the network. If PostgreSQL on the same same host as docker, but not inside a docker container, we recommend that you just listen on the Docker interface by changing the following line in ``/etc/postgresql/<version>/main/postgresql.conf``::
+
+    listen_addresses = 'localhost,172.17.0.1'
+
+You also need to add a new line to ``/etc/postgresql/<version>/main/pg_hba.conf`` to allow network connections to this user and database::
+
+    host    pretix          pretix          172.17.0.1/16           md5
+
+Restart PostgreSQL after you changed these files::
+
+    # systemctl restart postgresql
+
+If you have a firewall running, you should also make sure that port 5432 is reachable from the ``172.17.0.1/16`` subnet.
+
+For MySQL, you can either also use network-based connections or mount the ``/var/run/mysqld/mysqld.sock`` socket into the docker container.
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;

 Redis
 -----
@@ -114,13 +127,16 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
    datadir=/data

    [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; Replace postgresql with mysql for MySQL
+    backend=postgresql
    name=pretix
    user=pretix
+    ; Replace with the password you chose above
    password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; In most docker setups, 172.17.0.1 is the address of the docker host. Adjuts
+    ; this to wherever your database is running, e.g. the name of a linked container
+    ; or of a mounted MySQL socket.
+    host=172.17.0.1

    [mail]
    ; See config file documentation for more options
@@ -164,14 +180,15 @@ named ``/etc/systemd/system/pretix.service`` with the following content::
        -v /var/pretix-data:/data \
        -v /etc/pretix:/etc/pretix \
        -v /var/run/redis:/var/run/redis \
-        -v /var/run/mysqld:/var/run/mysqld \
        pretix/standalone:stable all
    ExecStop=/usr/bin/docker stop %n

    [Install]
    WantedBy=multi-user.target

-You can leave the MySQL socket volume out if you're using PostgreSQL. You can now run the following commands
+When using MySQL and socket mounting, you'll need the additional flag ``-v /var/run/mysqld:/var/run/mysqld`` in the command.
+
+You can now run the following commands
 to enable and start the service::

    # systemctl daemon-reload
--- a/doc/admin/installation/enterprise.rst
+++ b/doc/admin/installation/enterprise.rst
@@ -0,0 +1,84 @@
+.. highlight:: none
+
+Installing pretix Enterprise plugins
+====================================
+
+If you want to use a feature of pretix that is part of our commercial offering pretix Enterprise, you need to follow
+some extra steps. Installation works similar to normal pretix plugins, but involves a few extra steps.
+
+Buying the license
+------------------
+
+To obtain a license, please get in touch at sales@pretix.eu. Please let us know how many tickets you roughly intend
+to sell per year and how many servers you want to use the plugin on. We recommend having a look at our `price list`_
+first.
+
+
+Manual installation
+-------------------
+
+First, generate an SSH key for the system user that you install pretix as. In our tutorial, that would be the user
+``pretix``. Choose an empty passphrase::
+
+    # su pretix
+    $ ssh-keygen
+    Generating public/private rsa key pair.
+    Enter file in which to save the key (/var/pretix/.ssh/id_rsa):
+    Enter passphrase (empty for no passphrase):
+    Enter same passphrase again:
+    Your identification has been saved in /var/pretix/.ssh/id_rsa.
+    Your public key has been saved in /var/pretix/.ssh/id_rsa.pub.
+
+Next, send the content of the *public* key to your sales representative at pretix::
+
+    $ cat /var/pretix/.ssh/id_rsa.pub
+    ssh-rsa AAAAB3N...744HZawHlD pretix@foo
+
+After we configured your key in our system, you can install the plugin directly using ``pip`` from the URL we told
+you, for example::
+
+    $ source /var/pretix/venv/bin/activate
+    (venv)$ pip3 install -U "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack"
+    (venv)$ python -m pretix migrate
+    (venv)$ python -m pretix rebuild
+    # systemctl restart pretix-web pretix-worker
+
+Docker installation
+-------------------
+
+To install a plugin, you need to build your own docker image. To do so, create a new directory to work in. As a first
+step, generate a new SSH key in that directory to use for authentication with us::
+
+    $ cd /home/me/mypretixdocker
+    $ ssh-keygen -N "" -f id_pretix_enterprise
+
+Next, send the content of the *public* key to your sales representative at pretix::
+
+    $ cat id_pretix_enterprise.pub
+    ssh-rsa AAAAB3N...744HZawHlD pretix@foo
+
+After we configured your key in our system, you can add a ``Dockerfile`` in your directory that includes the newly
+generated key and installs the plugin from the URL we told you::
+
+    FROM pretix/standalone:stable
+    USER root
+    COPY id_pretix_enterprise /root/.ssh/id_rsa
+    COPY id_pretix_enterprise.pub /root/.ssh/id_rsa.pub
+    RUN chmod -R 0600 /root/.ssh && \
+        mkdir -p /etc/ssh && \
+        ssh-keyscan -t rsa -p 10022 code.rami.io >> /root/.ssh/known_hosts && \
+        echo StrictHostKeyChecking=no >> /root/.ssh/config && \
+        pip3 install -Ue "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack" && \
+        cd /pretix/src && \
+        sudo -u pretixuser make production
+    USER pretixuser
+
+Then, build the image for docker::
+
+    $ docker build -t mypretix
+
+You can now use that image ``mypretix`` instead of ``pretix/standalone:stable`` in your ``/etc/systemd/system/pretix.service``
+service file. Be sure to re-build your custom image after you pulled ``pretix/standalone`` if you want to perform an
+update to a new version of pretix.
+
+.. _price list: https://pretix.eu/about/en/pricing
--- a/doc/admin/installation/index.rst
+++ b/doc/admin/installation/index.rst
@@ -10,3 +10,5 @@ for your needs.
   general
   docker_smallscale
   manual_smallscale
+   dev_version
+   enterprise
--- a/doc/admin/installation/manual_smallscale.rst
+++ b/doc/admin/installation/manual_smallscale.rst
@@ -50,21 +50,27 @@ Database
 --------

 Having the database server installed, we still need a database and a database user. We can create these with any kind
-of database managing tool or directly on our database's shell, e.g. for MySQL::
+of database managing tool or directly on our database's shell. For PostgreSQL, we would do::

-    $ mysql -u root -p
-    mysql> CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
-    mysql> GRANT ALL PRIVILEGES ON pretix.* TO pretix@'localhost' IDENTIFIED BY '*********';
-    mysql> FLUSH PRIVILEGES;
+    # sudo -u postgres createuser pretix
+    # sudo -u postgres createdb -O pretix pretix
+
+When using MySQL, make sure you set the character set of the database to ``utf8mb4``, e.g. like this::
+
+    mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;

 Package dependencies
 --------------------

 To build and run pretix, you will need the following debian packages::

-    # apt-get install git build-essential python-dev python-virtualenv python3 python3-pip \
+    # apt-get install git build-essential python-dev python3-venv python3 python3-pip \
                      python3-dev libxml2-dev libxslt1-dev libffi-dev zlib1g-dev libssl-dev \
-                      gettext libpq-dev libmysqlclient-dev libjpeg-dev
+                      gettext libpq-dev libmariadbclient-dev libjpeg-dev libopenjp2-7-dev
+
+.. note:: Python 3.7 is not yet supported, so if you run a very recent OS, make sure to get
+          Python 3.6 from somewhere. You can check the current state of things in our
+          `Python 3.7 issue`_.

 Config file
 -----------
@@ -85,13 +91,18 @@ Fill the configuration file ``/etc/pretix/pretix.cfg`` with the following conten
    datadir=/var/pretix/data

    [database]
-    ; Replace mysql with postgresql_psycopg2 for PostgreSQL
-    backend=mysql
+    ; For MySQL, replace with "mysql"
+    backend=postgresql
    name=pretix
    user=pretix
-    password=*********
-    ; Replace with host IP address for PostgreSQL
-    host=/var/run/mysqld/mysqld.sock
+    ; For MySQL, enter the user password. For PostgreSQL on the same host,
+    ; we don't need one because we can use peer authentification if our
+    ; PostgreSQL user matches our unix user.
+    password=
+    ; For MySQL, use local socket, e.g. /var/run/mysqld/mysqld.sock
+    ; For a remote host, supply an IP address
+    ; For local postgres authentication, you can leave it empty
+    host=

    [mail]
    ; See config file documentation for more options
@@ -115,14 +126,14 @@ Now we will install pretix itself. The following steps are to be executed as the
 actually install pretix, we will create a virtual environment to isolate the python packages from your global
 python installation::

-    $ virtualenv -p python3 /var/pretix/venv
+    $ python3 -m venv /var/pretix/venv
    $ source /var/pretix/venv/bin/activate
    (venv)$ pip3 install -U pip setuptools wheel

-We now install pretix, its direct dependencies and gunicorn. Replace ``mysql`` with ``postgres`` in the following
-command if you're running PostgreSQL::
+We now install pretix, its direct dependencies and gunicorn. Replace ``postgres`` with ``mysql`` in the following
+command if you're running MySQL::

-    (venv)$ pip3 install "pretix[mysql]" gunicorn
+    (venv)$ pip3 install "pretix[postgres]" gunicorn

 Note that you need Python 3.5 or newer. You can find out your Python version using ``python -V``.

@@ -268,10 +279,10 @@ Updates
 .. warning:: While we try hard not to break things, **please perform a backup before every upgrade**.

 To upgrade to a new pretix release, pull the latest code changes and run the following commands (again, replace
-``mysql`` with ``postgres`` if necessary)::
+``postgres`` with ``mysql`` if necessary)::

    $ source /var/pretix/venv/bin/activate
-    (venv)$ pip3 install -U pretix[mysql] gunicorn
+    (venv)$ pip3 install -U pretix[postgres] gunicorn
    (venv)$ python -m pretix migrate
    (venv)$ python -m pretix rebuild
    (venv)$ python -m pretix updatestyles
@@ -303,3 +314,4 @@ example::
 .. _redis: https://blog.programster.org/debian-8-install-redis-server/
 .. _ufw: https://en.wikipedia.org/wiki/Uncomplicated_Firewall
 .. _strong encryption settings: https://mozilla.github.io/server-side-tls/ssl-config-generator/
+.. _Python 3.7 issue: https://github.com/pretix/pretix/issues/1025
--- a/doc/api/resources/categories.rst
+++ b/doc/api/resources/categories.rst
@@ -20,7 +20,7 @@ internal_name                         string                     An optional nam
 description                           multi-lingual string       A public description (might include markdown, can
                                                                 be ``null``)
 position                              integer                    An integer, used for sorting the categories
-is_addon                              boolean                    If ``True``, items within this category are not on sale
+is_addon                              boolean                    If ``true``, items within this category are not on sale
                                                                 on their own but the category provides a source for
                                                                 defining add-ons for other products.
 ===================================== ========================== =======================================================
--- a/doc/api/resources/checkinlists.rst
+++ b/doc/api/resources/checkinlists.rst
@@ -156,14 +156,14 @@ Endpoints
        "checkin_count": 17,
        "position_count": 42,
        "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference"
        },
        "items": [
          {
            "name": "T-Shirt",
            "id": 1,
            "checkin_count": 1,
-            "admission": False,
+            "admission": false,
            "position_count": 1,
            "variations": [
              {
@@ -184,7 +184,7 @@ Endpoints
            "name": "Ticket",
            "id": 2,
            "checkin_count": 15,
-            "admission": True,
+            "admission": true,
            "position_count": 22,
            "variations": []
          }
@@ -445,6 +445,8 @@ Order position endpoints
   The result format is the same as the :ref:`order-position-resource`, with one important difference: the
   ``checkins`` value will only include check-ins for the selected list.

+   **Instead of an ID, you can also use the ``secret`` field as the lookup parameter.**
+
   **Example request**:

   .. sourcecode:: http
@@ -516,6 +518,8 @@ Order position endpoints
   Tries to redeem an order position, identified by its internal ID, i.e. checks the attendee in. This endpoint
   accepts a number of optional requests in the body.

+   **Instead of an ID, you can also use the ``secret`` field as the lookup parameter.**
+
   :<json boolean questions_supported: When this parameter is set to ``true``, handling of questions is supported. If
                                       you do not implement question handling in your user interface, you **must**
                                       set this to ``false``. In that case, questions will just be ignored. Defaults
@@ -561,7 +565,10 @@ Order position endpoints
      Content-Type: application/json

      {
-        "status": "ok"
+        "status": "ok",
+        "position": {
+          …
+        }
      }

   **Example response with required questions**:
@@ -572,7 +579,10 @@ Order position endpoints
      Content-Type: text/json

      {
-        "status": "incomplete"
+        "status": "incomplete",
+        "position": {
+          …
+        },
        "questions": [
          {
            "id": 1,
@@ -617,6 +627,9 @@ Order position endpoints
      {
        "status": "error",
        "reason": "unpaid",
+        "position": {
+          …
+        }
      }

   Possible error reasons:
--- a/doc/api/resources/events.rst
+++ b/doc/api/resources/events.rst
@@ -15,6 +15,7 @@ name                                  multi-lingual string       The event's ful
 slug                                  string                     A short form of the name, used e.g. in URLs.
 live                                  boolean                    If ``true``, the event ticket shop is publicly
                                                                 available.
+testmode                              boolean                    If ``true``, the ticket shop is in test mode.
 currency                              string                     The currency this event is handled in.
 date_from                             datetime                   The event's start date
 date_to                               datetime                   The event's end date (or ``null``)
@@ -24,7 +25,7 @@ is_public                             boolean                    If ``true``, th
 presale_start                         datetime                   The date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The event location (or ``null``)
-has_subevents                         boolean                    ``True`` if the event series feature is active for this
+has_subevents                         boolean                    ``true`` if the event series feature is active for this
                                                                 event. Cannot change after event is created.
 meta_data                             dict                       Values set for organizer-specific meta data parameters.
 plugins                               list                       A list of package names of the enabled plugins for this
@@ -45,6 +46,10 @@ plugins                               list                       A list of packa

   Filters have been added to the list of events.

+.. versionchanged:: 2.5
+
+   The ``testmode`` attribute has been added.
+
 Endpoints
 ---------

@@ -79,6 +84,7 @@ Endpoints
            "name": {"en": "Sample Conference"},
            "slug": "sampleconf",
            "live": false,
+            "testmode": false,
            "currency": "EUR",
            "date_from": "2017-12-27T10:00:00Z",
            "date_to": null,
@@ -137,6 +143,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -183,6 +190,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -211,6 +219,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -259,6 +268,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -287,6 +297,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -347,6 +358,7 @@ Endpoints
        "name": {"en": "Sample Conference"},
        "slug": "sampleconf",
        "live": false,
+        "testmode": false,
        "currency": "EUR",
        "date_from": "2017-12-27T10:00:00Z",
        "date_to": null,
@@ -367,7 +379,7 @@ Endpoints

   :param organizer: The ``slug`` field of the organizer of the event to update
   :param event: The ``slug`` field of the event to update
-   :statuscode 201: no error
+   :statuscode 200: no error
   :statuscode 400: The event could not be created due to invalid submitted data.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
--- a/doc/api/resources/index.rst
+++ b/doc/api/resources/index.rst
@@ -11,6 +11,7 @@ Resources and endpoints
   categories
   items
   item_variations
+   item_bundles
   item_add-ons
   questions
   question_options
--- a/doc/api/resources/invoices.rst
+++ b/doc/api/resources/invoices.rst
@@ -13,7 +13,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 number                                string                     Invoice number (with prefix)
 order                                 string                     Order code of the order this invoice belongs to
-is_cancellation                       boolean                    ``True``, if this invoice is the cancellation of a
+is_cancellation                       boolean                    ``true``, if this invoice is the cancellation of a
                                                                 different invoice.
 invoice_from                          string                     Sender address
 invoice_to                            string                     Receiver address
--- a/doc/api/resources/item_add-ons.rst
+++ b/doc/api/resources/item_add-ons.rst
@@ -189,7 +189,7 @@ Endpoints

      {
        "min_count": 0,
-        "max_count": 10,
+        "max_count": 10
      }

   **Example response**:
--- a/doc/api/resources/item_bundles.rst
+++ b/doc/api/resources/item_bundles.rst
@@ -0,0 +1,242 @@
+Item bundles
+============
+
+Resource description
+--------------------
+
+With bundles, you can specify products that are included within other products. There are two premier use cases of this:
+
+* Package discounts. For example, you could offer a discounted package that includes three tickets but can only be
+  bought as a whole. With a bundle including three times the usual product, the package will automatically pull three
+  sub-items into the cart, making sure of correct quota calculation and issuance of the correct number of tickets.
+
+* Tax splitting. For example, if your conference ticket includes a part that is subject to different taxation and that
+  you need to put on the invoice separately. When you putting a "designated price" on a bundled sub-item, pretix will
+  use that price to show a split taxation.
+
+The bundles resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the bundling configuration
+bundled_item                          integer                    Internal ID of the item that is included.
+bundled_variation                     integer                    Internal ID of the variation of the item (or ``null``).
+count                                 integer                    Number of items included
+designated_price                      money (string)             Designated price of the bundled product. This will be
+                                                                 used to split the price of the base item e.g. for mixed
+                                                                 taxation. This is not added to the price.
+===================================== ========================== =======================================================
+
+.. versionchanged:: 2.6
+
+   This resource has been added.
+
+Endpoints
+---------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/
+
+   Returns a list of all bundles for a given item.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/11/bundles/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 2,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 3,
+            "bundled_item": 3,
+            "bundled_variation": null,
+            "count": 1,
+            "designated_price": "0.00"
+          },
+          {
+            "id": 3,
+            "bundled_item": 3,
+            "bundled_variation": null,
+            "count": 2,
+            "designated_price": "1.50"
+          }
+        ]
+      }
+
+   :query integer page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/item does not exist **or** you have no permission to view this resource.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/(id)/
+
+   Returns information on one bundle configuration, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param item: The ``id`` field of the item to fetch
+   :param id: The ``id`` field of the bundle to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+.. http:post:: /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/
+
+   Creates a new bundle configuration
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer of the event/item to create a bundle-configuration for
+   :param event: The ``slug`` field of the event to create a bundle configuration for
+   :param item: The ``id`` field of the item to create a bundle configuration for
+   :statuscode 201: no error
+   :statuscode 400: The bundle could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this resource.
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/(id)/
+
+   Update a bundle configuration. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all
+   fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields
+   that you want to change.
+
+   You can change all fields of the resource except the ``id`` field.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/3/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 94
+
+      {
+        "count": 2
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 3,
+        "bundled_item": 3,
+        "bundled_variation": null,
+        "count": 2,
+        "designated_price": "1.50"
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param item: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the bundle to modify
+   :statuscode 200: no error
+   :statuscode 400: The bundle configuration could not be modified due to invalid submitted data
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to change this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/items/(id)/bundles/(id)/
+
+   Delete a bundle configuration.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/items/1/bundles/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the item to modify
+   :param id: The ``id`` field of the bundle to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource.
--- a/doc/api/resources/item_variations.rst
+++ b/doc/api/resources/item_variations.rst
@@ -18,7 +18,7 @@ default_price                         money (string)             The price set d
 price                                 money (string)             The price used for this variation. This is either the
                                                                 same as ``default_price`` if that value is set or equal
                                                                 to the item's ``default_price`` (read-only).
-active                                boolean                    If ``False``, this variation will not be sold or shown.
+active                                boolean                    If ``false``, this variation will not be sold or shown.
 description                           multi-lingual string       A public description of the variation. May contain
                                                                 Markdown syntax or can be ``null``.
 position                              integer                    An integer, used for sorting
--- a/doc/api/resources/items.rst
+++ b/doc/api/resources/items.rst
@@ -21,32 +21,34 @@ default_price                         money (string)             The item price
                                                                 overwritten by variations or other options.
 category                              integer                    The ID of the category this item belongs to
                                                                 (or ``null``).
-active                                boolean                    If ``False``, the item is hidden from all public lists
+active                                boolean                    If ``false``, the item is hidden from all public lists
                                                                 and will not be sold.
 description                           multi-lingual string       A public description of the item. May contain Markdown
                                                                 syntax or can be ``null``.
-free_price                            boolean                    If ``True``, customers can change the price at which
+free_price                            boolean                    If ``true``, customers can change the price at which
                                                                 they buy the product (however, the price can't be set
                                                                 lower than the price defined by ``default_price`` or
                                                                 otherwise).
 tax_rate                              decimal (string)           The VAT rate to be applied for this item.
 tax_rule                              integer                    The internal ID of the applied tax rule (or ``null``).
-admission                             boolean                    ``True`` for items that grant admission to the event
-                                                                 (such as primary tickets) and ``False`` for others
+admission                             boolean                    ``true`` for items that grant admission to the event
+                                                                 (such as primary tickets) and ``false`` for others
                                                                 (such as add-ons or merchandise).
 position                              integer                    An integer, used for sorting
 picture                               string                     A product picture to be displayed in the shop
-                                                                 (read-only).
+                                                                 (read-only, can be ``null``).
+sales_channels                        list of strings            Sales channels this product is available on, such as
+                                                                 ``"web"`` or ``"resellers"``. Defaults to ``["web"]``.
 available_from                        datetime                   The first date time at which this item can be bought
                                                                 (or ``null``).
 available_until                       datetime                   The last date time at which this item can be bought
                                                                 (or ``null``).
-require_voucher                       boolean                    If ``True``, this item can only be bought using a
+require_voucher                       boolean                    If ``true``, this item can only be bought using a
                                                                 voucher that is specifically assigned to this item.
-hide_without_voucher                  boolean                    If ``True``, this item is only shown during the voucher
+hide_without_voucher                  boolean                    If ``true``, this item is only shown during the voucher
                                                                 redemption process, but not in the normal shop
                                                                 frontend.
-allow_cancel                          boolean                    If ``False``, customers cannot cancel orders containing
+allow_cancel                          boolean                    If ``false``, customers cannot cancel orders containing
                                                                 this item.
 min_per_order                         integer                    This product can only be bought if it is included at
                                                                 least this many times in the order (or ``null`` for no
@@ -54,14 +56,21 @@ min_per_order                         integer                    This product ca
 max_per_order                         integer                    This product can only be bought if it is included at
                                                                 most this many times in the order (or ``null`` for no
                                                                 limitation).
-checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
                                                                 that this ticket requires special attention if such
                                                                 a product is being scanned.
 original_price                        money (string)             An original price, shown for comparison, not used
-                                                                 for price calculations.
-require_approval                      boolean                    If ``True``, orders with this product will need to be
+                                                                 for price calculations (or ``null``).
+require_approval                      boolean                    If ``true``, orders with this product will need to be
                                                                 approved by the event organizer before they can be
                                                                 paid.
+require_bundling                      boolean                    If ``true``, this item is only available as part of bundles.
+generate_tickets                      boolean                    If ``false``, tickets are never generated for this
+                                                                 product, regardless of other settings. If ``true``,
+                                                                 tickets are generated even if this is a
+                                                                 non-admission or add-on product, regardless of event
+                                                                 settings. If this is ``null``, regular ticketing
+                                                                 rules apply.
 has_variations                        boolean                    Shows whether or not this item has variations.
 variations                            list of objects            A list with one object for each variation of this item.
                                                                 Can be empty. Only writable during creation,
@@ -72,7 +81,7 @@ variations                            list of objects            A list with one
 ├ price                               money (string)             The price used for this variation. This is either the
                                                                 same as ``default_price`` if that value is set or equal
                                                                 to the item's ``default_price``.
-├ active                              boolean                    If ``False``, this variation will not be sold or shown.
+├ active                              boolean                    If ``false``, this variation will not be sold or shown.
 ├ description                         multi-lingual string       A public description of the variation. May contain
                                                                 Markdown syntax or can be ``null``.
 └ position                            integer                    An integer, used for sorting
@@ -83,8 +92,17 @@ addons                                list of objects            Definition of a
                                                                 chosen from.
 ├ min_count                           integer                    The minimal number of add-ons that need to be chosen.
 ├ max_count                           integer                    The maximal number of add-ons that can be chosen.
-└ position                            integer                    An integer, used for sorting
+├ position                            integer                    An integer, used for sorting
 └ price_included                      boolean                    Adding this add-on to the item is free
+bundles                               list of objects            Definition of bundles that are included in this item.
+                                                                 Only writable during creation,
+                                                                 use separate endpoint to modify this later.
+├ bundled_item                        integer                    Internal ID of the item that is included.
+├ bundled_variation                   integer                    Internal ID of the variation of the item (or ``null``).
+├ count                               integer                    Number of items included
+└ designated_price                    money (string)             Designated price of the bundled product. This will be
+                                                                 used to split the price of the base item e.g. for mixed
+                                                                 taxation. This is not added to the price.
 ===================================== ========================== =======================================================

 .. versionchanged:: 1.7
@@ -105,15 +123,28 @@ addons                                list of objects            Definition of a

   The field ``require_approval`` has been added.

+.. versionchanged:: 2.3
+
+   The ``sales_channels`` attribute has been added.
+
+.. versionchanged:: 2.4
+
+   The ``generate_tickets`` attribute has been added.
+
+.. versionchanged:: 2.6
+
+   The ``bundles`` and ``require_bundling`` attributes have been added.
+
 Notes
 -----
+
 Please note that an item either always has variations or never has. Once created with variations the item can never
 change to an item without and vice versa. To create an item with variations ensure that you POST an item with at least
 one variation.

-Also note that ``variations`` and ``addons`` are only supported on ``POST``. To update/delete variations and add-ons please
-use the dedicated nested endpoints. By design this endpoint does not support ``PATCH`` and ``PUT`` with nested
-``variations`` and/or ``addons``.
+Also note that ``variations``, ``bundles``, and  ``addons`` are only supported on ``POST``. To update/delete variations,
+bundles, and add-ons please use the dedicated nested endpoints. By design this endpoint does not support ``PATCH`` and ``PUT``
+with nested ``variations``, ``bundles`` and/or ``addons``.

 Endpoints
 ---------
@@ -147,6 +178,7 @@ Endpoints
            "id": 1,
            "name": {"en": "Standard ticket"},
            "internal_name": "",
+            "sales_channels": ["web"],
            "default_price": "23.00",
            "original_price": null,
            "category": null,
@@ -167,7 +199,9 @@ Endpoints
            "max_per_order": null,
            "checkin_attention": false,
            "has_variations": false,
+            "generate_tickets": null,
            "require_approval": false,
+            "require_bundling": false,
            "variations": [
              {
                 "value": {"en": "Student"},
@@ -186,7 +220,8 @@ Endpoints
                 "position": 1
              }
            ],
-            "addons": []
+            "addons": [],
+            "bundles": []
          }
        ]
      }
@@ -232,6 +267,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Standard ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "23.00",
        "original_price": null,
        "category": null,
@@ -248,11 +284,13 @@ Endpoints
        "require_voucher": false,
        "hide_without_voucher": false,
        "allow_cancel": true,
+        "generate_tickets": null,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
        "has_variations": false,
        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -271,7 +309,8 @@ Endpoints
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   :param organizer: The ``slug`` field of the organizer to fetch
@@ -298,6 +337,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Standard ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "23.00",
        "original_price": null,
        "category": null,
@@ -314,10 +354,12 @@ Endpoints
        "require_voucher": false,
        "hide_without_voucher": false,
        "allow_cancel": true,
+        "generate_tickets": null,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -336,7 +378,8 @@ Endpoints
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   **Example response**:
@@ -351,6 +394,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Standard ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "23.00",
        "original_price": null,
        "category": null,
@@ -369,9 +413,11 @@ Endpoints
        "allow_cancel": true,
        "min_per_order": null,
        "max_per_order": null,
+        "generate_tickets": null,
        "checkin_attention": false,
        "has_variations": true,
        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -390,7 +436,8 @@ Endpoints
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   :param organizer: The ``slug`` field of the organizer of the event to create an item for
@@ -436,6 +483,7 @@ Endpoints
        "id": 1,
        "name": {"en": "Ticket"},
        "internal_name": "",
+        "sales_channels": ["web"],
        "default_price": "25.00",
        "original_price": null,
        "category": null,
@@ -451,12 +499,14 @@ Endpoints
        "available_until": null,
        "require_voucher": false,
        "hide_without_voucher": false,
+        "generate_tickets": null,
        "allow_cancel": true,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
        "has_variations": true,
        "require_approval": false,
+        "require_bundling": false,
        "variations": [
          {
             "value": {"en": "Student"},
@@ -475,7 +525,8 @@ Endpoints
             "position": 1
          }
        ],
-        "addons": []
+        "addons": [],
+        "bundles": []
      }

   :param organizer: The ``slug`` field of the organizer to modify
--- a/doc/api/resources/orders.rst
+++ b/doc/api/resources/orders.rst
@@ -26,23 +26,26 @@ status                                string                     Order status, o
                                                                 * ``p`` – paid
                                                                 * ``e`` – expired
                                                                 * ``c`` – canceled
-                                                                 * ``r`` – refunded
+testmode                              boolean                    If ``true``, this order was created when the event was in
+                                                                 test mode. Only orders in test mode can be deleted.
 secret                                string                     The secret contained in the link sent to the customer
 email                                 string                     The customer email address
 locale                                string                     The locale used for communication with this customer
+sales_channel                         string                     Channel this sale was created through, such as
+                                                                 ``"web"``.
 datetime                              datetime                   Time of order creation
 expires                               datetime                   The order will expire, if it is still pending by this time
 payment_date                          date                       **DEPRECATED AND INACCURATE** Date of payment receipt
 payment_provider                      string                     **DEPRECATED AND INACCURATE** Payment provider used for this order
 total                                 money (string)             Total value of this order
 comment                               string                     Internal comment on this order
-checkin_attention                     boolean                    If ``True``, the check-in app should show a warning
+checkin_attention                     boolean                    If ``true``, the check-in app should show a warning
                                                                 that this ticket requires special attention if a ticket
                                                                 of this order is scanned.
 invoice_address                       object                     Invoice address information (can be ``null``)
 ├ last_modified                       datetime                   Last modification date of the address
 ├ company                             string                     Customer company name
-├ is_business                         boolean                    Business or individual customers (always ``False``
+├ is_business                         boolean                    Business or individual customers (always ``false``
                                                                 for orders created before pretix 1.7, do not rely on
                                                                 it).
 ├ name                                string                     Customer name
@@ -53,12 +56,12 @@ invoice_address                       object                     Invoice address
 ├ country                             string                     Customer country
 ├ internal_reference                  string                     Customer's internal reference to be printed on the invoice
 ├ vat_id                              string                     Customer VAT ID
-└ vat_id_validated                    string                     ``True``, if the VAT ID has been validated against the
+└ vat_id_validated                    string                     ``true``, if the VAT ID has been validated against the
                                                                 EU VAT service and validation was successful. This only
                                                                 happens in rare cases.
-positions                             list of objects            List of order positions (see below)
-fees                                  list of objects            List of fees included in the order total (i.e.
-                                                                 payment fees)
+positions                             list of objects            List of non-canceled order positions (see below)
+fees                                  list of objects            List of non-canceled fees included in the order total
+                                                                 (i.e. payment fees)
 ├ fee_type                            string                     Type of fee (currently ``payment``, ``passbook``,
                                                                 ``other``)
 ├ value                               money (string)             Fee amount
@@ -75,9 +78,9 @@ downloads                             list of objects            List of ticket
                                                                 download options.
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
 └ url                                 string                     Download URL
-require_approval                      boolean                    If ``True`` and the order is pending, this order
+require_approval                      boolean                    If ``true`` and the order is pending, this order
                                                                 needs approval by an organizer before it can
-                                                                 continue. If ``True`` and the order is canceled,
+                                                                 continue. If ``true`` and the order is canceled,
                                                                 this order has been denied by the event organizer.
 payments                              list of objects            List of payment processes (see below)
 refunds                               list of objects            List of refund processes (see below)
@@ -121,6 +124,19 @@ last_modified                         datetime                   Last modificati
   nested ``payments`` and ``refunds`` resources, but will still be served and removed in 2.2. The ``require_approval``
   attribute has been added, as have been the ``…/approve/`` and ``…/deny/`` endpoints.

+.. versionchanged:: 2.3
+
+   The ``sales_channel`` attribute has been added.
+
+.. versionchanged:: 2.4:
+
+   ``order.status`` can no longer be ``r``, ``…/mark_canceled/`` now accepts a ``cancellation_fee`` parameter and
+   ``…/mark_refunded/`` has been deprecated.
+
+.. versionchanged:: 2.5:
+
+   The ``testmode`` attribute has been added and ``DELETE`` has been implemented for orders.
+
 .. _order-position-resource:

 Order position resource
@@ -262,9 +278,11 @@ List of all orders
          {
            "code": "ABC12",
            "status": "p",
+            "testmode": false,
            "secret": "k24fiuwvu8kxz3y1",
            "email": "tester@example.org",
            "locale": "en",
+            "sales_channel": "web",
            "datetime": "2017-12-01T10:00:00Z",
            "expires": "2017-12-10T10:00:00Z",
            "last_modified": "2017-12-01T10:00:00Z",
@@ -277,7 +295,7 @@ List of all orders
            "require_approval": false,
            "invoice_address": {
                "last_modified": "2017-12-01T10:00:00Z",
-                "is_business": True,
+                "is_business": true,
                "company": "Sample company",
                "name": "John Doe",
                "name_parts": {"full_name": "John Doe"},
@@ -287,7 +305,7 @@ List of all orders
                "country": "Testikistan",
                "internal_reference": "",
                "vat_id": "EU123456789",
-                "vat_id_validated": False
+                "vat_id_validated": false
            },
            "positions": [
              {
@@ -355,15 +373,19 @@ List of all orders
      }

   :query integer page: The page number in case of a multi-page result set, default is 1
-   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``datetime``, ``code`` and
-                           ``status``. Default: ``datetime``
+   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``datetime``, ``code``,
+                           ``last_modified``, and ``status``. Default: ``datetime``
   :query string code: Only return orders that match the given order code
   :query string status: Only return orders in the given order status (see above)
+   :query boolean testmode: Only return orders with ``testmode`` set to ``true`` or ``false``
   :query boolean require_approval: If set to ``true`` or ``false``, only categories with this value for the field
                                    ``require_approval`` will be returned.
   :query string email: Only return orders created with the given email address
   :query string locale: Only return orders with the given customer locale
-   :query datetime modified_since: Only return orders that have changed since the given date
+   :query datetime modified_since: Only return orders that have changed since the given date. Be careful: We only
+       recommend using this in combination with ``testmode=false``, since test mode orders can vanish at any time and
+       you will not notice it using this method.
+   :query datetime created_since: Only return orders that have been created since the given date.
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
   :resheader X-Page-Generated: The server time at the beginning of the operation. If you're using this API to fetch
@@ -398,9 +420,11 @@ Fetching individual orders
      {
        "code": "ABC12",
        "status": "p",
+        "testmode": false,
        "secret": "k24fiuwvu8kxz3y1",
        "email": "tester@example.org",
        "locale": "en",
+        "sales_channel": "web",
        "datetime": "2017-12-01T10:00:00Z",
        "expires": "2017-12-10T10:00:00Z",
        "last_modified": "2017-12-01T10:00:00Z",
@@ -414,7 +438,7 @@ Fetching individual orders
        "invoice_address": {
            "last_modified": "2017-12-01T10:00:00Z",
            "company": "Sample company",
-            "is_business": True,
+            "is_business": true,
            "name": "John Doe",
            "name_parts": {"full_name": "John Doe"},
            "street": "Test street 12",
@@ -423,7 +447,7 @@ Fetching individual orders
            "country": "Testikistan",
            "internal_reference": "",
            "vat_id": "EU123456789",
-            "vat_id_validated": False
+            "vat_id_validated": false
        },
        "positions": [
          {
@@ -540,6 +564,123 @@ Order ticket download
   :statuscode 409: The file is not yet ready and will now be prepared. Retry the request after waiting for a few
                          seconds.

+Updating order fields
+---------------------
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/
+
+   Updates specific fields on an order. Currently, only the following fields are supported:
+
+   * ``email``
+
+   * ``checkin_attention``
+
+   * ``locale``
+
+   * ``comment``
+
+   * ``invoice_address`` (you always need to supply the full object, or ``null`` to delete the current address)
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+
+      {
+        "email": "other@example.org",
+        "locale": "de",
+        "comment": "Foo",
+        "checkin_attention": true
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      (Full order resource, see above.)
+
+   :param organizer: The ``slug`` field of the organizer of the event
+   :param event: The ``slug`` field of the event
+   :param code: The ``code`` field of the order to update
+
+   :statuscode 200: no error
+   :statuscode 400: The order could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this order.
+
+Generating new secrets
+----------------------
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/regenerate_secrets/
+
+   Triggers generation of new ``secret`` attributes for both the order and all order positions.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/regenerate_secrets/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      (Full order resource, see above.)
+
+   :param organizer: The ``slug`` field of the organizer of the event
+   :param event: The ``slug`` field of the event
+   :param code: The ``code`` field of the order to update
+
+   :statuscode 200: no error
+   :statuscode 400: The order could not be updated due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this order.
+
+Deleting orders
+---------------
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/
+
+   Deletes an order. Works only if the order has ``testmode`` set to ``true``.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+      Content-Type: application/json
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param code: The ``code`` field of the order to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource **or** the order may not be deleted.
+   :statuscode 404: The requested order does not exist.
+
 Creating orders
 ---------------

@@ -561,6 +702,8 @@ Creating orders

       * does not validate if products are only to be sold in a specific time frame

+       * does not validate if products are only to be sold on other sales channels
+
       * does not validate if the event's ticket sales are already over or haven't started

       * does not validate the number of items per order or the number of times an item can be included in an order
@@ -592,11 +735,13 @@ Creating orders
     or in state ``confirmed``, depending on this value. If you create a paid order, the ``order_paid`` signal will
     **not** be sent out to plugins and no email will be sent. If you want that behavior, create an unpaid order and
     then call the ``mark_paid`` API method.
+   * ``testmode`` (optional) – Defaults to ``false``
   * ``consume_carts`` (optional) – A list of cart IDs. All cart positions with these IDs will be deleted if the
     order creation is successful. Any quotas that become free by this operation will be credited to your order
     creation.
   * ``email``
   * ``locale``
+   * ``sales_channel``
   * ``payment_provider`` – The identifier of the payment provider set for this order. This needs to be an existing
     payment provider. You should use ``"free"`` for free orders, and we strongly advise to use ``"manual"`` for all
     orders you create as paid.
@@ -644,6 +789,8 @@ Creating orders
      * ``internal_type``
      * ``tax_rule``

+   * ``force`` (optional). If set to ``true``, quotas will be ignored.
+
   If you want to use add-on products, you need to set the ``positionid`` fields of all positions manually
   to incrementing integers starting with ``1``. Then, you can reference one of these
   IDs in the ``addon_to`` field of another position. Note that all add_ons for a specific position need to come
@@ -656,11 +803,12 @@ Creating orders
      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json

      {
        "email": "dummy@example.org",
        "locale": "en",
+        "sales_channel": "web",
        "fees": [
          {
            "fee_type": "payment",
@@ -672,7 +820,7 @@ Creating orders
        ],
        "payment_provider": "banktransfer",
        "invoice_address": {
-          "is_business": False,
+          "is_business": false,
          "company": "Sample company",
          "name_parts": {"full_name": "John Doe"},
          "street": "Sesam Street 12",
@@ -715,10 +863,10 @@ Creating orders

      (Full order resource, see above.)

-   :param organizer: The ``slug`` field of the organizer of the event to create an item for
-   :param event: The ``slug`` field of the event to create an item for
+   :param organizer: The ``slug`` field of the organizer of the event to create an order for
+   :param event: The ``slug`` field of the event to create an order for
   :statuscode 201: no error
-   :statuscode 400: The item could not be created due to invalid submitted data or lack of quota.
+   :statuscode 400: The order could not be created due to invalid submitted data or lack of quota.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create this
         order.
@@ -764,7 +912,10 @@ Order state operations

 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_canceled/

-   Marks a pending order as canceled.
+   Cancels an order. For a pending order, this will set the order to status ``c``. For a paid order, this will set
+   the order to status ``c`` if no ``cancellation_fee`` is passed. If you do pass a ``cancellation_fee``, the order
+   will instead stay paid, but all positions will be removed (or marked as canceled) and replaced by the cancellation
+   fee as the only component of the order.

   **Example request**:

@@ -776,7 +927,8 @@ Order state operations
      Content-Type: text/json

      {
-          "send_email": true
+          "send_email": true,
+          "cancellation_fee": null
      }

   **Example response**:
@@ -837,47 +989,9 @@ Order state operations
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
   :statuscode 404: The requested order does not exist.

-.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_refunded/
-
-   Marks a paid order as refunded.
-
-   .. warning:: In the current implementation, this will **bypass** the payment provider, i.e. the money will **not** be
-                transferred back to the user automatically, the order will only be *marked* as refunded within pretix.
-
-   **Example request**:
-
-   .. sourcecode:: http
-
-      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/mark_expired/ HTTP/1.1
-      Host: pretix.eu
-      Accept: application/json, text/javascript
-
-   **Example response**:
-
-   .. sourcecode:: http
-
-      HTTP/1.1 200 OK
-      Vary: Accept
-      Content-Type: application/json
-
-      {
-        "code": "ABC12",
-        "status": "r",
-        ...
-      }
-
-   :param organizer: The ``slug`` field of the organizer to modify
-   :param event: The ``slug`` field of the event to modify
-   :param code: The ``code`` field of the order to modify
-   :statuscode 200: no error
-   :statuscode 400: The order cannot be marked as expired since the current order status does not allow it.
-   :statuscode 401: Authentication failure
-   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
-   :statuscode 404: The requested order does not exist.
-
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/mark_expired/

-   Marks a unpaid order as expired.
+   Marks an unpaid order as expired.

   **Example request**:

@@ -1036,9 +1150,82 @@ Order state operations
   :statuscode 200: no error
   :statuscode 400: The order cannot be marked as denied since the current order status does not allow it.
   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this resource.
+   :statuscode 404: The requested order does not exist.
+
+Generating invoices
+-------------------
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/create_invoice/
+
+   Creates an invoice for an order which currently does not have an invoice. Returns the
+   invoice object.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/create_invoice/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "order": "FOO",
+        "number": "DUMMY-00001",
+        "is_cancellation": false,
+        ...
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to create an invoice for
+   :statuscode 200: no error
+   :statuscode 400: The invoice can not be created (invoicing disabled, the order already has an invoice, …)
+   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
   :statuscode 404: The requested order does not exist.

+Sending e-mails
+---------------
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/resend_link/
+
+   Sends an email to the buyer with the link to the order page.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/orders/ABC12/resend_link/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param code: The ``code`` field of the order to send an email for
+   :statuscode 200: no error
+   :statuscode 400: The order does not have an email address associated
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+   :statuscode 404: The requested order does not exist.
+   :statuscode 503: The email could not be sent.

 List of all order positions
 ---------------------------
@@ -1054,6 +1241,8 @@ List of all order positions
   The order positions endpoint has been extended by the filter queries ``voucher``, ``voucher__code`` and
   ``pseudonymization_id``.

+.. note:: Individually canceled order positions are currently not visible via the API at all.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/

   Returns a list of all order positions within a given event.
@@ -1489,7 +1678,7 @@ Order payment endpoints

      {
        "amount": "23.00",
-        "mark_refunded": false
+        "mark_canceled": false
      }


@@ -1636,7 +1825,7 @@ Order refund endpoints
        "payment": 1,
        "execution_date": null,
        "provider": "manual",
-        "mark_refunded": false
+        "mark_canceled": false
      }

   **Example response**:
@@ -1706,7 +1895,7 @@ Order refund endpoints

 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/refunds/(local_id)/process/

-   Acts on an external refund, either marks the order as refunded or pending. Only allowed in state ``external``.
+   Acts on an external refund, either marks the order as canceled or pending. Only allowed in state ``external``.

   **Example request**:

@@ -1717,7 +1906,7 @@ Order refund endpoints
      Accept: application/json, text/javascript
      Content-Type: application/json

-      {"mark_refunded": false}
+      {"mark_canceled": false}

   **Example response**:

--- a/doc/api/resources/questions.rst
+++ b/doc/api/resources/questions.rst
@@ -30,12 +30,12 @@ type                                  string                     The expected ty
                                                                 * ``D`` – date
                                                                 * ``H`` – time
                                                                 * ``W`` – date and time
-required                              boolean                    If ``True``, the question needs to be filled out.
+required                              boolean                    If ``true``, the question needs to be filled out.
 position                              integer                    An integer, used for sorting
 items                                 list of integers           List of item IDs this question is assigned to.
 identifier                            string                     An arbitrary string that can be used for matching with
                                                                 other sources.
-ask_during_checkin                    boolean                    If ``True``, this question will not be asked while
+ask_during_checkin                    boolean                    If ``true``, this question will not be asked while
                                                                 buying the ticket, but will show up when redeeming
                                                                 the ticket instead.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
@@ -46,6 +46,16 @@ options                               list of objects            In case of ques
 ├ identifier                          string                     An arbitrary string that can be used for matching with
                                                                 other sources.
 └ answer                              multi-lingual string       The displayed value of this option
+dependency_question                   integer                    Internal ID of a different question. The current
+                                                                 question will only be shown if the question given in
+                                                                 this attribute is set to the value given in
+                                                                 ``dependency_value``. This cannot be combined with
+                                                                 ``ask_during_checkin``.
+dependency_value                      string                     The value ``dependency_question`` needs to be set to.
+                                                                 If ``dependency_question`` is set to a boolean
+                                                                 question, this should be ``"true"`` or ``"false"``.
+                                                                 Otherwise, it should be the ``identifier`` of a
+                                                                 question option.
 ===================================== ========================== =======================================================

 .. versionchanged:: 1.12
@@ -100,6 +110,8 @@ Endpoints
            "position": 1,
            "identifier": "WY3TP9SL",
            "ask_during_checkin": false,
+            "dependency_question": null,
+            "dependency_value": null,
            "options": [
              {
                "id": 1,
@@ -165,6 +177,8 @@ Endpoints
        "position": 1,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "id": 1,
@@ -214,6 +228,8 @@ Endpoints
        "items": [1, 2],
        "position": 1,
        "ask_during_checkin": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "answer": {"en": "S"}
@@ -245,6 +261,8 @@ Endpoints
        "position": 1,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "id": 1,
@@ -314,6 +332,8 @@ Endpoints
        "position": 2,
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
+        "dependency_question": null,
+        "dependency_value": null,
        "options": [
          {
            "id": 1,
--- a/doc/api/resources/subevents.rst
+++ b/doc/api/resources/subevents.rst
@@ -45,6 +45,8 @@ meta_data                             dict                       Values set for

   The ``event`` field has been added, together with filters on the list of dates and an organizer-level list.

+.. versionchanged:: 2.6
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.

 Endpoints
 ---------
@@ -103,11 +105,83 @@ Endpoints
   :query is_past: If set to ``true`` (``false``), only events that are over are (not) returned.
   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
   :param organizer: The ``slug`` field of a valid organizer
-   :param event: The ``slug`` field of the event to fetch
+   :param event: The ``slug`` field of the main event
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.

+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/subevents/
+
+   Creates a new subevent.
+
+   Permission required: "Can create events"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/subevents/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": {"en": "First Sample Conference"},
+        "active": false,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "12.00"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "First Sample Conference"},
+        "active": false,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "12.00"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :statuscode 201: no error
+   :statuscode 400: The sub-event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
+
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/

   Returns information on one sub-event, identified by its ID.
@@ -149,13 +223,106 @@ Endpoints
        "meta_data": {}
      }

-   :param organizer: The ``slug`` field of the organizer to fetch
-   :param event: The ``slug`` field of the event to fetch
-   :param id: The ``slug`` field of the sub-event to fetch
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.

+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/
+
+   Updates a sub-event, identified by its ID. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to
+   provide all fields of the resource, other fields will be reset to default. With ``PATCH``, you only need to provide
+   the fields that you want to change.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/subevents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content: application/json
+
+      {
+        "name": {"en": "New Subevent Name"},
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "23.42"
+          }
+        ],
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "name": {"en": "New Subevent Name"},
+        "event": "sampleconf",
+        "active": false,
+        "date_from": "2017-12-27T10:00:00Z",
+        "date_to": null,
+        "date_admission": null,
+        "presale_start": null,
+        "presale_end": null,
+        "location": null,
+        "item_price_overrides": [
+          {
+            "item": 2,
+            "price": "23.42"
+          }
+        ],
+        "variation_price_overrides": [],
+        "meta_data": {}
+      }
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to update
+   :statuscode 200: no error
+   :statuscode 400: The sub-event could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/sub-event does not exist **or** you have no permission to update this resource.
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/subevents/(id)/
+
+   Delete a sub-event. Note that events with orders cannot be deleted to ensure data integrity.
+
+   Permission required: "Can change event settings"
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/subevents/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the main event
+   :param id: The ``id`` field of the sub-event to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/sub-event does not exist **or** you have no permission to delete this resource.
+
+
 .. http:get:: /api/v1/organizers/(organizer)/subevents/

   Returns a list of all sub-events of any event series you have access to within an organizer account.
--- a/doc/api/resources/vouchers.rst
+++ b/doc/api/resources/vouchers.rst
@@ -18,8 +18,8 @@ max_usages                            integer                    The maximum num
 redeemed                              integer                    The number of times this voucher already has been
                                                                 redeemed.
 valid_until                           datetime                   The voucher expiration date (or ``null``).
-block_quota                           boolean                    If ``True``, quota is blocked for this voucher.
-allow_ignore_quota                    boolean                    If ``True``, this voucher can be redeemed even if a
+block_quota                           boolean                    If ``true``, quota is blocked for this voucher.
+allow_ignore_quota                    boolean                    If ``true``, this voucher can be redeemed even if a
                                                                 product is sold out and even if quota is not blocked
                                                                 for this voucher.
 price_mode                            string                     Determines how this voucher affects product prices.
--- a/doc/api/resources/webhooks.rst
+++ b/doc/api/resources/webhooks.rst
@@ -17,11 +17,11 @@ The webhook resource contains the following public fields:
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the webhook
-enabled                               boolean                    If ``False``, this webhook will not receive any notifications
+enabled                               boolean                    If ``false``, this webhook will not receive any notifications
 target_url                            string                     The URL to call
-all_events                            boolean                    If ``True``, this webhook will receive notifications
+all_events                            boolean                    If ``true``, this webhook will receive notifications
                                                                 on all events of this organizer
-limit_events                          list of strings            If ``all_events`` is ``False``, this is a list of
+limit_events                          list of strings            If ``all_events`` is ``false``, this is a list of
                                                                 event slugs this webhook is active for
 action_types                          list of strings            A list of action type filters that limit the
                                                                 notifications sent to this webhook. See below for
@@ -38,7 +38,6 @@ The following values for ``action_types`` are valid with pretix core:
    * ``pretix.event.order.contact.changed``
    * ``pretix.event.order.changed.*``
    * ``pretix.event.order.refund.created.externally``
-    * ``pretix.event.order.refunded``
    * ``pretix.event.order.approved``
    * ``pretix.event.order.denied``
    * ``pretix.event.checkin``
--- a/doc/development/api/general.rst
+++ b/doc/development/api/general.rst
@@ -12,7 +12,7 @@ Core

 .. automodule:: pretix.base.signals
   :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types,
-      item_copy_data
+      item_copy_data, register_sales_channels

 Order events
 """"""""""""
@@ -26,7 +26,7 @@ Frontend
 --------

 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_links, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble


 .. automodule:: pretix.presale.signals
@@ -49,7 +49,7 @@ Backend

 .. automodule:: pretix.control.signals
   :members: nav_event, html_head, html_page_start, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings,
-   order_info, event_settings_widget, oauth_application_registered
+             order_info, event_settings_widget, oauth_application_registered, order_position_buttons


 .. automodule:: pretix.base.signals
--- a/doc/development/api/invoice.rst
+++ b/doc/development/api/invoice.rst
@@ -23,7 +23,7 @@ that we'll provide in this plugin::


    @receiver(register_invoice_renderers, dispatch_uid="output_custom")
-    def register_infoice_renderers(sender, **kwargs):
+    def register_invoice_renderers(sender, **kwargs):
        from .invoice import MyInvoiceRenderer
        return MyInvoiceRenderer

--- a/doc/development/api/payment.rst
+++ b/doc/development/api/payment.rst
@@ -114,6 +114,8 @@ The provider class

   .. autoattribute:: is_meta

+   .. autoattribute:: test_mode_message
+

 Additional views
 ----------------
--- a/doc/development/api/plugins.rst
+++ b/doc/development/api/plugins.rst
@@ -79,6 +79,9 @@ human-readable error messages. We recommend using the ``django.utils.functional.
 decorator, as it might get called a lot. You can also implement ``compatibility_warnings``,
 those will be displayed but not block the plugin execution.

+The ``AppConfig`` class may implement a method ``is_available(event)`` that checks if a plugin
+is available for a specific event. If not, it will not be shown in the plugin list of that event.
+
 Plugin registration
 -------------------

--- a/doc/development/concepts.rst
+++ b/doc/development/concepts.rst
@@ -82,6 +82,12 @@ Orders
 ^^^^^^

 If a customer completes the checkout process, an **Order** will be created containing all the entered information.
-An order can be in one of currently five states that are listed in the diagram below:
+An order can be in one of currently four states that are listed in the diagram below:

 .. image:: /images/order_states.png
+
+There are additional "fake" states that are displayed like states but not represented as states in the system:
+
+* An order is considered **canceled (with paid fee)** if it is in **paid** status but does not include any non-cancelled positions.
+
+* An order is considered **requiring approval** if it is in **pending** status with the ``require_approval`` attribute set to ``True``.
--- a/doc/images/order_states.png
+++ b/doc/images/order_states.png
--- a/doc/images/order_states.puml
+++ b/doc/images/order_states.puml
@@ -4,7 +4,6 @@ Pending: Order is expecting payment\nOrder reduces quotas
 Expired: Payment period is over\nOrder does not affect quotas
 Paid: Order was successful\nOrder reduces quotas
 Canceled: Order has been canceled\nOrder does not affect quotas
-Refunded: Order has been refunded\nOrder does not affect quotas

 [*] --> Pending: customer\nplaces order
 Pending --> Paid: successful payment
@@ -12,8 +11,9 @@ Pending --> Expired: automatically\nor manually\non admin action
 Expired --> Paid: if payment is received\nonly if quota left
 Expired --> Canceled
 Expired --> Pending: manually\non admin action
-Paid --> Refunded: manually on\nadmin action\nor if an external\npayment provider\nnotifies about a\npayment refund
+Paid --> Canceled: manually on\nadmin action\nor if an external\npayment provider\nnotifies about a\npayment refund
 Pending --> Canceled: on admin or\ncustomer action
 Paid -> Pending: manually on admin action
+[*] --> Paid: customer\nplaces free order

@enduml
--- a/doc/plugins/badges.rst
+++ b/doc/plugins/badges.rst
@@ -108,3 +108,43 @@ Endpoints
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/badgeitems/
+
+   Returns a list of all assignments of items to layouts
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/democon/badgeitems/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "layout": 2,
+            "item": 3,
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of a valid event
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
--- a/doc/plugins/pretixdroid.rst
+++ b/doc/plugins/pretixdroid.rst
@@ -316,7 +316,7 @@ uses to communicate with the pretix server.
        "total": 42,
        "version": 3,
        "event": {
-          "name": "Demo Converence",
+          "name": "Demo Conference",
          "slug": "democon",
          "date_from": "2016-12-27T17:00:00Z",
          "date_to": "2016-12-30T18:00:00Z",
--- a/doc/plugins/ticketoutputpdf.rst
+++ b/doc/plugins/ticketoutputpdf.rst
@@ -20,6 +20,7 @@ default                               boolean                    ``true`` if thi
 layout                                object                     Layout specification for libpretixprint
 background                            URL                        Background PDF file
 item_assignments                      list of objects            Products this layout is assigned to
+├ sales_channel                       string                     Sales channel (defaults to ``web``).
 └ item                                integer                    Item ID
 ===================================== ========================== =======================================================

@@ -27,6 +28,10 @@ item_assignments                      list of objects            Products this l

   This resource has been added.

+.. versionchanged:: 2.3
+
+   The ``item_assignments.sales_channel`` field has been added.
+

 Endpoints
 ---------
@@ -109,3 +114,44 @@ Endpoints
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/ticketlayoutitems/
+
+   Returns a list of all assignments of items to layouts
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/democon/ticketlayoutitems/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "layout": 2,
+            "item": 3,
+            "sales_channel": web
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of a valid event
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
--- a/doc/spelling_wordlist.txt
+++ b/doc/spelling_wordlist.txt
@@ -1,13 +1,16 @@
 addon
 addons
+Analytics
 anonymize
 api
 auditability
 auth
 autobuild
+availabilities
 backend
 backends
 banktransfer
+Bcc
 boolean
 booleans
 cancelled
@@ -65,6 +68,7 @@ ons
 optimizations
 overpayment
 param
+passphrase
 percental
 positionid
 pre
@@ -91,6 +95,8 @@ renderers
 reportlab
 SaaS
 screenshot
+scss
+searchable
 selectable
 serializers
 serializers
@@ -105,9 +111,11 @@ subdomains
 subevent
 subevents
 submodule
+subnet
 subpath
 Symfony
 systemd
+testmode
 testutils
 timestamp
 tuples
--- a/doc/user/events/display.rst
+++ b/doc/user/events/display.rst
@@ -21,11 +21,18 @@ Frontpage text
    your product types, give more information on the event or for other general notices.
    You can use :ref:`Markdown syntax <markdown-guide>` in this field.

+Voucher explanation
+    This text will be shown above the voucher input box. You can use it to explain how to obtain a voucher and use it.
+
 Show variations of a product expanded by default
    If this is not checked, a product with variations will be shown as one row in the show by default and will expand
    into multiple rows once it is clicked on. With this box checked, the variations will be shown as multiple rows
    right from the beginning.

+Ask search engines not to index the ticket shop
+    If this is checked, we will set a HTML meta attribute asking search engines by Google not to put this ticket shop
+    into their searchable index.
+

 The lower part of the page contains settings that you can **either** set on organizer-level for all your events **or**
 override for this single event individually. Those are:
@@ -35,6 +42,12 @@ Primary color
    customers. We suggest not choosing something to light, since text in that color should be readable on a white
    background and white text should be readable on a background of this color.

+Accent color for success
+    This color will be used for success messages. We suggest to choose a dark shade of green.
+
+Accent color for errors
+    This color will be used for error messages. We suggest to choose a dark shade of red.
+
 Font
    Choose one of multiple fonts to use for your web shop.

--- a/doc/user/events/email.rst
+++ b/doc/user/events/email.rst
@@ -8,8 +8,8 @@ event.
   :align: center
   :class: screenshot

-The page is separated into three parts: "E-mail settings", "E-mail content" and "SMTP settings". We will explain all
-of them in detail on this page.
+The page is separated into four parts: "E-mail settings", "E-mail design", "E-mail content" and "SMTP settings".
+We will explain all of them in detail on this page.

 E-mail settings
 ---------------
@@ -30,10 +30,18 @@ Signature
    This text will be appended to all e-mails in form of a signature. This might be useful e.g. to add your contact
    details or any legal information that needs to be included with the e-mails.

+Bcc address
+    This email address will receive a copy of every event-related email.
+
+E-mail design
+-------------
+
+In this part, you can choose and preview the layout of your emails. More layouts can be added by pretix plugins.
+
 E-mail content
 --------------

-The middle part of the page allows you to customize the exact texts of all e-mails sent by the system automatically.
+The next part of the page allows you to customize the exact texts of all e-mails sent by the system automatically.
 You can click on the different boxes to expand them and see the texts.

 Within the texts, you can use placeholders that will later by replaced by values depending on the event or order. Below
@@ -45,6 +53,7 @@ Placeholder                    Description
 ============================== ===============================================================================
 event                          The event name
 total                          The order's total value
+total_with_currency            The order's total value with a localized currency sign
 currency                       The currency used for the event (three-letter code)
 payment_info                   Information text specific to the payment method (e.g. banking details)
 url                            An URL pointing to the download/status page of the order
@@ -112,6 +121,22 @@ Reminder to download tickets
    attendees to download their tickets. The e-mail should include a link to the ticket download. This e-mail will only
    ever be sent if you specify a number of days.

+Order approval process
+    If you configure one of your products to "require approval", orders of that product will not immediately be confirmed
+    but only after you approved them manually. In this case, the following e-mail templates will be sent out.
+
+    Received order
+        After an order has been received, this e-mail will be sent automatically instead of the "order placed" e-mail from
+        above.
+
+    Approved order
+        This e-mail will be sent after you manually approved an order. This should include instructions to pay for the order,
+        which is why this will only be used for a paid order. For a free order, the "free order" e-mail from above will
+        be sent.
+
+    Denied order
+        This e-mail will be sent out to customers when their order has been denied.
+
 SMTP settings
 -------------

--- a/doc/user/events/invoicing.rst
+++ b/doc/user/events/invoicing.rst
@@ -11,18 +11,6 @@ The settings at "Settings" → "Invoice" allow you to specify if and how pretix

 In particular, you can configure the following things:

-Ask for invoice address
-    If this checkbox is enabled, customers will be able to enter an invoice address during checkout. If you only enable
-    this box, the invoice address will be optional to fill in.
-
-Require invoice address
-    If this checkbox is enabled, entering an invoice address will be obligatory for all customers and it will not be
-    able to create an order without entering an address.
-
-Require customer name
-    If this checkbox is enabled, the street, city, and country fields of the invoice address will still be optional but
-    the name field will be obligatory.
-
 Generate invoices
    This field controls whether pretix should generate an invoice for an order. You have the following options:

@@ -51,6 +39,51 @@ Attach invoices to emails
    "Automatically for all created orders" or to the payment confirmation e-mails if it is set to "Automatically on
    payment".

+Invoice number prefix
+    This is the prefix that will be prepended to all your invoice numbers. For example, if you set this to "Inv", your
+    invoices will be numbered Inv00001, Inv00002, etc. If you leave this field empty, your event slug will be used,
+    followed by a dash, e.g. DEMOCON-00001.
+
+    Within one organizer account, events with the same number prefix will share their number range. For example, if you
+    set this to "Inv" for all of your events, there will be only one invoice numbered Inv00007 across all your events
+    and the numbers will have gaps within one event.
+
+Generate invoices with consecutive numbers
+    If enabled, invoices will be created with numerical invoice numbers in the order of their creation, i.e.
+    PREFIX-00001, PREFIX-00002, and so on. If disabled, invoice numbers will instead be generated from the order code,
+    i.e. PREFIX-YHASD-1. When in doubt, keep this option enabled since it might be legally required in your country,
+    but disabling it has the advantage that your customers can not estimate the number of tickets sold by looking at
+    the invoice numbers.
+
+Invoice language
+    This setting allows you to configure the language of all invoices. You can either set it to one of your event
+    language or dynamically to the language used by the customer.
+
+Show free products on invoices
+    If enabled, products that do not cost anything will still show up on invoices. Note that the order needs to contain
+    at least one non-free product in order to generate an invoice.
+
+Show attendee names on invoices
+    If enabled, the attendee name will be printed on the invoice for admission tickets.
+
+Ask for invoice address
+    If this checkbox is enabled, customers will be able to enter an invoice address during checkout. If you only enable
+    this box, the invoice address will be optional to fill in.
+
+Require invoice address
+    If this checkbox is enabled, entering an invoice address will be obligatory for all customers and it will not be
+    able to create an order without entering an address.
+
+Require customer name
+    If this checkbox is enabled, the street, city, and country fields of the invoice address will still be optional but
+    the name field will be obligatory.
+
+Require a business address
+    If enabled, the invoice address form will require a company name and do not allow personal addresses.
+
+Ask for beneficiary
+    If enabled, the invoice address form will contain an additional field to input the beneficiary of the transaction.
+
 Ask for VAT ID
    If enabled, the invoice address form will not only ask for a postal address, but also for a VAT ID. The VAT ID will
    always be an optional field.
@@ -62,26 +95,13 @@ Generate invoices with consecutive numbers
    but disabling it has the advantage that your customers can not estimate the number of tickets sold by looking at
    the invoice numbers.

-Invoice number prefix
-    This is the prefix that will be prepended to all your invoice numbers. For example, if you set this to "Inv", your
-    invoices will be numbered Inv00001, Inv00002, etc. If you leave this field empty, your event slug will be used,
-    followed by a dash, e.g. DEMOCON-00001.
-
-    Within one organizer account, events with the same number prefix will share their number range. For example, if you
-    set this to "Inv" for all of your events, there will be only one invoice numbered Inv00007 across all your events
-    and the numbers will have gaps within one event.
-
-Show free products on invoices
-    If enabled, products that do not cost anything will still show up on invoices. Note that the order needs to contain
-    at least one non-free product in order to generate an invoice.
-
-Show attendee names on invoices
-    If enabled, the attendee name will be printed on the invoice for admission tickets.
-
-Your address
-    This should be set to the address of the entity issuing the invoice (read: you) and will be printed inside
+Your invoice details
+    These fields should be set to the address of the entity issuing the invoice (read: you) and will be printed inside
    the header of the invoice.

+Invoice style
+    This setting allows you to choose the design of your invoice. Additional designs can be added by pretix plugins.
+
 Introductory text
    A free custom text that will be printed above the list of products on the invoice.

--- a/doc/user/events/structureguide.rst
+++ b/doc/user/events/structureguide.rst
@@ -0,0 +1,260 @@
+Product structure guide
+=======================
+
+Between products, categories, variations, add-ons, bundles, and quotas, pretix provides a wide range of features that allow you to set up your event in the way you want it.
+However, it is easy to get lost in the process or to get started with building your event right.
+Often times, there are multiple ways to do something that come with different advantages and disadvantages.
+This guide will walk you through a number of typical examples of pretix event structures and will explain how to set them up – feel free to just skip ahead to a section relevant for you.
+
+Terminology
+-----------
+
+Products
+    A product is a basic entity that can be bought. You can think of it as a ticket type, but it can be more things than just a ticket, it can also be a piece of merchandise, a parking slot, etc.
+    You might find some places where they are called "items" instead, but we're trying to get rid of that.
+
+Product categories
+    Products can be sorted into categories. Each product can only be in one category. Category are mostly used for grouping related products together to make your event page easier to read for buyers. However, we'll need categories as well to set up some of the structures outlined below.
+
+Product variations
+    During creation of a product, you can decide that your product should have multiple variations. Variations of a product can differ in price, description, and availability, but are otherwise the same. You could use this e.g. for differentiating between a regular ticket and a discounted ticket for students, or when selling merchandise to differentiate the different sizes of a t-shirt.
+
+Product add-ons
+    Add-ons are products that are sold together with another product (which we will call the base product in this case). For example, you could have a base product "Conference ticket" and then define multiple workshops that can be chosen as an add-on.
+
+Product bundles
+    Bundles work very similarly to add-ons, but are different in the way that they are always automatically included with the base product and cannot be optional. In contrast to add-on products, the same product can be included multiple times in a bundle.
+
+Quotas
+    Quotas define the availability of products. A quota has a size (i.e. the number of products in the inventory) and is mapped to one or multiple products or variations.
+
+Questions
+    Questions are user-defined form fields that buyers will need to fill out when purchasing a product.
+
+Use case: Multiple price levels
+-------------------------------
+
+Imagine you're running a concert with general admission that sells a total of 200 tickets for two prices:
+
+* Regular: € 25.00
+* Students: € 19.00
+
+You can either set up two different products called e.g. "Regular ticket" and "Student ticket" with the respective prices, or two variations within the same product. In this simple case, it really doesn't matter.
+
+In addition, you will need quotas. If you do not care how many of your tickets are sold to students, you should set up just **one quota** of 200 called e.g. "General admission" that you link to **both products**.
+
+If you want to limit the number of student tickets to 50 to ensure a certain minimum revenue, but do not want to limit the number of regular tickets artificially, we suggest you to create the same quota of 200 that is linked to both products, and then create a **second quota** of 50 that is only linked to the student ticket. This way, the system will reduce both quotas whenever a student ticket is sold and only the larger quota when a regular ticket is sold.
+
+Use case: Early-bird tiers
+--------------------------
+
+Let's say you run a conference that has the following pricing scheme:
+
+* 12 to 6 months before the event: € 450
+* 6 to 3 months before the event: € 550
+* closer than 3 months to the event: € 650
+
+Of course, you could just set up one product and change its price at the given dates manually, but if you want to set this up automatically, here's how:
+
+Create three products (e.g. "super early bird", "early bird", "regular ticket") with the respective prices and one shared quota of your total event capacity. Then, set the **available from** and **available until** configuration fields of the products to automatically turn them on and off based on the current date.
+
+.. note::
+
+   pretix currently can't do early-bird tiers based on **ticket number** instead of time. We're planning this feature for later in 2019. For now, you'll need to monitor that manually.
+
+Use case: Up-selling of ticket extras
+-------------------------------------
+
+Let's assume you're putting up a great music festival, and to save trouble with handling payments on-site, you want to sell parking spaces together with your ticket. By using our add-on feature, you can prompt all users to book the parking space (to make sure they see it) and ensure that only people with a ticket can book a parking space. You can set it up like this:
+
+* Create a base product "Festival admission"
+* Create a quota for the base product
+* Create a category "Ticket extras" and check "Products in this category are add-on products"
+* Create a product "Parking space" within that category
+* Create a quota for the parking space product
+* Go to the base product and select the tab "Add-Ons" at the top. Click "Add a new add-on" and choose the "Ticket extras" category. You can keep the numbers at 0 and 1.
+
+During checkout, all buyers of the base product will now be prompted if they want to add the parking space.
+
+.. tip::
+
+   You can also use add-on products for free things, just to keep tabs on capacity.
+
+Use case: Conference with workshops
+-----------------------------------
+
+When running a conference, you might also organize a number of workshops with smaller capacity. To be able to plan, it would be great to know which workshops an attendee plans to attend.
+
+Your first and simplest option is to just create a multiple-choice question. This has the upside of making it easy for users to change their mind later on, but will not allow you to restrict the number of attendees signing up for a given workshop – or even charge extra for a given workshop.
+
+The usually better option is to go with add-on products. Let's take for example the following conference schedule, in which the lecture can be attended by anyone, but the workshops only have space for 20 persons each:
+
+==================== =================================== ===================================
+Time                 Room A                              Room B
+==================== =================================== ===================================
+Wednesday morning    Lecture
+Wednesday afternoon  Workshop A                          Workshop B
+Thursday morning     Workshop C                          Workshop D (20 € extra charge)
+==================== =================================== ===================================
+
+Assuming you already created one or more products for your general conference admission, we suggest that you additionally create:
+
+* A category called "Workshops" with the checkbox "Products in this category are add-on products" activated
+
+* A free product called "Wednesday afternoon" within the category "Workshops" and with two variations:
+
+    * Workshop A
+
+    * Workshop B
+
+* A free product called "Thursday morning" within the category "Workshops" and with two variations:
+
+    * Workshop C
+
+    * Workshop D with a price of 20 €
+
+* Four quotas for each of the workshops
+
+* One add-on configuration on your base product that allows users to choose between 0 and 2 products from the category "Workshops"
+
+Use case: Discounted packages
+-----------------------------
+
+Imagine you run a trade show that opens on three consecutive days and you want to have the following pricing:
+
+* Single day: € 10
+* Any two days: € 17
+* All three days:  € 25
+
+In this case, there are multiple different ways you could set this up with pretix.
+
+Option A: Combination products
+""""""""""""""""""""""""""""""
+
+With this option, you just set up all the different combinations someone could by as a separate product. In this case, you would need 7 products:
+
+* Day 1 pass
+* Day 2 pass
+* Day 3 pass
+* Day 1+2 pass
+* Day 2+3 pass
+* Day 1+3 pass
+* All-day pass
+
+Then, you create three quotas, each one with the maximum capacity of your venue on any given day:
+
+* Day 1 quota, linked to "Day 1 pass", "Day 1+2 pass", "Day 1+3 pass", and "All-day pass"
+* Day 2 quota, linked to "Day 2 pass", "Day 1+2 pass", "Day 2+3 pass", and "All-day pass"
+* Day 3 quota, linked to "Day 3 pass", "Day 2+3 pass", "Day 1+3 pass", and "All-day pass"
+
+This way, every person gets exactly one ticket that they can use for all days that they attend. You can later set up check-in lists appropriately to make sure only tickets valid for a certain day can be scanned on that day.
+
+The benefit of this option is that your product structure and order structure stays very simple. However, the two-day packages scale badly when you need many products.
+
+We recommend this setup for most setups in which the number of possible combinations does not exceed the number of parts (here: number of days) by much.
+
+Option B: Add-ons and bundles
+"""""""""""""""""""""""""""""
+
+We can combine the two features "product add-ons" and "product bundles" to set this up in a different way. Here, you would create the following five products:
+
+* Day 1 pass in a category called "Day passes"
+* Day 2 pass in a category called "Day passes"
+* Day 3 pass in a category called "Day passes"
+* Two-day pass
+* All-day pass
+
+This time, you will need five quotas:
+
+* Day 1 quota, linked to "Day 1 pass"
+* Day 2 quota, linked to "Day 2 pass"
+* Day 3 quota, linked to "Day 3 pass"
+* Two-day pass quota, linked to "Two-day pass" (can be unlimited)
+* All-day pass quota, linked to "All-day pass" (can be unlimited)
+
+Then, you open the "Add-On" tab in the settings of the **Two-day pass** product and create a new add-on configuration specifying the following options:
+
+* Category: "Day passes"
+* Minimum number: 2
+* Maximum number: 2
+* Add-Ons are included in the price: Yes
+
+This way, when buying a two-day pass, the user will be able to select *exactly* two days for free, which will then be added to the cart. Depending on your specific configuration, the user will now receive *two separate* tickets, one for each day.
+
+For the all-day pass, you open the "Bundled products" tab in the settings of the **All-day pass** product and add **three** new bundled items with the following options:
+
+* Bundled product: "Day 1/2/3"
+* Bundled variation: None
+* Count: 1
+* Designated price: 0
+
+This way, when buying an all-day pass, three free day passes will *automatically* be added to the cart. Depending on your specific configuration, the user will now receive *three separate* tickets, one for each day.
+
+This approach makes your order data more complicated, since e.g. someone who buys an all-day pass now technically bought **four products**. However, this option allows for more flexibility when you have lots of options to choose from.
+
+.. tip::
+
+   Depending on the packages you offer, you **might not need both the add-on and the bundle feature**, i.e. you only need the add-on feature for the two-day pass and only the bundle feature for the all-day pass. You could also set up the two-day pass like we showed here, but the all-day pass like in option A!
+
+Use case: Group discounts
+-------------------------
+
+Often times, you want to give discounts for whole groups attending your event. pretix can't automatically discount based on volume, but there's still some ways you can set up group tickets.
+
+Flexible group sizes
+""""""""""""""""""""
+
+If you want to give out discounted tickets to groups starting at a given size, but still billed per person, you can do so by creating a special **Group ticket** at the per-person price and set the **Minimum amount per order** option of the ticket to the minimal group size.
+
+This way, your ticket can be bought an arbitrary number of times – but no less than the given minimal amount per order.
+
+Fixed group sizes
+"""""""""""""""""
+
+If you want to sell group tickets in fixed sizes, e.g. a table of eight at your gala dinner, you can use product bundles. Assuming you already set up a ticket for admission of single persons, you then set up a second product **Table (8 persons)** with a discounted full price. Then, head to the **Bundled products** tab of that product and add one bundle configuration to include the single admission product **eight times**. Next, create an unlimited quota mapped to the new product.
+
+This way, the purchase of a table will automatically create eight tickets, leading to a correct calculation of your total quota and, as expected, eight persons on your check-in list. You can even ask for the individual names of the persons during checkout.
+
+Use case: Restricted audience
+-----------------------------
+
+Not all events are for everyone. Sometimes, there is a good reason to restrict access to your event or parts of your event only to a specific, invited group. There's two ways to implement this with pretix:
+
+Option A: Required voucher codes
+""""""""""""""""""""""""""""""""
+
+If you check the option "**This product can only be bought using a voucher**" of one or multiple products, only people holding an applicable voucher code will be able to buy the product.
+
+You can then generate voucher codes for the respective product and send them out to the group of possible attendees. If the recipients should still be able to choose between different products, you can create an additional quota and map the voucher to that quota instead of the products themselves.
+
+There's also the second option "**This product will only be shown if a voucher matching the product is redeemed**". In this case, the existence of the product won't even be shown before a voucher code is entered – useful for a VIP option in a shop where you also sell other products to the general public. Please note that this option does **not** work with vouchers assigned to a quota, only with vouchers assigned directly to the product.
+
+This option is appropriate if you know the group of people beforehand, e.g. members of a club, and you can mail them their access codes.
+
+Option B: Order approvals
+"""""""""""""""""""""""""
+
+If you do not know your audience already, but still want to restrict it to a certain group, e.g. people with a given profession, you can check the "**Buying this product requires approval**" in the settings of your product. If a customer tries to buy such a product, they will be able to place their order but can not proceed to payment. Instead, you will be asked to approve or deny the order and only if you approve it, we will send a payment link to the customer.
+
+This requires the customer to interact with the ticket shop twice (once for the order, once for the payment) which adds a little more friction, but gives you full control over who attends the event.
+
+Use case: Mixed taxation
+------------------------
+
+Let's say you are a charitable organization in Germany and are allowed to charge a reduced tax rate of 7% for your educational event. However, your event includes a significant amount of food, you might need to charge a 19% tax rate on that portion. For example, your desired tax structure might then look like this:
+
+* Conference ticket price: € 450 (incl. € 150 for food)
+
+    * incl. € 19.63 VAT at 7%
+    * incl. € 23.95 VAT at 19%
+
+You can implement this in pretix using product bundles. In order to do so, you should create the following two products:
+
+* Conference ticket at € 450 with a 7% tax rule
+* Conference food at € 150 with a 19% tax rule and the option "**Only sell this product as part of a bundle**" set
+
+In addition to your normal conference quota, you need to create an unlimited quota for the food product.
+
+Then, head to the **Bundled products** tab of the "conference ticket" and add the "conference food" as a bundled product with a **designated price** of € 150.
+
+Once a customer tries to buy the € 450 conference ticket, a sub-product will be added and the price will automatically be split into the two components, leading to a correct computation of taxes.
--- a/doc/user/events/tickets.rst
+++ b/doc/user/events/tickets.rst
@@ -25,6 +25,10 @@ Generate tickets for non-admission products
  By default, tickets will only be generated for products that are marked as admission products. Enable this option to
  generate tickets for all products instead.

+Offer to download tickets even before an order is paid
+  By default, ticket download is only possible for paid orders. If you run an event where people usually pay only after
+  the event, you can check this box to enable ticket download even before.
+
 Below these settings, the detail settings for the various ticket file formats are offered. They differ from format to
 format and only share the common "Enable" setting that can be used to turn them on. By default, pretix ships with
 a PDF output plugin that you can configure through a visual design editor.
--- a/doc/user/events/widget.rst
+++ b/doc/user/events/widget.rst
@@ -114,6 +114,35 @@ If you want to disable voucher input in the widget, you can pass the ``disable-v

   <pretix-widget event="https://pretix.eu/demo/democon/" disable-vouchers></pretix-widget>

+Multi-event selection
+---------------------
+
+If you want to embed multiple events in a single widget, you can do so. If it's multiple dates of an event series, just leave off the ``series`` attribute::
+
+   <pretix-widget event="https://pretix.eu/demo/series/"></pretix-widget>
+
+If you want to include all your public events, you can just reference your organizer::
+
+   <pretix-widget event="https://pretix.eu/demo/"></pretix-widget>
+
+There is an optional ``style`` parameter that let's you choose between a calendar view and a list view. If you do not set it, the choice will be taken from your organizer settings::
+
+   <pretix-widget event="https://pretix.eu/demo/series/" style="list"></pretix-widget>
+   <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+
+You can see an example here:
+
+.. raw:: html
+
+    <pretix-widget event="https://pretix.eu/demo/series/" style="calendar"></pretix-widget>
+    <noscript>
+       <div class="pretix-widget">
+            <div class="pretix-widget-info-message">
+                JavaScript is disabled in your browser. To access our ticket shop without javascript, please <a target="_blank" href="https://pretix.eu/demo/series/">click here</a>.
+            </div>
+        </div>
+    </noscript>
+
 pretix Button
 -------------

@@ -149,8 +178,101 @@ Just as the widget, the button supports the optional attributes ``voucher`` and

 You can style the button using the ``pretix-button`` CSS class.

-.. versionchanged:: 1.13
+Dynamically loading the widget
+------------------------------

-   The pretix Button has been added in version 1.13.
+If you need to control the way or timing the widget loads, for example because you want to modify user data (see
+below) dynamically via JavaScript, you can register a listener that we will call before creating the widget::
+
+    <script type="text/javascript">
+    window.pretixWidgetCallback = function () {
+        // Will be run before we create the widget.
+    }
+    </script>
+
+If you want, you can suppress us loading the widget and/or modify the user data passed to the widget::
+
+    <script type="text/javascript">
+    window.pretixWidgetCallback = function () {
+        window.PretixWidget.build_widgets = false;
+        window.PretixWidget.widget_data["email"] = "test@example.org";
+    }
+    </script>
+
+If you then later want to trigger loading the widgets, just call ``window.PretixWidget.buildWidgets()``.
+
+
+Passing user data to the widget
+-------------------------------
+
+If you display the widget in a restricted area of your website and you want to pre-fill fields in the checkout process
+with known user data to save your users some typing and increase conversions, you can pass additional data attributes
+with that information::
+
+    <pretix-widget event="https://pretix.eu/demo/democon/"
+        data-attendee-name-given-name="John"
+        data-attendee-name-family-name="Doe"
+        data-invoice-address-name-given-name="John"
+        data-invoice-address-name-family-name="Doe"
+        data-email="test@example.org"
+        data-question-L9G8NG9M="Foobar">
+    </pretix-widget>
+
+This works for the pretix Button as well. Currently, the following attributes are understood by pretix itself:
+
+* ``data-email`` will pre-fill the order email field as well as the attendee email field (if enabled).
+
+* ``data-question-IDENTIFIER`` will pre-fill the answer for the question with the given identifier. You can view and set
+  identifiers in the *Questions* section of the backend.
+
+* Depending on the person name scheme configured in your event settings, you can pass one or more of
+  ``data-attendee-name-full-name``, ``data-attendee-name-given-name``, ``data-attendee-name-family-name``,
+  ``data-attendee-name-middle-name``, ``data-attendee-name-title``, ``data-attendee-name-calling-name``,
+  ``data-attendee-name-latin-transcription``. If you don't know or don't care, you can also just pass a string as
+  ``data-attendee-name``, which will pre-fill the last part of the name, whatever that is.
+
+* ``data-invoice-address-FIELD`` will  pre-fill the corresponding field of the invoice address. Possible values for
+  ``FIELD`` are ``company``, ``street``, ``zipcode``, ``city`` and ``country``, as well as fields specified by the
+  naming scheme such as ``name-title`` or ``name-given-name`` (see above). ``country`` expects a two-character
+  country code.
+
+Any configured pretix plugins might understand more data fields. For example, if the appropriate plugins on pretix
+Hosted or pretix Enterprise are active, you can pass the following fields:
+
+* If you use the campaigns plugin, you can pass a campaign ID as a value to ``data-campaign``. This way, all orders
+  made through this widget will be counted towards this campaign.
+
+* If you use the tracking plugin, you can pass a Google Analytics User ID to enable cross-domain tracking. This will
+  require you to dynamically load the widget, like this::
+
+    <script>
+        (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+        })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
+
+        ga('create', 'UA-XXXXXX-1', 'auto');
+        ga('send', 'pageview');
+
+        window.pretixWidgetCallback = function () {
+            window.PretixWidget.build_widgets = false;
+            window.addEventListener('load', function() { // Wait for GA to be loaded
+                if(window.ga && ga.create) {
+                    ga(function(tracker) {
+                        window.PretixWidget.widget_data["tracking-ga-id"] = tracker.get('clientId');
+                        window.PretixWidget.buildWidgets()
+                    });
+                } else { // Tracking is probably blocked
+                       window.PretixWidget.buildWidgets()
+                }
+            });
+        };
+    </script>
+
+
+.. versionchanged:: 2.3
+
+   Data passing options have been added in pretix 2.3. If you use a self-hosted version of pretix, they only work
+   fully if you configured a redis server.

 .. _Let's Encrypt: https://letsencrypt.org/
--- a/doc/user/faq.rst
+++ b/doc/user/faq.rst
@@ -4,22 +4,10 @@ FAQ and Troubleshooting
 How can I test my shop before taking it live?
 ---------------------------------------------

-There are multiple ways to do this.
-
-First, you could just create some orders in your real shop and cancel/refund them later. If you don't want to process
-real payments for the tests, you can either use a "manual" payment method like bank transfer and just mark the orders
-as paid with the button in the backend, or if you want to use e.g. Stripe, you can configure pretix to use your keys
-for the Stripe test system and use their test credit cars. Read our :ref:`Stripe documentation <stripe>` for more
-information.
-
-Second, you could create a separate event, just for testing. In the last step of the :ref:`event creation process <event_create>`,
-you can specify that you want to copy all settings from your real event, so you don't have to do all of it twice.
-
-We are planning to add a dedicated test mode in a later version of pretix.
-
-If you are using the hosted service at pretix.eu and want to get rid of the test orders completely, contact us at
-support@pretix.eu and we can remove them for you. Please note that we only are able to do that *before* you have
-received any real orders (i.e. taken the shop public). We won't charge any fees for test orders or test events.
+On your event dashboard, click on the first tile that shows your shop status. On the lower part of this page, you can
+place your event into "test mode". In "test mode", everything behaves the same, but orders created during test mode can
+later be fully deleted. Be sure to actually delete them when or after you turn off test mode, since test mode orders
+still count toward your quotas and are included in your reports.

 How do I delete an event?
 -------------------------
--- a/doc/user/index.rst
+++ b/doc/user/index.rst
@@ -10,6 +10,7 @@ wanting to use pretix to sell tickets.
   organizers/index
   events/create
   events/settings
+   events/structureguide
   events/widget
   faq
   markdown
--- a/doc/user/payments/paypal.rst
+++ b/doc/user/payments/paypal.rst
@@ -3,6 +3,13 @@
 PayPal
 ======

+.. note::
+
+   If you use pretix Hosted, you do not longer need to go through this tedious process! You can
+   just open the PayPal settings in the payment section of your event, click "Connect to PayPal"
+   and log in to your PayPal account. The following guide is only required for self-hosted
+   versions of pretix.
+
 To integrate PayPal with pretix, you first need to have an active PayPal merchant account. If you do not already have a
 PayPal account, you can create one on `paypal.com`_.
 If you look into pretix' settings, you are required to fill in two keys:
--- a/src/.update-locales
+++ b/src/.update-locales
@@ -34,4 +34,5 @@ git push
 # Unlock Weblate
 for c in $COMPONENTS; do
 	wlc unlock $c;
+	wlc pull $c;
 done
--- a/src/pretix/init.py
+++ b/src/pretix/init.py
@@ -1 +1 @@
-__version__ = "2.2.0"
+__version__ = "2.6.0"
--- a/src/pretix/api/auth/device.py
+++ b/src/pretix/api/auth/device.py
@@ -19,7 +19,7 @@ class DeviceTokenAuthentication(TokenAuthentication):
        if not device.initialized:
            raise exceptions.AuthenticationFailed('Device has not been initialized.')

-        if not device.api_token:
+        if device.revoked:
            raise exceptions.AuthenticationFailed('Device access has been revoked.')

        return AnonymousUser(), device
--- a/src/pretix/api/serializers/event.py
+++ b/src/pretix/api/serializers/event.py
@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import transaction
 from django.utils.functional import cached_property
@@ -47,7 +48,7 @@ class EventSerializer(I18nAwareModelSerializer):

    class Meta:
        model = Event
-        fields = ('name', 'slug', 'live', 'currency', 'date_from',
+        fields = ('name', 'slug', 'live', 'testmode', 'currency', 'date_from',
                  'date_to', 'date_admission', 'is_public', 'presale_start',
                  'presale_end', 'location', 'has_subevents', 'meta_data', 'plugins')

@@ -95,7 +96,7 @@ class EventSerializer(I18nAwareModelSerializer):
        from pretix.base.plugins import get_all_plugins

        plugins_available = {
-            p.module for p in get_all_plugins()
+            p.module for p in get_all_plugins(self.instance)
            if not p.name.startswith('.') and getattr(p, 'visible', True)
        }

@@ -108,7 +109,7 @@ class EventSerializer(I18nAwareModelSerializer):
    @transaction.atomic
    def create(self, validated_data):
        meta_data = validated_data.pop('meta_data', None)
-        plugins = validated_data.pop('plugins', None)
+        plugins = validated_data.pop('plugins', settings.PRETIX_PLUGINS_DEFAULT.split(','))
        event = super().create(validated_data)

        # Meta data
@@ -122,6 +123,7 @@ class EventSerializer(I18nAwareModelSerializer):
        # Plugins
        if plugins is not None:
            event.set_active_plugins(plugins)
+        event.save(update_fields=['plugins'])

        return event

@@ -189,8 +191,8 @@ class SubEventItemVariationSerializer(I18nAwareModelSerializer):


 class SubEventSerializer(I18nAwareModelSerializer):
-    item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True)
-    variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True)
+    item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True, required=False)
+    variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True, required=False)
    event = SlugRelatedField(slug_field='slug', read_only=True)
    meta_data = MetaDataField(source='*')

@@ -200,6 +202,103 @@ class SubEventSerializer(I18nAwareModelSerializer):
                  'presale_start', 'presale_end', 'location', 'event',
                  'item_price_overrides', 'variation_price_overrides', 'meta_data')

+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['request'].event
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        Event.clean_dates(data.get('date_from'), data.get('date_to'))
+        Event.clean_presale(data.get('presale_start'), data.get('presale_end'))
+
+        SubEvent.clean_items(event, [item['item'] for item in full_data.get('subeventitem_set')])
+        SubEvent.clean_variations(event, [item['variation'] for item in full_data.get('subeventitemvariation_set')])
+        return data
+
+    def validate_item_price_overrides(self, data):
+        return list(filter(lambda i: 'item' in i, data))
+
+    def validate_variation_price_overrides(self, data):
+        return list(filter(lambda i: 'variation' in i, data))
+
+    @cached_property
+    def meta_properties(self):
+        return {
+            p.name: p for p in self.context['request'].organizer.meta_properties.all()
+        }
+
+    def validate_meta_data(self, value):
+        for key in value['meta_data'].keys():
+            if key not in self.meta_properties:
+                raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
+        return value
+
+    @transaction.atomic
+    def create(self, validated_data):
+        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
+        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
+        subevent = super().create(validated_data)
+
+        for item_price_override_data in item_price_overrides_data:
+            SubEventItem.objects.create(subevent=subevent, **item_price_override_data)
+        for variation_price_override_data in variation_price_overrides_data:
+            SubEventItemVariation.objects.create(subevent=subevent, **variation_price_override_data)
+
+        # Meta data
+        if meta_data is not None:
+            for key, value in meta_data.items():
+                subevent.meta_values.create(
+                    property=self.meta_properties.get(key),
+                    value=value
+                )
+
+        return subevent
+
+    @transaction.atomic
+    def update(self, instance, validated_data):
+        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
+        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
+        meta_data = validated_data.pop('meta_data', None)
+        subevent = super().update(instance, validated_data)
+
+        existing_item_overrides = {item.item: item.id for item in SubEventItem.objects.filter(subevent=subevent)}
+
+        for item_price_override_data in item_price_overrides_data:
+            id = existing_item_overrides.pop(item_price_override_data['item'], None)
+            SubEventItem(id=id, subevent=subevent, **item_price_override_data).save()
+
+        SubEventItem.objects.filter(id__in=existing_item_overrides.values()).delete()
+
+        existing_variation_overrides = {item.variation: item.id for item in SubEventItemVariation.objects.filter(subevent=subevent)}
+
+        for variation_price_override_data in variation_price_overrides_data:
+            id = existing_variation_overrides.pop(variation_price_override_data['variation'], None)
+            SubEventItemVariation(id=id, subevent=subevent, **variation_price_override_data).save()
+
+        SubEventItemVariation.objects.filter(id__in=existing_variation_overrides.values()).delete()
+
+        # Meta data
+        if meta_data is not None:
+            current = {mv.property: mv for mv in subevent.meta_values.select_related('property')}
+            for key, value in meta_data.items():
+                prop = self.meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    subevent.meta_values.create(
+                        property=self.meta_properties.get(key),
+                        value=value
+                    )
+
+            for prop, current_object in current.items():
+                if prop.name not in meta_data:
+                    current_object.delete()
+
+        return subevent
+

 class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
    class Meta:
--- a/src/pretix/api/serializers/i18n.py
+++ b/src/pretix/api/serializers/i18n.py
@@ -15,13 +15,20 @@ class I18nField(Field):
        super().__init__(**kwargs)

    def to_representation(self, value):
-        if value is None or value.data is None:
+        if hasattr(value, 'data'):
+            if isinstance(value.data, dict):
+                return value.data
+            elif value.data is None:
+                return None
+            else:
+                return {
+                    settings.LANGUAGE_CODE: str(value.data)
+                }
+        elif value is None:
            return None
-        if isinstance(value.data, dict):
-            return value.data
        else:
            return {
-                settings.LANGUAGE_CODE: str(value.data)
+                settings.LANGUAGE_CODE: str(value)
            }

    def to_internal_value(self, data):
--- a/src/pretix/api/serializers/item.py
+++ b/src/pretix/api/serializers/item.py
@@ -7,12 +7,15 @@ from rest_framework import serializers

 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
-    Quota,
+    Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation, Question,
+    QuestionOption, Quota,
 )


 class InlineItemVariationSerializer(I18nAwareModelSerializer):
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+                                     coerce_to_string=True)
+
    class Meta:
        model = ItemVariation
        fields = ('id', 'value', 'active', 'description',
@@ -20,12 +23,22 @@ class InlineItemVariationSerializer(I18nAwareModelSerializer):


 class ItemVariationSerializer(I18nAwareModelSerializer):
+    price = serializers.DecimalField(read_only=True, decimal_places=2, max_digits=10,
+                                     coerce_to_string=True)
+
    class Meta:
        model = ItemVariation
        fields = ('id', 'value', 'active', 'description',
                  'position', 'default_price', 'price')


+class InlineItemBundleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ItemBundle
+        fields = ('bundled_item', 'bundled_variation', 'count',
+                  'designated_price')
+
+
 class InlineItemAddOnSerializer(serializers.ModelSerializer):
    class Meta:
        model = ItemAddOn
@@ -33,6 +46,31 @@ class InlineItemAddOnSerializer(serializers.ModelSerializer):
                  'position', 'price_included')


+class ItemBundleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = ItemBundle
+        fields = ('id', 'bundled_item', 'bundled_variation', 'count',
+                  'designated_price')
+
+    def validate(self, data):
+        data = super().validate(data)
+        event = self.context['event']
+
+        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
+        full_data.update(data)
+
+        ItemBundle.clean_itemvar(event, full_data.get('bundled_item'), full_data.get('bundled_variation'))
+
+        item = self.context['item']
+        if item == full_data.get('bundled_item'):
+            raise ValidationError(_("The bundled item must not be the same item as the bundling one."))
+        if full_data.get('bundled_item'):
+            if full_data['bundled_item'].bundles.exists():
+                raise ValidationError(_("The bundled item must not have bundles on its own."))
+
+        return data
+
+
 class ItemAddOnSerializer(serializers.ModelSerializer):
    class Meta:
        model = ItemAddOn
@@ -69,17 +107,18 @@ class ItemTaxRateField(serializers.Field):

 class ItemSerializer(I18nAwareModelSerializer):
    addons = InlineItemAddOnSerializer(many=True, required=False)
+    bundles = InlineItemBundleSerializer(many=True, required=False)
    variations = InlineItemVariationSerializer(many=True, required=False)
    tax_rate = ItemTaxRateField(source='*', read_only=True)

    class Meta:
        model = Item
-        fields = ('id', 'category', 'name', 'internal_name', 'active', 'description',
+        fields = ('id', 'category', 'name', 'internal_name', 'active', 'sales_channels', 'description',
                  'default_price', 'free_price', 'tax_rate', 'tax_rule', 'admission',
                  'position', 'picture', 'available_from', 'available_until',
-                  'require_voucher', 'hide_without_voucher', 'allow_cancel',
-                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations',
-                  'variations', 'addons', 'original_price', 'require_approval')
+                  'require_voucher', 'hide_without_voucher', 'allow_cancel', 'require_bundling',
+                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations', 'variations',
+                  'addons', 'bundles', 'original_price', 'require_approval', 'generate_tickets')
        read_only_fields = ('has_variations', 'picture')

    def get_serializer_context(self):
@@ -87,8 +126,8 @@ class ItemSerializer(I18nAwareModelSerializer):

    def validate(self, data):
        data = super().validate(data)
-        if self.instance and ('addons' in data or 'variations' in data):
-            raise ValidationError(_('Updating add-ons or variations via PATCH/PUT is not supported. Please use the '
+        if self.instance and ('addons' in data or 'variations' in data or 'bundles' in data):
+            raise ValidationError(_('Updating add-ons, bundles, or variations via PATCH/PUT is not supported. Please use the '
                                    'dedicated nested endpoint.'))

        Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
@@ -104,6 +143,12 @@ class ItemSerializer(I18nAwareModelSerializer):
        Item.clean_tax_rule(value, self.context['event'])
        return value

+    def validate_bundles(self, value):
+        if not self.instance:
+            for b_data in value:
+                ItemBundle.clean_itemvar(self.context['event'], b_data['bundled_item'], b_data['bundled_variation'])
+        return value
+
    def validate_addons(self, value):
        if not self.instance:
            for addon_data in value:
@@ -117,11 +162,14 @@ class ItemSerializer(I18nAwareModelSerializer):
    def create(self, validated_data):
        variations_data = validated_data.pop('variations') if 'variations' in validated_data else {}
        addons_data = validated_data.pop('addons') if 'addons' in validated_data else {}
+        bundles_data = validated_data.pop('bundles') if 'bundles' in validated_data else {}
        item = Item.objects.create(**validated_data)
        for variation_data in variations_data:
            ItemVariation.objects.create(item=item, **variation_data)
        for addon_data in addons_data:
            ItemAddOn.objects.create(base_item=item, **addon_data)
+        for bundle_data in bundles_data:
+            ItemBundle.objects.create(base_item=item, **bundle_data)
        return item


@@ -159,12 +207,20 @@ class QuestionSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Question
        fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
-                  'ask_during_checkin', 'identifier')
+                  'ask_during_checkin', 'identifier', 'dependency_question', 'dependency_value')

    def validate_identifier(self, value):
        Question._clean_identifier(self.context['event'], value, self.instance)
        return value

+    def validate_dependency_question(self, value):
+        if value:
+            if value.type not in (Question.TYPE_CHOICE, Question.TYPE_BOOLEAN, Question.TYPE_CHOICE_MULTIPLE):
+                raise ValidationError('Question dependencies can only be set to boolean or choice questions.')
+        if value == self.instance:
+            raise ValidationError('A question cannot depend on itself.')
+        return value
+
    def validate(self, data):
        data = super().validate(data)
        if self.instance and 'options' in data:
@@ -176,6 +232,18 @@ class QuestionSerializer(I18nAwareModelSerializer):
        full_data = self.to_internal_value(self.to_representation(self.instance)) if self.instance else {}
        full_data.update(data)

+        if full_data.get('ask_during_checkin') and full_data.get('dependency_question'):
+            raise ValidationError('Dependencies are not supported during check-in.')
+
+        dep = full_data.get('dependency_question')
+        if dep:
+            seen_ids = {self.instance.pk} if self.instance else set()
+            while dep:
+                if dep.pk in seen_ids:
+                    raise ValidationError(_('Circular dependency between questions detected.'))
+                seen_ids.add(dep.pk)
+                dep = dep.dependency_question
+
        Question.clean_items(event, full_data.get('items'))
        return data

--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -11,6 +11,8 @@ from rest_framework.relations import SlugRelatedField
 from rest_framework.reverse import reverse

 from pretix.api.serializers.i18n import I18nAwareModelSerializer
+from pretix.base.channels import get_all_sales_channels
+from pretix.base.i18n import language
 from pretix.base.models import (
    Checkin, Invoice, InvoiceAddress, InvoiceLine, Order, OrderPosition,
    Question, QuestionAnswer,
@@ -113,9 +115,7 @@ class PositionDownloadsField(serializers.Field):
        if instance.order.status != Order.STATUS_PAID:
            if instance.order.status != Order.STATUS_PENDING or instance.order.require_approval or not instance.order.event.settings.ticket_download_pending:
                return []
-        if instance.addon_to_id and not instance.order.event.settings.ticket_download_addons:
-            return []
-        if not instance.item.admission and not instance.order.event.settings.ticket_download_nonadm:
+        if not instance.generate_ticket:
            return []

        request = self.context['request']
@@ -141,20 +141,21 @@ class PdfDataSerializer(serializers.Field):
        res = {}

        ev = instance.subevent or instance.order.event
-        # This needs to have some extra performance improvements to avoid creating hundreds of queries when
-        # we serialize a list.
+        with language(instance.order.locale):
+            # This needs to have some extra performance improvements to avoid creating hundreds of queries when
+            # we serialize a list.

-        if 'vars' not in self.context:
-            self.context['vars'] = get_variables(self.context['request'].event)
+            if 'vars' not in self.context:
+                self.context['vars'] = get_variables(self.context['request'].event)

-        for k, f in self.context['vars'].items():
-            res[k] = f['evaluate'](instance, instance.order, ev)
+            for k, f in self.context['vars'].items():
+                res[k] = f['evaluate'](instance, instance.order, ev)

-        if not hasattr(ev, '_cached_meta_data'):
-            ev._cached_meta_data = ev.meta_data
+            if not hasattr(ev, '_cached_meta_data'):
+                ev._cached_meta_data = ev.meta_data

-        for k, v in ev._cached_meta_data.items():
-            res['meta:' + k] = v
+            for k, v in ev._cached_meta_data.items():
+                res['meta:' + k] = v

        return res

@@ -219,26 +220,73 @@ class OrderRefundSerializer(I18nAwareModelSerializer):


 class OrderSerializer(I18nAwareModelSerializer):
-    invoice_address = InvoiceAddressSerializer()
-    positions = OrderPositionSerializer(many=True)
-    fees = OrderFeeSerializer(many=True)
-    downloads = OrderDownloadsField(source='*')
-    payments = OrderPaymentSerializer(many=True)
-    refunds = OrderRefundSerializer(many=True)
-    payment_date = OrderPaymentDateField(source='*')
-    payment_provider = OrderPaymentTypeField(source='*')
+    invoice_address = InvoiceAddressSerializer(allow_null=True)
+    positions = OrderPositionSerializer(many=True, read_only=True)
+    fees = OrderFeeSerializer(many=True, read_only=True)
+    downloads = OrderDownloadsField(source='*', read_only=True)
+    payments = OrderPaymentSerializer(many=True, read_only=True)
+    refunds = OrderRefundSerializer(many=True, read_only=True)
+    payment_date = OrderPaymentDateField(source='*', read_only=True)
+    payment_provider = OrderPaymentTypeField(source='*', read_only=True)

    class Meta:
        model = Order
-        fields = ('code', 'status', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
-                  'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
-                  'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval')
+        fields = (
+            'code', 'status', 'testmode', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
+            'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+        )
+        read_only_fields = (
+            'code', 'status', 'testmode', 'secret', 'datetime', 'expires', 'payment_date',
+            'payment_provider', 'fees', 'total', 'positions', 'downloads',
+            'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+        )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if not self.context['request'].query_params.get('pdf_data', 'false') == 'true':
            self.fields['positions'].child.fields.pop('pdf_data')

+    def validate_locale(self, l):
+        if l not in set(k for k in self.instance.event.settings.locales):
+            raise ValidationError('"{}" is not a supported locale for this event.'.format(l))
+        return l
+
+    def update(self, instance, validated_data):
+        # Even though all fields that shouldn't be edited are marked as read_only in the serializer
+        # (hopefully), we'll be extra careful here and be explicit about the model fields we update.
+        update_fields = ['comment', 'checkin_attention', 'email', 'locale']
+        print(validated_data)
+
+        if 'invoice_address' in validated_data:
+            iadata = validated_data.pop('invoice_address')
+
+            if not iadata:
+                try:
+                    instance.invoice_address.delete()
+                except InvoiceAddress.DoesNotExist:
+                    pass
+            else:
+                name = iadata.pop('name', '')
+                if name and not iadata.get('name_parts'):
+                    iadata['name_parts'] = {
+                        '_legacy': name
+                    }
+                try:
+                    ia = instance.invoice_address
+                    if iadata.get('vat_id') != ia.vat_id:
+                        ia.vat_id_validated = False
+                    self.fields['invoice_address'].update(ia, iadata)
+                except InvoiceAddress.DoesNotExist:
+                    InvoiceAddress.objects.create(order=instance, **iadata)
+
+        for attr, value in validated_data.items():
+            if attr in update_fields:
+                setattr(instance, attr, value)
+
+        instance.save(update_fields=update_fields)
+        return instance
+

 class AnswerCreateSerializer(I18nAwareModelSerializer):

@@ -323,7 +371,7 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
                  'secret', 'addon_to', 'subevent', 'answers')

    def validate_secret(self, secret):
-        if secret and OrderPosition.objects.filter(order__event=self.context['event'], secret=secret).exists():
+        if secret and OrderPosition.all.filter(order__event=self.context['event'], secret=secret).exists():
            raise ValidationError(
                'You cannot assign a position secret that already exists.'
            )
@@ -409,17 +457,23 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
    payment_provider = serializers.CharField(required=True)
    payment_info = CompatibleJSONField(required=False)
    consume_carts = serializers.ListField(child=serializers.CharField(), required=False)
+    force = serializers.BooleanField(default=False, required=False)

    class Meta:
        model = Order
-        fields = ('code', 'status', 'email', 'locale', 'payment_provider', 'fees', 'comment',
-                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'consume_carts')
+        fields = ('code', 'status', 'testmode', 'email', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
+                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'consume_carts', 'force')

    def validate_payment_provider(self, pp):
        if pp not in self.context['event'].get_payment_providers():
            raise ValidationError('The given payment provider is not known.')
        return pp

+    def validate_sales_channel(self, channel):
+        if channel not in get_all_sales_channels():
+            raise ValidationError('Unknown sales channel.')
+        return channel
+
    def validate_code(self, code):
        if code and Order.objects.filter(event__organizer=self.context['event'].organizer, code=code).exists():
            raise ValidationError(
@@ -479,6 +533,7 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
        positions_data = validated_data.pop('positions') if 'positions' in validated_data else []
        payment_provider = validated_data.pop('payment_provider')
        payment_info = validated_data.pop('payment_info', '{}')
+        force = validated_data.pop('force', False)

        if 'invoice_address' in validated_data:
            iadata = validated_data.pop('invoice_address')
@@ -512,29 +567,30 @@ class OrderCreateSerializer(I18nAwareModelSerializer):

            errs = [{} for p in positions_data]

-            for i, pos_data in enumerate(positions_data):
-                new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
-                              if pos_data.get('variation')
-                              else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
-                if len(new_quotas) == 0:
-                    errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
-                        str(pos_data.get('item'))
-                    )]
-                else:
-                    for quota in new_quotas:
-                        if quota not in quota_avail_cache:
-                            quota_avail_cache[quota] = list(quota.availability())
+            if not force:
+                for i, pos_data in enumerate(positions_data):
+                    new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
+                                  if pos_data.get('variation')
+                                  else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
+                    if len(new_quotas) == 0:
+                        errs[i]['item'] = [ugettext_lazy('The product "{}" is not assigned to a quota.').format(
+                            str(pos_data.get('item'))
+                        )]
+                    else:
+                        for quota in new_quotas:
+                            if quota not in quota_avail_cache:
+                                quota_avail_cache[quota] = list(quota.availability())

-                        if quota_avail_cache[quota][1] is not None:
-                            quota_avail_cache[quota][1] -= 1
-                            if quota_avail_cache[quota][1] < 0:
-                                errs[i]['item'] = [
-                                    ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
-                                        quota.name
-                                    )
-                                ]
+                            if quota_avail_cache[quota][1] is not None:
+                                quota_avail_cache[quota][1] -= 1
+                                if quota_avail_cache[quota][1] < 0:
+                                    errs[i]['item'] = [
+                                        ugettext_lazy('There is not enough quota available on quota "{}" to perform the operation.').format(
+                                            quota.name
+                                        )
+                                    ]

-                quotadiff.update(new_quotas)
+                    quotadiff.update(new_quotas)

            if any(errs):
                raise ValidationError({'positions': errs})
@@ -551,7 +607,8 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                order.status = Order.STATUS_PAID
                order.save()
                order.payments.create(
-                    amount=order.total, provider='free', state=OrderPayment.PAYMENT_STATE_CONFIRMED
+                    amount=order.total, provider='free', state=OrderPayment.PAYMENT_STATE_CONFIRMED,
+                    payment_date=now()
                )
            elif payment_provider == "free" and order.total != Decimal('0.00'):
                raise ValidationError('You cannot use the "free" payment provider for non-free orders.')
--- a/src/pretix/api/urls.py
+++ b/src/pretix/api/urls.py
@@ -44,6 +44,7 @@ question_router.register(r'options', item.QuestionOptionViewSet)
 item_router = routers.DefaultRouter()
 item_router.register(r'variations', item.ItemVariationViewSet)
 item_router.register(r'addons', item.ItemAddOnViewSet)
+item_router.register(r'bundles', item.ItemBundleViewSet)

 order_router = routers.DefaultRouter()
 order_router.register(r'payments', order.PaymentViewSet)
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -1,5 +1,5 @@
 from django.core.exceptions import ValidationError
-from django.db.models import Count, F, Max, OuterRef, Prefetch, Subquery
+from django.db.models import Count, F, Max, OuterRef, Prefetch, Q, Subquery
 from django.db.models.functions import Coalesce
 from django.http import Http404
 from django.shortcuts import get_object_or_404
@@ -16,7 +16,9 @@ from pretix.api.serializers.item import QuestionSerializer
 from pretix.api.serializers.order import OrderPositionSerializer
 from pretix.api.views import RichOrderingFilter
 from pretix.api.views.order import OrderPositionFilter
-from pretix.base.models import Checkin, CheckinList, Order, OrderPosition
+from pretix.base.models import (
+    Checkin, CheckinList, Event, Order, OrderPosition,
+)
 from pretix.base.services.checkin import (
    CheckInError, RequiredQuestionsError, perform_checkin,
 )
@@ -201,12 +203,39 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
            subevent=self.checkinlist.subevent
        ).annotate(
            last_checked_in=Subquery(cqs)
-        ).prefetch_related(
-            Prefetch(
-                lookup='checkins',
-                queryset=Checkin.objects.filter(list_id=self.checkinlist.pk)
+        )
+        if self.request.query_params.get('pdf_data', 'false') == 'true':
+            qs = qs.prefetch_related(
+                Prefetch(
+                    lookup='checkins',
+                    queryset=Checkin.objects.filter(list_id=self.checkinlist.pk)
+                ),
+                'checkins', 'answers', 'answers__options', 'answers__question',
+                Prefetch('addons', OrderPosition.objects.select_related('item', 'variation')),
+                Prefetch('order', Order.objects.select_related('invoice_address').prefetch_related(
+                    Prefetch(
+                        'event',
+                        Event.objects.select_related('organizer')
+                    ),
+                    Prefetch(
+                        'positions',
+                        OrderPosition.objects.prefetch_related(
+                            'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        )
+                    )
+                ))
+            ).select_related(
+                'item', 'variation', 'item__category', 'addon_to'
            )
-        ).select_related('item', 'variation', 'order', 'addon_to')
+        else:
+            qs = qs.prefetch_related(
+                Prefetch(
+                    lookup='checkins',
+                    queryset=Checkin.objects.filter(list_id=self.checkinlist.pk)
+                ),
+                'answers', 'answers__options', 'answers__question',
+                Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
+            ).select_related('item', 'variation', 'order', 'addon_to', 'order__invoice_address')

        if not self.checkinlist.all_products:
            qs = qs.filter(item__in=self.checkinlist.limit_products.values_list('id', flat=True))
@@ -251,6 +280,8 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
        except RequiredQuestionsError as e:
            return Response({
                'status': 'incomplete',
+                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'position': OrderPositionSerializer(op, context=self.get_serializer_context()).data,
                'questions': [
                    QuestionSerializer(q).data for q in e.questions
                ]
@@ -258,9 +289,21 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
        except CheckInError as e:
            return Response({
                'status': 'error',
-                'reason': e.code
+                'reason': e.code,
+                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'position': OrderPositionSerializer(op, context=self.get_serializer_context()).data
            }, status=400)
        else:
            return Response({
                'status': 'ok',
+                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
+                'position': OrderPositionSerializer(op, context=self.get_serializer_context()).data
            }, status=201)
+
+    def get_object(self):
+        queryset = self.filter_queryset(self.get_queryset())
+        if self.kwargs['pk'].isnumeric():
+            obj = get_object_or_404(queryset, Q(pk=self.kwargs['pk']) | Q(secret=self.kwargs['pk']))
+        else:
+            obj = get_object_or_404(queryset, secret=self.kwargs['pk'])
+        return obj
--- a/src/pretix/api/views/device.py
+++ b/src/pretix/api/views/device.py
@@ -105,7 +105,7 @@ class RevokeKeyView(APIView):

    def post(self, request, format=None):
        device = request.auth
-        device.api_token = None
+        device.revoked = True
        device.save()
        device.log_action('pretix.device.revoked', auth=device)

--- a/src/pretix/api/views/event.py
+++ b/src/pretix/api/views/event.py
@@ -217,9 +217,10 @@ class SubEventFilter(FilterSet):
            return queryset.exclude(expr)


-class SubEventViewSet(ConditionalListView, viewsets.ReadOnlyModelViewSet):
+class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = SubEventSerializer
    queryset = ItemCategory.objects.none()
+    write_permission = 'can_change_event_settings'
    filter_backends = (DjangoFilterBackend, filters.OrderingFilter)
    filterset_class = SubEventFilter

@@ -240,6 +241,42 @@ class SubEventViewSet(ConditionalListView, viewsets.ReadOnlyModelViewSet):
            'subeventitem_set', 'subeventitemvariation_set'
        )

+    def perform_update(self, serializer):
+        super().perform_update(serializer)
+
+        serializer.instance.log_action(
+            'pretix.subevent.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=self.request.data
+        )
+
+    def perform_create(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.log_action(
+            'pretix.subevent.added',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=self.request.data
+        )
+
+    def perform_destroy(self, instance):
+        if not instance.allow_delete():
+            raise PermissionDenied('The sub-event can not be deleted as it has already been used in orders. Please set'
+                                   ' \'active\' to false instead to hide it from users.')
+        try:
+            with transaction.atomic():
+                instance.log_action(
+                    'pretix.subevent.deleted',
+                    user=self.request.user,
+                    auth=self.request.auth,
+                    data=self.request.data
+                )
+                super().perform_destroy(instance)
+        except ProtectedError:
+            raise PermissionDenied('The sub-event could not be deleted as some constraints (e.g. data created by '
+                                   'plug-ins) do not allow it.')
+

 class TaxRuleViewSet(ConditionalListView, viewsets.ModelViewSet):
    serializer_class = TaxRuleSerializer
--- a/src/pretix/api/views/item.py
+++ b/src/pretix/api/views/item.py
@@ -1,6 +1,7 @@
 import django_filters
 from django.db.models import Q
 from django.shortcuts import get_object_or_404
+from django.utils.functional import cached_property
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import viewsets
 from rest_framework.decorators import detail_route
@@ -9,14 +10,14 @@ from rest_framework.filters import OrderingFilter
 from rest_framework.response import Response

 from pretix.api.serializers.item import (
-    ItemAddOnSerializer, ItemCategorySerializer, ItemSerializer,
-    ItemVariationSerializer, QuestionOptionSerializer, QuestionSerializer,
-    QuotaSerializer,
+    ItemAddOnSerializer, ItemBundleSerializer, ItemCategorySerializer,
+    ItemSerializer, ItemVariationSerializer, QuestionOptionSerializer,
+    QuestionSerializer, QuotaSerializer,
 )
 from pretix.api.views import ConditionalListView
 from pretix.base.models import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
-    Quota,
+    Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation, Question,
+    QuestionOption, Quota,
 )
 from pretix.helpers.dicts import merge_dicts

@@ -46,7 +47,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
    write_permission = 'can_change_items'

    def get_queryset(self):
-        return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons').all()
+        return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons', 'bundles').all()

    def perform_create(self, serializer):
        serializer.save(event=self.request.event)
@@ -96,17 +97,20 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
    permission = None
    write_permission = 'can_change_items'

+    @cached_property
+    def item(self):
+        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+
    def get_queryset(self):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
-        return item.variations.all()
+        return self.item.variations.all()

    def get_serializer_context(self):
        ctx = super().get_serializer_context()
-        ctx['item'] = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        ctx['item'] = self.item
        return ctx

    def perform_create(self, serializer):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        item = self.item
        if not item.has_variations:
            raise PermissionDenied('This variation cannot be created because the item does not have variations. '
                                   'Changing a product without variations to a product with variations is not allowed.')
@@ -149,6 +153,58 @@ class ItemVariationViewSet(viewsets.ModelViewSet):
        )


+class ItemBundleViewSet(viewsets.ModelViewSet):
+    serializer_class = ItemBundleSerializer
+    queryset = ItemBundle.objects.none()
+    filter_backends = (DjangoFilterBackend, OrderingFilter,)
+    ordering_fields = ('id',)
+    ordering = ('id',)
+    permission = None
+    write_permission = 'can_change_items'
+
+    @cached_property
+    def item(self):
+        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+
+    def get_queryset(self):
+        return self.item.bundles.all()
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        ctx['item'] = self.item
+        return ctx
+
+    def perform_create(self, serializer):
+        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        serializer.save(base_item=item)
+        item.log_action(
+            'pretix.event.item.bundles.added',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=merge_dicts(self.request.data, {'id': serializer.instance.pk})
+        )
+
+    def perform_update(self, serializer):
+        serializer.save(event=self.request.event)
+        serializer.instance.base_item.log_action(
+            'pretix.event.item.bundles.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data=merge_dicts(self.request.data, {'id': serializer.instance.pk})
+        )
+
+    def perform_destroy(self, instance):
+        super().perform_destroy(instance)
+        instance.base_item.log_action(
+            'pretix.event.item.bundles.removed',
+            user=self.request.user,
+            auth=self.request.auth,
+            data={'bundled_item': instance.bundled_item.pk, 'bundled_variation': instance.bundled_variation.pk if instance.bundled_variation else None,
+                  'count': instance.count, 'designated_price': instance.designated_price}
+        )
+
+
 class ItemAddOnViewSet(viewsets.ModelViewSet):
    serializer_class = ItemAddOnSerializer
    queryset = ItemAddOn.objects.none()
@@ -158,18 +214,21 @@ class ItemAddOnViewSet(viewsets.ModelViewSet):
    permission = None
    write_permission = 'can_change_items'

+    @cached_property
+    def item(self):
+        return get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+
    def get_queryset(self):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
-        return item.addons.all()
+        return self.item.addons.all()

    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['event'] = self.request.event
-        ctx['item'] = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        ctx['item'] = self.item
        return ctx

    def perform_create(self, serializer):
-        item = get_object_or_404(Item, pk=self.kwargs['item'], event=self.request.event)
+        item = self.item
        category = get_object_or_404(ItemCategory, pk=self.request.data['addon_category'])
        serializer.save(base_item=item, addon_category=category)
        item.log_action(
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -1,4 +1,5 @@
 import datetime
+from decimal import Decimal

 import django_filters
 import pytz
@@ -8,6 +9,7 @@ from django.db.models.functions import Coalesce, Concat
 from django.http import FileResponse
 from django.shortcuts import get_object_or_404
 from django.utils.timezone import make_aware, now
+from django.utils.translation import ugettext as _
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from rest_framework import mixins, serializers, status, viewsets
 from rest_framework.decorators import detail_route
@@ -25,8 +27,9 @@ from pretix.api.serializers.order import (
    OrderRefundSerializer, OrderSerializer,
 )
 from pretix.base.models import (
-    Device, Invoice, Order, OrderPayment, OrderPosition, OrderRefund, Quota,
-    TeamAPIToken,
+    CachedCombinedTicket, CachedTicket, Device, Event, Invoice, Order,
+    OrderPayment, OrderPosition, OrderRefund, Quota, TeamAPIToken,
+    generate_position_secret, generate_secret,
 )
 from pretix.base.payment import PaymentException
 from pretix.base.services.invoices import (
@@ -38,9 +41,7 @@ from pretix.base.services.orders import (
    OrderChangeManager, OrderError, approve_order, cancel_order, deny_order,
    extend_order, mark_order_expired, mark_order_refunded,
 )
-from pretix.base.services.tickets import (
-    get_cachedticket_for_order, get_cachedticket_for_position,
-)
+from pretix.base.services.tickets import generate
 from pretix.base.signals import order_placed, register_ticket_outputs


@@ -49,13 +50,14 @@ class OrderFilter(FilterSet):
    code = django_filters.CharFilter(field_name='code', lookup_expr='iexact')
    status = django_filters.CharFilter(field_name='status', lookup_expr='iexact')
    modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
+    created_since = django_filters.IsoDateTimeFilter(field_name='datetime', lookup_expr='gte')

    class Meta:
        model = Order
-        fields = ['code', 'status', 'email', 'locale', 'require_approval']
+        fields = ['code', 'status', 'email', 'locale', 'testmode', 'require_approval']


-class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
+class OrderViewSet(viewsets.ModelViewSet):
    serializer_class = OrderSerializer
    queryset = Order.objects.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -84,6 +86,7 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
                    'positions',
                    OrderPosition.objects.all().prefetch_related(
                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        'item__category', 'addon_to',
                        Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
                    )
                )
@@ -130,9 +133,11 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        if order.status != Order.STATUS_PAID:
            raise PermissionDenied("Downloads are not available for unpaid orders.")

-        ct = get_cachedticket_for_order(order, provider.identifier)
-
-        if not ct.file:
+        ct = CachedCombinedTicket.objects.filter(
+            order=order, provider=provider.identifier, file__isnull=False
+        ).last()
+        if not ct or not ct.file:
+            generate.apply_async(args=('order', order.pk, provider.identifier))
            raise RetryException()
        else:
            resp = FileResponse(ct.file.file, content_type=ct.type)
@@ -186,6 +191,12 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
    @detail_route(methods=['POST'])
    def mark_canceled(self, request, **kwargs):
        send_mail = request.data.get('send_email', True)
+        cancellation_fee = request.data.get('cancellation_fee', None)
+        if cancellation_fee:
+            try:
+                cancellation_fee = float(Decimal(cancellation_fee))
+            except:
+                cancellation_fee = None

        order = self.get_object()
        if not order.cancel_allowed():
@@ -194,14 +205,21 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
                status=status.HTTP_400_BAD_REQUEST
            )

-        cancel_order(
-            order,
-            user=request.user if request.user.is_authenticated else None,
-            api_token=request.auth if isinstance(request.auth, TeamAPIToken) else None,
-            device=request.auth if isinstance(request.auth, Device) else None,
-            oauth_application=request.auth.application if isinstance(request.auth, OAuthAccessToken) else None,
-            send_mail=send_mail
-        )
+        try:
+            cancel_order(
+                order,
+                user=request.user if request.user.is_authenticated else None,
+                api_token=request.auth if isinstance(request.auth, TeamAPIToken) else None,
+                device=request.auth if isinstance(request.auth, Device) else None,
+                oauth_application=request.auth.application if isinstance(request.auth, OAuthAccessToken) else None,
+                send_mail=send_mail,
+                cancellation_fee=cancellation_fee
+            )
+        except OrderError as e:
+            return Response(
+                {'detail': str(e)},
+                status=status.HTTP_400_BAD_REQUEST
+            )
        return self.retrieve(request, [], **kwargs)

    @detail_route(methods=['POST'])
@@ -293,6 +311,70 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        )
        return self.retrieve(request, [], **kwargs)

+    @detail_route(methods=['POST'])
+    def create_invoice(self, request, **kwargs):
+        order = self.get_object()
+        has_inv = order.invoices.exists() and not (
+            order.status in (Order.STATUS_PAID, Order.STATUS_PENDING)
+            and order.invoices.filter(is_cancellation=True).count() >= order.invoices.filter(is_cancellation=False).count()
+        )
+        if self.request.event.settings.get('invoice_generate') not in ('admin', 'user', 'paid', 'True') or not invoice_qualified(order):
+            return Response(
+                {'detail': _('You cannot generate an invoice for this order.')},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+        elif has_inv:
+            return Response(
+                {'detail': _('An invoice for this order already exists.')},
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        inv = generate_invoice(order)
+        order.log_action(
+            'pretix.event.order.invoice.generated',
+            user=self.request.user,
+            auth=self.request.auth,
+            data={
+                'invoice': inv.pk
+            }
+        )
+        return Response(
+            InvoiceSerializer(inv).data,
+            status=status.HTTP_201_CREATED
+        )
+
+    @detail_route(methods=['POST'])
+    def resend_link(self, request, **kwargs):
+        order = self.get_object()
+        if not order.email:
+            return Response({'detail': 'There is no email address associated with this order.'}, status=status.HTTP_400_BAD_REQUEST)
+        try:
+            order.resend_link(user=self.request.user, auth=self.request.auth)
+        except SendMailException:
+            return Response({'detail': _('There was an error sending the mail. Please try again later.')}, status=status.HTTP_503_SERVICE_UNAVAILABLE)
+
+        return Response(
+            status=status.HTTP_204_NO_CONTENT
+        )
+
+    @detail_route(methods=['POST'])
+    @transaction.atomic
+    def regenerate_secrets(self, request, **kwargs):
+        order = self.get_object()
+        order.secret = generate_secret()
+        for op in order.all_positions.all():
+            op.secret = generate_position_secret()
+            op.save()
+        order.save(update_fields=['secret'])
+        CachedTicket.objects.filter(order_position__order=order).delete()
+        CachedCombinedTicket.objects.filter(order=order).delete()
+        order.log_action(
+            'pretix.event.order.secret.changed',
+            user=self.request.user,
+            auth=self.request.auth,
+        )
+        return self.retrieve(request, [], **kwargs)
+
    @detail_route(methods=['POST'])
    def extend(self, request, **kwargs):
        new_date = request.data.get('expires', None)
@@ -360,9 +442,81 @@ class OrderViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        headers = self.get_success_headers(serializer.data)
        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)

+    def update(self, request, *args, **kwargs):
+        partial = kwargs.get('partial', False)
+        if not partial:
+            return Response(
+                {"detail": "Method \"PUT\" not allowed."},
+                status=status.HTTP_405_METHOD_NOT_ALLOWED,
+            )
+        return super().update(request, *args, **kwargs)
+
+    @transaction.atomic
+    def perform_update(self, serializer):
+        if 'comment' in self.request.data and serializer.instance.comment != self.request.data.get('comment'):
+            serializer.instance.log_action(
+                'pretix.event.order.comment',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'new_comment': self.request.data.get('comment')
+                }
+            )
+
+        if 'checkin_attention' in self.request.data and serializer.instance.checkin_attention != self.request.data.get('checkin_attention'):
+            serializer.instance.log_action(
+                'pretix.event.order.checkin_attention',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'new_value': self.request.data.get('checkin_attention')
+                }
+            )
+
+        if 'email' in self.request.data and serializer.instance.email != self.request.data.get('email'):
+            serializer.instance.log_action(
+                'pretix.event.order.contact.changed',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'old_email': serializer.instance.email,
+                    'new_email': self.request.data.get('email'),
+                }
+            )
+
+        if 'locale' in self.request.data and serializer.instance.locale != self.request.data.get('locale'):
+            serializer.instance.log_action(
+                'pretix.event.order.locale.changed',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'old_locale': serializer.instance.locale,
+                    'new_locale': self.request.data.get('locale'),
+                }
+            )
+
+        if 'invoice_address' in self.request.data:
+            serializer.instance.log_action(
+                'pretix.event.order.modified',
+                user=self.request.user,
+                auth=self.request.auth,
+                data={
+                    'invoice_data': self.request.data.get('invoice_address'),
+                }
+            )
+
+        serializer.save()
+
    def perform_create(self, serializer):
        serializer.save()

+    def perform_destroy(self, instance):
+        if not instance.testmode:
+            raise PermissionDenied('Only test mode orders can be deleted.')
+
+        with transaction.atomic():
+            self.get_object().gracefully_delete(user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
+

 class OrderPositionFilter(FilterSet):
    order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')
@@ -375,8 +529,11 @@ class OrderPositionFilter(FilterSet):
            Q(secret__istartswith=value)
            | Q(attendee_name_cached__icontains=value)
            | Q(addon_to__attendee_name_cached__icontains=value)
+            | Q(attendee_email__icontains=value)
+            | Q(addon_to__attendee_email__icontains=value)
            | Q(order__code__istartswith=value)
            | Q(order__invoice_address__name_cached__icontains=value)
+            | Q(order__email__icontains=value)
        )

    def has_checkin_qs(self, queryset, name, value):
@@ -421,11 +578,33 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewS
    }

    def get_queryset(self):
-        return OrderPosition.objects.filter(order__event=self.request.event).prefetch_related(
-            'checkins', 'answers', 'answers__options', 'answers__question'
-        ).select_related(
-            'item', 'order', 'order__event', 'order__event__organizer'
-        )
+        qs = OrderPosition.objects.filter(order__event=self.request.event)
+        if self.request.query_params.get('pdf_data', 'false') == 'true':
+            qs = qs.prefetch_related(
+                'checkins', 'answers', 'answers__options', 'answers__question',
+                Prefetch('addons', OrderPosition.objects.select_related('item', 'variation')),
+                Prefetch('order', Order.objects.select_related('invoice_address').prefetch_related(
+                    Prefetch(
+                        'event',
+                        Event.objects.select_related('organizer')
+                    ),
+                    Prefetch(
+                        'positions',
+                        OrderPosition.objects.prefetch_related(
+                            'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        )
+                    )
+                ))
+            ).select_related(
+                'item', 'variation', 'item__category', 'addon_to'
+            )
+        else:
+            qs = qs.prefetch_related(
+                'checkins', 'answers', 'answers__options', 'answers__question'
+            ).select_related(
+                'item', 'order', 'order__event', 'order__event__organizer'
+            )
+        return qs

    def _get_output_provider(self, identifier):
        responses = register_ticket_outputs.send(self.request.event)
@@ -442,14 +621,14 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewS

        if pos.order.status != Order.STATUS_PAID:
            raise PermissionDenied("Downloads are not available for unpaid orders.")
-        if pos.addon_to_id and not request.event.settings.ticket_download_addons:
-            raise PermissionDenied("Downloads are not enabled for add-on products.")
-        if not pos.item.admission and not request.event.settings.ticket_download_nonadm:
-            raise PermissionDenied("Downloads are not enabled for non-admission products.")
+        if not pos.generate_ticket:
+            raise PermissionDenied("Downloads are not enabled for this product.")

-        ct = get_cachedticket_for_position(pos, provider.identifier)
-
-        if not ct.file:
+        ct = CachedTicket.objects.filter(
+            order_position=pos, provider=provider.identifier, file__isnull=False
+        ).last()
+        if not ct or not ct.file:
+            generate.apply_async(args=('orderposition', pos.pk, provider.identifier))
            raise RetryException()
        else:
            resp = FileResponse(ct.file.file, content_type=ct.type)
@@ -513,7 +692,10 @@ class PaymentViewSet(viewsets.ReadOnlyModelViewSet):
        amount = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
            request.data.get('amount', str(payment.amount))
        )
-        mark_refunded = request.data.get('mark_refunded', False)
+        if 'mark_refunded' in request.data:
+            mark_refunded = request.data.get('mark_refunded', False)
+        else:
+            mark_refunded = request.data.get('mark_canceled', False)

        if payment.state != OrderPayment.PAYMENT_STATE_CONFIRMED:
            return Response({'detail': 'Invalid state of payment.'}, status=status.HTTP_400_BAD_REQUEST)
@@ -622,10 +804,14 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
            return Response({'detail': 'Invalid state of refund'}, status=status.HTTP_400_BAD_REQUEST)

        refund.done(user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
-        if request.data.get('mark_refunded', False):
+        if 'mark_refunded' in request.data:
+            mark_refunded = request.data.get('mark_refunded', False)
+        else:
+            mark_refunded = request.data.get('mark_canceled', False)
+        if mark_refunded:
            mark_order_refunded(refund.order, user=self.request.user if self.request.user.is_authenticated else None,
                                auth=self.request.auth)
-        else:
+        elif not (refund.order.status == Order.STATUS_PAID and refund.order.pending_sum <= 0):
            refund.order.status = Order.STATUS_PENDING
            refund.order.set_expires(
                now(),
@@ -651,7 +837,10 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        return ctx

    def create(self, request, *args, **kwargs):
-        mark_refunded = request.data.pop('mark_refunded', False)
+        if 'mark_refunded' in request.data:
+            mark_refunded = request.data.pop('mark_refunded', False)
+        else:
+            mark_refunded = request.data.pop('mark_canceled', False)
        serializer = OrderRefundCreateSerializer(data=request.data, context=self.get_serializer_context())
        serializer.is_valid(raise_exception=True)
        with transaction.atomic():
@@ -768,7 +957,7 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
            raise PermissionDenied('The invoice file is no longer stored on the server.')
        else:
            c = generate_cancellation(inv)
-            if inv.order.status not in (Order.STATUS_CANCELED, Order.STATUS_REFUNDED):
+            if inv.order.status != Order.STATUS_CANCELED:
                inv = generate_invoice(inv.order)
            else:
                inv = c
--- a/src/pretix/api/views/voucher.py
+++ b/src/pretix/api/views/voucher.py
@@ -124,12 +124,12 @@ class VoucherViewSet(viewsets.ModelViewSet):
            serializer.is_valid(raise_exception=True)
            with transaction.atomic():
                serializer.save(event=self.request.event)
-                for i in serializer.instance:
-                    i.log_action(
+                for i, v in enumerate(serializer.instance):
+                    v.log_action(
                        'pretix.voucher.added',
                        user=self.request.user,
                        auth=self.request.auth,
-                        data=self.request.data
+                        data=self.request.data[i]
                    )
        headers = self.get_success_headers(serializer.data)
        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
--- a/src/pretix/api/webhooks.py
+++ b/src/pretix/api/webhooks.py
@@ -102,6 +102,7 @@ class ParametrizedOrderPositionWebhookEvent(ParametrizedOrderWebhookEvent):
        d['orderposition_positionid'] = logentry.parsed_data.get('positionid')
        d['checkin_list'] = logentry.parsed_data.get('list')
        d['first_checkin'] = logentry.parsed_data.get('first_checkin')
+        return d


@receiver(register_webhook_events, dispatch_uid="base_register_default_webhook_events")
@@ -111,6 +112,10 @@ def register_default_webhook_events(sender, **kwargs):
            'pretix.event.order.placed',
            _('New order placed'),
        ),
+        ParametrizedOrderWebhookEvent(
+            'pretix.event.order.placed.require_approval',
+            _('New order requires approval'),
+        ),
        ParametrizedOrderWebhookEvent(
            'pretix.event.order.paid',
            _('Order marked as paid'),
@@ -139,10 +144,6 @@ def register_default_webhook_events(sender, **kwargs):
            'pretix.event.order.refund.created.externally',
            _('External refund of payment'),
        ),
-        ParametrizedOrderWebhookEvent(
-            'pretix.event.order.refunded',
-            _('Order refunded'),
-        ),
        ParametrizedOrderWebhookEvent(
            'pretix.event.order.approved',
            _('Order approved'),
--- a/src/pretix/base/channels.py
+++ b/src/pretix/base/channels.py
@@ -0,0 +1,66 @@
+import logging
+from collections import OrderedDict
+
+from django.dispatch import receiver
+from django.utils.translation import ugettext_lazy as _
+
+from pretix.base.signals import register_sales_channels
+
+logger = logging.getLogger(__name__)
+_ALL_CHANNELS = None
+
+
+class SalesChannel:
+    def __repr__(self):
+        return '<SalesChannel: {}>'.format(self.identifier)
+
+    @property
+    def identifier(self) -> str:
+        """
+        The internal identifier of this sales channel.
+        """
+        raise NotImplementedError()  # NOQA
+
+    @property
+    def verbose_name(self) -> str:
+        """
+        A human-readable name of this sales channel.
+        """
+        raise NotImplementedError()  # NOQA
+
+    @property
+    def icon(self) -> str:
+        """
+        The name of a Font Awesome icon to represent this channel
+        """
+        return "circle"
+
+
+def get_all_sales_channels():
+    global _ALL_CHANNELS
+
+    if _ALL_CHANNELS:
+        return _ALL_CHANNELS
+
+    types = OrderedDict()
+    for recv, ret in register_sales_channels.send(None):
+        if isinstance(ret, (list, tuple)):
+            for r in ret:
+                types[r.identifier] = r
+        else:
+            types[ret.identifier] = ret
+    _ALL_CHANNELS = types
+    return types
+
+
+class WebshopSalesChannel(SalesChannel):
+    identifier = "web"
+    verbose_name = _('Online shop')
+    icon = "globe"
+
+
+@receiver(register_sales_channels, dispatch_uid="base_register_default_sales_channels")
+def base_sales_channels(sender, **kwargs):
+    return (
+        WebshopSalesChannel(),
+    )
--- a/src/pretix/base/email.py
+++ b/src/pretix/base/email.py
@@ -1,8 +1,6 @@
 import logging
 from smtplib import SMTPResponseException

-import bleach
-import markdown
 from django.conf import settings
 from django.core.mail.backends.smtp import EmailBackend
 from django.dispatch import receiver
@@ -12,7 +10,7 @@ from inlinestyler.utils import inline_css

 from pretix.base.models import Event, Order
 from pretix.base.signals import register_html_mail_renderers
-from pretix.base.templatetags.rich_text import markdown_compile
+from pretix.base.templatetags.rich_text import markdown_compile_email

 logger = logging.getLogger('pretix.base.email')

@@ -27,7 +25,7 @@ class CustomSMTPBackend(EmailBackend):
            if code != 250:
                logger.warn('Error testing mail settings, code %d, resp: %s' % (code, resp))
                raise SMTPResponseException(code, resp)
-            (code, resp) = self.connection.rcpt('test@example.com')
+            (code, resp) = self.connection.rcpt('testdummy@pretix.eu')
            if (code != 250) and (code != 251):
                logger.warn('Error testing mail settings, code %d, resp: %s' % (code, resp))
                raise SMTPResponseException(code, resp)
@@ -98,7 +96,7 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
        raise NotImplementedError()

    def render(self, plain_body: str, plain_signature: str, subject: str, order: Order) -> str:
-        body_md = bleach.linkify(markdown_compile(plain_body))
+        body_md = markdown_compile_email(plain_body)
        htmlctx = {
            'site': settings.PRETIX_INSTANCE_NAME,
            'site_url': settings.SITE_URL,
@@ -112,7 +110,7 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):

        if plain_signature:
            signature_md = plain_signature.replace('\n', '<br>\n')
-            signature_md = bleach.linkify(bleach.clean(markdown.markdown(signature_md), tags=bleach.ALLOWED_TAGS + ['p', 'br']))
+            signature_md = markdown_compile_email(signature_md)
            htmlctx['signature'] = signature_md

        if order:
--- a/src/pretix/base/exporter.py
+++ b/src/pretix/base/exporter.py
@@ -1,5 +1,14 @@
+import io
+import tempfile
+from collections import OrderedDict
 from typing import Tuple

+from defusedcsv import csv
+from django import forms
+from django.utils.translation import ugettext, ugettext_lazy as _
+from openpyxl import Workbook
+from openpyxl.cell.cell import KNOWN_TYPES
+

 class BaseExporter:
    """
@@ -55,7 +64,7 @@ class BaseExporter:
        """
        return {}

-    def render(self, form_data: dict) -> Tuple[str, str, str]:
+    def render(self, form_data: dict) -> Tuple[str, str, bytes]:
        """
        Render the exported file and return a tuple consisting of a filename, a file type
        and file content.
@@ -69,3 +78,138 @@ class BaseExporter:
        tasks.
        """
        raise NotImplementedError()  # NOQA
+
+
+class ListExporter(BaseExporter):
+
+    @property
+    def export_form_fields(self) -> dict:
+        ff = OrderedDict(
+            [
+                ('_format',
+                 forms.ChoiceField(
+                     label=_('Export format'),
+                     choices=(
+                         ('xlsx', _('Excel (.xlsx)')),
+                         ('default', _('CSV (with commas)')),
+                         ('csv-excel', _('CSV (Excel-style)')),
+                         ('semicolon', _('CSV (with semicolons)')),
+                     ),
+                 )),
+            ]
+        )
+        ff.update(self.additional_form_fields)
+        return ff
+
+    @property
+    def additional_form_fields(self) -> dict:
+        return {}
+
+    def iterate_list(self, form_data):
+        raise NotImplementedError()  # noqa
+
+    def get_filename(self):
+        return 'export.csv'
+
+    def _render_csv(self, form_data, **kwargs):
+        output = io.StringIO()
+        writer = csv.writer(output, **kwargs)
+        for line in self.iterate_list(form_data):
+            writer.writerow(line)
+        return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
+
+    def _render_xlsx(self, form_data):
+        wb = Workbook()
+        ws = wb.get_active_sheet()
+        try:
+            ws.title = str(self.verbose_name)
+        except:
+            pass
+        for i, line in enumerate(self.iterate_list(form_data)):
+            for j, val in enumerate(line):
+                ws.cell(row=i + 1, column=j + 1).value = str(val) if not isinstance(val, KNOWN_TYPES) else val
+
+        with tempfile.NamedTemporaryFile(suffix='.xlsx') as f:
+            wb.save(f.name)
+            f.seek(0)
+            return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', f.read()
+
+    def render(self, form_data: dict) -> Tuple[str, str, bytes]:
+        if form_data.get('_format') == 'xlsx':
+            return self._render_xlsx(form_data)
+        elif form_data.get('_format') == 'default':
+            return self._render_csv(form_data, quoting=csv.QUOTE_NONNUMERIC, delimiter=',')
+        elif form_data.get('_format') == 'csv-excel':
+            return self._render_csv(form_data, dialect='excel')
+        elif form_data.get('_format') == 'semicolon':
+            return self._render_csv(form_data, dialect='excel', delimiter=';')
+
+
+class MultiSheetListExporter(ListExporter):
+
+    @property
+    def sheets(self):
+        raise NotImplementedError()
+
+    @property
+    def export_form_fields(self) -> dict:
+        choices = [
+            ('xlsx', _('Combined Excel (.xlsx)')),
+        ]
+        for s, l in self.sheets:
+            choices += [
+                (s + ':default', str(l) + ' – ' + ugettext('CSV (with commas)')),
+                (s + ':excel', str(l) + ' – ' + ugettext('CSV (Excel-style)')),
+                (s + ':semicolon', str(l) + ' – ' + ugettext('CSV (with semicolons)')),
+            ]
+        ff = OrderedDict(
+            [
+                ('_format',
+                 forms.ChoiceField(
+                     label=_('Export format'),
+                     choices=choices,
+                 )),
+            ]
+        )
+        ff.update(self.additional_form_fields)
+        return ff
+
+    def iterate_list(self, form_data):
+        pass
+
+    def iterate_sheet(self, form_data, sheet):
+        raise NotImplementedError()  # noqa
+
+    def _render_sheet_csv(self, form_data, sheet, **kwargs):
+        output = io.StringIO()
+        writer = csv.writer(output, **kwargs)
+        for line in self.iterate_sheet(form_data, sheet):
+            writer.writerow(line)
+        return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
+
+    def _render_xlsx(self, form_data):
+        wb = Workbook()
+        ws = wb.get_active_sheet()
+        wb.remove(ws)
+        for s, l in self.sheets:
+            ws = wb.create_sheet(str(l))
+            for i, line in enumerate(self.iterate_sheet(form_data, sheet=s)):
+                for j, val in enumerate(line):
+                    ws.cell(row=i + 1, column=j + 1).value = str(val) if not isinstance(val, KNOWN_TYPES) else val
+
+        with tempfile.NamedTemporaryFile(suffix='.xlsx') as f:
+            wb.save(f.name)
+            f.seek(0)
+            return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', f.read()
+
+    def render(self, form_data: dict) -> Tuple[str, str, bytes]:
+        if form_data.get('_format') == 'xlsx':
+            return self._render_xlsx(form_data)
+        elif ':' in form_data.get('_format'):
+            sheet, f = form_data.get('_format').split(':')
+            if f == 'default':
+                return self._render_sheet_csv(form_data, sheet, quoting=csv.QUOTE_NONNUMERIC, delimiter=',')
+            elif f == 'excel':
+                return self._render_sheet_csv(form_data, sheet, dialect='excel')
+            elif f == 'semicolon':
+                return self._render_sheet_csv(form_data, sheet, dialect='excel', delimiter=';')
--- a/src/pretix/base/exporters/json.py
+++ b/src/pretix/base/exporters/json.py
@@ -10,7 +10,7 @@ from ..signals import register_data_exporters

 class JSONExporter(BaseExporter):
    identifier = 'json'
-    verbose_name = 'JSON'
+    verbose_name = 'Order data (JSON)'

    def render(self, form_data):
        jo = {
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -1,29 +1,37 @@
-import io
 from collections import OrderedDict
 from decimal import Decimal

 import pytz
-from defusedcsv import csv
 from django import forms
-from django.db.models import DateTimeField, Max, OuterRef, Subquery, Sum
+from django.db.models import DateTimeField, F, Max, OuterRef, Subquery, Sum
 from django.dispatch import receiver
-from django.utils.formats import localize
+from django.utils.formats import date_format, localize
 from django.utils.translation import ugettext as _, ugettext_lazy

-from pretix.base.models import InvoiceAddress, Order, OrderPosition
+from pretix.base.models import (
+    InvoiceAddress, InvoiceLine, Order, OrderPosition,
+)
 from pretix.base.models.orders import OrderFee, OrderPayment, OrderRefund
 from pretix.base.settings import PERSON_NAME_SCHEMES

-from ..exporter import BaseExporter
+from ..exporter import ListExporter, MultiSheetListExporter
 from ..signals import register_data_exporters


-class OrderListExporter(BaseExporter):
-    identifier = 'orderlistcsv'
-    verbose_name = ugettext_lazy('List of orders (CSV)')
+class OrderListExporter(MultiSheetListExporter):
+    identifier = 'orderlist'
+    verbose_name = ugettext_lazy('Order data')

    @property
-    def export_form_fields(self):
+    def sheets(self):
+        return (
+            ('orders', _('Orders')),
+            ('positions', _('Order positions')),
+            ('fees', _('Order fees')),
+        )
+
+    @property
+    def additional_form_fields(self):
        return OrderedDict(
            [
                ('paid_only',
@@ -51,10 +59,16 @@ class OrderListExporter(BaseExporter):
        tax_rates = sorted(tax_rates)
        return tax_rates

-    def render(self, form_data: dict):
-        output = io.StringIO()
+    def iterate_sheet(self, form_data, sheet):
+        if sheet == 'orders':
+            return self.iterate_orders(form_data)
+        elif sheet == 'positions':
+            return self.iterate_positions(form_data)
+        elif sheet == 'fees':
+            return self.iterate_fees(form_data)
+
+    def iterate_orders(self, form_data: dict):
        tz = pytz.timezone(self.event.settings.timezone)
-        writer = csv.writer(output, quoting=csv.QUOTE_NONNUMERIC, delimiter=",")

        p_date = OrderPayment.objects.filter(
            order=OuterRef('pk'),
@@ -94,8 +108,9 @@ class OrderListExporter(BaseExporter):
            ]

        headers.append(_('Invoice numbers'))
+        headers.append(_('Sales channel'))

-        writer.writerow(headers)
+        yield headers

        full_fee_sum_cache = {
            o['order__id']: o['grosssum'] for o in
@@ -162,17 +177,196 @@ class OrderListExporter(BaseExporter):
                ]

            row.append(', '.join([i.number for i in order.invoices.all()]))
-            writer.writerow(row)
+            row.append(order.sales_channel)
+            yield row

-        return '{}_orders.csv'.format(self.event.slug), 'text/csv', output.getvalue().encode("utf-8")
+    def iterate_fees(self, form_data: dict):
+        tz = pytz.timezone(self.event.settings.timezone)
+
+        qs = OrderFee.objects.filter(
+            order__event=self.event,
+        ).select_related('order', 'order__invoice_address', 'tax_rule')
+        if form_data['paid_only']:
+            qs = qs.filter(order__status=Order.STATUS_PAID)
+
+        headers = [
+            _('Order code'),
+            _('Status'),
+            _('Email'),
+            _('Order date'),
+            _('Fee type'),
+            _('Description'),
+            _('Price'),
+            _('Tax rate'),
+            _('Tax rule'),
+            _('Tax value'),
+            _('Company'),
+            _('Invoice address name'),
+        ]
+        name_scheme = PERSON_NAME_SCHEMES[self.event.settings.name_scheme]
+        if len(name_scheme['fields']) > 1:
+            for k, label, w in name_scheme['fields']:
+                headers.append(_('Invoice address name') + ': ' + str(label))
+        headers += [
+            _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
+        ]
+
+        yield headers
+
+        for op in qs.order_by('order__datetime'):
+            order = op.order
+            row = [
+                order.code,
+                order.get_status_display(),
+                order.email,
+                order.datetime.astimezone(tz).strftime('%Y-%m-%d'),
+                op.get_fee_type_display(),
+                op.description,
+                op.value,
+                op.tax_rate,
+                str(op.tax_rule) if op.tax_rule else '',
+                op.tax_value,
+            ]
+            try:
+                row += [
+                    order.invoice_address.company,
+                    order.invoice_address.name,
+                ]
+                if len(name_scheme['fields']) > 1:
+                    for k, label, w in name_scheme['fields']:
+                        row.append(
+                            order.invoice_address.name_parts.get(k, '')
+                        )
+                row += [
+                    order.invoice_address.street,
+                    order.invoice_address.zipcode,
+                    order.invoice_address.city,
+                    order.invoice_address.country if order.invoice_address.country else
+                    order.invoice_address.country_old,
+                    order.invoice_address.vat_id,
+                ]
+            except InvoiceAddress.DoesNotExist:
+                row += [''] * (7 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
+            yield row
+
+    def iterate_positions(self, form_data: dict):
+        tz = pytz.timezone(self.event.settings.timezone)
+
+        qs = OrderPosition.objects.filter(
+            order__event=self.event,
+        ).select_related(
+            'order', 'order__invoice_address', 'item', 'variation',
+            'voucher', 'tax_rule'
+        ).prefetch_related(
+            'answers', 'answers__question'
+        )
+        if form_data['paid_only']:
+            qs = qs.filter(order__status=Order.STATUS_PAID)
+
+        headers = [
+            _('Order code'),
+            _('Position ID'),
+            _('Status'),
+            _('Email'),
+            _('Order date'),
+            _('Product'),
+            _('Variation'),
+            _('Price'),
+            _('Tax rate'),
+            _('Tax rule'),
+            _('Tax value'),
+            _('Attendee name'),
+        ]
+        name_scheme = PERSON_NAME_SCHEMES[self.event.settings.name_scheme]
+        if len(name_scheme['fields']) > 1:
+            for k, label, w in name_scheme['fields']:
+                headers.append(_('Attendee name') + ': ' + str(label))
+        headers += [
+            _('Attendee email'),
+            _('Voucher'),
+            _('Pseudonymization ID'),
+        ]
+        questions = list(self.event.questions.all())
+        for q in questions:
+            headers.append(str(q.question))
+        headers += [
+            _('Company'),
+            _('Invoice address name'),
+        ]
+        if len(name_scheme['fields']) > 1:
+            for k, label, w in name_scheme['fields']:
+                headers.append(_('Invoice address name') + ': ' + str(label))
+        headers += [
+            _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
+        ]
+        headers.append(_('Sales channel'))
+
+        yield headers
+
+        for op in qs.order_by('order__datetime', 'positionid'):
+            order = op.order
+            row = [
+                order.code,
+                op.positionid,
+                order.get_status_display(),
+                order.email,
+                order.datetime.astimezone(tz).strftime('%Y-%m-%d'),
+                str(op.item),
+                str(op.variation) if op.variation else '',
+                op.price,
+                op.tax_rate,
+                str(op.tax_rule) if op.tax_rule else '',
+                op.tax_value,
+                op.attendee_name,
+            ]
+            if len(name_scheme['fields']) > 1:
+                for k, label, w in name_scheme['fields']:
+                    row.append(
+                        op.attendee_name_parts.get(k, '')
+                    )
+            row += [
+                op.attendee_email,
+                op.voucher.code if op.voucher else '',
+                op.pseudonymization_id,
+            ]
+            acache = {}
+            for a in op.answers.all():
+                acache[a.question_id] = str(a)
+            for q in questions:
+                row.append(acache.get(q.pk, ''))
+            try:
+                row += [
+                    order.invoice_address.company,
+                    order.invoice_address.name,
+                ]
+                if len(name_scheme['fields']) > 1:
+                    for k, label, w in name_scheme['fields']:
+                        row.append(
+                            order.invoice_address.name_parts.get(k, '')
+                        )
+                row += [
+                    order.invoice_address.street,
+                    order.invoice_address.zipcode,
+                    order.invoice_address.city,
+                    order.invoice_address.country if order.invoice_address.country else
+                    order.invoice_address.country_old,
+                    order.invoice_address.vat_id,
+                ]
+            except InvoiceAddress.DoesNotExist:
+                row += [''] * (7 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
+            row.append(order.sales_channel)
+            yield row
+
+    def get_filename(self):
+        return '{}_orders'.format(self.event.slug)


-class PaymentListExporter(BaseExporter):
-    identifier = 'paymentlistcsv'
-    verbose_name = ugettext_lazy('List of payments and refunds (CSV)')
+class PaymentListExporter(ListExporter):
+    identifier = 'paymentlist'
+    verbose_name = ugettext_lazy('Order payments and refunds')

    @property
-    def export_form_fields(self):
+    def additional_form_fields(self):
        return OrderedDict(
            [
                ('successful_only',
@@ -184,10 +378,8 @@ class PaymentListExporter(BaseExporter):
            ]
        )

-    def render(self, form_data: dict):
-        output = io.StringIO()
+    def iterate_list(self, form_data):
        tz = pytz.timezone(self.event.settings.timezone)
-        writer = csv.writer(output, quoting=csv.QUOTE_NONNUMERIC, delimiter=",")

        provider_names = {
            k: v.verbose_name
@@ -213,9 +405,9 @@ class PaymentListExporter(BaseExporter):

        headers = [
            _('Order'), _('Payment ID'), _('Creation date'), _('Completion date'), _('Status'),
-            _('Amount'), _('Payment method')
+            _('Status code'), _('Amount'), _('Payment method')
        ]
-        writer.writerow(headers)
+        yield headers

        for obj in objs:
            if isinstance(obj, OrderPayment) and obj.payment_date:
@@ -230,27 +422,26 @@ class PaymentListExporter(BaseExporter):
                obj.created.astimezone(tz).date().strftime('%Y-%m-%d'),
                d2,
                obj.get_state_display(),
+                obj.state,
                localize(obj.amount * (-1 if isinstance(obj, OrderRefund) else 1)),
                provider_names.get(obj.provider, obj.provider)
            ]
-            writer.writerow(row)
+            yield row

-        return '{}_payments.csv'.format(self.event.slug), 'text/csv', output.getvalue().encode("utf-8")
+    def get_filename(self):
+        return '{}_payments'.format(self.event.slug)


-class QuotaListExporter(BaseExporter):
-    identifier = 'quotalistcsv'
-    verbose_name = ugettext_lazy('Quota availabilities (CSV)')
-
-    def render(self, form_data: dict):
-        output = io.StringIO()
-        writer = csv.writer(output, quoting=csv.QUOTE_NONNUMERIC, delimiter=",")
+class QuotaListExporter(ListExporter):
+    identifier = 'quotalist'
+    verbose_name = ugettext_lazy('Quota availabilities')

+    def iterate_list(self, form_data):
        headers = [
            _('Quota name'), _('Total quota'), _('Paid orders'), _('Pending orders'), _('Blocking vouchers'),
            _('Current user\'s carts'), _('Waiting list'), _('Current availability')
        ]
-        writer.writerow(headers)
+        yield headers

        for quota in self.event.quotas.all():
            avail = quota.availability()
@@ -264,9 +455,180 @@ class QuotaListExporter(BaseExporter):
                quota.count_waiting_list_pending(),
                _('Infinite') if avail[1] is None else avail[1]
            ]
-            writer.writerow(row)
+            yield row

-        return '{}_quotas.csv'.format(self.event.slug), 'text/csv', output.getvalue().encode("utf-8")
+    def get_filename(self):
+        return '{}_quotas'.format(self.event.slug)
+
+
+class InvoiceDataExporter(MultiSheetListExporter):
+    identifier = 'invoicedata'
+    verbose_name = ugettext_lazy('Invoice data')
+
+    @property
+    def sheets(self):
+        return (
+            ('invoices', _('Invoices')),
+            ('lines', _('Invoice lines')),
+        )
+
+    def iterate_sheet(self, form_data, sheet):
+        if sheet == 'invoices':
+            yield [
+                _('Invoice number'),
+                _('Date'),
+                _('Order code'),
+                _('E-mail address'),
+                _('Invoice type'),
+                _('Cancellation of'),
+                _('Language'),
+                _('Invoice sender:') + ' ' + _('Name'),
+                _('Invoice sender:') + ' ' + _('Address'),
+                _('Invoice sender:') + ' ' + _('ZIP code'),
+                _('Invoice sender:') + ' ' + _('City'),
+                _('Invoice sender:') + ' ' + _('Country'),
+                _('Invoice sender:') + ' ' + _('Tax ID'),
+                _('Invoice sender:') + ' ' + _('VAT ID'),
+                _('Invoice recipient:') + ' ' + _('Company'),
+                _('Invoice recipient:') + ' ' + _('Name'),
+                _('Invoice recipient:') + ' ' + _('Street address'),
+                _('Invoice recipient:') + ' ' + _('ZIP code'),
+                _('Invoice recipient:') + ' ' + _('City'),
+                _('Invoice recipient:') + ' ' + _('Country'),
+                _('Invoice recipient:') + ' ' + _('VAT ID'),
+                _('Invoice recipient:') + ' ' + _('Beneficiary'),
+                _('Invoice recipient:') + ' ' + _('Internal reference'),
+                _('Reverse charge'),
+                _('Shown foreign currency'),
+                _('Foreign currency rate'),
+                _('Total value (with taxes)'),
+                _('Total value (without taxes)'),
+            ]
+            qs = self.event.invoices.order_by('full_invoice_no').select_related(
+                'order', 'refers'
+            ).annotate(
+                total_gross=Subquery(
+                    InvoiceLine.objects.filter(
+                        invoice=OuterRef('pk')
+                    ).order_by().values('invoice').annotate(
+                        s=Sum('gross_value')
+                    ).values('s')
+                ),
+                total_net=Subquery(
+                    InvoiceLine.objects.filter(
+                        invoice=OuterRef('pk')
+                    ).order_by().values('invoice').annotate(
+                        s=Sum(F('gross_value') - F('tax_value'))
+                    ).values('s')
+                )
+            )
+            for i in qs:
+                yield [
+                    i.full_invoice_no,
+                    date_format(i.date, "SHORT_DATE_FORMAT"),
+                    i.order.code,
+                    i.order.email,
+                    _('Cancellation') if i.is_cancellation else _('Invoice'),
+                    i.refers.full_invoice_no if i.refers else '',
+                    i.locale,
+                    i.invoice_from_name,
+                    i.invoice_from,
+                    i.invoice_from_zipcode,
+                    i.invoice_from_city,
+                    i.invoice_from_country,
+                    i.invoice_from_tax_id,
+                    i.invoice_from_vat_id,
+                    i.invoice_to_company,
+                    i.invoice_to_name,
+                    i.invoice_to_street or i.invoice_to,
+                    i.invoice_to_zipcode,
+                    i.invoice_to_city,
+                    i.invoice_to_country,
+                    i.invoice_to_vat_id,
+                    i.invoice_to_beneficiary,
+                    i.internal_reference,
+                    _('Yes') if i.reverse_charge else _('No'),
+                    i.foreign_currency_display,
+                    i.foreign_currency_rate,
+                    i.total_gross if i.total_gross else Decimal('0.00'),
+                    Decimal(i.total_net if i.total_net else '0.00').quantize(Decimal('0.01')),
+                ]
+        elif sheet == 'lines':
+            yield [
+                _('Invoice number'),
+                _('Line number'),
+                _('Description'),
+                _('Gross price'),
+                _('Net price'),
+                _('Tax value'),
+                _('Tax rate'),
+                _('Tax name'),
+                _('Event start date'),
+
+                _('Date'),
+                _('Order code'),
+                _('E-mail address'),
+                _('Invoice type'),
+                _('Cancellation of'),
+                _('Invoice sender:') + ' ' + _('Name'),
+                _('Invoice sender:') + ' ' + _('Address'),
+                _('Invoice sender:') + ' ' + _('ZIP code'),
+                _('Invoice sender:') + ' ' + _('City'),
+                _('Invoice sender:') + ' ' + _('Country'),
+                _('Invoice sender:') + ' ' + _('Tax ID'),
+                _('Invoice sender:') + ' ' + _('VAT ID'),
+                _('Invoice recipient:') + ' ' + _('Company'),
+                _('Invoice recipient:') + ' ' + _('Name'),
+                _('Invoice recipient:') + ' ' + _('Street address'),
+                _('Invoice recipient:') + ' ' + _('ZIP code'),
+                _('Invoice recipient:') + ' ' + _('City'),
+                _('Invoice recipient:') + ' ' + _('Country'),
+                _('Invoice recipient:') + ' ' + _('VAT ID'),
+                _('Invoice recipient:') + ' ' + _('Beneficiary'),
+                _('Invoice recipient:') + ' ' + _('Internal reference'),
+            ]
+            qs = InvoiceLine.objects.filter(
+                invoice__event=self.event
+            ).order_by('invoice__full_invoice_no', 'position').select_related(
+                'invoice', 'invoice__order', 'invoice__refers'
+            )
+            for l in qs:
+                i = l.invoice
+                yield [
+                    i.full_invoice_no,
+                    l.position + 1,
+                    l.description.replace("<br />", " - "),
+                    l.gross_value,
+                    l.net_value,
+                    l.tax_value,
+                    l.tax_rate,
+                    l.tax_name,
+                    date_format(l.event_date_from, "SHORT_DATE_FORMAT") if l.event_date_from else "",
+                    date_format(i.date, "SHORT_DATE_FORMAT"),
+                    i.order.code,
+                    i.order.email,
+                    _('Cancellation') if i.is_cancellation else _('Invoice'),
+                    i.refers.full_invoice_no if i.refers else '',
+                    i.invoice_from_name,
+                    i.invoice_from,
+                    i.invoice_from_zipcode,
+                    i.invoice_from_city,
+                    i.invoice_from_country,
+                    i.invoice_from_tax_id,
+                    i.invoice_from_vat_id,
+                    i.invoice_to_company,
+                    i.invoice_to_name,
+                    i.invoice_to_street or i.invoice_to,
+                    i.invoice_to_zipcode,
+                    i.invoice_to_city,
+                    i.invoice_to_country,
+                    i.invoice_to_vat_id,
+                    i.invoice_to_beneficiary,
+                    i.internal_reference,
+                ]
+
+    def get_filename(self):
+        return '{}_invoices'.format(self.event.slug)


@receiver(register_data_exporters, dispatch_uid="exporter_orderlist")
@@ -282,3 +644,8 @@ def register_paymentlist_exporter(sender, **kwargs):
@receiver(register_data_exporters, dispatch_uid="exporter_quotalist")
 def register_quotalist_exporter(sender, **kwargs):
    return QuotaListExporter
+
+
+@receiver(register_data_exporters, dispatch_uid="exporter_invoicedata")
+def register_invoicedata_exporter(sender, **kwargs):
+    return InvoiceDataExporter
--- a/src/pretix/base/forms/init.py
+++ b/src/pretix/base/forms/init.py
@@ -1,9 +1,11 @@
 import logging

 import i18nfield.forms
+from django import forms
 from django.forms.models import ModelFormMetaclass
 from django.utils import six
 from django.utils.crypto import get_random_string
+from formtools.wizard.views import SessionWizardView
 from hierarkey.forms import HierarkeyForm

 from pretix.base.models import Event
@@ -71,3 +73,29 @@ class SettingsForm(i18nfield.forms.I18nFormMixin, HierarkeyForm):
            fname = '%s/%s.%s.%s' % (self.obj.slug, name, nonce, name.split('.')[-1])
        # TODO: make sure pub is always correct
        return 'pub/' + fname
+
+
+class PrefixForm(forms.Form):
+    prefix = forms.CharField(widget=forms.HiddenInput)
+
+
+class SafeSessionWizardView(SessionWizardView):
+    def get_prefix(self, request, *args, **kwargs):
+        if hasattr(request, '_session_wizard_prefix'):
+            return request._session_wizard_prefix
+        prefix_form = PrefixForm(self.request.POST, prefix=super().get_prefix(request, *args, **kwargs))
+        if not prefix_form.is_valid():
+            request._session_wizard_prefix = get_random_string(length=24)
+        else:
+            request._session_wizard_prefix = prefix_form.cleaned_data['prefix']
+        return request._session_wizard_prefix
+
+    def get_context_data(self, form, **kwargs):
+        context = super().get_context_data(form=form, **kwargs)
+        context['wizard']['prefix_form'] = PrefixForm(
+            prefix=super().get_prefix(self.request),
+            initial={
+                'prefix': self.get_prefix(self.request)
+            }
+        )
+        return context
--- a/src/pretix/base/forms/auth.py
+++ b/src/pretix/base/forms/auth.py
@@ -120,7 +120,7 @@ class RegistrationForm(forms.Form):

    def clean_email(self):
        email = self.cleaned_data['email']
-        if User.objects.filter(email=email).exists():
+        if User.objects.filter(email__iexact=email).exists():
            raise forms.ValidationError(
                self.error_messages['duplicate_email'],
                code='duplicate_email'
--- a/src/pretix/base/forms/questions.py
+++ b/src/pretix/base/forms/questions.py
@@ -9,6 +9,7 @@ import vat_moss.id
 from django import forms
 from django.contrib import messages
 from django.core.exceptions import ValidationError
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.utils.translation import ugettext_lazy as _

@@ -16,7 +17,7 @@ from pretix.base.forms.widgets import (
    BusinessBooleanRadio, DatePickerWidget, SplitDateTimePickerWidget,
    TimePickerWidget, UploadedFileWidget,
 )
-from pretix.base.models import InvoiceAddress, Question
+from pretix.base.models import InvoiceAddress, Question, QuestionOption
 from pretix.base.models.tax import EU_COUNTRIES
 from pretix.base.settings import PERSON_NAME_SCHEMES
 from pretix.base.templatetags.rich_text import rich_text
@@ -144,6 +145,7 @@ class BaseQuestionsForm(forms.Form):
        item = pos.item
        questions = pos.item.questions_to_ask
        event = kwargs.pop('event')
+        self.all_optional = kwargs.pop('all_optional', False)

        super().__init__(*args, **kwargs)

@@ -171,6 +173,8 @@ class BaseQuestionsForm(forms.Form):
                initial = None
            tz = pytz.timezone(event.settings.timezone)
            help_text = rich_text(q.help_text)
+            label = escape(q.question)  # django-bootstrap3 calls mark_safe
+            required = q.required and not self.all_optional
            if q.type == Question.TYPE_BOOLEAN:
                if q.required:
                    # For some reason, django-bootstrap3 does not set the required attribute
@@ -185,26 +189,26 @@ class BaseQuestionsForm(forms.Form):
                    initialbool = False

                field = forms.BooleanField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    initial=initialbool, widget=widget,
                )
            elif q.type == Question.TYPE_NUMBER:
                field = forms.DecimalField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=q.help_text,
                    initial=initial.answer if initial else None,
                    min_value=Decimal('0.00'),
                )
            elif q.type == Question.TYPE_STRING:
                field = forms.CharField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    initial=initial.answer if initial else None,
                )
            elif q.type == Question.TYPE_TEXT:
                field = forms.CharField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    widget=forms.Textarea,
                    initial=initial.answer if initial else None,
@@ -212,44 +216,46 @@ class BaseQuestionsForm(forms.Form):
            elif q.type == Question.TYPE_CHOICE:
                field = forms.ModelChoiceField(
                    queryset=q.options,
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    widget=forms.Select,
+                    to_field_name='identifier',
                    empty_label='',
                    initial=initial.options.first() if initial else None,
                )
            elif q.type == Question.TYPE_CHOICE_MULTIPLE:
                field = forms.ModelMultipleChoiceField(
                    queryset=q.options,
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
+                    to_field_name='identifier',
                    widget=forms.CheckboxSelectMultiple,
                    initial=initial.options.all() if initial else None,
                )
            elif q.type == Question.TYPE_FILE:
                field = forms.FileField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    initial=initial.file if initial else None,
                    widget=UploadedFileWidget(position=pos, event=event, answer=initial),
                )
            elif q.type == Question.TYPE_DATE:
                field = forms.DateField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    initial=dateutil.parser.parse(initial.answer).date() if initial and initial.answer else None,
                    widget=DatePickerWidget(),
                )
            elif q.type == Question.TYPE_TIME:
                field = forms.TimeField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    initial=dateutil.parser.parse(initial.answer).time() if initial and initial.answer else None,
                    widget=TimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
                )
            elif q.type == Question.TYPE_DATETIME:
                field = SplitDateTimeField(
-                    label=q.question, required=q.required,
+                    label=label, required=required,
                    help_text=help_text,
                    initial=dateutil.parser.parse(initial.answer).astimezone(tz) if initial and initial.answer else None,
                    widget=SplitDateTimePickerWidget(time_format=get_format_without_seconds('TIME_INPUT_FORMATS')),
@@ -258,6 +264,15 @@ class BaseQuestionsForm(forms.Form):
            if answers:
                # Cache the answer object for later use
                field.answer = answers[0]
+
+            if q.dependency_question_id:
+                field.widget.attrs['data-question-dependency'] = q.dependency_question_id
+                field.widget.attrs['data-question-dependency-value'] = q.dependency_value
+                if q.type != 'M':
+                    field.widget.attrs['required'] = q.required and not self.all_optional
+                    field._required = q.required and not self.all_optional
+                field.required = False
+
            self.fields['question_%s' % q.id] = field

        responses = question_form_fields.send(sender=event, position=pos)
@@ -268,6 +283,40 @@ class BaseQuestionsForm(forms.Form):
                self.fields[key] = value
                value.initial = data.get('question_form_data', {}).get(key)

+    def clean(self):
+        d = super().clean()
+
+        question_cache = {f.question.pk: f.question for f in self.fields.values() if getattr(f, 'question', None)}
+
+        def question_is_visible(parentid, qval):
+            parentq = question_cache[parentid]
+            if parentq.dependency_question_id and not question_is_visible(parentq.dependency_question_id, parentq.dependency_value):
+                return False
+            if 'question_%d' % parentid not in d:
+                return False
+            dval = d.get('question_%d' % parentid)
+            if qval == 'True':
+                return dval
+            elif qval == 'False':
+                return not dval
+            elif isinstance(dval, QuestionOption):
+                return dval.identifier == qval
+            else:
+                return qval in [o.identifier for o in dval]
+
+        def question_is_required(q):
+            return (
+                q.required and
+                (not q.dependency_question_id or question_is_visible(q.dependency_question_id, q.dependency_value))
+            )
+
+        if not self.all_optional:
+            for q in question_cache.values():
+                if question_is_required(q) and not d.get('question_%d' % q.pk):
+                    raise ValidationError({'question_%d' % q.pk: [_('This field is required')]})
+
+        return d
+

 class BaseInvoiceAddressForm(forms.ModelForm):
    vat_warning = False
@@ -275,10 +324,11 @@ class BaseInvoiceAddressForm(forms.ModelForm):
    class Meta:
        model = InvoiceAddress
        fields = ('is_business', 'company', 'name_parts', 'street', 'zipcode', 'city', 'country', 'vat_id',
-                  'internal_reference')
+                  'internal_reference', 'beneficiary')
        widgets = {
            'is_business': BusinessBooleanRadio,
            'street': forms.Textarea(attrs={'rows': 2, 'placeholder': _('Street and Number')}),
+            'beneficiary': forms.Textarea(attrs={'rows': 3}),
            'company': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
            'vat_id': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
            'internal_reference': forms.TextInput,
@@ -291,17 +341,18 @@ class BaseInvoiceAddressForm(forms.ModelForm):
        self.event = event = kwargs.pop('event')
        self.request = kwargs.pop('request', None)
        self.validate_vat_id = kwargs.pop('validate_vat_id')
+        self.all_optional = kwargs.pop('all_optional', False)
        super().__init__(*args, **kwargs)
        if not event.settings.invoice_address_vatid:
            del self.fields['vat_id']

-        if not event.settings.invoice_address_required:
+        if not event.settings.invoice_address_required or self.all_optional:
            for k, f in self.fields.items():
                f.required = False
                f.widget.is_required = False
                if 'required' in f.widget.attrs:
                    del f.widget.attrs['required']
-        elif event.settings.invoice_address_company_required:
+        elif event.settings.invoice_address_company_required and not self.all_optional:
            self.initial['is_business'] = True

            self.fields['is_business'].widget = BusinessBooleanRadio(require_business=True)
@@ -314,16 +365,19 @@ class BaseInvoiceAddressForm(forms.ModelForm):

        self.fields['name_parts'] = NamePartsFormField(
            max_length=255,
-            required=event.settings.invoice_name_required,
+            required=event.settings.invoice_name_required and not self.all_optional,
            scheme=event.settings.name_scheme,
            label=_('Name'),
            initial=(self.instance.name_parts if self.instance else self.instance.name_parts),
        )
-        if event.settings.invoice_address_required and not event.settings.invoice_address_company_required:
+        if event.settings.invoice_address_required and not event.settings.invoice_address_company_required and not self.all_optional:
            self.fields['name_parts'].widget.attrs['data-required-if'] = '#id_is_business_0'
            self.fields['name_parts'].widget.attrs['data-no-required-attr'] = '1'
            self.fields['company'].widget.attrs['data-required-if'] = '#id_is_business_1'

+        if not event.settings.invoice_address_beneficiary:
+            del self.fields['beneficiary']
+
    def clean(self):
        data = self.cleaned_data
        if not data.get('is_business'):
--- a/src/pretix/base/forms/user.py
+++ b/src/pretix/base/forms/user.py
@@ -69,7 +69,7 @@ class UserSettingsForm(forms.ModelForm):

    def clean_email(self):
        email = self.cleaned_data['email']
-        if User.objects.filter(Q(email=email) & ~Q(pk=self.instance.pk)).exists():
+        if User.objects.filter(Q(email__iexact=email) & ~Q(pk=self.instance.pk)).exists():
            raise forms.ValidationError(
                self.error_messages['duplicate_identifier'],
                code='duplicate_identifier',
--- a/src/pretix/base/forms/widgets.py
+++ b/src/pretix/base/forms/widgets.py
@@ -90,6 +90,8 @@ class SplitDateTimePickerWidget(forms.SplitDateTimeWidget):
        time_attrs = dict(attrs)
        date_attrs.setdefault('class', 'form-control splitdatetimepart')
        time_attrs.setdefault('class', 'form-control splitdatetimepart')
+        date_attrs.setdefault('autocomplete', 'off')
+        time_attrs.setdefault('autocomplete', 'off')
        date_attrs['class'] += ' datepickerfield'
        time_attrs['class'] += ' timepickerfield'

--- a/src/pretix/base/invoice.py
+++ b/src/pretix/base/invoice.py
@@ -4,11 +4,12 @@ from decimal import Decimal
 from io import BytesIO
 from typing import Tuple

+import bleach
 import vat_moss.exchange_rates
 from django.contrib.staticfiles import finders
 from django.dispatch import receiver
 from django.utils.formats import date_format, localize
-from django.utils.translation import pgettext
+from django.utils.translation import get_language, pgettext, ugettext
 from PIL.Image import BICUBIC
 from reportlab.lib import pagesizes
 from reportlab.lib.enums import TA_LEFT
@@ -31,6 +32,31 @@ from pretix.base.templatetags.money import money_filter
 logger = logging.getLogger(__name__)


+class NumberedCanvas(Canvas):
+    def __init__(self, *args, **kwargs):
+        self.font_regular = kwargs.pop('font_regular')
+        super().__init__(*args, **kwargs)
+        self._saved_page_states = []
+
+    def showPage(self):
+        self._saved_page_states.append(dict(self.__dict__))
+        self._startPage()
+
+    def save(self):
+        num_pages = len(self._saved_page_states)
+        for state in self._saved_page_states:
+            self.__dict__.update(state)
+            self.draw_page_number(num_pages)
+            Canvas.showPage(self)
+        Canvas.save(self)
+
+    def draw_page_number(self, page_count):
+        self.saveState()
+        self.setFont(self.font_regular, 8)
+        self.drawRightString(self._pagesize[0] - 20 * mm, 10 * mm, pgettext("invoice", "Page %d of %d") % (self._pageNumber, page_count,))
+        self.restoreState()
+
+
 class BaseInvoiceRenderer:
    """
    This is the base class for all invoice renderers.
@@ -79,6 +105,9 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
    top_margin = 20 * mm
    bottom_margin = 15 * mm
    doc_template_class = BaseDocTemplate
+    canvas_class = Canvas
+    font_regular = 'OpenSans'
+    font_bold = 'OpenSansBd'

    def _init(self):
        """
@@ -92,10 +121,10 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
        Get a stylesheet. By default, this contains the "Normal" and "Heading1" styles.
        """
        stylesheet = StyleSheet1()
-        stylesheet.add(ParagraphStyle(name='Normal', fontName='OpenSans', fontSize=10, leading=12))
-        stylesheet.add(ParagraphStyle(name='Heading1', fontName='OpenSansBd', fontSize=15, leading=15 * 1.2))
-        stylesheet.add(ParagraphStyle(name='FineprintHeading', fontName='OpenSansBd', fontSize=8, leading=12))
-        stylesheet.add(ParagraphStyle(name='Fineprint', fontName='OpenSans', fontSize=8, leading=10))
+        stylesheet.add(ParagraphStyle(name='Normal', fontName=self.font_regular, fontSize=10, leading=12))
+        stylesheet.add(ParagraphStyle(name='Heading1', fontName=self.font_bold, fontSize=15, leading=15 * 1.2))
+        stylesheet.add(ParagraphStyle(name='FineprintHeading', fontName=self.font_bold, fontSize=8, leading=12))
+        stylesheet.add(ParagraphStyle(name='Fineprint', fontName=self.font_regular, fontSize=8, leading=10))
        return stylesheet

    def _register_fonts(self):
@@ -109,6 +138,12 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
        pdfmetrics.registerFontFamily('OpenSans', normal='OpenSans', bold='OpenSansBd',
                                      italic='OpenSansIt', boldItalic='OpenSansBI')

+    def _upper(self, val):
+        # We uppercase labels, but not in every language
+        if get_language() == 'el':
+            return val
+        return val.upper()
+
    def _on_other_page(self, canvas: Canvas, doc):
        """
        Called when a new page is rendered that is *not* the first page.
@@ -171,7 +206,7 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
            )
        ])
        story = self._get_story(doc)
-        doc.build(story)
+        doc.build(story, canvasmaker=self.canvas_class)
        return doc

    def generate(self, invoice: Invoice):
@@ -206,10 +241,13 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    identifier = 'classic'
    verbose_name = pgettext('invoice', 'Classic renderer (pretix 1.0)')

+    def canvas_class(self, *args, **kwargs):
+        kwargs['font_regular'] = self.font_regular
+        return NumberedCanvas(*args, **kwargs)
+
    def _on_other_page(self, canvas: Canvas, doc):
        canvas.saveState()
-        canvas.setFont('OpenSans', 8)
-        canvas.drawRightString(self.pagesize[0] - 20 * mm, 10 * mm, pgettext("invoice", "Page %d") % (doc.page,))
+        canvas.setFont(self.font_regular, 8)

        for i, line in enumerate(self.invoice.footer_text.split('\n')[::-1]):
            canvas.drawCentredString(self.pagesize[0] / 2, 25 + (3.5 * i) * mm, line.strip())
@@ -233,72 +271,78 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        canvas.setTitle(pgettext('invoice', 'Invoice {num}').format(num=self.invoice.number))

        canvas.saveState()
-        canvas.setFont('OpenSans', 8)
-        canvas.drawRightString(self.pagesize[0] - 20 * mm, 10 * mm, pgettext("invoice", "Page %d") % (doc.page,))
+        canvas.setFont(self.font_regular, 8)
+
+        if self.invoice.order.testmode:
+            canvas.saveState()
+            canvas.setFont('OpenSansBd', 30)
+            canvas.setFillColorRGB(32, 0, 0)
+            canvas.drawRightString(self.pagesize[0] - 20 * mm, (297 - 100) * mm, ugettext('TEST MODE'))
+            canvas.restoreState()

        for i, line in enumerate(self.invoice.footer_text.split('\n')[::-1]):
            canvas.drawCentredString(self.pagesize[0] / 2, 25 + (3.5 * i) * mm, line.strip())

        textobject = canvas.beginText(25 * mm, (297 - 15) * mm)
-        textobject.setFont('OpenSansBd', 8)
-        textobject.textLine(pgettext('invoice', 'Invoice from').upper())
+        textobject.setFont(self.font_bold, 8)
+        textobject.textLine(self._upper(pgettext('invoice', 'Invoice from')))
        canvas.drawText(textobject)

        self._draw_invoice_from(canvas)

        textobject = canvas.beginText(25 * mm, (297 - 50) * mm)
-        textobject.setFont('OpenSansBd', 8)
-        textobject.textLine(pgettext('invoice', 'Invoice to').upper())
+        textobject.setFont(self.font_bold, 8)
+        textobject.textLine(self._upper(pgettext('invoice', 'Invoice to')))
        canvas.drawText(textobject)

        self._draw_invoice_to(canvas)

        textobject = canvas.beginText(125 * mm, (297 - 38) * mm)
-        textobject.setFont('OpenSansBd', 8)
-        textobject.textLine(pgettext('invoice', 'Order code').upper())
+        textobject.setFont(self.font_bold, 8)
+        textobject.textLine(self._upper(pgettext('invoice', 'Order code')))
        textobject.moveCursor(0, 5)
-        textobject.setFont('OpenSans', 10)
+        textobject.setFont(self.font_regular, 10)
        textobject.textLine(self.invoice.order.full_code)
        canvas.drawText(textobject)

        textobject = canvas.beginText(125 * mm, (297 - 50) * mm)
-        textobject.setFont('OpenSansBd', 8)
+        textobject.setFont(self.font_bold, 8)
        if self.invoice.is_cancellation:
-            textobject.textLine(pgettext('invoice', 'Cancellation number').upper())
+            textobject.textLine(self._upper(pgettext('invoice', 'Cancellation number')))
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSans', 10)
+            textobject.setFont(self.font_regular, 10)
            textobject.textLine(self.invoice.number)
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSansBd', 8)
-            textobject.textLine(pgettext('invoice', 'Original invoice').upper())
+            textobject.setFont(self.font_bold, 8)
+            textobject.textLine(self._upper(pgettext('invoice', 'Original invoice')))
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSans', 10)
+            textobject.setFont(self.font_regular, 10)
            textobject.textLine(self.invoice.refers.number)
        else:
-            textobject.textLine(pgettext('invoice', 'Invoice number').upper())
+            textobject.textLine(self._upper(pgettext('invoice', 'Invoice number')))
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSans', 10)
+            textobject.setFont(self.font_regular, 10)
            textobject.textLine(self.invoice.number)
        textobject.moveCursor(0, 5)

        if self.invoice.is_cancellation:
-            textobject.setFont('OpenSansBd', 8)
-            textobject.textLine(pgettext('invoice', 'Cancellation date').upper())
+            textobject.setFont(self.font_bold, 8)
+            textobject.textLine(self._upper(pgettext('invoice', 'Cancellation date')))
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSans', 10)
+            textobject.setFont(self.font_regular, 10)
            textobject.textLine(date_format(self.invoice.date, "DATE_FORMAT"))
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSansBd', 8)
-            textobject.textLine(pgettext('invoice', 'Original invoice date').upper())
+            textobject.setFont(self.font_bold, 8)
+            textobject.textLine(self._upper(pgettext('invoice', 'Original invoice date')))
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSans', 10)
+            textobject.setFont(self.font_regular, 10)
            textobject.textLine(date_format(self.invoice.refers.date, "DATE_FORMAT"))
            textobject.moveCursor(0, 5)
        else:
-            textobject.setFont('OpenSansBd', 8)
-            textobject.textLine(pgettext('invoice', 'Invoice date').upper())
+            textobject.setFont(self.font_bold, 8)
+            textobject.textLine(self._upper(pgettext('invoice', 'Invoice date')))
            textobject.moveCursor(0, 5)
-            textobject.setFont('OpenSans', 10)
+            textobject.setFont(self.font_regular, 10)
            textobject.textLine(date_format(self.invoice.date, "DATE_FORMAT"))
            textobject.moveCursor(0, 5)

@@ -349,8 +393,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        p.drawOn(canvas, 125 * mm, (297 - 17) * mm - p_size[1])

        textobject = canvas.beginText(125 * mm, (297 - 15) * mm)
-        textobject.setFont('OpenSansBd', 8)
-        textobject.textLine(pgettext('invoice', 'Event').upper())
+        textobject.setFont(self.font_bold, 8)
+        textobject.textLine(self._upper(pgettext('invoice', 'Event')))
        canvas.drawText(textobject)

        canvas.restoreState()
@@ -390,6 +434,13 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                self.stylesheet['Normal']
            ))

+        if self.invoice.invoice_to_beneficiary:
+            story.append(Paragraph(
+                pgettext('invoice', 'Beneficiary') + ':<br />' +
+                bleach.clean(self.invoice.invoice_to_beneficiary, tags=[]).replace("\n", "<br />\n"),
+                self.stylesheet['Normal']
+            ))
+
        if self.invoice.introductory_text:
            story.append(Paragraph(self.invoice.introductory_text, self.stylesheet['Normal']))
            story.append(Spacer(1, 10 * mm))
@@ -400,8 +451,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        tstyledata = [
            ('ALIGN', (1, 0), (-1, -1), 'RIGHT'),
            ('VALIGN', (0, 0), (-1, -1), 'TOP'),
-            ('FONTNAME', (0, 0), (-1, 0), 'OpenSansBd'),
-            ('FONTNAME', (0, -1), (-1, -1), 'OpenSansBd'),
+            ('FONTNAME', (0, 0), (-1, 0), self.font_bold),
+            ('FONTNAME', (0, -1), (-1, -1), self.font_bold),
            ('LEFTPADDING', (0, 0), (0, -1), 0),
            ('RIGHTPADDING', (-1, 0), (-1, -1), 0),
        ]
@@ -469,7 +520,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
            ('LEFTPADDING', (0, 0), (0, -1), 0),
            ('RIGHTPADDING', (-1, 0), (-1, -1), 0),
            ('FONTSIZE', (0, 0), (-1, -1), 8),
-            ('FONTNAME', (0, 0), (-1, -1), 'OpenSans'),
+            ('FONTNAME', (0, 0), (-1, -1), self.font_regular),
        ]
        thead = [
            pgettext('invoice', 'Tax rate'),
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -129,13 +129,22 @@ def get_language_from_request(request: HttpRequest) -> str:
    if _supported is None:
        _supported = OrderedDict(settings.LANGUAGES)

-    return (
-        get_language_from_user_settings(request)
-        or get_language_from_session_or_cookie(request)
-        or get_language_from_browser(request)
-        or get_language_from_event(request)
-        or get_default_language()
-    )
+    if request.path.startswith(get_script_prefix() + 'control'):
+        return (
+            get_language_from_user_settings(request)
+            or get_language_from_session_or_cookie(request)
+            or get_language_from_browser(request)
+            or get_language_from_event(request)
+            or get_default_language()
+        )
+    else:
+        return (
+            get_language_from_session_or_cookie(request)
+            or get_language_from_user_settings(request)
+            or get_language_from_browser(request)
+            or get_language_from_event(request)
+            or get_default_language()
+        )


 def _parse_csp(header):
@@ -189,6 +198,7 @@ class SecurityMiddleware(MiddlewareMixin):
            'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
            'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
            'font-src': ["{static}"],
+            'media-src': ["{static}", "data:"],
            # form-action is not only used to match on form actions, but also on URLs
            # form-actions redirect to. In the context of e.g. payment providers or
            # single-sign-on this can be nearly anything so we cannot really restrict
--- a/src/pretix/base/migrations/0103_auto_20181121_1224.py
+++ b/src/pretix/base/migrations/0103_auto_20181121_1224.py
@@ -0,0 +1,29 @@
+# Generated by Django 2.1.1 on 2018-11-21 12:24
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0102_auto_20181017_0024'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='item',
+            name='sales_channels',
+            field=pretix.base.models.fields.MultiStringField(default=['web'], verbose_name='Sales channels'),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name='order',
+            name='sales_channel',
+            field=models.CharField(default='web', max_length=190),
+            preserve_default=False,
+        ),
+    ]
--- a/src/pretix/base/migrations/0104_auto_20181114_1526.py
+++ b/src/pretix/base/migrations/0104_auto_20181114_1526.py
@@ -0,0 +1,62 @@
+# Generated by Django 2.1.1 on 2018-11-14 15:26
+
+import django.db.models.deletion
+import django.db.models.manager
+import jsonfallback.fields
+from django.db import migrations, models
+
+
+def change_refunded_to_canceled(apps, schema_editor):
+    Order = apps.get_model('pretixbase', 'Order')
+    Order.objects.filter(status='r').update(status='c')
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0103_auto_20181121_1224'),
+    ]
+
+    operations = [
+        migrations.AlterModelManagers(
+            name='orderposition',
+            managers=[
+                ('all', django.db.models.manager.Manager()),
+            ],
+        ),
+        migrations.AddField(
+            model_name='orderposition',
+            name='canceled',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name='orderfee',
+            name='fee_type',
+            field=models.CharField(choices=[('payment', 'Payment fee'), ('shipping', 'Shipping fee'), ('service', 'Service fee'), ('cancellation', 'Cancellation fee'), ('other', 'Other fees'), ('giftcard', 'Gift card')], max_length=100),
+        ),
+        migrations.AlterField(
+            model_name='orderposition',
+            name='order',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='all_positions',
+                                    to='pretixbase.Order', verbose_name='Order'),
+        ),
+        migrations.AlterModelManagers(
+            name='orderfee',
+            managers=[
+                ('all', django.db.models.manager.Manager()),
+            ],
+        ),
+        migrations.AddField(
+            model_name='orderfee',
+            name='canceled',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name='orderfee',
+            name='order',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.PROTECT, related_name='all_fees', to='pretixbase.Order', verbose_name='Order'),
+        ),
+        migrations.RunPython(
+            change_refunded_to_canceled, migrations.RunPython.noop
+        )
+    ]
--- a/src/pretix/base/migrations/0105_auto_20190112_1512.py
+++ b/src/pretix/base/migrations/0105_auto_20190112_1512.py
@@ -0,0 +1,27 @@
+# Generated by Django 2.1 on 2019-01-12 15:12
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0104_auto_20181114_1526'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='beneficiary',
+            field=models.TextField(blank=True, verbose_name='Beneficiary'),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_beneficiary',
+            field=models.TextField(blank=True, null=True, verbose_name='Beneficiary'),
+        ),
+    ]
--- a/src/pretix/base/migrations/0105_auto_20190112_1512_squashed_0107_auto_20190129_1337.py
+++ b/src/pretix/base/migrations/0105_auto_20190112_1512_squashed_0107_auto_20190129_1337.py
@@ -0,0 +1,54 @@
+# Generated by Django 2.1.5 on 2019-02-04 13:02
+
+import django.db.migrations.operations.special
+from django.db import migrations, models
+
+
+def enable_notifications_for_everyone(apps, schema_editor):
+    NotificationSetting = apps.get_model('pretixbase', 'NotificationSetting')
+    User = apps.get_model('pretixbase', 'User')
+    create = []
+    for u in User.objects.iterator():
+        create.append(NotificationSetting(
+            user=u,
+            action_type='pretix.event.order.refund.requested',
+            event=None,
+            method='mail',
+            enabled=True
+        ))
+        if len(create) > 200:
+            NotificationSetting.objects.bulk_create(create)
+            create.clear()
+    NotificationSetting.objects.bulk_create(create)
+    create.clear()
+
+
+class Migration(migrations.Migration):
+    replaces = [('pretixbase', '0105_auto_20190112_1512'), ('pretixbase', '0106_auto_20190118_1527'),
+                ('pretixbase', '0107_auto_20190129_1337')]
+
+    dependencies = [
+        ('pretixbase', '0104_auto_20181114_1526'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoiceaddress',
+            name='beneficiary',
+            field=models.TextField(blank=True, verbose_name='Beneficiary'),
+        ),
+        migrations.AddField(
+            model_name='invoice',
+            name='invoice_to_beneficiary',
+            field=models.TextField(blank=True, null=True, verbose_name='Beneficiary'),
+        ),
+        migrations.RunPython(
+            code=enable_notifications_for_everyone,
+            reverse_code=django.db.migrations.operations.special.RunPython.noop,
+        ),
+        migrations.AlterField(
+            model_name='order',
+            name='datetime',
+            field=models.DateTimeField(db_index=True, verbose_name='Date'),
+        ),
+    ]
--- a/src/pretix/base/migrations/0106_auto_20190118_1527.py
+++ b/src/pretix/base/migrations/0106_auto_20190118_1527.py
@@ -0,0 +1,31 @@
+# Generated by Django 2.1.5 on 2019-01-18 15:27
+from django.db import migrations
+
+
+def enable_notifications_for_everyone(apps, schema_editor):
+    NotificationSetting = apps.get_model('pretixbase', 'NotificationSetting')
+    User = apps.get_model('pretixbase', 'User')
+    create = []
+    for u in User.objects.iterator():
+        create.append(NotificationSetting(
+            user=u,
+            action_type='pretix.event.order.refund.requested',
+            event=None,
+            method='mail',
+            enabled=True
+        ))
+        if len(create) > 200:
+            NotificationSetting.objects.bulk_create(create)
+            create.clear()
+    NotificationSetting.objects.bulk_create(create)
+    create.clear()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('pretixbase', '0105_auto_20190112_1512'),
+    ]
+
+    operations = [
+        migrations.RunPython(enable_notifications_for_everyone, migrations.RunPython.noop)
+    ]
--- a/src/pretix/base/migrations/0107_auto_20190129_1337.py
+++ b/src/pretix/base/migrations/0107_auto_20190129_1337.py
@@ -0,0 +1,22 @@
+# Generated by Django 2.1.5 on 2019-01-29 13:37
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0106_auto_20190118_1527'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='order',
+            name='datetime',
+            field=models.DateTimeField(db_index=True, verbose_name='Date'),
+        ),
+    ]
--- a/src/pretix/base/migrations/0108_auto_20190201_1527.py
+++ b/src/pretix/base/migrations/0108_auto_20190201_1527.py
@@ -0,0 +1,22 @@
+# Generated by Django 2.1.5 on 2019-02-01 15:27
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0107_auto_20190129_1337'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='item',
+            name='generate_tickets',
+            field=models.NullBooleanField(verbose_name='Allow ticket download'),
+        ),
+    ]
--- a/src/pretix/base/migrations/0109_auto_20190208_1432.py
+++ b/src/pretix/base/migrations/0109_auto_20190208_1432.py
@@ -0,0 +1,27 @@
+# Generated by Django 2.1 on 2019-02-08 14:32
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0108_auto_20190201_1527'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='invoiceline',
+            name='event_date_from',
+            field=models.DateTimeField(null=True),
+        ),
+        migrations.AddField(
+            model_name='invoiceline',
+            name='subevent',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.SubEvent'),
+        ),
+    ]
--- a/src/pretix/base/migrations/0110_auto_20190219_1245.py
+++ b/src/pretix/base/migrations/0110_auto_20190219_1245.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.1.5 on 2019-02-19 12:45
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0109_auto_20190208_1432'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='event',
+            name='plugins',
+            field=models.TextField(blank=True, default='', verbose_name='Plugins'),
+            preserve_default=False,
+        ),
+    ]
--- a/src/pretix/base/migrations/0111_auto_20190219_0949.py
+++ b/src/pretix/base/migrations/0111_auto_20190219_0949.py
@@ -0,0 +1,27 @@
+# Generated by Django 2.1.5 on 2019-02-19 09:49
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0110_auto_20190219_1245'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='order',
+            name='testmode',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='event',
+            name='testmode',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/src/pretix/base/migrations/0112_auto_20190304_1726.py
+++ b/src/pretix/base/migrations/0112_auto_20190304_1726.py
@@ -0,0 +1,27 @@
+# Generated by Django 2.1.5 on 2019-03-04 17:26
+
+from django.db import migrations
+from django.db.models import Count
+
+
+def make_checkins_unique(apps, se):
+    Checkin = apps.get_model('pretixbase', 'Checkin')
+    for d in Checkin.objects.order_by().values('list_id', 'position_id').annotate(c=Count('id')).filter(c__gt=1):
+        for c in Checkin.objects.filter(list_id=d['list_id'], position_id=d['position_id'])[:d['c'] - 1]:
+            c.delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('pretixbase', '0111_auto_20190219_0949'),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            make_checkins_unique, migrations.RunPython.noop,
+        ),
+        migrations.AlterUniqueTogether(
+            name='checkin',
+            unique_together={('list', 'position')},
+        ),
+    ]
--- a/src/pretix/base/migrations/0113_auto_20190312_0942.py
+++ b/src/pretix/base/migrations/0113_auto_20190312_0942.py
@@ -0,0 +1,27 @@
+# Generated by Django 2.1.5 on 2019-03-12 09:42
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0112_auto_20190304_1726'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='question',
+            name='dependency_question',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='dependent_questions', to='pretixbase.Question'),
+        ),
+        migrations.AddField(
+            model_name='question',
+            name='dependency_value',
+            field=models.TextField(blank=True, null=True),
+        ),
+    ]
--- a/src/pretix/base/migrations/0114_auto_20190316_1014.py
+++ b/src/pretix/base/migrations/0114_auto_20190316_1014.py
@@ -0,0 +1,60 @@
+# Generated by Django 2.1.7 on 2019-03-16 10:14
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0113_auto_20190312_0942'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ItemBundle',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('count', models.PositiveIntegerField(default=1, verbose_name='Number')),
+                ('designated_price', models.DecimalField(blank=True, decimal_places=2, help_text="If set, it will be shown that this bundled item is responsible for the given value of the total price. This might be important in cases of mixed taxation, but can be kept blank otherwise. This value will NOT be added to the base item's price.", max_digits=10, null=True, verbose_name='Designated price part')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='cartposition',
+            name='is_bundled',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name='cartposition',
+            name='addon_to',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, related_name='addons', to='pretixbase.CartPosition'),
+        ),
+        migrations.AlterField(
+            model_name='orderposition',
+            name='addon_to',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.PROTECT, related_name='addons', to='pretixbase.OrderPosition'),
+        ),
+        migrations.AddField(
+            model_name='itembundle',
+            name='base_item',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='bundles', to='pretixbase.Item'),
+        ),
+        migrations.AddField(
+            model_name='itembundle',
+            name='bundled_item',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='bundled_with', to='pretixbase.Item', verbose_name='Bundled item'),
+        ),
+        migrations.AddField(
+            model_name='itembundle',
+            name='bundled_variation',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='bundled_with', to='pretixbase.ItemVariation', verbose_name='Bundled variation'),
+        ),
+        migrations.AddField(
+            model_name='item',
+            name='require_bundling',
+            field=models.BooleanField(default=False, help_text='If this option is set, the product will only be sold as part of bundle products.', verbose_name='Only sell this product as part of a bundle'),
+        ),
+    ]
--- a/src/pretix/base/migrations/0115_auto_20190323_2238.py
+++ b/src/pretix/base/migrations/0115_auto_20190323_2238.py
@@ -0,0 +1,24 @@
+# Generated by Django 2.1.7 on 2019-03-23 22:38
+
+from decimal import Decimal
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0114_auto_20190316_1014'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='itembundle',
+            name='designated_price',
+            field=models.DecimalField(blank=True, decimal_places=2, default=Decimal('0.00'), help_text="If set, it will be shown that this bundled item is responsible for the given value of the total gross price. This might be important in cases of mixed taxation, but can be kept blank otherwise. This value will NOT be added to the base item's price.", max_digits=10, verbose_name='Designated price part'),
+        ),
+    ]
--- a/src/pretix/base/migrations/0116_auto_20190402_0722.py
+++ b/src/pretix/base/migrations/0116_auto_20190402_0722.py
@@ -0,0 +1,22 @@
+# Generated by Django 2.1.5 on 2019-04-02 07:22
+
+import django.db.models.deletion
+import jsonfallback.fields
+from django.db import migrations, models
+
+import pretix.base.models.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('pretixbase', '0115_auto_20190323_2238'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='device',
+            name='revoked',
+            field=models.BooleanField(default=False),
+        ),
+    ]
--- a/src/pretix/base/models/init.py
+++ b/src/pretix/base/models/init.py
@@ -9,8 +9,9 @@ from .event import (
 )
 from .invoices import Invoice, InvoiceLine, invoice_filename
 from .items import (
-    Item, ItemAddOn, ItemCategory, ItemVariation, Question, QuestionOption,
-    Quota, SubEventItem, SubEventItemVariation, itempicture_upload_to,
+    Item, ItemAddOn, ItemBundle, ItemCategory, ItemVariation, Question,
+    QuestionOption, Quota, SubEventItem, SubEventItemVariation,
+    itempicture_upload_to,
 )
 from .log import LogEntry
 from .notifications import NotificationSetting
--- a/src/pretix/base/models/auth.py
+++ b/src/pretix/base/models/auth.py
@@ -114,7 +114,15 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):

    def save(self, *args, **kwargs):
        self.email = self.email.lower()
+        is_new = not self.pk
        super().save(*args, **kwargs)
+        if is_new:
+            self.notification_settings.create(
+                action_type='pretix.event.order.refund.requested',
+                event=None,
+                method='mail',
+                enabled=True
+            )

    def __str__(self):
        return self.email
--- a/src/pretix/base/models/base.py
+++ b/src/pretix/base/models/base.py
@@ -76,8 +76,17 @@ class LoggingMixin:
            kwargs['api_token'] = api_token

        logentry = LogEntry(content_object=self, user=user, action_type=action, event=event, **kwargs)
-        if data:
+        if isinstance(data, dict):
+            sensitivekeys = ['password', 'secret', 'api_key']
+
+            for sensitivekey in sensitivekeys:
+                for k, v in data.items():
+                    if (sensitivekey in k) and v:
+                        data[k] = "********"
+
            logentry.data = json.dumps(data, cls=CustomJSONEncoder)
+        elif data:
+            raise TypeError("You should only supply dictionaries as log data.")
        if save:
            logentry.save()

--- a/src/pretix/base/models/checkin.py
+++ b/src/pretix/base/models/checkin.py
@@ -20,6 +20,9 @@ class CheckinList(LoggedModel):
                                                      'order have not been paid. This only works with pretixdesk '
                                                      '0.3.0 or newer or pretixdroid 1.9 or newer.'))

+    class Meta:
+        ordering = ('subevent__date_from', 'name')
+
    @staticmethod
    def annotate_with_numbers(qs, event):
        """
@@ -164,6 +167,9 @@ class Checkin(models.Model):
        'pretixbase.CheckinList', related_name='checkins', on_delete=models.PROTECT,
    )

+    class Meta:
+        unique_together = (('list', 'position'),)
+
    def __repr__(self):
        return "<Checkin: pos {} on list '{}' at {}>".format(
            self.position, self.list, self.datetime
--- a/src/pretix/base/models/devices.py
+++ b/src/pretix/base/models/devices.py
@@ -41,6 +41,7 @@ class Device(LoggedModel):
    api_token = models.CharField(max_length=190, unique=True, null=True)
    all_events = models.BooleanField(default=False, verbose_name=_("All events (including newly created ones)"))
    limit_events = models.ManyToManyField('Event', verbose_name=_("Limit to events"), blank=True)
+    revoked = models.BooleanField(default=False)
    name = models.CharField(
        max_length=190,
        verbose_name=_('Name')
--- a/src/pretix/base/models/event.py
+++ b/src/pretix/base/models/event.py
@@ -1,7 +1,7 @@
 import string
 import uuid
 from collections import OrderedDict
-from datetime import datetime, time
+from datetime import datetime, time, timedelta
 from operator import attrgetter

 import pytz
@@ -11,7 +11,7 @@ from django.core.files.storage import default_storage
 from django.core.mail import get_connection
 from django.core.validators import RegexValidator
 from django.db import models
-from django.db.models import Exists, OuterRef, Q
+from django.db.models import Exists, OuterRef, Prefetch, Q, Subquery
 from django.template.defaultfilters import date as _date
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
@@ -22,6 +22,7 @@ from i18nfield.fields import I18nCharField, I18nTextField
 from pretix.base.models.base import LoggedModel
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.validators import EventSlugBlacklistValidator
+from pretix.helpers.database import GroupConcat
 from pretix.helpers.daterange import daterange
 from pretix.helpers.json import safe_string

@@ -159,6 +160,79 @@ class EventMixin:

        return safe_string(json.dumps(eventdict))

+    @classmethod
+    def annotated(cls, qs, channel='web'):
+        from pretix.base.models import Item, ItemVariation, Quota
+
+        sq_active_item = Item.objects.filter_available(channel=channel).filter(
+            Q(variations__isnull=True)
+            & Q(quotas__pk=OuterRef('pk'))
+        ).order_by().values_list('quotas__pk').annotate(
+            items=GroupConcat('pk', delimiter=',')
+        ).values('items')
+        sq_active_variation = ItemVariation.objects.filter(
+            Q(active=True)
+            & Q(item__active=True)
+            & Q(Q(item__available_from__isnull=True) | Q(item__available_from__lte=now()))
+            & Q(Q(item__available_until__isnull=True) | Q(item__available_until__gte=now()))
+            & Q(Q(item__category__isnull=True) | Q(item__category__is_addon=False))
+            & Q(item__sales_channels__contains=channel)
+            & Q(item__hide_without_voucher=False)  # TODO: does this make sense?
+            & Q(quotas__pk=OuterRef('pk'))
+        ).order_by().values_list('quotas__pk').annotate(
+            items=GroupConcat('pk', delimiter=',')
+        ).values('items')
+        return qs.prefetch_related(
+            Prefetch(
+                'quotas',
+                to_attr='active_quotas',
+                queryset=Quota.objects.annotate(
+                    active_items=Subquery(sq_active_item, output_field=models.TextField()),
+                    active_variations=Subquery(sq_active_variation, output_field=models.TextField()),
+                ).exclude(
+                    Q(active_items="") & Q(active_variations="")
+                ).select_related('event', 'subevent')
+            )
+        )
+
+    @cached_property
+    def best_availability_state(self):
+        from .items import Quota
+
+        if not hasattr(self, 'active_quotas'):
+            raise TypeError("Call this only if you fetched the subevents via Event/SubEvent.annotated()")
+        items_available = set()
+        vars_available = set()
+        items_reserved = set()
+        vars_reserved = set()
+        items_gone = set()
+        vars_gone = set()
+        for q in self.active_quotas:
+            res = q.availability(allow_cache=True)
+
+            if res[0] == Quota.AVAILABILITY_OK:
+                if q.active_items:
+                    items_available.update(q.active_items.split(","))
+                if q.active_variations:
+                    vars_available.update(q.active_variations.split(","))
+            elif res[0] == Quota.AVAILABILITY_RESERVED:
+                if q.active_items:
+                    items_reserved.update(q.active_items.split(","))
+                if q.active_variations:
+                    vars_available.update(q.active_variations.split(","))
+            elif res[0] < Quota.AVAILABILITY_RESERVED:
+                if q.active_items:
+                    items_gone.update(q.active_items.split(","))
+                if q.active_variations:
+                    vars_gone.update(q.active_variations.split(","))
+        if not self.active_quotas:
+            return None
+        if items_available - items_reserved - items_gone or vars_available - vars_reserved - vars_gone:
+            return Quota.AVAILABILITY_OK
+        if items_reserved - items_gone or vars_reserved - vars_gone:
+            return Quota.AVAILABILITY_RESERVED
+        return Quota.AVAILABILITY_GONE
+

@settings_hierarkey.add(parent_field='organizer', cache_namespace='event')
 class Event(EventMixin, LoggedModel):
@@ -168,6 +242,8 @@ class Event(EventMixin, LoggedModel):

    :param organizer: The organizer this event belongs to
    :type organizer: Organizer
+    :param testmode: This event is in test mode
+    :type testmode: bool
    :param name: This event's full title
    :type name: str
    :param slug: A short, alphanumeric, all-lowercase name for use in URLs. The slug has to
@@ -197,6 +273,7 @@ class Event(EventMixin, LoggedModel):
    settings_namespace = 'event'
    CURRENCY_CHOICES = [(c.alpha_3, c.alpha_3 + " - " + c.name) for c in settings.CURRENCIES]
    organizer = models.ForeignKey(Organizer, related_name="events", on_delete=models.PROTECT)
+    testmode = models.BooleanField(default=False)
    name = I18nCharField(
        max_length=200,
        verbose_name=_("Event name"),
@@ -227,10 +304,9 @@ class Event(EventMixin, LoggedModel):
                                   verbose_name=_("Event end time"))
    date_admission = models.DateTimeField(null=True, blank=True,
                                          verbose_name=_("Admission time"))
-    is_public = models.BooleanField(default=False,
-                                    verbose_name=_("Visible in public lists"),
-                                    help_text=_("If selected, this event may show up on the ticket system's start page "
-                                                "or an organization profile."))
+    is_public = models.BooleanField(default=True,
+                                    verbose_name=_("Show in lists"),
+                                    help_text=_("If selected, this event will show up publicly on the list of events for your organizer account."))
    presale_end = models.DateTimeField(
        null=True, blank=True,
        verbose_name=_("End of presale"),
@@ -248,7 +324,7 @@ class Event(EventMixin, LoggedModel):
        verbose_name=_("Location"),
    )
    plugins = models.TextField(
-        null=True, blank=True,
+        null=False, blank=True,
        verbose_name=_("Plugins"),
    )
    comment = models.TextField(
@@ -282,10 +358,11 @@ class Event(EventMixin, LoggedModel):
        if not really:
            raise TypeError("Pass really=True as a parameter.")

-        OrderPosition.objects.filter(order__event=self).delete()
+        OrderPosition.all.filter(order__event=self, addon_to__isnull=False).delete()
+        OrderPosition.all.filter(order__event=self).delete()
        OrderFee.objects.filter(order__event=self).delete()
-        OrderPayment.objects.filter(order__event=self).delete()
        OrderRefund.objects.filter(order__event=self).delete()
+        OrderPayment.objects.filter(order__event=self).delete()
        self.orders.all().delete()

    def save(self, *args, **kwargs):
@@ -438,6 +515,10 @@ class Event(EventMixin, LoggedModel):
                o.question = q
                o.save()

+        for q in self.questions.filter(dependency_question__isnull=False):
+            q.dependency_question = question_map[q.dependency_question_id]
+            q.save(update_fields=['dependency_question'])
+
        for cl in other.checkin_lists.filter(subevent__isnull=True).prefetch_related('limit_products'):
            items = list(cl.limit_products.all())
            cl.pk = None
@@ -469,6 +550,7 @@ class Event(EventMixin, LoggedModel):
            else:
                s.save()

+        self.settings.flush()
        event_copy_data.send(
            sender=self, other=other,
            tax_map=tax_map, category_map=category_map, item_map=item_map, variation_map=variation_map,
@@ -573,8 +655,10 @@ class Event(EventMixin, LoggedModel):
            )
        ).order_by('date_from', 'name')

-    @property
-    def subevent_list_subevents(self):
+    def subevents_annotated(self, channel):
+        return SubEvent.annotated(self.subevents, channel)
+
+    def subevents_sorted(self, queryset):
        ordering = self.settings.get('frontpage_subevent_ordering', default='date_ascending', as_type=str)
        orderfields = {
            'date_ascending': ('date_from', 'name'),
@@ -582,10 +666,10 @@ class Event(EventMixin, LoggedModel):
            'name_ascending': ('name', 'date_from'),
            'name_descending': ('-name', 'date_from'),
        }[ordering]
-        subevs = self.subevents.filter(
+        subevs = queryset.filter(
            Q(active=True) & (
-                Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
-                | Q(date_to__gte=now())
+                Q(Q(date_to__isnull=True) & Q(date_from__gte=now() - timedelta(hours=24)))
+                | Q(date_to__gte=now() - timedelta(hours=24))
            )
        )  # order_by doesn't make sense with I18nField
        for f in reversed(orderfields):
@@ -675,6 +759,7 @@ class Event(EventMixin, LoggedModel):
        return not self.orders.exists() and not self.invoices.exists()

    def delete_sub_objects(self):
+        self.cartposition_set.all().delete()
        self.items.all().delete()
        self.subevents.all().delete()

@@ -683,7 +768,7 @@ class Event(EventMixin, LoggedModel):

        plugins_active = self.get_plugins()
        plugins_available = {
-            p.module: p for p in get_all_plugins()
+            p.module: p for p in get_all_plugins(self)
            if not p.name.startswith('.') and getattr(p, 'visible', True)
        }

@@ -851,6 +936,18 @@ class SubEvent(EventMixin, LoggedModel):
        if self.event:
            self.event.cache.clear()

+    @staticmethod
+    def clean_items(event, items):
+        for item in items:
+            if event != item.event:
+                raise ValidationError(_('One or more items do not belong to this event.'))
+
+    @staticmethod
+    def clean_variations(event, variations):
+        for variation in variations:
+            if event != variation.item.event:
+                raise ValidationError(_('One or more variations do not belong to this event.'))
+

 def generate_invite_token():
    return get_random_string(length=32, allowed_chars=string.ascii_lowercase + string.digits)
--- a/src/pretix/base/models/fields.py
+++ b/src/pretix/base/models/fields.py
@@ -0,0 +1,94 @@
+from django.core import exceptions
+from django.db.models import TextField, lookups as builtin_lookups
+from django.utils.translation import gettext_lazy as _
+from rest_framework import serializers
+from rest_framework.exceptions import ValidationError
+
+DELIMITER = "\x1F"
+
+
+class MultiStringField(TextField):
+    default_error_messages = {
+        'delimiter_found': _('No value can contain the delimiter character.')
+    }
+
+    def __init__(self, verbose_name=None, name=None, **kwargs):
+        super().__init__(verbose_name, name, **kwargs)
+
+    def deconstruct(self):
+        name, path, args, kwargs = super().deconstruct()
+        return name, path, args, kwargs
+
+    def to_python(self, value):
+        if isinstance(value, (list, tuple)):
+            return value
+        elif value:
+            return [v for v in value.split(DELIMITER) if v]
+        else:
+            return []
+
+    def get_prep_value(self, value):
+        if isinstance(value, (list, tuple)):
+            return DELIMITER + DELIMITER.join(value) + DELIMITER
+        elif value is None:
+            return ""
+        raise TypeError("Invalid data type passed.")
+
+    def get_prep_lookup(self, lookup_type, value):  # NOQA
+        raise TypeError('Lookups on multi strings are currently not supported.')
+
+    def from_db_value(self, value, expression, connection, context):
+        if value:
+            return [v for v in value.split(DELIMITER) if v]
+        else:
+            return []
+
+    def validate(self, value, model_instance):
+        super().validate(value, model_instance)
+        for l in value:
+            if DELIMITER in l:
+                raise exceptions.ValidationError(
+                    self.error_messages['delimiter_found'],
+                    code='delimiter_found',
+                )
+
+    def get_lookup(self, lookup_name):
+        if lookup_name == 'contains':
+            return MultiStringContains
+        elif lookup_name == 'icontains':
+            return MultiStringIContains
+        raise NotImplementedError(
+            "Lookup '{}' doesn't work with MultiStringField".format(lookup_name),
+        )
+
+
+class MultiStringContains(builtin_lookups.Contains):
+    def process_rhs(self, qn, connection):
+        sql, params = super().process_rhs(qn, connection)
+        params[0] = "%" + DELIMITER + params[0][1:-1] + DELIMITER + "%"
+        return sql, params
+
+
+class MultiStringIContains(builtin_lookups.IContains):
+    def process_rhs(self, qn, connection):
+        sql, params = super().process_rhs(qn, connection)
+        params[0] = "%" + DELIMITER + params[0][1:-1] + DELIMITER + "%"
+        return sql, params
+
+
+class MultiStringSerializer(serializers.Field):
+    def __init__(self, **kwargs):
+        self.allow_blank = kwargs.pop('allow_blank', False)
+        super().__init__(**kwargs)
+
+    def to_representation(self, value):
+        return value
+
+    def to_internal_value(self, data):
+        if isinstance(data, list):
+            return data
+        else:
+            raise ValidationError('Invalid data type.')
+
+
+serializers.ModelSerializer.serializer_field_mapping[MultiStringField] = MultiStringSerializer
--- a/src/pretix/base/models/invoices.py
+++ b/src/pretix/base/models/invoices.py
@@ -2,6 +2,8 @@ import string
 from decimal import Decimal

 from django.db import DatabaseError, models, transaction
+from django.db.models import Max
+from django.db.models.functions import Cast
 from django.utils import timezone
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
@@ -89,6 +91,7 @@ class Invoice(models.Model):
    invoice_to_city = models.TextField(null=True)
    invoice_to_country = CountryField(null=True)
    invoice_to_vat_id = models.TextField(null=True)
+    invoice_to_beneficiary = models.TextField(null=True)
    date = models.DateField(default=today)
    locale = models.CharField(max_length=50, default='en')
    introductory_text = models.TextField(blank=True)
@@ -115,8 +118,8 @@ class Invoice(models.Model):
            self.invoice_from,
            (self.invoice_from_zipcode or "") + " " + (self.invoice_from_city or ""),
            str(self.invoice_from_country),
-            pgettext("invoice", "VAT-ID: %s" % self.invoice_from_vat_id) if self.invoice_from_vat_id else "",
-            pgettext("invoice", "Tax ID: %s" % self.invoice_from_tax_id) if self.invoice_from_tax_id else "",
+            pgettext("invoice", "VAT-ID: %s") % self.invoice_from_vat_id if self.invoice_from_vat_id else "",
+            pgettext("invoice", "Tax ID: %s") % self.invoice_from_tax_id if self.invoice_from_tax_id else "",
        ]
        return '\n'.join([p.strip() for p in parts if p and p.strip()])

@@ -124,8 +127,12 @@ class Invoice(models.Model):
        numeric_invoices = Invoice.objects.filter(
            event__organizer=self.event.organizer,
            prefix=self.prefix,
-        ).exclude(invoice_no__contains='-')
-        return self._to_numeric_invoice_number(numeric_invoices.count() + 1)
+        ).exclude(invoice_no__contains='-').annotate(
+            numeric_number=Cast('invoice_no', models.IntegerField())
+        ).aggregate(
+            max=Max('numeric_number')
+        )['max'] or 0
+        return self._to_numeric_invoice_number(numeric_invoices + 1)

    def _get_invoice_number_from_order(self):
        return '{order}-{count}'.format(
@@ -143,6 +150,8 @@ class Invoice(models.Model):
        if not self.prefix:
            self.prefix = self.event.settings.invoice_numbers_prefix or (self.event.slug.upper() + '-')
        if not self.invoice_no:
+            if self.order.testmode:
+                self.prefix += 'TEST-'
            for i in range(10):
                if self.event.settings.get('invoice_numbers_consecutive'):
                    self.invoice_no = self._get_numeric_invoice_number()
@@ -183,7 +192,10 @@ class Invoice(models.Model):

    class Meta:
        unique_together = ('organizer', 'prefix', 'invoice_no')
-        ordering = ('invoice_no',)
+        ordering = ('date', 'invoice_no',)
+
+    def __repr__(self):
+        return '<Invoice {} / {}>'.format(self.full_invoice_no, self.pk)


 class InvoiceLine(models.Model):
@@ -202,6 +214,10 @@ class InvoiceLine(models.Model):
    :type tax_rate: decimal.Decimal
    :param tax_name: The name of the applied tax rate
    :type tax_name: str
+    :param subevent: The subevent this line refers to
+    :type subevent: SubEvent
+    :param event_date_from: Event date of the (sub)event at the time the invoice was created
+    :type event_date_from: datetime
    """
    invoice = models.ForeignKey('Invoice', related_name='lines', on_delete=models.CASCADE)
    position = models.PositiveIntegerField(default=0)
@@ -210,6 +226,8 @@ class InvoiceLine(models.Model):
    tax_value = models.DecimalField(max_digits=10, decimal_places=2, default=Decimal('0.00'))
    tax_rate = models.DecimalField(max_digits=7, decimal_places=2, default=Decimal('0.00'))
    tax_name = models.CharField(max_length=190)
+    subevent = models.ForeignKey('SubEvent', null=True, blank=True, on_delete=models.PROTECT)
+    event_date_from = models.DateTimeField(null=True)

    @property
    def net_value(self):
@@ -217,3 +235,6 @@ class InvoiceLine(models.Model):

    class Meta:
        ordering = ('position', 'pk')
+
+    def __str__(self):
+        return 'Line {} of invoice {}'.format(self.position, self.invoice)
--- a/src/pretix/base/models/items.py
+++ b/src/pretix/base/models/items.py
@@ -1,5 +1,6 @@
 import sys
 import uuid
+from collections import Counter
 from datetime import date, datetime, time
 from decimal import Decimal, DecimalException
 from typing import Tuple
@@ -17,6 +18,7 @@ from django.utils.timezone import is_naive, make_aware, now
 from django.utils.translation import pgettext_lazy, ugettext_lazy as _
 from i18nfield.fields import I18nCharField, I18nTextField

+from pretix.base.models import fields
 from pretix.base.models.base import LoggedModel
 from pretix.base.models.tax import TaxedPrice

@@ -152,6 +154,30 @@ class SubEventItemVariation(models.Model):
            self.subevent.event.cache.clear()


+class ItemQuerySet(models.QuerySet):
+    def filter_available(self, channel='web', voucher=None, allow_addons=False):
+        q = (
+            # IMPORTANT: If this is updated, also update the ItemVariation query
+            # in models/event.py: EventMixin.annotated()
+            Q(active=True)
+            & Q(Q(available_from__isnull=True) | Q(available_from__lte=now()))
+            & Q(Q(available_until__isnull=True) | Q(available_until__gte=now()))
+            & Q(sales_channels__contains=channel) & Q(require_bundling=False)
+        )
+        if not allow_addons:
+            q &= Q(Q(category__isnull=True) | Q(category__is_addon=False))
+        qs = self.filter(q)
+
+        vouchq = Q(hide_without_voucher=False)
+        if voucher:
+            if voucher.item_id:
+                vouchq |= Q(pk=voucher.item_id)
+                qs = qs.filter(pk=voucher.item_id)
+            elif voucher.quota_id:
+                qs = qs.filter(quotas__in=[voucher.quota_id])
+        return qs.filter(vouchq)
+
+
 class Item(LoggedModel):
    """
    An item is a thing which can be sold. It belongs to an event and may or may not belong to a category.
@@ -195,8 +221,12 @@ class Item(LoggedModel):
    :type original_price: decimal.Decimal
    :param require_approval: If set to ``True``, orders containing this product can only be processed and paid after approved by an administrator
    :type require_approval: bool
+    :param sales_channels: Sales channels this item is available on.
+    :type sales_channels: bool
    """

+    objects = ItemQuerySet.as_manager()
+
    event = models.ForeignKey(
        Event,
        on_delete=models.PROTECT,
@@ -258,6 +288,10 @@ class Item(LoggedModel):
        ),
        default=False
    )
+    generate_tickets = models.NullBooleanField(
+        verbose_name=_("Generate tickets"),
+        blank=True, null=True,
+    )
    position = models.IntegerField(
        default=0
    )
@@ -295,12 +329,16 @@ class Item(LoggedModel):
        help_text=_('This product will be hidden from the event page until the user enters a voucher '
                    'code that is specifically tied to this product (and not via a quota).')
    )
+    require_bundling = models.BooleanField(
+        verbose_name=_('Only sell this product as part of a bundle'),
+        default=False,
+        help_text=_('If this option is set, the product will only be sold as part of bundle products.')
+    )
    allow_cancel = models.BooleanField(
        verbose_name=_('Allow product to be canceled'),
        default=True,
-        help_text=_('If this is active and the general event settings allow it, orders containing this product can be '
-                    'canceled by the user until the order is paid for. Users cannot cancel paid orders on their own '
-                    'and you can cancel orders at all times, regardless of this setting')
+        help_text=_('If this is checked, the usual cancellation settings of this event apply. If this is unchecked, '
+                    'orders containing this product can not be canceled by users but only by you.')
    )
    min_per_order = models.IntegerField(
        verbose_name=_('Minimum amount per order'),
@@ -329,6 +367,10 @@ class Item(LoggedModel):
        help_text=_('If set, this will be displayed next to the current price to show that the current price is a '
                    'discounted one. This is just a cosmetic setting and will not actually impact pricing.')
    )
+    sales_channels = fields.MultiStringField(
+        verbose_name=_('Sales channels'),
+        default=['web']
+    )
    # !!! Attention: If you add new fields here, also add them to the copying code in
    # pretix/control/forms/item.py if applicable.

@@ -350,12 +392,36 @@ class Item(LoggedModel):
        if self.event:
            self.event.cache.clear()

-    def tax(self, price=None, base_price_is='auto'):
+    def tax(self, price=None, base_price_is='auto', currency=None, include_bundled=False):
        price = price if price is not None else self.default_price
+
        if not self.tax_rule:
-            return TaxedPrice(gross=price, net=price, tax=Decimal('0.00'),
-                              rate=Decimal('0.00'), name='')
-        return self.tax_rule.tax(price, base_price_is=base_price_is)
+            t = TaxedPrice(gross=price, net=price, tax=Decimal('0.00'),
+                           rate=Decimal('0.00'), name='')
+        else:
+            t = self.tax_rule.tax(price, base_price_is=base_price_is, currency=currency)
+
+        if include_bundled:
+            for b in self.bundles.all():
+                if b.designated_price and b.bundled_item.tax_rule_id != self.tax_rule_id:
+                    if b.bundled_variation:
+                        bprice = b.bundled_variation.tax(b.designated_price * b.count, base_price_is='gross', currency=currency)
+                    else:
+                        bprice = b.bundled_item.tax(b.designated_price * b.count, base_price_is='gross', currency=currency)
+                    compare_price = self.tax_rule.tax(b.designated_price * b.count, base_price_is='gross', currency=currency)
+                    t.net += bprice.net - compare_price.net
+                    t.tax += bprice.tax - compare_price.tax
+                    t.name = "MIXED!"
+
+        return t
+
+    def is_available_by_time(self, now_dt: datetime=None) -> bool:
+        now_dt = now_dt or now()
+        if self.available_from and self.available_from > now_dt:
+            return False
+        if self.available_until and self.available_until < now_dt:
+            return False
+        return True

    def is_available(self, now_dt: datetime=None) -> bool:
        """
@@ -363,15 +429,22 @@ class Item(LoggedModel):
        and its ``available_from`` and ``available_until`` fields
        """
        now_dt = now_dt or now()
-        if not self.active:
-            return False
-        if self.available_from and self.available_from > now_dt:
-            return False
-        if self.available_until and self.available_until < now_dt:
+        if not self.active or not self.is_available_by_time(now_dt):
            return False
        return True

-    def check_quotas(self, ignored_quotas=None, count_waitinglist=True, subevent=None, _cache=None):
+    def _get_quotas(self, ignored_quotas=None, subevent=None):
+        check_quotas = set(getattr(
+            self, '_subevent_quotas',  # Utilize cache in product list
+            self.quotas.filter(subevent=subevent).select_related('subevent')
+            if subevent else self.quotas.all()
+        ))
+        if ignored_quotas:
+            check_quotas -= set(ignored_quotas)
+        return check_quotas
+
+    def check_quotas(self, ignored_quotas=None, count_waitinglist=True, subevent=None, _cache=None,
+                     include_bundled=False, trust_parameters=False):
        """
        This method is used to determine whether this Item is currently available
        for sale.
@@ -380,32 +453,59 @@ class Item(LoggedModel):
                               quotas will be ignored in the calculation. If this leads
                               to no quotas being checked at all, this method will return
                               unlimited availability.
+        :param include_bundled: Also take availability of bundled items into consideration.
+        :param trust_parameters: Disable checking of the subevent parameter and disable checking if
+                                 any variations exist (performance optimization).
        :returns: any of the return codes of :py:meth:`Quota.availability()`.

        :raises ValueError: if you call this on an item which has variations associated with it.
                            Please use the method on the ItemVariation object you are interested in.
        """
-        check_quotas = set(getattr(
-            self, '_subevent_quotas',  # Utilize cache in product list
-            self.quotas.select_related('subevent').filter(subevent=subevent)
-            if subevent else self.quotas.all()
-        ))
-        if not subevent and self.event.has_subevents:
+        if not trust_parameters and not subevent and self.event.has_subevents:
            raise TypeError('You need to supply a subevent.')
-        if ignored_quotas:
-            check_quotas -= set(ignored_quotas)
-        if not check_quotas:
-            return Quota.AVAILABILITY_OK, sys.maxsize
-        if self.has_variations:  # NOQA
-            raise ValueError('Do not call this directly on items which have variations '
-                             'but call this on their ItemVariation objects')
-        return min([q.availability(count_waitinglist=count_waitinglist, _cache=_cache) for q in check_quotas],
-                   key=lambda s: (s[0], s[1] if s[1] is not None else sys.maxsize))
+        check_quotas = self._get_quotas(ignored_quotas=ignored_quotas, subevent=subevent)
+        quotacounter = Counter()
+        res = Quota.AVAILABILITY_OK, None
+        for q in check_quotas:
+            quotacounter[q] += 1
+
+        if include_bundled:
+            for b in self.bundles.all():
+                bundled_check_quotas = (b.bundled_variation or b.bundled_item)._get_quotas(ignored_quotas=ignored_quotas, subevent=subevent)
+                if not bundled_check_quotas:
+                    return Quota.AVAILABILITY_GONE, 0
+                for q in bundled_check_quotas:
+                    quotacounter[q] += b.count
+
+        for q, n in quotacounter.items():
+            a = q.availability(count_waitinglist=count_waitinglist, _cache=_cache)
+            if a[1] is None:
+                continue
+
+            num_avail = a[1] // n
+            code_avail = Quota.AVAILABILITY_GONE if a[1] >= 1 and num_avail < 1 else a[0]
+            # this is not entirely accurate, as it shows "sold out" even if it is actually just "reserved",
+            # since we do not know that distinction here if at least one item is available. However, this
+            # is only relevant in connection with bundles.
+
+            if code_avail < res[0] or res[1] is None or num_avail < res[1]:
+                res = (code_avail, num_avail)
+
+        if len(quotacounter) == 0:
+            return Quota.AVAILABILITY_OK, sys.maxsize  # backwards compatibility
+        return res

    def allow_delete(self):
        from pretix.base.models.orders import OrderPosition

-        return not OrderPosition.objects.filter(item=self).exists()
+        return not OrderPosition.all.filter(item=self).exists()
+
+    @property
+    def includes_mixed_tax_rate(self):
+        for b in self.bundles.all():
+            if b.designated_price and b.bundled_item.tax_rule_id != self.tax_rule_id:
+                return True
+        return False

    @cached_property
    def has_variations(self):
@@ -491,11 +591,28 @@ class ItemVariation(models.Model):
    def price(self):
        return self.default_price if self.default_price is not None else self.item.default_price

-    def tax(self, price=None):
+    def tax(self, price=None, base_price_is='auto', currency=None, include_bundled=False):
        price = price if price is not None else self.price
+
        if not self.item.tax_rule:
-            return TaxedPrice(gross=price, net=price, tax=Decimal('0.00'), rate=Decimal('0.00'), name='')
-        return self.item.tax_rule.tax(price)
+            t = TaxedPrice(gross=price, net=price, tax=Decimal('0.00'),
+                           rate=Decimal('0.00'), name='')
+        else:
+            t = self.item.tax_rule.tax(price, base_price_is=base_price_is, currency=currency)
+
+        if include_bundled:
+            for b in self.item.bundles.all():
+                if b.designated_price and b.bundled_item.tax_rule_id != self.item.tax_rule_id:
+                    if b.bundled_variation:
+                        bprice = b.bundled_variation.tax(b.designated_price * b.count, base_price_is='gross', currency=currency)
+                    else:
+                        bprice = b.bundled_item.tax(b.designated_price * b.count, base_price_is='gross', currency=currency)
+                    compare_price = self.item.tax_rule.tax(b.designated_price * b.count, base_price_is='gross', currency=currency)
+                    t.net += bprice.net - compare_price.net
+                    t.tax += bprice.tax - compare_price.tax
+                    t.name = "MIXED!"
+
+        return t

    def delete(self, *args, **kwargs):
        super().delete(*args, **kwargs)
@@ -507,7 +624,18 @@ class ItemVariation(models.Model):
        if self.item:
            self.item.event.cache.clear()

-    def check_quotas(self, ignored_quotas=None, count_waitinglist=True, subevent=None, _cache=None) -> Tuple[int, int]:
+    def _get_quotas(self, ignored_quotas=None, subevent=None):
+        check_quotas = set(getattr(
+            self, '_subevent_quotas',  # Utilize cache in product list
+            self.quotas.filter(subevent=subevent).select_related('subevent')
+            if subevent else self.quotas.all()
+        ))
+        if ignored_quotas:
+            check_quotas -= set(ignored_quotas)
+        return check_quotas
+
+    def check_quotas(self, ignored_quotas=None, count_waitinglist=True, subevent=None, _cache=None,
+                     include_bundled=False, trust_parameters=False) -> Tuple[int, int]:
        """
        This method is used to determine whether this ItemVariation is currently
        available for sale in terms of quotas.
@@ -519,19 +647,38 @@ class ItemVariation(models.Model):
        :param count_waitinglist: If ``False``, waiting list entries will be ignored for quota calculation.
        :returns: any of the return codes of :py:meth:`Quota.availability()`.
        """
-        check_quotas = set(getattr(
-            self, '_subevent_quotas',  # Utilize cache in product list
-            self.quotas.filter(subevent=subevent).select_related('subevent')
-            if subevent else self.quotas.all()
-        ))
-        if ignored_quotas:
-            check_quotas -= set(ignored_quotas)
-        if not subevent and self.item.event.has_subevents:  # NOQA
+        if not trust_parameters and not subevent and self.item.event.has_subevents:  # NOQA
            raise TypeError('You need to supply a subevent.')
-        if not check_quotas:
-            return Quota.AVAILABILITY_OK, sys.maxsize
-        return min([q.availability(count_waitinglist=count_waitinglist, _cache=_cache) for q in check_quotas],
-                   key=lambda s: (s[0], s[1] if s[1] is not None else sys.maxsize))
+        check_quotas = self._get_quotas(ignored_quotas=ignored_quotas, subevent=subevent)
+        quotacounter = Counter()
+        res = Quota.AVAILABILITY_OK, None
+        for q in check_quotas:
+            quotacounter[q] += 1
+
+        if include_bundled:
+            for b in self.item.bundles.all():
+                bundled_check_quotas = (b.bundled_variation or b.bundled_item)._get_quotas(ignored_quotas=ignored_quotas, subevent=subevent)
+                if not bundled_check_quotas:
+                    return Quota.AVAILABILITY_GONE, 0
+                for q in bundled_check_quotas:
+                    quotacounter[q] += b.count
+
+        for q, n in quotacounter.items():
+            a = q.availability(count_waitinglist=count_waitinglist, _cache=_cache)
+            if a[1] is None:
+                continue
+
+            num_avail = a[1] // n
+            code_avail = Quota.AVAILABILITY_GONE if a[1] >= 1 and num_avail < 1 else a[0]
+            # this is not entirely accurate, as it shows "sold out" even if it is actually just "reserved",
+            # since we do not know that distinction here if at least one item is available. However, this
+            # is only relevant in connection with bundles.
+
+            if code_avail < res[0] or res[1] is None or num_avail < res[1]:
+                res = (code_avail, num_avail)
+        if len(quotacounter) == 0:
+            return Quota.AVAILABILITY_OK, sys.maxsize  # backwards compatibility
+        return res

    def __lt__(self, other):
        if self.position == other.position:
@@ -632,6 +779,83 @@ class ItemAddOn(models.Model):
            raise ValidationError(_('The maximum count needs to be greater than the minimum count.'))


+class ItemBundle(models.Model):
+    """
+    An instance of this model indicates that buying a ticket of the type ``base_item``
+    automatically also buys ``count`` items of type ``bundled_item``.
+
+    :param base_item: The base item the bundle is attached to
+    :type base_item: Item
+    :param bundled_item: The bundled item
+    :type bundled_item: Item
+    :param bundled_variation: The variation, if the bundled item has variations
+    :type bundled_variation: ItemVariation
+    :param count: The number of items to bundle
+    :type count: int
+    :param designated_price: The designated part price (optional)
+    :type designated_price: bool
+    """
+    base_item = models.ForeignKey(
+        Item,
+        related_name='bundles',
+        on_delete=models.CASCADE
+    )
+    bundled_item = models.ForeignKey(
+        Item,
+        related_name='bundled_with',
+        verbose_name=_('Bundled item'),
+        on_delete=models.CASCADE
+    )
+    bundled_variation = models.ForeignKey(
+        ItemVariation,
+        related_name='bundled_with',
+        verbose_name=_('Bundled variation'),
+        null=True, blank=True,
+        on_delete=models.CASCADE
+    )
+    count = models.PositiveIntegerField(
+        default=1,
+        verbose_name=_('Number')
+    )
+    designated_price = models.DecimalField(
+        default=Decimal('0.00'), blank=True,
+        decimal_places=2, max_digits=10,
+        verbose_name=_('Designated price part'),
+        help_text=_('If set, it will be shown that this bundled item is responsible for the given value of the total '
+                    'gross price. This might be important in cases of mixed taxation, but can be kept blank otherwise. This '
+                    'value will NOT be added to the base item\'s price.')
+    )
+
+    def clean(self):
+        self.clean_count(self.count)
+
+    def describe(self):
+        if self.count == 1:
+            if self.bundled_variation_id:
+                return "{} – {}".format(self.bundled_item.name, self.bundled_variation.value)
+            else:
+                return self.bundled_item.name
+        else:
+            if self.bundled_variation_id:
+                return "{}× {} – {}".format(self.count, self.bundled_item.name, self.bundled_variation.value)
+            else:
+                return "{}x {}".format(self.count, self.bundled_item.name)
+
+    @staticmethod
+    def clean_itemvar(event, bundled_item, bundled_variation):
+        if event != bundled_item.event:
+            raise ValidationError(_('The bundled item must belong to the same event as the item.'))
+        if bundled_item.has_variations and not bundled_variation:
+            raise ValidationError(_('A variation needs to be set for this item.'))
+        if bundled_variation and bundled_variation.item != bundled_item:
+            raise ValidationError(_('The chosen variation does not belong to this item.'))
+
+    @staticmethod
+    def clean_count(count):
+        if count < 0:
+            raise ValidationError(_('The count needs to be equal to or greater than zero.'))
+
+
 class Question(LoggedModel):
    """
    A question is an input field that can be used to extend a ticket by custom information,
@@ -662,6 +886,10 @@ class Question(LoggedModel):
    :type ask_during_checkin: bool
    :param identifier: An arbitrary, internal identifier
    :type identifier: str
+    :param dependency_question: This question will only show up if the referenced question is set to `dependency_value`.
+    :type dependency_question: Question
+    :param dependency_value: The value that `dependency_question` needs to be set to for this question to be applicable.
+    :type dependency_value: str
    """
    TYPE_NUMBER = "N"
    TYPE_STRING = "S"
@@ -731,6 +959,10 @@ class Question(LoggedModel):
                    'pretixdesk 0.2 or newer.'),
        default=False
    )
+    dependency_question = models.ForeignKey(
+        'Question', null=True, blank=True, on_delete=models.SET_NULL, related_name='dependent_questions'
+    )
+    dependency_value = models.TextField(null=True, blank=True)

    class Meta:
        verbose_name = _("Question")
@@ -750,7 +982,7 @@ class Question(LoggedModel):

    @staticmethod
    def _clean_identifier(event, code, instance=None):
-        qs = Question.objects.filter(event=event, identifier=code)
+        qs = Question.objects.filter(event=event, identifier__iexact=code)
        if instance:
            qs = qs.exclude(pk=instance.pk)
        if qs.exists():
@@ -919,6 +1151,16 @@ class Quota(LoggedModel):
    :type size: int
    :param items: The set of :py:class:`Item` objects this quota applies to
    :param variations: The set of :py:class:`ItemVariation` objects this quota applies to
+
+    This model keeps a cache of the quota availability that is used in places where up-to-date
+    data is not important. This cache might be out of date even though a more recent quota was
+    calculated. This is intentional to keep database writes low. Currently, the cached values
+    are written whenever the quota is being calculated throughout the system and the cache is
+    at least 120 seconds old or if the new value is qualitatively "better" than the cached one
+    (i.e. more free quota).
+
+    There's also a cronjob that refreshes the cache of every quota if there is any log entry in
+    the event that is newer than the quota's cached time.
    """

    AVAILABILITY_GONE = 0
@@ -1001,6 +1243,15 @@ class Quota(LoggedModel):
        This method is used to determine whether Items or ItemVariations belonging
        to this quota should currently be available for sale.

+        :param count_waitinglist: Whether or not take waiting list reservations into account. Defaults
+                                  to ``True``.
+        :param _cache: A dictionary mapping quota IDs to availabilities. If this quota is already
+                       contained in that dictionary, this value will be used. Otherwise, the dict
+                       will be populated accordingly.
+        :param allow_cache: Allow for values to be returned from the longer-term cache, see also
+                            the documentation of this model class. Only works if ``count_waitinglist`` is
+                            set to ``True``.
+
        :returns: a tuple where the first entry is one of the ``Quota.AVAILABILITY_`` constants
                  and the second is the number of available tickets.
        """
@@ -1016,7 +1267,10 @@ class Quota(LoggedModel):
        res = self._availability(now_dt, count_waitinglist)

        self.event.cache.delete('item_quota_cache')
-        if count_waitinglist and not self.cache_is_hot(now_dt):
+        rewrite_cache = count_waitinglist and (
+            not self.cache_is_hot(now_dt) or res[0] > self.cached_availability_state
+        )
+        if rewrite_cache:
            self.cached_availability_state = res[0]
            self.cached_availability_number = res[1]
            self.cached_availability_time = now_dt
@@ -1053,16 +1307,16 @@ class Quota(LoggedModel):

        size_left -= self.count_blocking_vouchers(now_dt)
        if size_left <= 0:
-            return Quota.AVAILABILITY_RESERVED, 0
-
-        size_left -= self.count_in_cart(now_dt)
-        if size_left <= 0:
-            return Quota.AVAILABILITY_RESERVED, 0
+            return Quota.AVAILABILITY_ORDERED, 0

        if count_waitinglist:
            size_left -= self.count_waiting_list_pending()
            if size_left <= 0:
-                return Quota.AVAILABILITY_RESERVED, 0
+                return Quota.AVAILABILITY_ORDERED, 0
+
+        size_left -= self.count_in_cart(now_dt)
+        if size_left <= 0:
+            return Quota.AVAILABILITY_RESERVED, 0

        return Quota.AVAILABILITY_OK, size_left

--- a/src/pretix/base/models/orders.py
+++ b/src/pretix/base/models/orders.py
@@ -28,6 +28,7 @@ from django_countries.fields import CountryField
 from i18nfield.strings import LazyI18nString
 from jsonfallback.fields import FallbackJSONField

+from pretix.base.decimal import round_decimal
 from pretix.base.i18n import language
 from pretix.base.models import User
 from pretix.base.reldate import RelativeDateWrapper
@@ -70,12 +71,13 @@ class Order(LockModel, LoggedModel):
        * ``STATUS_PAID``
        * ``STATUS_EXPIRED``
        * ``STATUS_CANCELED``
-        * ``STATUS_REFUNDED``

    :param event: The event this order belongs to
    :type event: Event
    :param email: The email of the person who ordered this
    :type email: str
+    :param testmode: Whether this is a test mode order
+    :type testmode: bool
    :param locale: The locale of this order
    :type locale: str
    :param secret: A secret string that is required to modify the order
@@ -94,19 +96,20 @@ class Order(LockModel, LoggedModel):
    :type require_approval: bool
    :param meta_info: Additional meta information on the order, JSON-encoded.
    :type meta_info: str
+    :param sales_channel: Identifier of the sales channel this order was created through.
+    :type sales_channel: str
    """

    STATUS_PENDING = "n"
    STATUS_PAID = "p"
    STATUS_EXPIRED = "e"
    STATUS_CANCELED = "c"
-    STATUS_REFUNDED = "r"
+    STATUS_REFUNDED = "c"  # deprecated
    STATUS_CHOICE = (
        (STATUS_PENDING, _("pending")),
        (STATUS_PAID, _("paid")),
        (STATUS_EXPIRED, _("expired")),
        (STATUS_CANCELED, _("canceled")),
-        (STATUS_REFUNDED, _("refunded"))
    )

    code = models.CharField(
@@ -120,6 +123,7 @@ class Order(LockModel, LoggedModel):
        verbose_name=_("Status"),
        db_index=True
    )
+    testmode = models.BooleanField(default=False)
    event = models.ForeignKey(
        Event,
        verbose_name=_("Event"),
@@ -136,7 +140,7 @@ class Order(LockModel, LoggedModel):
    )
    secret = models.CharField(max_length=32, default=generate_secret)
    datetime = models.DateTimeField(
-        verbose_name=_("Date")
+        verbose_name=_("Date"), db_index=True
    )
    expires = models.DateTimeField(
        verbose_name=_("Expiration date")
@@ -174,6 +178,7 @@ class Order(LockModel, LoggedModel):
    require_approval = models.BooleanField(
        default=False
    )
+    sales_channel = models.CharField(max_length=190, default="web")

    class Meta:
        verbose_name = _("Order")
@@ -183,8 +188,49 @@ class Order(LockModel, LoggedModel):
    def __str__(self):
        return self.full_code

+    def gracefully_delete(self, user=None, auth=None):
+        if not self.testmode:
+            raise TypeError("Only test mode orders can be deleted.")
+        self.event.log_action(
+            'pretix.event.order.deleted', user=user, auth=auth,
+            data={
+                'code': self.code,
+            }
+        )
+        OrderPosition.all.filter(order=self, addon_to__isnull=False).delete()
+        OrderPosition.all.filter(order=self).delete()
+        OrderFee.all.filter(order=self).delete()
+        self.refunds.all().delete()
+        self.payments.all().delete()
+        self.event.cache.delete('complain_testmode_orders')
+        self.delete()
+
+    @property
+    def fees(self):
+        """
+        Related manager for all non-canceled fees. Use ``all_fees`` instead if you want
+        canceled positions as well.
+        """
+        return self.all_fees(manager='objects')
+
+    @cached_property
+    def count_positions(self):
+        if hasattr(self, 'pcnt'):
+            return self.pcnt or 0
+        return self.positions.count()
+
+    @property
+    def positions(self):
+        """
+        Related manager for all non-canceled positions. Use ``all_positions`` instead if you want
+        canceled positions as well.
+        """
+        return self.all_positions(manager='objects')
+
    @cached_property
    def meta_info_data(self):
+        if not self.meta_info:
+            return {}
        try:
            return json.loads(self.meta_info)
        except TypeError:
@@ -204,8 +250,8 @@ class Order(LockModel, LoggedModel):
    @property
    def pending_sum(self):
        total = self.total
-        if self.status in (Order.STATUS_REFUNDED, Order.STATUS_CANCELED):
-            total = 0
+        if self.status == Order.STATUS_CANCELED:
+            total = Decimal('0.00')
        payment_sum = self.payments.filter(
            state__in=(OrderPayment.PAYMENT_STATE_CONFIRMED, OrderPayment.PAYMENT_STATE_REFUNDED)
        ).aggregate(s=Sum('amount'))['s'] or Decimal('0.00')
@@ -216,7 +262,7 @@ class Order(LockModel, LoggedModel):
        return total - payment_sum + refund_sum

    @classmethod
-    def annotate_overpayments(cls, qs):
+    def annotate_overpayments(cls, qs, results=True, refunds=True, sums=False):
        payment_sum = OrderPayment.objects.filter(
            state__in=(OrderPayment.PAYMENT_STATE_CONFIRMED, OrderPayment.PAYMENT_STATE_REFUNDED),
            order=OuterRef('pk')
@@ -234,38 +280,47 @@ class Order(LockModel, LoggedModel):
            state__in=(OrderRefund.REFUND_STATE_CREATED, OrderRefund.REFUND_STATE_TRANSIT),
            order=OuterRef('pk')
        )
+        payment_sum_sq = Subquery(payment_sum, output_field=models.DecimalField(decimal_places=2, max_digits=10))
+        refund_sum_sq = Subquery(refund_sum, output_field=models.DecimalField(decimal_places=2, max_digits=10))
+        if sums:
+            qs = qs.annotate(
+                payment_sum=payment_sum_sq,
+                refund_sum=refund_sum_sq,
+            )

        qs = qs.annotate(
-            payment_sum=Subquery(payment_sum, output_field=models.DecimalField(decimal_places=2, max_digits=10)),
-            refund_sum=Subquery(refund_sum, output_field=models.DecimalField(decimal_places=2, max_digits=10)),
-            has_external_refund=Exists(external_refund),
-            has_pending_refund=Exists(pending_refund),
-        ).annotate(
-            pending_sum_t=F('total') - Coalesce(F('payment_sum'), 0) + Coalesce(F('refund_sum'), 0),
-            pending_sum_rc=-1 * Coalesce(F('payment_sum'), 0) + Coalesce(F('refund_sum'), 0),
-        ).annotate(
-            is_overpaid=Case(
-                When(~Q(status__in=(Order.STATUS_REFUNDED, Order.STATUS_CANCELED)) & Q(pending_sum_t__lt=0),
-                     then=Value('1')),
-                When(Q(status__in=(Order.STATUS_REFUNDED, Order.STATUS_CANCELED)) & Q(pending_sum_rc__lt=0),
-                     then=Value('1')),
-                default=Value('0'),
-                output_field=models.IntegerField()
-            ),
-            is_pending_with_full_payment=Case(
-                When(Q(status__in=(Order.STATUS_EXPIRED, Order.STATUS_PENDING)) & Q(pending_sum_t__lte=0)
-                     & Q(require_approval=False),
-                     then=Value('1')),
-                default=Value('0'),
-                output_field=models.IntegerField()
-            ),
-            is_underpaid=Case(
-                When(Q(status=Order.STATUS_PAID) & Q(pending_sum_t__gt=0),
-                     then=Value('1')),
-                default=Value('0'),
-                output_field=models.IntegerField()
-            )
+            pending_sum_t=F('total') - Coalesce(payment_sum_sq, 0) + Coalesce(refund_sum_sq, 0),
+            pending_sum_rc=-1 * Coalesce(payment_sum_sq, 0) + Coalesce(refund_sum_sq, 0),
        )
+        if refunds:
+            qs = qs.annotate(
+                has_external_refund=Exists(external_refund),
+                has_pending_refund=Exists(pending_refund),
+            )
+        if results:
+            qs = qs.annotate(
+                is_overpaid=Case(
+                    When(~Q(status=Order.STATUS_CANCELED) & Q(pending_sum_t__lt=-1e-8),
+                         then=Value('1')),
+                    When(Q(status=Order.STATUS_CANCELED) & Q(pending_sum_rc__lt=-1e-8),
+                         then=Value('1')),
+                    default=Value('0'),
+                    output_field=models.IntegerField()
+                ),
+                is_pending_with_full_payment=Case(
+                    When(Q(status__in=(Order.STATUS_EXPIRED, Order.STATUS_PENDING)) & Q(pending_sum_t__lte=1e-8)
+                         & Q(require_approval=False),
+                         then=Value('1')),
+                    default=Value('0'),
+                    output_field=models.IntegerField()
+                ),
+                is_underpaid=Case(
+                    When(Q(status=Order.STATUS_PAID) & Q(pending_sum_t__gt=1e-8),
+                         then=Value('1')),
+                    default=Value('0'),
+                    output_field=models.IntegerField()
+                )
+            )
        return qs

    @property
@@ -333,10 +388,112 @@ class Order(LockModel, LoggedModel):

    def cancel_allowed(self):
        return (
-            self.status == Order.STATUS_PENDING
-            or (self.status == Order.STATUS_PAID and self.total == Decimal('0.00'))
+            self.status in (Order.STATUS_PENDING, Order.STATUS_PAID) and self.count_positions
        )

+    @cached_property
+    def user_cancel_deadline(self):
+        if self.status == Order.STATUS_PAID and self.total != Decimal('0.00'):
+            until = self.event.settings.get('cancel_allow_user_paid_until', as_type=RelativeDateWrapper)
+        else:
+            until = self.event.settings.get('cancel_allow_user_until', as_type=RelativeDateWrapper)
+        if until:
+            if self.event.has_subevents:
+                return min([
+                    until.datetime(se)
+                    for se in self.event.subevents.filter(id__in=self.positions.values_list('subevent', flat=True))
+                ])
+            else:
+                return until.datetime(self.event)
+
+    @cached_property
+    def user_cancel_fee(self):
+        fee = Decimal('0.00')
+        if self.event.settings.cancel_allow_user_paid_keep:
+            fee += self.event.settings.cancel_allow_user_paid_keep
+        if self.event.settings.cancel_allow_user_paid_keep_percentage:
+            fee += self.event.settings.cancel_allow_user_paid_keep_percentage / Decimal('100.0') * self.total
+        if self.event.settings.cancel_allow_user_paid_keep_fees:
+            fee += self.fees.filter(
+                fee_type__in=(OrderFee.FEE_TYPE_PAYMENT, OrderFee.FEE_TYPE_SHIPPING, OrderFee.FEE_TYPE_SERVICE)
+            ).aggregate(
+                s=Sum('value')
+            )['s'] or 0
+        return round_decimal(fee, self.event.currency)
+
+    @property
+    def user_cancel_allowed(self) -> bool:
+        """
+        Returns whether or not this order can be canceled by the user.
+        """
+        from .checkin import Checkin
+
+        positions = list(
+            self.positions.all().annotate(
+                has_checkin=Exists(Checkin.objects.filter(position_id=OuterRef('pk')))
+            ).select_related('item')
+        )
+        cancelable = all([op.item.allow_cancel and not op.has_checkin for op in positions])
+        if not cancelable or not positions:
+            return False
+        if self.user_cancel_deadline and now() > self.user_cancel_deadline:
+            return False
+        if self.status == Order.STATUS_PENDING:
+            return self.event.settings.cancel_allow_user
+        elif self.status == Order.STATUS_PAID:
+            if self.total == Decimal('0.00'):
+                return self.event.settings.cancel_allow_user
+            return self.event.settings.cancel_allow_user_paid
+        return False
+
+    def propose_auto_refunds(self, amount: Decimal, payments: list=None):
+        # Algorithm to choose which payments are to be refunded to create the least hassle
+        payments = payments or self.payments.filter(state=OrderPayment.PAYMENT_STATE_CONFIRMED)
+        for p in payments:
+            p.full_refund_possible = p.payment_provider.payment_refund_supported(p)
+            p.partial_refund_possible = p.payment_provider.payment_partial_refund_supported(p)
+            p.propose_refund = Decimal('0.00')
+            p.available_amount = p.amount - p.refunded_amount
+
+        unused_payments = set(p for p in payments if p.full_refund_possible or p.partial_refund_possible)
+        to_refund = amount
+        proposals = {}
+
+        while to_refund and unused_payments:
+            bigger = sorted([
+                p for p in unused_payments
+                if p.available_amount > to_refund
+                and p.partial_refund_possible
+            ], key=lambda p: p.available_amount)
+            same = [
+                p for p in unused_payments
+                if p.available_amount == to_refund
+                and (p.full_refund_possible or p.partial_refund_possible)
+            ]
+            smaller = sorted([
+                p for p in unused_payments
+                if p.available_amount < to_refund
+                and (p.full_refund_possible or p.partial_refund_possible)
+            ], key=lambda p: p.available_amount, reverse=True)
+            if same:
+                payment = same[0]
+                proposals[payment] = payment.available_amount
+                to_refund -= payment.available_amount
+                unused_payments.remove(payment)
+            elif bigger:
+                payment = bigger[0]
+                proposals[payment] = to_refund
+                to_refund -= to_refund
+                unused_payments.remove(payment)
+            elif smaller:
+                payment = smaller[0]
+                proposals[payment] = payment.available_amount
+                to_refund -= payment.available_amount
+                unused_payments.remove(payment)
+            else:
+                break
+        return proposals
+
    @staticmethod
    def normalize_code(code):
        tr = str.maketrans({
@@ -355,6 +512,10 @@ class Order(LockModel, LoggedModel):
        charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
        while True:
            code = get_random_string(length=settings.ENTROPY['order_code'], allowed_chars=charset)
+            if self.testmode:
+                # Subtle way to recognize test orders while debugging: They all contain a 0 at the second place,
+                # even though zeros are not used outside test mode.
+                code = code[0] + "0" + code[2:]
            if not Order.objects.filter(event__organizer=self.event.organizer, code=code).exists():
                self.code = code
                return
@@ -389,15 +550,6 @@ class Order(LockModel, LoggedModel):

        return False  # nothing there to modify

-    @property
-    def can_user_cancel(self) -> bool:
-        """
-        Returns whether or not this order can be canceled by the user.
-        """
-        positions = self.positions.all().select_related('item')
-        cancelable = all([op.item.allow_cancel for op in positions])
-        return self.cancel_allowed() and self.event.settings.cancel_allow_user and cancelable
-
    @property
    def is_expired_by_time(self):
        return (
@@ -535,6 +687,9 @@ class Order(LockModel, LoggedModel):
        if not self.email:
            return

+        for k, v in self.event.meta_data.items():
+            context['meta_' + k] = v
+
        with language(self.locale):
            recipient = self.email
            try:
@@ -555,10 +710,45 @@ class Order(LockModel, LoggedModel):
                        'subject': subject,
                        'message': email_content,
                        'recipient': recipient,
-                        'invoices': [i.pk for i in invoices] if invoices else []
+                        'invoices': [i.pk for i in invoices] if invoices else [],
+                        'attach_tickets': attach_tickets,
                    }
                )

+    def resend_link(self, user=None, auth=None):
+        from pretix.multidomain.urlreverse import build_absolute_uri
+
+        with language(self.locale):
+            try:
+                invoice_name = self.invoice_address.name
+                invoice_company = self.invoice_address.company
+            except InvoiceAddress.DoesNotExist:
+                invoice_name = ""
+                invoice_company = ""
+            email_template = self.event.settings.mail_text_resend_link
+            email_context = {
+                'event': self.event.name,
+                'url': build_absolute_uri(self.event, 'presale:event.order', kwargs={
+                    'order': self.code,
+                    'secret': self.secret
+                }),
+                'invoice_name': invoice_name,
+                'invoice_company': invoice_company,
+            }
+            email_subject = _('Your order: %(code)s') % {'code': self.code}
+            self.send_mail(
+                email_subject, email_template, email_context,
+                'pretix.event.order.email.resend', user=user, auth=auth,
+                attach_tickets=True
+            )
+
+    @property
+    def positions_with_tickets(self):
+        for op in self.positions.all():
+            if not op.generate_ticket:
+                continue
+            yield op
+

 def answerfile_name(instance, filename: str) -> str:
    secret = get_random_string(length=32, allowed_chars=string.ascii_letters + string.digits)
@@ -715,7 +905,7 @@ class AbstractPosition(models.Model):
    subevent = models.ForeignKey(
        SubEvent,
        null=True, blank=True,
-        on_delete=models.CASCADE,
+        on_delete=models.PROTECT,
        verbose_name=pgettext_lazy("subevent", "Date"),
    )
    item = models.ForeignKey(
@@ -748,10 +938,10 @@ class AbstractPosition(models.Model):
        help_text=_("Empty, if this product is not an admission ticket")
    )
    voucher = models.ForeignKey(
-        'Voucher', null=True, blank=True, on_delete=models.CASCADE
+        'Voucher', null=True, blank=True, on_delete=models.PROTECT
    )
    addon_to = models.ForeignKey(
-        'self', null=True, blank=True, on_delete=models.CASCADE, related_name='addons'
+        'self', null=True, blank=True, on_delete=models.PROTECT, related_name='addons'
    )
    meta_info = models.TextField(
        verbose_name=_("Meta information"),
@@ -783,16 +973,38 @@ class AbstractPosition(models.Model):
        # selected via prefetch_related
        if not all:
            if hasattr(self.item, 'questions_to_ask'):
-                self.questions = list(copy.copy(q) for q in self.item.questions_to_ask)
+                questions = list(copy.copy(q) for q in self.item.questions_to_ask)
            else:
-                self.questions = list(copy.copy(q) for q in self.item.questions.filter(ask_during_checkin=False))
+                questions = list(copy.copy(q) for q in self.item.questions.filter(ask_during_checkin=False))
        else:
-            self.questions = list(copy.copy(q) for q in self.item.questions.all())
-        for q in self.questions:
+            questions = list(copy.copy(q) for q in self.item.questions.all())
+
+        question_cache = {
+            q.pk: q for q in questions
+        }
+
+        def question_is_visible(parentid, qval):
+            parentq = question_cache[parentid]
+            if parentq.dependency_question_id and not question_is_visible(parentq.dependency_question_id, parentq.dependency_value):
+                return False
+            if parentid not in self.answ:
+                return False
+            if qval == 'True':
+                return self.answ[parentid].answer == 'True'
+            elif qval == 'False':
+                return self.answ[parentid].answer == 'False'
+            else:
+                return qval in [o.identifier for o in self.answ[parentid].options.all()]
+
+        self.questions = []
+        for q in questions:
            if q.id in self.answ:
                q.answer = self.answ[q.id]
+                q.answer.question = q  # cache object
            else:
                q.answer = ""
+            if not q.dependency_question_id or question_is_visible(q.dependency_question_id, q.dependency_value):
+                self.questions.append(q)

    @property
    def net_price(self):
@@ -903,6 +1115,9 @@ class OrderPayment(models.Model):
    class Meta:
        ordering = ('local_id',)

+    def __str__(self):
+        return self.full_id
+
    @property
    def info_data(self):
        """
@@ -922,7 +1137,7 @@ class OrderPayment(models.Model):
        """
        return self.order.event.get_payment_providers().get(self.provider)

-    def _mark_paid(self, force, count_waitinglist, user, auth):
+    def _mark_paid(self, force, count_waitinglist, user, auth, overpaid=False):
        from pretix.base.signals import order_paid
        can_be_paid = self.order._can_be_paid(count_waitinglist=count_waitinglist)
        if not force and can_be_paid is not True:
@@ -939,6 +1154,9 @@ class OrderPayment(models.Model):
            'date': self.payment_date,
            'force': force
        }, user=user, auth=auth)
+
+        if overpaid:
+            self.order.log_action('pretix.event.order.overpaid', {}, user=user, auth=auth)
        order_paid.send(self.order.event, order=self.order)

    def confirm(self, count_waitinglist=True, send_mail=True, force=False, user=None, auth=None, mail_text=''):
@@ -964,9 +1182,23 @@ class OrderPayment(models.Model):
        from pretix.base.services.mail import SendMailException
        from pretix.multidomain.urlreverse import build_absolute_uri

-        self.state = self.PAYMENT_STATE_CONFIRMED
-        self.payment_date = now()
-        self.save()
+        with transaction.atomic():
+            locked_instance = OrderPayment.objects.select_for_update().get(pk=self.pk)
+            if locked_instance.state == self.PAYMENT_STATE_CONFIRMED:
+                # Race condition detected, this payment is already confirmed
+                return
+
+            locked_instance.state = self.PAYMENT_STATE_CONFIRMED
+            locked_instance.payment_date = now()
+            locked_instance.info = self.info  # required for backwards compatibility
+            locked_instance.save(update_fields=['state', 'payment_date', 'info'])
+
+            # Do a cheap manual "refresh from db" on non-complex fields
+            for field in self._meta.concrete_fields:
+                if not field.is_relation:
+                    setattr(self, field.attname, getattr(locked_instance, field.attname))
+
+        self.refresh_from_db()

        self.order.log_action('pretix.event.order.payment.confirmed', {
            'local_id': self.local_id,
@@ -990,10 +1222,10 @@ class OrderPayment(models.Model):
            # Performance optimization. In this case, there's really no reason to lock everything and an atomic
            # database transaction is more than enough.
            with transaction.atomic():
-                self._mark_paid(force, count_waitinglist, user, auth)
+                self._mark_paid(force, count_waitinglist, user, auth, overpaid=payment_sum - refund_sum > self.order.total)
        else:
            with self.order.event.lock():
-                self._mark_paid(force, count_waitinglist, user, auth)
+                self._mark_paid(force, count_waitinglist, user, auth, overpaid=payment_sum - refund_sum > self.order.total)

        invoice = None
        if invoice_qualified(self.order):
@@ -1195,6 +1427,9 @@ class OrderRefund(models.Model):
    class Meta:
        ordering = ('local_id',)

+    def __str__(self):
+        return self.full_id
+
    @property
    def info_data(self):
        """
@@ -1250,11 +1485,19 @@ class OrderRefund(models.Model):
        super().save(*args, **kwargs)


+class ActivePositionManager(models.Manager):
+    def get_queryset(self):
+        return super().get_queryset().filter(canceled=False)
+
+
 class OrderFee(models.Model):
    """
    An OrderFee object represents a fee that is added to the order total independently of
    the actual positions. This might for example be a payment or a shipping fee.

+    The default ``OrderFee.objects`` manager only contains fees that are not ``canceled``. If
+    you ant all objects, you need to use ``OrderFee.all`` instead.
+
    :param value: Gross price of this fee
    :type value: Decimal
    :param order: Order this fee is charged with
@@ -1271,16 +1514,20 @@ class OrderFee(models.Model):
    :type tax_rule: TaxRule
    :param tax_value: The tax amount included in the price
    :type tax_value: Decimal
+    :param canceled: True, if this position is canceled and should no longer be regarded
+    :type canceled: bool
    """
    FEE_TYPE_PAYMENT = "payment"
    FEE_TYPE_SHIPPING = "shipping"
    FEE_TYPE_SERVICE = "service"
+    FEE_TYPE_CANCELLATION = "cancellation"
    FEE_TYPE_OTHER = "other"
    FEE_TYPE_GIFTCARD = "giftcard"
    FEE_TYPES = (
        (FEE_TYPE_PAYMENT, _("Payment fee")),
        (FEE_TYPE_SHIPPING, _("Shipping fee")),
        (FEE_TYPE_SERVICE, _("Service fee")),
+        (FEE_TYPE_CANCELLATION, _("Cancellation fee")),
        (FEE_TYPE_OTHER, _("Other fees")),
        (FEE_TYPE_GIFTCARD, _("Gift card")),
    )
@@ -1292,7 +1539,7 @@ class OrderFee(models.Model):
    order = models.ForeignKey(
        Order,
        verbose_name=_("Order"),
-        related_name='fees',
+        related_name='all_fees',
        on_delete=models.PROTECT
    )
    fee_type = models.CharField(
@@ -1313,6 +1560,10 @@ class OrderFee(models.Model):
        max_digits=10, decimal_places=2,
        verbose_name=_('Tax value')
    )
+    canceled = models.BooleanField(default=False)
+
+    all = models.Manager()
+    objects = ActivePositionManager()

    @property
    def net_value(self):
@@ -1367,6 +1618,9 @@ class OrderPosition(AbstractPosition):
    of a specified type (or variation). This has all properties of
    AbstractPosition.

+    The default ``OrderPosition.objects`` manager only contains fees that are not ``canceled``. If
+    you ant all objects, you need to use ``OrderPosition.all`` instead.
+
    :param order: The order this position is a part of
    :type order: Order
    :param positionid: A local ID of this position, counted for each order individually
@@ -1379,6 +1633,8 @@ class OrderPosition(AbstractPosition):
    :type tax_value: Decimal
    :param secret: The secret used for ticket QR codes
    :type secret: str
+    :param canceled: True, if this position is canceled and should no longer be regarded
+    :type canceled: bool
    :param pseudonymization_id: The QR code content for lead scanning
    :type pseudonymization_id: str
    """
@@ -1386,7 +1642,7 @@ class OrderPosition(AbstractPosition):
    order = models.ForeignKey(
        Order,
        verbose_name=_("Order"),
-        related_name='positions',
+        related_name='all_positions',
        on_delete=models.PROTECT
    )
    tax_rate = models.DecimalField(
@@ -1408,6 +1664,10 @@ class OrderPosition(AbstractPosition):
        unique=True,
        db_index=True
    )
+    canceled = models.BooleanField(default=False)
+
+    all = models.Manager()
+    objects = ActivePositionManager()

    class Meta:
        verbose_name = _("Order position")
@@ -1418,6 +1678,15 @@ class OrderPosition(AbstractPosition):
    def sort_key(self):
        return self.addon_to.positionid if self.addon_to else self.positionid, self.addon_to_id or 0

+    @property
+    def generate_ticket(self):
+        if self.item.generate_tickets is not None:
+            return self.item.generate_tickets
+        return (
+            (self.order.event.settings.ticket_download_addons or not self.addon_to_id) and
+            (self.event.settings.ticket_download_nonadm or self.item.admission)
+        )
+
    @classmethod
    def transform_cart_positions(cls, cp: List, order) -> list:
        from . import Voucher
@@ -1449,7 +1718,9 @@ class OrderPosition(AbstractPosition):
        # Delete afterwards. Deleting in between might cause deletion of things related to add-ons
        # due to the deletion cascade.
        for cartpos in cp:
-            cartpos.delete()
+            if cartpos.pk:
+                cartpos.addons.all().delete()
+                cartpos.delete()
        return ops

    def __str__(self):
@@ -1487,7 +1758,7 @@ class OrderPosition(AbstractPosition):
            self._calculate_tax()
        self.order.touch()
        if self.pk is None:
-            while OrderPosition.objects.filter(secret=self.secret).exists():
+            while OrderPosition.all.filter(secret=self.secret).exists():
                self.secret = generate_position_secret()

        if not self.pseudonymization_id:
@@ -1503,7 +1774,7 @@ class OrderPosition(AbstractPosition):
        charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
        while True:
            code = get_random_string(length=10, allowed_chars=charset)
-            if not OrderPosition.objects.filter(pseudonymization_id=code).exists():
+            if not OrderPosition.all.filter(pseudonymization_id=code).exists():
                self.pseudonymization_id = code
                return

@@ -1546,6 +1817,7 @@ class CartPosition(AbstractPosition):
    includes_tax = models.BooleanField(
        default=True
    )
+    is_bundled = models.BooleanField(default=False)

    class Meta:
        verbose_name = _("Cart position")
@@ -1591,6 +1863,10 @@ class InvoiceAddress(models.Model):
        help_text=_('This reference will be printed on your invoice for your convenience.'),
        blank=True
    )
+    beneficiary = models.TextField(
+        verbose_name=_('Beneficiary'),
+        blank=True
+    )

    def save(self, **kwargs):
        if self.order:
@@ -1600,6 +1876,7 @@ class InvoiceAddress(models.Model):
            self.name_cached = self.name
        else:
            self.name_cached = ""
+            self.name_parts = {}
        super().save(**kwargs)

    @property
--- a/src/pretix/base/models/tax.py
+++ b/src/pretix/base/models/tax.py
@@ -33,6 +33,32 @@ class TaxedPrice:
            money_filter(self.gross, currency)
        )

+    def __sub__(self, other):
+        newgross = self.gross - other.gross
+        newnet = round_decimal(newgross - (newgross * (1 - 100 / (100 + self.rate)))).quantize(
+            Decimal('10') ** self.gross.as_tuple().exponent
+        )
+        return TaxedPrice(
+            gross=newgross,
+            net=newnet,
+            tax=newgross - newnet,
+            rate=self.rate,
+            name=self.name,
+        )
+
+    def __mul__(self, other):
+        newgross = self.gross * other
+        newnet = round_decimal(newgross - (newgross * (1 - 100 / (100 + self.rate)))).quantize(
+            Decimal('10') ** self.gross.as_tuple().exponent
+        )
+        return TaxedPrice(
+            gross=newgross,
+            net=newnet,
+            tax=newgross - newnet,
+            rate=self.rate,
+            name=self.name,
+        )
+

 TAXED_ZERO = TaxedPrice(
    gross=Decimal('0.00'),
@@ -97,7 +123,7 @@ class TaxRule(LoggedModel):

        return (
            not OrderFee.objects.filter(tax_rule=self, order__event=self.event).exists()
-            and not OrderPosition.objects.filter(tax_rule=self, order__event=self.event).exists()
+            and not OrderPosition.all.filter(tax_rule=self, order__event=self.event).exists()
            and not self.event.items.filter(tax_rule=self).exists()
            and self.event.settings.tax_rate_default != self
        )
@@ -129,7 +155,12 @@ class TaxRule(LoggedModel):
    def has_custom_rules(self):
        return self.custom_rules and self.custom_rules != '[]'

-    def tax(self, base_price, base_price_is='auto'):
+    def tax(self, base_price, base_price_is='auto', currency=None):
+        from .event import Event
+        try:
+            currency = currency or self.event.currency
+        except Event.DoesNotExist:
+            pass
        if self.rate == Decimal('0.00'):
            return TaxedPrice(
                net=base_price, gross=base_price, tax=Decimal('0.00'),
@@ -145,11 +176,11 @@ class TaxRule(LoggedModel):
        if base_price_is == 'gross':
            gross = base_price
            net = round_decimal(gross - (base_price * (1 - 100 / (100 + self.rate))),
-                                self.event.currency if self.event else None)
+                                currency)
        elif base_price_is == 'net':
            net = base_price
            gross = round_decimal((net * (1 + self.rate / 100)),
-                                  self.event.currency if self.event else None)
+                                  currency)
        else:
            raise ValueError('Unknown base price type: {}'.format(base_price_is))

--- a/src/pretix/base/models/vouchers.py
+++ b/src/pretix/base/models/vouchers.py
@@ -13,6 +13,7 @@ from ..decimal import round_decimal
 from .base import LoggedModel
 from .event import Event, SubEvent
 from .items import Item, ItemVariation, Quota
+from .orders import Order


 def _generate_random_code(prefix=None):
@@ -182,7 +183,7 @@ class Voucher(LoggedModel):
        return self.code

    def allow_delete(self):
-        return self.redeemed == 0
+        return self.redeemed == 0 and not self.orderposition_set.exists()

    def clean(self):
        Voucher.clean_item_properties(
@@ -380,3 +381,11 @@ class Voucher(LoggedModel):
                return p.quantize(Decimal('1') / 10 ** places, ROUND_HALF_UP)
            return p
        return original_price
+
+    def distinct_orders(self):
+        """
+        Return the list of orders where this voucher has been used.
+        Each order will appear at most once.
+        """
+
+        return Order.objects.filter(all_positions__voucher__in=[self]).distinct()
--- a/src/pretix/base/models/waitinglist.py
+++ b/src/pretix/base/models/waitinglist.py
@@ -159,7 +159,7 @@ class WaitingListEntry(LoggedModel):
    @staticmethod
    def clean_duplicate(email, item, variation, subevent, pk):
        if WaitingListEntry.objects.filter(
-                item=item, variation=variation, email=email, voucher__isnull=True, subevent=subevent
+                item=item, variation=variation, email__iexact=email, voucher__isnull=True, subevent=subevent
        ).exclude(pk=pk).exists():
            raise ValidationError(_('You are already on this waiting list! We will notify '
                                    'you as soon as we have a ticket available for you.'))
--- a/src/pretix/base/notifications.py
+++ b/src/pretix/base/notifications.py
@@ -177,6 +177,7 @@ class ParametrizedOrderNotificationType(NotificationType):
        n.add_attribute(_('Event'), order.event.name)
        n.add_attribute(_('Order code'), order.code)
        n.add_attribute(_('Order total'), money_filter(order.total, logentry.event.currency))
+        n.add_attribute(_('Pending amount'), money_filter(order.pending_sum, logentry.event.currency))
        n.add_attribute(_('Order date'), date_format(order.datetime, 'SHORT_DATETIME_FORMAT'))
        n.add_attribute(_('Order status'), order.get_status_display())
        n.add_attribute(_('Order positions'), str(order.positions.count()))
@@ -193,6 +194,12 @@ def register_default_notification_types(sender, **kwargs):
            _('New order placed'),
            _('A new order has been placed: {order.code}'),
        ),
+        ParametrizedOrderNotificationType(
+            sender,
+            'pretix.event.order.placed.require_approval',
+            _('New order requires approval'),
+            _('A new order has been placed that requires approval: {order.code}'),
+        ),
        ParametrizedOrderNotificationType(
            sender,
            'pretix.event.order.paid',
@@ -229,6 +236,12 @@ def register_default_notification_types(sender, **kwargs):
            _('Order changed'),
            _('Order {order.code} has been changed.')
        ),
+        ParametrizedOrderNotificationType(
+            sender,
+            'pretix.event.order.overpaid',
+            _('Order has been overpaid'),
+            _('Order {order.code} has been overpaid.')
+        ),
        ParametrizedOrderNotificationType(
            sender,
            'pretix.event.order.refund.created.externally',
@@ -237,9 +250,9 @@ def register_default_notification_types(sender, **kwargs):
        ),
        ParametrizedOrderNotificationType(
            sender,
-            'pretix.event.order.refunded',
-            _('Order refunded'),
-            _('Order {order.code} has been refunded.')
+            'pretix.event.order.refund.requested',
+            _('Refund requested'),
+            _('You have been requested to issue a refund for {order.code}.')
        ),
        ActionRequiredNotificationType(
            sender,
--- a/src/pretix/base/payment.py
+++ b/src/pretix/base/payment.py
@@ -88,6 +88,18 @@ class BasePaymentProvider:
        """
        return self.settings.get('_enabled', as_type=bool)

+    @property
+    def test_mode_message(self) -> str:
+        """
+        If this property is set to a string, this will be displayed when this payment provider is selected
+        while the event is in test mode. You should use it to explain to your user how your plugin behaves,
+        e.g. if it falls back to a test mode automatically as well or if actual payments will be performed.
+
+        If you do not set this (or, return ``None``), pretix will show a default message warning the user
+        that this plugin does not support test mode payments.
+        """
+        return None
+
    def calculate_fee(self, price: Decimal) -> Decimal:
        """
        Calculate the fee for this payment provider which will be added to
@@ -299,7 +311,7 @@ class BasePaymentProvider:
    @property
    def payment_form_fields(self) -> dict:
        """
-        This is used by the default implementation of :py:meth:`checkout_form`.
+        This is used by the default implementation of :py:meth:`payment_form`.
        It should return an object similar to :py:attr:`settings_form_fields`.

        The default implementation returns an empty dictionary.
@@ -308,10 +320,10 @@ class BasePaymentProvider:

    def payment_form(self, request: HttpRequest) -> Form:
        """
-        This is called by the default implementation of :py:meth:`checkout_form_render`
+        This is called by the default implementation of :py:meth:`payment_form_render`
        to obtain the form that is displayed to the user during the checkout
        process. The default implementation constructs the form using
-        :py:attr:`checkout_form_fields` and sets appropriate prefixes for the form
+        :py:attr:`payment_form_fields` and sets appropriate prefixes for the form
        and all fields and fills the form with data form the user's session.

        If you overwrite this, we strongly suggest that you inherit from
@@ -425,7 +437,7 @@ class BasePaymentProvider:
        When the user selects this provider as their preferred payment method,
        they will be shown the HTML you return from this method.

-        The default implementation will call :py:meth:`checkout_form`
+        The default implementation will call :py:meth:`payment_form`
        and render the returned form. If your payment method doesn't require
        the user to fill out form fields, you should just return a paragraph
        of explanatory text.
@@ -708,11 +720,39 @@ class BoxOfficeProvider(BasePaymentProvider):
    def order_change_allowed(self, order: Order) -> bool:
        return False

+    def payment_control_render(self, request, payment) -> str:
+        template = None
+        payment_info = None
+
+        if payment.info:
+            payment_info = json.loads(payment.info)
+            if payment_info['payment_type'] == "sumup":
+                template = get_template('pretixcontrol/boxoffice/payment_sumup.html')
+
+        ctx = {
+            'request': request,
+            'event': self.event,
+            'settings': self.settings,
+            'payment_info': payment_info,
+            'payment': payment,
+            'provider': self,
+        }
+
+        if template:
+            return template.render(ctx)
+        else:
+            return
+

 class ManualPayment(BasePaymentProvider):
    identifier = 'manual'
    verbose_name = _('Manual payment')

+    @property
+    def test_mode_message(self):
+        return _('In test mode, you can just manually mark this order as paid in the backend after it has been '
+                 'created.')
+
    @property
    def is_implicit(self):
        return 'pretix.plugins.manualpayment' not in self.event.plugins
@@ -788,9 +828,9 @@ class ManualPayment(BasePaymentProvider):
        msg = str(self.settings.get('email_instructions', as_type=LazyI18nString)).format_map(self.format_map(order))
        return msg

-    def order_pending_render(self, request, order) -> str:
+    def payment_pending_render(self, request, payment) -> str:
        return rich_text(
-            str(self.settings.get('pending_description', as_type=LazyI18nString)).format_map(self.format_map(order))
+            str(self.settings.get('pending_description', as_type=LazyI18nString)).format_map(self.format_map(payment.order))
        )


--- a/Show More
+++ b/Show More