Bump version to 3.3.0

Fix outdated API documentation
Pass cart positions to fee_calculation_for_cart
2025-12-13 12:42:26 +00:00 · 2019-11-06 13:10:40 +01:00 · 2019-11-05 19:00:09 +01:00 · 2019-11-04 11:00:48 +01:00 · 2019-11-04 09:55:00 +01:00 · 2019-11-04 09:18:23 +01:00
565 changed files with 176974 additions and 90879 deletions
--- a/.travis.sh
+++ b/.travis.sh
@@ -14,18 +14,18 @@ if [ "$PRETIX_CONFIG_FILE" == "tests/travis_postgres.cfg" ]; then
 fi
 if [ "$1" == "style" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements.txt -r src/requirements/dev.txt
+	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur src/requirements.txt -r src/requirements/dev.txt
 	cd src
    flake8 .
    isort -c -rc -df .
 fi
 if [ "$1" == "doctests" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur doc/requirements.txt
+	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur doc/requirements.txt
 	cd doc
 	make doctest
 fi
 if [ "$1" == "doc-spelling" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur doc/requirements.txt
+	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur doc/requirements.txt
 	cd doc
 	make spelling
 	if [ -s _build/spelling/output.txt ]; then
@@ -33,26 +33,26 @@ if [ "$1" == "doc-spelling" ]; then
 	fi
 fi
 if [ "$1" == "translation-spelling" ]; then
-	XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements/dev.txt
+	XDG_CACHE_HOME=/cache pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
 	cd src
 	potypo
 fi
 if [ "$1" == "tests" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
+	pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
 	cd src
 	python manage.py check
 	make all compress
 	py.test --reruns 5 -n 3 tests
 fi
 if [ "$1" == "tests-cov" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
+	pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
 	cd src
 	python manage.py check
 	make all compress
 	coverage run -m py.test --reruns 5 tests && codecov
 fi
 if [ "$1" == "plugins" ]; then
-	pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
+	pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
 	cd src
 	python setup.py develop
 	make all compress
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,8 +25,6 @@ matrix:
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
    - python: 3.5
      env: JOB=tests PRETIX_CONFIG_FILE=tests/travis_postgres.cfg
    - python: 3.7
      env: JOB=plugins
    - python: 3.7
      env: JOB=doc-spelling
    - python: 3.7
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -3,7 +3,7 @@ Contributing to pretix
 Hey there and welcome to pretix!
-We've got an contributors guide in [our documentation](https://docs.pretix.eu/en/latest/development/contribution/)
+We've got a contributors guide in [our documentation](https://docs.pretix.eu/en/latest/development/contribution/)
 together with notes on the [development setup](https://docs.pretix.eu/en/latest/development/setup.html).
 Please note that we have a [Code of Conduct](https://docs.pretix.eu/en/latest/development/contribution/codeofconduct.html)
--- a/2
+++ b/2
@@ -57,6 +57,8 @@ COPY deployment/docker/nginx.conf /etc/nginx/nginx.conf
 COPY deployment/docker/production_settings.py /pretix/src/production_settings.py
 COPY src /pretix/src
 RUN cd /pretix/src && pip3 install .
 RUN chmod +x /usr/local/bin/pretix && \
    rm /etc/nginx/sites-enabled/default && \
    cd /pretix/src && \
--- a/doc/admin/config.rst
+++ b/doc/admin/config.rst
@@ -57,6 +57,9 @@ Example::
    A comma-separated list of plugins that are not available even though they are installed.
    Defaults to an empty string.
 ``auth_backends``
    A comma-separated list of available auth backends. Defaults to ``pretix.base.auth.NativeAuthBackend``.
 ``cookie_domain``
    The cookie domain to be set. Defaults to ``None``.
@@ -78,6 +81,15 @@ Example::
    Enables or disables nagging staff users for leaving comments on their sessions for auditability.
    Defaults to ``off``.
 ``obligatory_2fa``
    Enables or disables obligatory usage of Two-Factor Authentication for users of the pretix backend.
    Defaults to ``False``
 ``trust_x_forwarded_for``
    Specifies whether the ``X-Forwarded-For`` header can be trusted. Only set to ``on`` if you have a reverse
    proxy that actively removes and re-adds the header to make sure the correct client IP is the first value.
    Defaults to ``off``.
 Locale settings
 ---------------
--- a/doc/admin/installation/docker_smallscale.rst
+++ b/doc/admin/installation/docker_smallscale.rst
@@ -276,7 +276,7 @@ choice)::
 Then, go to that directory and build the image::
-    $ docker build -t mypretix
+    $ docker build . -t mypretix
 You can now use that image ``mypretix`` instead of ``pretix/standalone`` in your service file (see above). Be sure
 to re-build your custom image after you pulled ``pretix/standalone`` if you want to perform an update.
--- a/doc/admin/installation/enterprise.rst
+++ b/doc/admin/installation/enterprise.rst
@@ -68,7 +68,7 @@ generated key and installs the plugin from the URL we told you::
        mkdir -p /etc/ssh && \
        ssh-keyscan -t rsa -p 10022 code.rami.io >> /root/.ssh/known_hosts && \
        echo StrictHostKeyChecking=no >> /root/.ssh/config && \
-        pip3 install -Ue "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack" && \
+        DJANGO_SETTINGS_MODULE=pretix.settings pip3 install -U "git+ssh://git@code.rami.io:10022/pretix/pretix-slack.git@stable#egg=pretix-slack" && \
        cd /pretix/src && \
        sudo -u pretixuser make production
    USER pretixuser
--- a/doc/api/guides/custom_checkout.rst
+++ b/doc/api/guides/custom_checkout.rst
@@ -0,0 +1,132 @@
 Creating an external checkout process
 =====================================
 Occasionally, we get asked whether it is possible to just use pretix' powerful backend as a ticketing engine but use
 a fully-customized checkout process that only communicates via the API. This is possible, but with a few limitations.
 If you go down this route, you will miss out on many of pretix features and safeguards, as well as the added flexibility
 by most of pretix' plugins. We strongly recommend to talk this through with us before you decide this is the way to go.
 However, this is really useful if you need to tightly integrate pretix into existing web applications that e.g. control
 the pricing of your products in a way that cannot be mapped to pretix' product structures.
 Creating orders
 ---------------
 After letting your user select the products to  buy in your application, you should create a new order object inside
 pretix. Below, you can see an example of such an order, but most fields are optional and there are some more features
 supported. Read :ref:`rest-orders-create` to learn more about this endpoint.
 Please note that this endpoint assumes trustworthy input for the most part. By default, the endpoint checks that
 you do not exceed any quotas, do not sell any seats twice, or do not use any redeemed vouchers. However, it will not
 complain about violation of any other availability constraints, such as violation of time frames or minimum/maximum
 amounts of either your product or event. Bundled products will not be added in automatically and fees will not be
 calculated automatically.
 .. sourcecode:: http
    POST /api/v1/organizers/democon/events/3vjrh/orders/ HTTP/1.1
    Host: test.pretix.eu
    Accept: application/json, text/javascript
    Content-Type: application/json
    Authorization: …
    {
      "email": "dummy@example.org",
      "locale": "en",
      "sales_channel": "web",
      "payment_provider": "banktransfer",
      "invoice_address": {
        "is_business": false,
        "company": "Sample company",
        "name_parts": {"full_name": "John Doe"},
        "street": "Sesam Street 12",
        "zipcode": "12345",
        "city": "Sample City",
        "country": "US",
        "state": "NY",
        "internal_reference": "",
        "vat_id": ""
      },
      "positions": [
        {
          "item": 21,
          "variation": null,
          "attendee_name_parts": {
            "full_name": "Peter"
          },
          "answers": [
            {
              "question": 1,
              "answer": "23",
              "options": []
            }
          ],
          "subevent": null
        }
      ],
      "fees": []
    }
 You will be returned a full order object that you can inspect, store, or use to build emails or confirmation pages for
 the user. If you don't want to do that yourself, it will also contain the URL to our confirmation page in the ``url``
 attribute. If you pass the ``"send_mail": true`` option, pretix will also send order confirmations for you.
 Handling payments yourself
 --------------------------
 If you want to handle payments in your application, you can either just create the orders with status "paid" or you can
 create them in "pending" state (the default) and later confirm the payment. We strongly advise to use the payment
 provider ``"manual"`` in this case to avoid interference with payment code with pretix.
 However, it is often unfeasible to implement the payment process yourself, and it also requires you to give up a
 lot of pretix functionality, such as automatic refunds. Therefore, it is also possible to utilize pretix' native
 payment process even in this case:
 Using pretix payment providers
 ------------------------------
 If you passed a ``payment_provider`` during order creation above, pretix will have created a payment object with state
 ``created`` that you can see in the returned order object. This payment object will have an attribute ``payment_url``
 that you can use to let the user pay. For example, you could link or redirect to this page.
 If you want the user to return to your application after the payment is complete, you can pass a query parameter
 ``return_url``. To prepare your event for this, open your event in the pretix backend and go to "Settings", then
 "Plugins". Enable the plugin "Redirection from order page". Then, go to the new page "Settings", then "Redirection".
 Enter the base URL of your web application. This will allow you to redirect to pages under this base URL later on.
 For example, if you want users to be redirected to ``https://example.org/order/return?tx_id=1234``, you could now
 either enter ``https://example.org`` or ``https://example.org/order/``.
 The user will be redirected back to your page instead of pretix' order confirmation page after the payment,
 **regardless of whether it was successful or not**. Make sure you use our API to check if the payment actually
 worked! Your final URL could look like this::
    https://test.pretix.eu/democon/3vjrh/order/NSLEZ/ujbrnsjzbq4dzhck/pay/123/?return_url=https%3A%2F%2Fexample.org%2Forder%2Freturn%3Ftx_id%3D1234
 You can also embed this page in an ``<iframe>`` instead. Note, however, that this causes problems with some payment
 methods such as PayPal which do not allow being opened in an iframe. pretix can partly work around these issues by
 opening a new window, but will only to so if you also append an ``iframe=1`` parameter to the URL::
    https://test.pretix.eu/democon/3vjrh/order/NSLEZ/ujbrnsjzbq4dzhck/pay/123/?return_url=https%3A%2F%2Fexample.org%2Forder%2Freturn%3Ftx_id%3D1234&iframe=1
 If you did **not** pass a payment method since you want us to ask the user which payment method they want to use, you
 need to construct the URL from the ``url`` attribute of the order and the sub-path ``pay/change```. For example, you
 would end up with the following URL::
    https://test.pretix.eu/democon/3vjrh/order/NSLEZ/ujbrnsjzbq4dzhck/pay/change
 Of course, you can also use the ``iframe`` and ``return_url`` parameters here.
 Optional: Cart reservations
 ---------------------------
 Creating orders is an atomic operation: The order is either created as a whole or not at all. However, pretix'
 built-in checkout automatically reserves tickets in a user's cart for a configurable amount of time to ensure users
 will actually get their tickets once they started entering all their details. If you want a similar behavior in your
 application, you need to create :ref:`rest-carts` through the API.
 When creating your order, you can pass a ``consume_carts`` parameter with the cart ID(s) of your user. This way, the
 quota reserved by the cart will be credited towards the order and the carts will be destroyed if (and only if) the
 order creation succeeds.
 Cart creation is currently even more limited than the order creation endpoints, as cart creation currently does not
 support vouchers or automatic price calculation. If you require these features, please get in touch with us.
--- a/doc/api/guides/index.rst
+++ b/doc/api/guides/index.rst
@@ -0,0 +1,11 @@
 .. _`rest-api-guides`:
 API Usage Guides
 ================
 This part of the documentation contains how-to guides on some special use cases of our API.
 .. toctree::
   :maxdepth: 2
   custom_checkout
--- a/doc/api/index.rst
+++ b/doc/api/index.rst
@@ -18,3 +18,4 @@ in functionality over time.
   resources/index
   ratelimit
   webhooks
   guides/index
--- a/doc/api/resources/carts.rst
+++ b/doc/api/resources/carts.rst
@@ -36,12 +36,20 @@ answers                               list of objects            Answers to user
 ├ question_identifier                 string                     The question's ``identifier`` field
 ├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 └ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
 seat                                  objects                    The assigned seat. Can be ``null``.
 ├ id                                  integer                    Internal ID of the seat instance
 ├ name                                string                     Human-readable seat name
 └ seat_guid                           string                     Identifier of the seat within the seating plan
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.17
   This resource has been added.
 .. versionchanged:: 3.0
   This ``seat`` attribute has been added.
 Cart position endpoints
 -----------------------
@@ -87,6 +95,7 @@ Cart position endpoints
            "datetime": "2018-06-11T10:00:00Z",
            "expires": "2018-06-11T10:00:00Z",
            "includes_tax": true,
            "seat": null,
            "answers": []
          }
        ]
@@ -132,6 +141,7 @@ Cart position endpoints
        "datetime": "2018-06-11T10:00:00Z",
        "expires": "2018-06-11T10:00:00Z",
        "includes_tax": true,
        "seat": null,
        "answers": []
      }
@@ -178,6 +188,7 @@ Cart position endpoints
   * ``item``
   * ``variation`` (optional)
   * ``price``
   * ``seat`` (The ``seat_guid`` attribute of a seat. Required when the specified ``item`` requires a seat, otherwise must be ``null``.)
   * ``attendee_name`` **or** ``attendee_name_parts`` (optional)
   * ``attendee_email`` (optional)
   * ``subevent`` (optional)
@@ -196,7 +207,7 @@ Cart position endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/cartpositions/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "item": 1,
--- a/doc/api/resources/categories.rst
+++ b/doc/api/resources/categories.rst
@@ -131,7 +131,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/categories/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "name": {"en": "Tickets"},
--- a/doc/api/resources/checkinlists.rst
+++ b/doc/api/resources/checkinlists.rst
@@ -1,3 +1,5 @@
 .. spelling:: checkin
 Check-in lists
 ==============
@@ -27,6 +29,7 @@ subevent                              integer                    ID of the date
 position_count                        integer                    Number of tickets that match this list (read-only).
 checkin_count                         integer                    Number of check-ins performed on this list (read-only).
 include_pending                       boolean                    If ``true``, the check-in list also contains tickets from orders in pending state.
 auto_checkin_sales_channels           list of strings            All items on the check-in list will be automatically marked as checked-in when purchased through any of the listed sales channels.
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.10
@@ -41,6 +44,10 @@ include_pending                       boolean                    If ``true``, th
   The ``include_pending`` field has been added.
 .. versionchanged:: 3.2
    The ``auto_checkin_sales_channels`` field has been added.
 Endpoints
 ---------
@@ -81,7 +88,10 @@ Endpoints
            "all_products": true,
            "limit_products": [],
            "include_pending": false,
-            "subevent": null
+            "subevent": null,
            "auto_checkin_sales_channels": [
              "pretixpos"
            ]
          }
        ]
      }
@@ -122,7 +132,10 @@ Endpoints
        "all_products": true,
        "limit_products": [],
        "include_pending": false,
-        "subevent": null
+        "subevent": null,
        "auto_checkin_sales_channels": [
          "pretixpos"
        ]
      }
   :param organizer: The ``slug`` field of the organizer to fetch
@@ -209,13 +222,16 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/checkinlists/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "name": "VIP entry",
        "all_products": false,
        "limit_products": [1, 2],
-        "subevent": null
+        "subevent": null,
        "auto_checkin_sales_channels": [
          "pretixpos"
        ]
      }
   **Example response**:
@@ -234,7 +250,10 @@ Endpoints
        "all_products": false,
        "limit_products": [1, 2],
        "include_pending": false,
-        "subevent": null
+        "subevent": null,
        "auto_checkin_sales_channels": [
          "pretixpos"
        ]
      }
   :param organizer: The ``slug`` field of the organizer of the event/item to create a list for
@@ -283,7 +302,10 @@ Endpoints
        "all_products": false,
        "limit_products": [1, 2],
        "include_pending": false,
-        "subevent": null
+        "subevent": null,
        "auto_checkin_sales_channels": [
          "pretixpos"
        ]
      }
   :param organizer: The ``slug`` field of the organizer to modify
@@ -342,6 +364,11 @@ Order position endpoints
   ``ignore_status`` filter. The ``attendee_name`` field is now "smart" (see below) and the redemption endpoint
   returns ``400`` instead of ``404`` on tickets which are known but not paid.
 .. versionchanged:: 3.2
    The ``checkins`` dict now also contains a ``auto_checked_in`` value to indicate if the check-in has been performed
    automatically by the system.
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/
   Returns a list of all order positions within a given event. The result is the same as
@@ -396,10 +423,12 @@ Order position endpoints
            "addon_to": null,
            "subevent": null,
            "pseudonymization_id": "MQLJvANO3B",
            "seat": null,
            "checkins": [
              {
                "list": 1,
-                "datetime": "2017-12-25T12:45:23Z"
+                "datetime": "2017-12-25T12:45:23Z",
                "auto_checked_in": true
              }
            ],
            "answers": [
@@ -505,10 +534,12 @@ Order position endpoints
        "addon_to": null,
        "subevent": null,
        "pseudonymization_id": "MQLJvANO3B",
        "seat": null,
        "checkins": [
          {
            "list": 1,
-            "datetime": "2017-12-25T12:45:23Z"
+            "datetime": "2017-12-25T12:45:23Z",
            "auto_checked_in": true
          }
        ],
        "answers": [
@@ -546,6 +577,8 @@ Order position endpoints
                                       you do not implement question handling in your user interface, you **must**
                                       set this to ``false``. In that case, questions will just be ignored. Defaults
                                       to ``true``.
   :<json boolean canceled_supported: When this parameter is set to ``true``, the response code ``canceled`` may be
                                      returned. Otherwise, canceled orders will return ``unpaid``.
   :<json datetime datetime: Specifies the datetime of the check-in. If not supplied, the current time will be used.
   :<json boolean force: Specifies that the check-in should succeed regardless of previous check-ins or required
                         questions that have not been filled. Defaults to ``false``.
@@ -574,6 +607,7 @@ Order position endpoints
        "nonce": "Pvrk50vUzQd0DhdpNRL4I4OcXsvg70uA",
        "datetime": null,
        "questions_supported": true,
        "canceled_supported": true,
        "answers": {
          "4": "XS"
        }
@@ -657,7 +691,9 @@ Order position endpoints
   Possible error reasons:
-   * ``unpaid`` - Ticket is not paid for or has been refunded
+   * ``unpaid`` - Ticket is not paid for
   * ``canceled`` – Ticket is canceled or expired. This reason is only sent when your request sets
     ``canceled_supported`` to ``true``, otherwise these orders return ``unpaid``.
   * ``already_redeemed`` - Ticket already has been redeemed
   * ``product`` - Tickets with this product may not be scanned at this device
--- a/doc/api/resources/events.rst
+++ b/doc/api/resources/events.rst
@@ -1,3 +1,9 @@
 .. spelling::
   geo
   lat
   lon
 Events
 ======
@@ -25,11 +31,17 @@ is_public                             boolean                    If ``true``, th
 presale_start                         datetime                   The date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The event location (or ``null``)
 geo_lat                               float                      Latitude of the location (or ``null``)
 geo_lon                               float                      Longitude of the location (or ``null``)
 has_subevents                         boolean                    ``true`` if the event series feature is active for this
                                                                 event. Cannot change after event is created.
-meta_data                             dict                       Values set for organizer-specific meta data parameters.
+meta_data                             object                     Values set for organizer-specific meta data parameters.
 plugins                               list                       A list of package names of the enabled plugins for this
                                                                 event.
 seating_plan                          integer                    If reserved seating is in use, the ID of a seating
                                                                 plan. Otherwise ``null``.
 seat_category_mapping                 object                     An object mapping categories of the seating plan
                                                                 (strings) to items in the event (integers or ``null``).
 ===================================== ========================== =======================================================
@@ -54,9 +66,21 @@ plugins                               list                       A list of packa
    When cloning events, the ``testmode`` attribute will now be cloned, too.
 .. versionchanged:: 3.0
   The attributes ``seating_plan`` and ``seat_category_mapping`` have been added.
 .. versionchanged:: 3.3
   The attributes ``geo_lat`` and ``geo_lon`` have been added.
 Endpoints
 ---------
 .. versionchanged:: 3.3
    The events resource can now be filtered by meta data attributes.
 .. http:get:: /api/v1/organizers/(organizer)/events/
   Returns a list of all events within a given organizer the authenticated user/token has access to.
@@ -97,8 +121,12 @@ Endpoints
            "presale_start": null,
            "presale_end": null,
            "location": null,
            "geo_lat": null,
            "geo_lon": null,
            "has_subevents": false,
            "meta_data": {},
            "seating_plan": null,
            "seat_category_mapping": {},
            "plugins": [
              "pretix.plugins.banktransfer"
              "pretix.plugins.stripe"
@@ -119,6 +147,10 @@ Endpoints
   :query string ordering: Manually set the ordering of results. Valid fields to be used are ``date_from`` and
                           ``slug``. Keep in mind that ``date_from`` of event series does not really tell you anything.
                           Default: ``slug``.
   :query array attr[meta_data_key]: By providing the key and value of a meta data attribute, the list of events will
        only contain the events matching the set criteria. Providing ``?attr[Format]=Seminar`` would return only those
        events having set their ``Format`` meta data to ``Seminar``, ``?attr[Format]=`` only those, that have no value
        set. Please note that this filter will respect default values set on organizer level.
   :param organizer: The ``slug`` field of a valid organizer
   :statuscode 200: no error
   :statuscode 401: Authentication failure
@@ -159,7 +191,11 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "has_subevents": false,
        "seating_plan": null,
        "seat_category_mapping": {},
        "meta_data": {},
        "plugins": [
          "pretix.plugins.banktransfer"
@@ -191,7 +227,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "name": {"en": "Sample Conference"},
@@ -205,7 +241,11 @@ Endpoints
        "is_public": false,
        "presale_start": null,
        "presale_end": null,
        "seating_plan": null,
        "seat_category_mapping": {},
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "has_subevents": false,
        "meta_data": {},
        "plugins": [
@@ -235,6 +275,10 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "seating_plan": null,
        "seat_category_mapping": {},
        "has_subevents": false,
        "meta_data": {},
        "plugins": [
@@ -252,11 +296,11 @@ Endpoints
 .. http:post:: /api/v1/organizers/(organizer)/events/(event)/clone/
-   Creates a new event with properties as set in the request body. The properties that are copied are: 'is_public',
+   Creates a new event with properties as set in the request body. The properties that are copied are: ``is_public``,
-   `testmode`, settings, plugin settings, items, variations, add-ons, quotas, categories, tax rules, questions.
+   ``testmode``, ``has_subevents``, settings, plugin settings, items, variations, add-ons, quotas, categories, tax rules, questions.
-   If the 'plugins' and/or 'is_public' fields are present in the post body this will determine their value. Otherwise
+   If the ``plugins``, ``has_subevents`` and/or ``is_public`` fields are present in the post body this will determine their
-   their value will be copied from the existing event.
+   value. Otherwise their value will be copied from the existing event.
   Please note that you can only copy from events under the same organizer.
@@ -269,7 +313,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/clone/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "name": {"en": "Sample Conference"},
@@ -284,6 +328,10 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "seating_plan": null,
        "seat_category_mapping": {},
        "has_subevents": false,
        "meta_data": {},
        "plugins": [
@@ -313,7 +361,11 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "has_subevents": false,
        "seating_plan": null,
        "seat_category_mapping": {},
        "meta_data": {},
        "plugins": [
          "pretix.plugins.stripe",
@@ -342,7 +394,7 @@ Endpoints
      PATCH /api/v1/organizers/bigevents/events/sampleconf/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "plugins": [
@@ -374,7 +426,11 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "has_subevents": false,
        "seating_plan": null,
        "seat_category_mapping": {},
        "meta_data": {},
        "plugins": [
          "pretix.plugins.banktransfer",
--- a/doc/api/resources/giftcards.rst
+++ b/doc/api/resources/giftcards.rst
@@ -0,0 +1,229 @@
 .. _`rest-giftcards`:
 Gift cards
 ==========
 Resource description
 --------------------
 The gift card resource contains the following public fields:
 .. rst-class:: rest-resource-table
 ===================================== ========================== =======================================================
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the gift card
 secret                                string                     Gift card code (can not be modified later)
 value                                 money (string)             Current gift card value
 currency                              string                     Currency of the value (can not be modified later)
 testmode                              boolean                    Whether this is a test gift card
 ===================================== ========================== =======================================================
 Endpoints
 ---------
 .. http:get:: /api/v1/organizers/(organizer)/giftcards/
   Returns a list of all gift cards issued by a given organizer.
   **Example request**:
   .. sourcecode:: http
      GET /api/v1/organizers/bigevents/giftcards/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "count": 1,
        "next": null,
        "previous": null,
        "results": [
          {
            "id": 1,
            "secret": "HLBYVELFRC77NCQY",
            "currency": "EUR",
            "testmode": false,
            "value": "13.37"
          }
        ]
      }
   :query integer page: The page number in case of a multi-page result set, default is 1
   :param organizer: The ``slug`` field of the organizer to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
 .. http:get:: /api/v1/organizers/(organizer)/giftcards/(id)/
   Returns information on one gift card, identified by its ID.
   **Example request**:
   .. sourcecode:: http
      GET /api/v1/organizers/bigevents/giftcards/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "secret": "HLBYVELFRC77NCQY",
        "currency": "EUR",
        "testmode": false,
        "value": "13.37"
      }
   :param organizer: The ``slug`` field of the organizer to fetch
   :param id: The ``id`` field of the gift card to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
 .. http:post:: /api/v1/organizers/(organizer)/giftcards/
   Creates a new gift card
   **Example request**:
   .. sourcecode:: http
      POST /api/v1/organizers/bigevents/giftcards/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      {
        "secret": "HLBYVELFRC77NCQY",
        "currency": "EUR",
        "value": "13.37"
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "secret": "HLBYVELFRC77NCQY",
        "testmode": false,
        "currency": "EUR",
        "value": "13.37"
      }
   :param organizer: The ``slug`` field of the organizer to create a gift card for
   :statuscode 201: no error
   :statuscode 400: The gift card could not be created due to invalid submitted data.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
 .. http:patch:: /api/v1/organizers/(organizer)/giftcards/(id)/
   Update a gift card. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
   want to change.
   You can change all fields of the resource except the ``id``, ``secret``, ``testmode``, and ``currency`` fields. Be
   careful when modifying the ``value`` field to avoid race conditions. We recommend to use the ``transact`` method
   described below.
   **Example request**:
   .. sourcecode:: http
      PATCH /api/v1/organizers/bigevents/giftcards/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      Content-Length: 94
      {
        "value": "14.00"
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "secret": "HLBYVELFRC77NCQY",
        "testmode": false,
        "currency": "EUR",
        "value": "14.00"
      }
   :param organizer: The ``slug`` field of the organizer to modify
   :param id: The ``id`` field of the gift card to modify
   :statuscode 200: no error
   :statuscode 400: The gift card could not be modified due to invalid submitted data
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
 .. http:post:: /api/v1/organizers/(organizer)/giftcards/(id)/transact/
   Atomically change the value of a gift card. A positive amount will increase the value of the gift card,
   a negative amount will decrease it.
   **Example request**:
   .. sourcecode:: http
      PATCH /api/v1/organizers/bigevents/giftcards/1/transact/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      Content-Length: 94
      {
        "value": "2.00"
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "secret": "HLBYVELFRC77NCQY",
        "currency": "EUR",
        "testmode": false,
        "value": "15.37"
      }
   :param organizer: The ``slug`` field of the organizer to modify
   :param id: The ``id`` field of the gift card to modify
   :statuscode 200: no error
   :statuscode 400: The gift card could not be modified due to invalid submitted data
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource.
--- a/doc/api/resources/index.rst
+++ b/doc/api/resources/index.rst
@@ -21,6 +21,8 @@ Resources and endpoints
   vouchers
   checkinlists
   waitinglist
   giftcards
   carts
   webhooks
   seatingplans
   billing_invoices
--- a/doc/api/resources/item_add-ons.rst
+++ b/doc/api/resources/item_add-ons.rst
@@ -134,7 +134,7 @@ Endpoints
      POST /api/v1/organizers/(organizer)/events/(event)/items/(item)/addons/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "addon_category": 1,
--- a/doc/api/resources/item_bundles.rst
+++ b/doc/api/resources/item_bundles.rst
@@ -134,7 +134,7 @@ Endpoints
      POST /api/v1/organizers/(organizer)/events/(event)/items/(item)/bundles/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "bundled_item": 3,
--- a/doc/api/resources/item_variations.rst
+++ b/doc/api/resources/item_variations.rst
@@ -152,7 +152,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/items/1/variations/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "value": {"en": "Student"},
--- a/doc/api/resources/items.rst
+++ b/doc/api/resources/items.rst
@@ -44,6 +44,9 @@ available_from                        datetime                   The first date
                                                                 (or ``null``).
 available_until                       datetime                   The last date time at which this item can be bought
                                                                 (or ``null``).
 hidden_if_available                   integer                    The internal ID of a quota object, or ``null``. If
                                                                 set, this item won't be shown publicly as long as this
                                                                 quota is available.
 require_voucher                       boolean                    If ``true``, this item can only be bought using a
                                                                 voucher that is specifically assigned to this item.
 hide_without_voucher                  boolean                    If ``true``, this item is only shown during the voucher
@@ -72,6 +75,11 @@ generate_tickets                      boolean                    If ``false``, t
                                                                 non-admission or add-on product, regardless of event
                                                                 settings. If this is ``null``, regular ticketing
                                                                 rules apply.
 allow_waitinglist                     boolean                    If ``false``, no waiting list will be shown for this
                                                                 product when it is sold out.
 issue_giftcard                        boolean                    If ``true``, buying this product will yield a gift card.
 show_quota_left                       boolean                    Publicly show how many tickets are still available.
                                                                 If this is ``null``, the event default is used.
 has_variations                        boolean                    Shows whether or not this item has variations.
 variations                            list of objects            A list with one object for each variation of this item.
                                                                 Can be empty. Only writable during creation,
@@ -142,6 +150,10 @@ bundles                               list of objects            Definition of b
   The ``bundles`` and ``require_bundling`` attributes have been added.
 .. versionchanged:: 3.0
   The ``show_quota_left``, ``allow_waitinglist``, and ``hidden_if_available`` attributes have been added.
 Notes
 -----
@@ -195,10 +207,12 @@ Endpoints
            "tax_rate": "0.00",
            "tax_rule": 1,
            "admission": false,
            "issue_giftcard": false,
            "position": 0,
            "picture": null,
            "available_from": null,
            "available_until": null,
            "hidden_if_available": null,
            "require_voucher": false,
            "hide_without_voucher": false,
            "allow_cancel": true,
@@ -207,6 +221,8 @@ Endpoints
            "checkin_attention": false,
            "has_variations": false,
            "generate_tickets": null,
            "allow_waitinglist": true,
            "show_quota_left": null,
            "require_approval": false,
            "require_bundling": false,
            "variations": [
@@ -286,14 +302,18 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
        "issue_giftcard": false,
        "position": 0,
        "picture": null,
        "available_from": null,
        "available_until": null,
        "hidden_if_available": null,
        "require_voucher": false,
        "hide_without_voucher": false,
        "allow_cancel": true,
        "generate_tickets": null,
        "allow_waitinglist": true,
        "show_quota_left": null,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
@@ -342,7 +362,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/items/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "id": 1,
@@ -358,14 +378,18 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
        "issue_giftcard": false,
        "position": 0,
        "picture": null,
        "available_from": null,
        "available_until": null,
        "hidden_if_available": null,
        "require_voucher": false,
        "hide_without_voucher": false,
        "allow_cancel": true,
        "generate_tickets": null,
        "allow_waitinglist": true,
        "show_quota_left": null,
        "min_per_order": null,
        "max_per_order": null,
        "checkin_attention": false,
@@ -417,16 +441,20 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
        "issue_giftcard": false,
        "position": 0,
        "picture": null,
        "available_from": null,
        "available_until": null,
        "hidden_if_available": null,
        "require_voucher": false,
        "hide_without_voucher": false,
        "allow_cancel": true,
        "min_per_order": null,
        "max_per_order": null,
        "generate_tickets": null,
        "allow_waitinglist": true,
        "show_quota_left": null,
        "checkin_attention": false,
        "has_variations": true,
        "require_approval": false,
@@ -508,13 +536,17 @@ Endpoints
        "tax_rate": "0.00",
        "tax_rule": 1,
        "admission": false,
        "issue_giftcard": false,
        "position": 0,
        "picture": null,
        "available_from": null,
        "available_until": null,
        "hidden_if_available": null,
        "require_voucher": false,
        "hide_without_voucher": false,
        "generate_tickets": null,
        "allow_waitinglist": true,
        "show_quota_left": null,
        "allow_cancel": true,
        "min_per_order": null,
        "max_per_order": null,
--- a/doc/api/resources/orders.rst
+++ b/doc/api/resources/orders.rst
@@ -53,7 +53,9 @@ invoice_address                       object                     Invoice address
 ├ street                              string                     Customer street
 ├ zipcode                             string                     Customer ZIP code
 ├ city                                string                     Customer city
-├ country                             string                     Customer country
+├ country                             string                     Customer country code
 ├ state                               string                     Customer state (ISO 3166-2 code). Only supported in
                                                                 AU, BR, CA, CN, MY, MX, and US.
 ├ internal_reference                  string                     Customer's internal reference to be printed on the invoice
 ├ vat_id                              string                     Customer VAT ID
 └ vat_id_validated                    string                     ``true``, if the VAT ID has been validated against the
@@ -82,6 +84,7 @@ require_approval                      boolean                    If ``true`` and
                                                                 needs approval by an organizer before it can
                                                                 continue. If ``true`` and the order is canceled,
                                                                 this order has been denied by the event organizer.
 url                                   string                     The full URL to the order confirmation page
 payments                              list of objects            List of payment processes (see below)
 refunds                               list of objects            List of refund processes (see below)
 last_modified                         datetime                   Last modification of this object
@@ -128,15 +131,21 @@ last_modified                         datetime                   Last modificati
   The ``sales_channel`` attribute has been added.
-.. versionchanged:: 2.4:
+.. versionchanged:: 2.4
   ``order.status`` can no longer be ``r``, ``…/mark_canceled/`` now accepts a ``cancellation_fee`` parameter and
   ``…/mark_refunded/`` has been deprecated.
-.. versionchanged:: 2.5:
+.. versionchanged:: 2.5
   The ``testmode`` attribute has been added and ``DELETE`` has been implemented for orders.
 .. versionchanged:: 3.1
   The ``invoice_address.state`` and ``url`` attributes have been added. When creating orders through the API,
   vouchers are now supported and many fields are now optional.
 .. _order-position-resource:
 Order position resource
@@ -166,7 +175,8 @@ subevent                              integer                    ID of the date
 pseudonymization_id                   string                     A random ID, e.g. for use in lead scanning apps
 checkins                              list of objects            List of check-ins with this ticket
 ├ list                                integer                    Internal ID of the check-in list
-└ datetime                            datetime                   Time of check-in
+├ datetime                            datetime                   Time of check-in
 └ auto_checked_in                     boolean                    Indicates if this check-in been performed automatically by the system
 downloads                             list of objects            List of ticket download options
 ├ output                              string                     Ticket output provider (e.g. ``pdf``, ``passbook``)
 └ url                                 string                     Download URL
@@ -176,6 +186,10 @@ answers                               list of objects            Answers to user
 ├ question_identifier                 string                     The question's ``identifier`` field
 ├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 └ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
 seat                                  objects                    The assigned seat. Can be ``null``.
 ├ id                                  integer                    Internal ID of the seat instance
 ├ name                                string                     Human-readable seat name
 └ seat_guid                           string                     Identifier of the seat within the seating plan
 pdf_data                              object                     Data object required for ticket PDF generation. By default,
                                                                 this field is missing. It will be added only if you add the
                                                                 ``pdf_data=true`` query parameter to your request.
@@ -197,6 +211,19 @@ pdf_data                              object                     Data object req
  The attributes ``pseudonymization_id`` and ``pdf_data`` have been added.
 .. versionchanged:: 3.0
  The attribute ``seat`` has been added.
 .. versionchanged:: 3.2
  The value ``auto_checked_in`` has been added to the ``checkins``-attribute.
 .. versionchanged:: 3.3
  The ``url`` of a ticket ``download`` can now also return a ``text/uri-list`` instead of a file. See
  :ref:`order-position-ticket-download` for details.
 .. _order-payment-resource:
 Order payment resource
@@ -213,13 +240,27 @@ amount                                money (string)             Payment amount
 created                               datetime                   Date and time of creation of this payment
 payment_date                          datetime                   Date and time of completion of this payment (or ``null``)
 provider                              string                     Identification string of the payment provider
 payment_url                           string                     The URL where an user can continue with the payment (or ``null``)
 details                               object                     Payment-specific information. This is a dictionary
                                                                 with various fields that can be different between
                                                                 payment providers, versions, payment states, etc. If
                                                                 you read this field, you always need to be able to
                                                                 deal with situations where values that you expect are
                                                                 missing. Mostly, the field contains various IDs that
                                                                 can be used for matching with other systems. If a
                                                                 payment provider does not implement this feature,
                                                                 the object is empty.
 ===================================== ========================== =======================================================
 .. versionchanged:: 2.0
  This resource has been added.
-.. _order-payment-resource:
+.. versionchanged:: 3.1
  The attributes ``payment_url`` and ``details`` have been added.
 .. _order-refund-resource:
 Order refund resource
 ---------------------
@@ -280,6 +321,7 @@ List of all orders
            "status": "p",
            "testmode": false,
            "secret": "k24fiuwvu8kxz3y1",
            "url": "https://test.pretix.eu/dummy/dummy/order/ABC12/k24fiuwvu8kxz3y1/",
            "email": "tester@example.org",
            "locale": "en",
            "sales_channel": "web",
@@ -302,7 +344,8 @@ List of all orders
                "street": "Test street 12",
                "zipcode": "12345",
                "city": "Testington",
-                "country": "Testikistan",
+                "country": "DE",
                "state": "",
                "internal_reference": "",
                "vat_id": "EU123456789",
                "vat_id_validated": false
@@ -328,10 +371,12 @@ List of all orders
                "addon_to": null,
                "subevent": null,
                "pseudonymization_id": "MQLJvANO3B",
                "seat": null,
                "checkins": [
                  {
                    "list": 44,
-                    "datetime": "2017-12-25T12:45:23Z"
+                    "datetime": "2017-12-25T12:45:23Z",
                    "auto_checked_in": false
                  }
                ],
                "answers": [
@@ -364,6 +409,8 @@ List of all orders
                "amount": "23.00",
                "created": "2017-12-01T10:00:00Z",
                "payment_date": "2017-12-04T12:13:12Z",
                "payment_url": null,
                "details": {},
                "provider": "banktransfer"
              }
            ],
@@ -422,6 +469,7 @@ Fetching individual orders
        "status": "p",
        "testmode": false,
        "secret": "k24fiuwvu8kxz3y1",
        "url": "https://test.pretix.eu/dummy/dummy/order/ABC12/k24fiuwvu8kxz3y1/",
        "email": "tester@example.org",
        "locale": "en",
        "sales_channel": "web",
@@ -444,7 +492,8 @@ Fetching individual orders
            "street": "Test street 12",
            "zipcode": "12345",
            "city": "Testington",
-            "country": "Testikistan",
+            "country": "DE",
            "state": "",
            "internal_reference": "",
            "vat_id": "EU123456789",
            "vat_id_validated": false
@@ -470,10 +519,12 @@ Fetching individual orders
            "addon_to": null,
            "subevent": null,
            "pseudonymization_id": "MQLJvANO3B",
            "seat": null,
            "checkins": [
              {
                "list": 44,
-                "datetime": "2017-12-25T12:45:23Z"
+                "datetime": "2017-12-25T12:45:23Z",
                "auto_checked_in": false
              }
            ],
            "answers": [
@@ -506,6 +557,8 @@ Fetching individual orders
            "amount": "23.00",
            "created": "2017-12-01T10:00:00Z",
            "payment_date": "2017-12-04T12:13:12Z",
            "payment_url": null,
            "details": {},
            "provider": "banktransfer"
          }
        ],
@@ -681,6 +734,8 @@ Deleting orders
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to delete this resource **or** the order may not be deleted.
   :statuscode 404: The requested order does not exist.
 .. _rest-orders-create:
 Creating orders
 ---------------
@@ -688,8 +743,6 @@ Creating orders
   Creates a new order.
   .. warning:: This endpoint is considered **experimental**. It might change at any time without prior notice.
   .. warning::
       This endpoint is intended for advanced users. It is not designed to be used to build your own shop frontend,
@@ -708,25 +761,21 @@ Creating orders
       * does not validate the number of items per order or the number of times an item can be included in an order
-       * does not validate any requirements related to add-on products
+       * does not validate any requirements related to add-on products and does not add bundled products automatically
-       * does not check or calculate prices but believes any prices you send
+       * does not check prices but believes any prices you send
       * does not support the redemption of vouchers
       * does not prevent you from buying items that can only be bought with a voucher
-       * does not calculate fees
+       * does not calculate fees automatically
       * does not allow to pass data to plugins and will therefore cause issues with some plugins like the shipping
         module
       * does not send order confirmations via email
       * does not support reverse charge taxation
       * does not support file upload questions
       * does not support redeeming gift cards
   You can supply the following fields of the resource:
   * ``code`` (optional)
@@ -737,14 +786,15 @@ Creating orders
     then call the ``mark_paid`` API method.
   * ``testmode`` (optional) – Defaults to ``false``
   * ``consume_carts`` (optional) – A list of cart IDs. All cart positions with these IDs will be deleted if the
-     order creation is successful. Any quotas that become free by this operation will be credited to your order
+     order creation is successful. Any quotas or seats that become free by this operation will be credited to your order
     creation.
   * ``email``
   * ``locale``
   * ``sales_channel``
-   * ``payment_provider`` – The identifier of the payment provider set for this order. This needs to be an existing
+   * ``payment_provider`` (optional) – The identifier of the payment provider set for this order. This needs to be an
-     payment provider. You should use ``"free"`` for free orders, and we strongly advise to use ``"manual"`` for all
+     existing payment provider. You should use ``"free"`` for free orders, and we strongly advise to use ``"manual"``
-     orders you create as paid.
+     for all orders you create as paid. This field is optional when the order status is ``"n"`` or the order total is
     zero, otherwise it is required.
   * ``payment_info`` (optional) – You can pass a nested JSON object that will be set as the internal ``info``
     value of the payment object that will be created. How this value is handled is up to the payment provider and you
     should only use this if you know the specific payment provider in detail. Please keep in mind that the payment
@@ -762,16 +812,22 @@ Creating orders
      * ``zipcode``
      * ``city``
      * ``country``
      * ``state``
      * ``internal_reference``
      * ``vat_id``
      * ``vat_id_validated`` (optional) – If you need support for reverse charge (rarely the case), you need to check
       yourself if the passed VAT ID is a valid EU VAT ID. In that case, set this to ``true``. Only valid VAT IDs will
       trigger reverse charge taxation. Don't forget to set ``is_business`` as well!
   * ``positions``
      * ``positionid`` (optional, see below)
      * ``item``
      * ``variation``
-      * ``price``
+      * ``price`` (optional, if set to ``null`` or missing the price will be computed from the given product)
      * ``seat`` (The ``seat_guid`` attribute of a seat. Required when the specified ``item`` requires a seat, otherwise must be ``null``.)
      * ``attendee_name`` **or** ``attendee_name_parts``
      * ``voucher`` (optional, the ``code`` attribute of a valid voucher)
      * ``attendee_email``
      * ``secret`` (optional)
      * ``addon_to`` (optional, see below)
@@ -791,6 +847,8 @@ Creating orders
      * ``tax_rule``
   * ``force`` (optional). If set to ``true``, quotas will be ignored.
   * ``send_mail`` (optional). If set to ``true``, the same emails will be sent as for a regular order. Defaults to
     ``false``.
   If you want to use add-on products, you need to set the ``positionid`` fields of all positions manually
   to incrementing integers starting with ``1``. Then, you can reference one of these
@@ -828,6 +886,7 @@ Creating orders
          "zipcode": "12345",
          "city": "Sample City",
          "country": "UK",
          "state": "",
          "internal_reference": "",
          "vat_id": ""
        },
@@ -851,7 +910,7 @@ Creating orders
            ],
            "subevent": null
          }
-        ],
+        ]
      }
   **Example response**:
@@ -1242,6 +1301,11 @@ List of all order positions
   The order positions endpoint has been extended by the filter queries ``voucher``, ``voucher__code`` and
   ``pseudonymization_id``.
 .. versionchanged:: 3.2
  The value ``auto_checked_in`` has been added to the ``checkins``-attribute.
 .. note:: Individually canceled order positions are currently not visible via the API at all.
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/
@@ -1287,12 +1351,14 @@ List of all order positions
            "tax_value": "0.00",
            "secret": "z3fsn8jyufm5kpk768q69gkbyr5f4h6w",
            "pseudonymization_id": "MQLJvANO3B",
            "seat": null,
            "addon_to": null,
            "subevent": null,
            "checkins": [
              {
                "list": 44,
-                "datetime": "2017-12-25T12:45:23Z"
+                "datetime": "2017-12-25T12:45:23Z",
                "auto_checked_in": false
              }
            ],
            "answers": [
@@ -1389,10 +1455,12 @@ Fetching individual positions
        "addon_to": null,
        "subevent": null,
        "pseudonymization_id": "MQLJvANO3B",
        "seat": null,
        "checkins": [
          {
            "list": 44,
-            "datetime": "2017-12-25T12:45:23Z"
+            "datetime": "2017-12-25T12:45:23Z",
            "auto_checked_in": false
          }
        ],
        "answers": [
@@ -1420,6 +1488,8 @@ Fetching individual positions
   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
   :statuscode 404: The requested order position does not exist.
 .. _`order-position-ticket-download`:
 Order position ticket download
 ------------------------------
@@ -1429,6 +1499,11 @@ Order position ticket download
   Depending on the chosen output, the response might be a ZIP file, PDF file or something else. The order details
   response contains a list of output options for this particular order position.
   Be aware that the output does not have to be a file, but can also be a regular HTTP response with a ``Content-Type``
   set to ``text/uri-list``. In this case, the user is expected to navigate to that URL in order to access their ticket.
   The referenced URL can provide a download or a regular, human-viewable website - so it is advised to open this URL
   in a webbrowser and leave it up to the user to handle the result.
   Tickets can be only downloaded if the order is paid and if ticket downloads are active. Also, depending on event
   configuration downloads might be only unavailable for add-on products or non-admission products.
   Note that in some cases the ticket file might not yet have been created. In that case, you will receive a status
@@ -1535,6 +1610,8 @@ Order payment endpoints
            "amount": "23.00",
            "created": "2017-12-01T10:00:00Z",
            "payment_date": "2017-12-04T12:13:12Z",
            "payment_url": null,
            "details": {},
            "provider": "banktransfer"
          }
        ]
@@ -1575,6 +1652,8 @@ Order payment endpoints
        "amount": "23.00",
        "created": "2017-12-01T10:00:00Z",
        "payment_date": "2017-12-04T12:13:12Z",
        "payment_url": null,
        "details": {},
        "provider": "banktransfer"
      }
--- a/doc/api/resources/questions.rst
+++ b/doc/api/resources/questions.rst
@@ -41,6 +41,8 @@ ask_during_checkin                    boolean                    If ``true``, th
                                                                 the ticket instead.
 hidden                                boolean                    If ``true``, the question will only be shown in the
                                                                 backend.
 print_on_invoice                      boolean                    If ``true``, the question will only be shown on
                                                                 invoices.
 options                               list of objects            In case of question type ``C`` or ``M``, this lists the
                                                                 available objects. Only writable during creation,
                                                                 use separate endpoint to modify this later.
@@ -54,11 +56,12 @@ dependency_question                   integer                    Internal ID of
                                                                 this attribute is set to the value given in
                                                                 ``dependency_value``. This cannot be combined with
                                                                 ``ask_during_checkin``.
-dependency_value                      string                     The value ``dependency_question`` needs to be set to.
+dependency_values                     list of strings            If ``dependency_question`` is set to a boolean
-                                                                 If ``dependency_question`` is set to a boolean
+                                                                 question, this should be ``["True"]`` or ``["False"]``.
-                                                                 question, this should be ``"true"`` or ``"false"``.
+                                                                 Otherwise, it should be a list of ``identifier`` values
-                                                                 Otherwise, it should be the ``identifier`` of a
+                                                                 of question options.
-                                                                 question option.
+dependency_value                      string                     An old version of ``dependency_values`` that only allows
                                                                 for one value. **Deprecated.**
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.12
@@ -75,6 +78,14 @@ dependency_value                      string                     The value ``dep
  The attribute ``hidden`` and the question type ``CC`` have been added.
 .. versionchanged:: 3.0
  The attribute ``dependency_values`` has been added.
 .. versionchanged:: 3.1
  The attribute ``print_on_invoice`` has been added.
 Endpoints
 ---------
@@ -118,8 +129,10 @@ Endpoints
            "identifier": "WY3TP9SL",
            "ask_during_checkin": false,
            "hidden": false,
            "print_on_invoice": false,
            "dependency_question": null,
            "dependency_value": null,
            "dependency_values": [],
            "options": [
              {
                "id": 1,
@@ -186,8 +199,10 @@ Endpoints
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
        "hidden": false,
        "print_on_invoice": false,
        "dependency_question": null,
        "dependency_value": null,
        "dependency_values": [],
        "options": [
          {
            "id": 1,
@@ -228,7 +243,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/questions/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "question": {"en": "T-Shirt size"},
@@ -238,8 +253,9 @@ Endpoints
        "position": 1,
        "ask_during_checkin": false,
        "hidden": false,
        "print_on_invoice": false,
        "dependency_question": null,
-        "dependency_value": null,
+        "dependency_values": [],
        "options": [
          {
            "answer": {"en": "S"}
@@ -272,8 +288,10 @@ Endpoints
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
        "hidden": false,
        "print_on_invoice": false,
        "dependency_question": null,
        "dependency_value": null,
        "dependency_values": [],
        "options": [
          {
            "id": 1,
@@ -344,8 +362,10 @@ Endpoints
        "identifier": "WY3TP9SL",
        "ask_during_checkin": false,
        "hidden": false,
        "print_on_invoice": false,
        "dependency_question": null,
        "dependency_value": null,
        "dependency_values": [],
        "options": [
          {
            "id": 1,
--- a/doc/api/resources/quotas.rst
+++ b/doc/api/resources/quotas.rst
@@ -20,12 +20,22 @@ size                                  integer                    The size of the
 items                                 list of integers           List of item IDs this quota acts on.
 variations                            list of integers           List of item variation IDs this quota acts on.
 subevent                              integer                    ID of the date inside an event series this quota belongs to (or ``null``).
 close_when_sold_out                   boolean                    If ``true``, the quota will "close" as soon as it is
                                                                 sold out once. Even if tickets become available again,
                                                                 they will not be sold unless the quota is set to open
                                                                 again.
 closed                                boolean                    Whether the quota is currently closed (see above
                                                                 field).
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.10
   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
 .. versionchanged:: 3.0
   The attributes ``close_when_sold_out`` and ``closed`` have been added.
 Endpoints
 ---------
@@ -61,7 +71,9 @@ Endpoints
            "size": 200,
            "items": [1, 2],
            "variations": [1, 4, 5, 7],
-            "subevent": null
+            "subevent": null,
            "close_when_sold_out": false,
            "closed": false
          }
        ]
      }
@@ -102,7 +114,9 @@ Endpoints
        "size": 200,
        "items": [1, 2],
        "variations": [1, 4, 5, 7],
-        "subevent": null
+        "subevent": null,
        "close_when_sold_out": false,
        "closed": false
      }
   :param organizer: The ``slug`` field of the organizer to fetch
@@ -123,14 +137,16 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/quotas/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "name": "Ticket Quota",
        "size": 200,
        "items": [1, 2],
        "variations": [1, 4, 5, 7],
-        "subevent": null
+        "subevent": null,
        "close_when_sold_out": false,
        "closed": false
      }
   **Example response**:
@@ -147,7 +163,9 @@ Endpoints
        "size": 200,
        "items": [1, 2],
        "variations": [1, 4, 5, 7],
-        "subevent": null
+        "subevent": null,
        "close_when_sold_out": false,
        "closed": false
      }
   :param organizer: The ``slug`` field of the organizer of the event/item to create a quota for
@@ -200,7 +218,9 @@ Endpoints
          1,
          2
        ],
-        "subevent": null
+        "subevent": null,
        "close_when_sold_out": false,
        "closed": false
      }
   :param organizer: The ``slug`` field of the organizer to modify
--- a/doc/api/resources/seatingplans.rst
+++ b/doc/api/resources/seatingplans.rst
@@ -0,0 +1,209 @@
 .. _`rest-seatingplans`:
 Seating plans
 =============
 Resource description
 --------------------
 The seating plan resource contains the following public fields:
 .. rst-class:: rest-resource-table
 ===================================== ========================== =======================================================
 Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the plan
 name                                  string                     Human-readable name of the plan
 layout                                object                     JSON representation of the seating plan. These
                                                                 representations follow a JSON schema that currently
                                                                 still evolves. The version in use can be found `here`_.
 ===================================== ========================== =======================================================
 .. versionchanged:: 3.0
   This endpoint has been added.
 Endpoints
 ---------
 .. http:get:: /api/v1/organizers/(organizer)/seatingplans/
   Returns a list of all seating plans within a given organizer.
   **Example request**:
   .. sourcecode:: http
      GET /api/v1/organizers/bigevents/seatingplans/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "count": 1,
        "next": null,
        "previous": null,
        "results": [
          {
            "id": 2,
            "name": "Main plan",
            "layout": { … }
          }
        ]
      }
   :query integer page: The page number in case of a multi-page result set, default is 1
   :param organizer: The ``slug`` field of the organizer to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
 .. http:get:: /api/v1/organizers/(organizer)/seatingplans/(id)/
   Returns information on one plan, identified by its ID.
   **Example request**:
   .. sourcecode:: http
      GET /api/v1/organizers/bigevents/seatingplans/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 2,
        "name": "Main plan",
        "layout": { … }
      }
   :param organizer: The ``slug`` field of the organizer to fetch
   :param id: The ``id`` field of the seating plan to fetch
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view this resource.
 .. http:post:: /api/v1/organizers/(organizer)/seatingplans/
   Creates a new seating plan
   **Example request**:
   .. sourcecode:: http
      POST /api/v1/organizers/bigevents/seatingplans/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      {
        "name": "Main plan",
        "layout": { … }
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 201 Created
      Vary: Accept
      Content-Type: application/json
      {
        "id": 3,
        "name": "Main plan",
        "layout": { … }
      }
   :param organizer: The ``slug`` field of the organizer to create a seating plan for
   :statuscode 201: no error
   :statuscode 400: The seating plan could not be created due to invalid submitted data.
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to create this resource.
 .. http:patch:: /api/v1/organizers/(organizer)/seatingplans/(id)/
   Update a plan. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
   want to change.
   You can change all fields of the resource except the ``id`` field. **You can not change a plan while it is in use for
   any events.**
   **Example request**:
   .. sourcecode:: http
      PATCH /api/v1/organizers/bigevents/seatingplans/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
      Content-Type: application/json
      Content-Length: 94
      {
        "name": "Old plan"
      }
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 200 OK
      Vary: Accept
      Content-Type: application/json
      {
        "id": 1,
        "name": "Old plan",
        "layout": { … }
      }
   :param organizer: The ``slug`` field of the organizer to modify
   :param id: The ``id`` field of the plan to modify
   :statuscode 200: no error
   :statuscode 400: The plan could not be modified due to invalid submitted data
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to change this resource **or** the plan is currently in use.
 .. http:delete:: /api/v1/organizers/(organizer)/seatingplans/(id)/
   Delete a plan. You can not delete plans which are currently in use by any events.
   **Example request**:
   .. sourcecode:: http
      DELETE /api/v1/organizers/bigevents/seatingplans/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
   **Example response**:
   .. sourcecode:: http
      HTTP/1.1 204 No Content
      Vary: Accept
   :param organizer: The ``slug`` field of the organizer to modify
   :param id: The ``id`` field of the plan to delete
   :statuscode 204: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to delete this resource **or** the plan is currently in use.
 .. _here: https://github.com/pretix/pretix/blob/master/src/pretix/static/seating/seating-plan.schema.json
--- a/doc/api/resources/subevents.rst
+++ b/doc/api/resources/subevents.rst
@@ -1,3 +1,9 @@
 .. spelling::
   geo
   lat
   lon
 .. _rest-subevents:
 Event series dates / Sub-events
@@ -28,6 +34,8 @@ date_admission                        datetime                   The sub-event's
 presale_start                         datetime                   The sub-date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The sub-date at which the ticket shop closes (or ``null``)
 location                              multi-lingual string       The sub-event location (or ``null``)
 geo_lat                               float                      Latitude of the location (or ``null``)
 geo_lon                               float                      Longitude of the location (or ``null``)
 item_price_overrides                  list of objects            List of items for which this sub-event overrides the
                                                                 default price
 ├ item                                integer                    The internal item ID
@@ -36,7 +44,11 @@ variation_price_overrides             list of objects            List of variati
                                                                 the default price
 ├ variation                           integer                    The internal variation ID
 └ price                               money (string)             The price or ``null`` for the default price
-meta_data                             dict                       Values set for organizer-specific meta data parameters.
+meta_data                             object                     Values set for organizer-specific meta data parameters.
 seating_plan                          integer                    If reserved seating is in use, the ID of a seating
                                                                 plan. Otherwise ``null``.
 seat_category_mapping                 object                     An object mapping categories of the seating plan
                                                                 (strings) to items in the event (integers or ``null``).
 ===================================== ========================== =======================================================
 .. versionchanged:: 1.7
@@ -54,9 +66,21 @@ meta_data                             dict                       Values set for
   The attribute ``is_public`` has been added.
 .. versionchanged:: 3.0
   The attributes ``seating_plan`` and ``seat_category_mapping`` have been added.
 .. versionchanged:: 3.3
   The attributes ``geo_lat`` and ``geo_lon`` have been added.
 Endpoints
 ---------
 .. versionchanged:: 3.3
    The sub-events resource can now be filtered by meta data attributes.
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/subevents/
   Returns a list of all sub-events of an event.
@@ -93,7 +117,11 @@ Endpoints
            "date_admission": null,
            "presale_start": null,
            "presale_end": null,
            "seating_plan": null,
            "seat_category_mapping": {},
            "location": null,
            "geo_lat": null,
            "geo_lon": null,
            "item_price_overrides": [
              {
                "item": 2,
@@ -113,6 +141,11 @@ Endpoints
   :query ends_after: If set to a date and time, only events that happen during of after the given time are returned.
   :param organizer: The ``slug`` field of a valid organizer
   :param event: The ``slug`` field of the main event
   :query array attr[meta_data_key]: By providing the key and value of a meta data attribute, the list of sub-events
        will only contain the sub-events matching the set criteria. Providing ``?attr[Format]=Seminar`` would return
        only those sub-events having set their ``Format`` meta data to ``Seminar``, ``?attr[Format]=`` only those, that
        have no value set. Please note that this filter will respect default values set on 
        organizer or event level.
   :statuscode 200: no error
   :statuscode 401: Authentication failure
   :statuscode 403: The requested organizer does not exist **or** you have no permission to view it.
@@ -130,7 +163,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/events/sampleconf/subevents/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "name": {"en": "First Sample Conference"},
@@ -142,6 +175,10 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "seating_plan": null,
        "seat_category_mapping": {},
        "item_price_overrides": [
          {
            "item": 2,
@@ -172,6 +209,10 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "seating_plan": null,
        "seat_category_mapping": {},
        "item_price_overrides": [
          {
            "item": 2,
@@ -223,6 +264,10 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "seating_plan": null,
        "seat_category_mapping": {},
        "item_price_overrides": [
          {
            "item": 2,
@@ -255,7 +300,7 @@ Endpoints
      PATCH /api/v1/organizers/bigevents/events/sampleconf/subevents/1/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "name": {"en": "New Subevent Name"},
@@ -287,6 +332,10 @@ Endpoints
        "presale_start": null,
        "presale_end": null,
        "location": null,
        "geo_lat": null,
        "geo_lon": null,
        "seating_plan": null,
        "seat_category_mapping": {},
        "item_price_overrides": [
          {
            "item": 2,
@@ -371,6 +420,10 @@ Endpoints
            "presale_start": null,
            "presale_end": null,
            "location": null,
            "geo_lat": null,
            "geo_lon": null,
            "seating_plan": null,
            "seat_category_mapping": {},
            "item_price_overrides": [
              {
                "item": 2,
--- a/doc/api/resources/vouchers.rst
+++ b/doc/api/resources/vouchers.rst
@@ -41,6 +41,7 @@ quota                                 integer                    An ID of a quot
 tag                                   string                     A string that is used for grouping vouchers
 comment                               string                     An internal comment on the voucher
 subevent                              integer                    ID of the date inside an event series this voucher belongs to (or ``null``).
 show_hidden_items                     boolean                    Only if set to ``true``, this voucher allows to buy products with the property ``hide_without_voucher``. Defaults to ``true``.
 ===================================== ========================== =======================================================
@@ -48,6 +49,10 @@ subevent                              integer                    ID of the date
   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
 .. versionchanged:: 3.0
   The attribute ``show_hidden_items`` has been added.
 Endpoints
 ---------
--- a/doc/api/resources/webhooks.rst
+++ b/doc/api/resources/webhooks.rst
@@ -137,7 +137,7 @@ Endpoints
      POST /api/v1/organizers/bigevents/webhooks/ HTTP/1.1
      Host: pretix.eu
      Accept: application/json, text/javascript
-      Content: application/json
+      Content-Type: application/json
      {
        "enabled": true,
--- a/doc/development/api/auth.rst
+++ b/doc/development/api/auth.rst
@@ -0,0 +1,70 @@
 .. highlight:: python
   :linenothreshold: 5
 Pluggable authentication backends
 =================================
 Plugins can supply additional authentication backends. This is mainly useful in self-hosted installations
 and allows you to use company-wide login mechanisms such as LDAP or OAuth for accessing pretix' backend.
 Every authentication backend contains an implementation of the interface defined in ``pretix.base.auth.BaseAuthBackend``
 (see below). Note that pretix authentication backends work differently than plain Django authentication backends.
 Basically, three pre-defined flows are supported:
 * Authentication mechanisms that rely on a **set of input parameters**, e.g. a username and a password. These can be
  implemented by supplying the ``login_form_fields`` property and a ``form_authenticate`` method.
 * Authentication mechanisms that rely on **external sessions**, e.g. a cookie or a proxy HTTP header. These can be
  implemented by supplying a ``request_authenticate`` method.
 * Authentication mechanisms that rely on **redirection**, e.g. to an OAuth provider. These can be implemented by
  supplying a ``authentication_url`` method and implementing a custom return view.
 Authentication backends are *not* collected through a signal. Instead, they must explicitly be set through the
 ``auth_backends`` directive in the ``pretix.cfg`` :ref:`configuration file <config>`.
 In each of these methods (``form_authenticate``, ``request_authenticate`` or your custom view) you are supposed to
 either get an existing :py:class:`pretix.base.models.User` object from the database or create a new one. There are a
 few rules you need to follow:
 * You **MUST** only return users with the ``auth_backend`` attribute set to the ``identifier`` value of your backend.
 * You **MUST** create new users with the ``auth_backend`` attribute set to the ``identifier`` value of your backend.
 * Every user object **MUST** have an email address. Email addresses are globally unique. If the email address is
  already registered to a user who signs in through a different backend, you **SHOULD** refuse the login.
 The backend interface
 ---------------------
 .. class:: pretix.base.auth.BaseAuthBackend
   The central object of each backend is the subclass of ``BaseAuthBackend``.
   .. autoattribute:: identifier
      This is an abstract attribute, you **must** override this!
   .. autoattribute:: verbose_name
      This is an abstract attribute, you **must** override this!
   .. autoattribute:: login_form_fields
   .. autoattribute:: visible
   .. automethod:: form_authenticate
   .. automethod:: request_authenticate
   .. automethod:: authentication_url
 Logging users in
 ----------------
 If you return a user from ``form_authenticate`` or ``request_authenticate``, the system will handle everything else
 for you correctly. However, if you use a redirection method and build a custom view to verify the login, we strongly
 recommend that you use the following utility method to correctly set session values and enforce two-factor
 authentication (if activated):
 .. autofunction:: pretix.control.views.auth.process_login
--- a/doc/development/api/email.rst
+++ b/doc/development/api/email.rst
@@ -101,9 +101,12 @@ The template is passed the following context variables:
   The ``Event`` object
 ``signature`` (optional, only if configured)
-   The body as markdown (render with ``{{ signature|safe }}``)
+   The signature with event organizer contact details as markdown (render with ``{{ signature|safe }}``)
 ``order`` (optional, only if applicable)
   The ``Order`` object
 ``position`` (optional, only if applicable)
   The ``OrderPosition`` object
 .. _inlinestyler: https://pypi.org/project/inlinestyler/
--- a/doc/development/api/general.rst
+++ b/doc/development/api/general.rst
@@ -12,7 +12,7 @@ Core
 .. automodule:: pretix.base.signals
   :members: periodic_task, event_live_issues, event_copy_data, email_filter, register_notification_types,
-      item_copy_data, register_sales_channels, register_global_settings
+      item_copy_data, register_sales_channels, register_global_settings, quota_availability, global_email_filter
 Order events
 """"""""""""
@@ -20,13 +20,17 @@ Order events
 There are multiple signals that will be sent out in the ordering cycle:
 .. automodule:: pretix.base.signals
-   :members: validate_cart, validate_order, order_fee_calculation, order_paid, order_placed, order_canceled, order_expired, order_modified, order_changed, order_approved, order_denied, order_fee_type_name, allow_ticket_download
+   :members: validate_cart, validate_cart_addons, validate_order, order_fee_calculation, order_paid, order_placed, order_canceled, order_expired, order_modified, order_changed, order_approved, order_denied, order_fee_type_name, allow_ticket_download, order_split, order_gracefully_delete
 Frontend
 --------
 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, checkout_flow_steps, order_info, order_meta_from_request, position_info
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, fee_calculation_for_cart, contact_form_fields, question_form_fields, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info
 .. automodule:: pretix.presale.signals
   :members: order_info, order_meta_from_request
 Request flow
 """"""""""""
@@ -45,7 +49,7 @@ Backend
 .. automodule:: pretix.control.signals
   :members: nav_event, html_head, html_page_start, quota_detail_html, nav_topbar, nav_global, nav_organizer, nav_event_settings,
-             order_info, event_settings_widget, oauth_application_registered, order_position_buttons
+             order_info, event_settings_widget, oauth_application_registered, order_position_buttons, subevent_forms, item_formsets
 .. automodule:: pretix.base.signals
--- a/doc/development/api/index.rst
+++ b/doc/development/api/index.rst
@@ -12,8 +12,10 @@ Contents:
   payment
   payment_2.0
   email
   placeholder
   invoice
   shredder
   customview
   auth
   general
   quality
--- a/doc/development/api/payment.rst
+++ b/doc/development/api/payment.rst
@@ -108,6 +108,8 @@ The provider class
   .. automethod:: execute_refund
   .. automethod:: api_payment_details
   .. automethod:: shred_payment_info
   .. autoattribute:: is_implicit
--- a/doc/development/api/placeholder.rst
+++ b/doc/development/api/placeholder.rst
@@ -0,0 +1,79 @@
 .. highlight:: python
   :linenothreshold: 5
 Writing an e-mail placeholder plugin
 ====================================
 An email placeholder is a dynamic value that pretix users can use in their email templates.
 Please read :ref:`Creating a plugin <pluginsetup>` first, if you haven't already.
 Placeholder registration
 ------------------------
 The placeholder API does not make a lot of usage from signals, however, it
 does use a signal to get a list of all available email placeholders. Your plugin
 should listen for this signal and return an instance of a subclass of ``pretix.base.email.BaseMailTextPlaceholder``::
    from django.dispatch import receiver
    from pretix.base.signals import register_mail_placeholders
    @receiver(register_mail_placeholders, dispatch_uid="placeholder_custom")
    def register_mail_renderers(sender, **kwargs):
        from .email import MyPlaceholderClass
        return MyPlaceholder()
 Context mechanism
 -----------------
 Emails are sent in different "contexts" within pretix. For example, many emails are sent in the
 the context of an order, but some are not, such as the notification of a waiting list voucher.
 Not all placeholders make sense in every email, and placeholders usually depend some parameters
 themselves, such as the ``Order`` object. Therefore, placeholders are expected to explicitly declare
 what values they depend on and they will only be available in an email if all those dependencies are
 met. Currently, placeholders can depend on the following context parameters:
 * ``event``
 * ``order``
 * ``position``
 * ``waiting_list_entry``
 * ``invoice_address``
 * ``payment``
 There are a few more that are only to be used internally but not by plugins.
 The placeholder class
 ---------------------
 .. class:: pretix.base.email.BaseMailTextPlaceholder
   .. autoattribute:: identifier
      This is an abstract attribute, you **must** override this!
   .. autoattribute:: required_context
      This is an abstract attribute, you **must** override this!
   .. automethod:: render
      This is an abstract method, you **must** implement this!
   .. automethod:: render_sample
      This is an abstract method, you **must** implement this!
 Helper class for simple placeholders
 ------------------------------------
 pretix ships with a helper class that makes it easy to provide placeholders based on simple
 functions::
     placeholder = SimpleFunctionalMailTextPlaceholder(
         'code', ['order'], lambda order: order.code, sample='F8VVL'
     )
--- a/doc/development/api/shredder.rst
+++ b/doc/development/api/shredder.rst
@@ -35,9 +35,9 @@ The shredder class
 .. class:: pretix.base.shredder.BaseDataShredder
-   The central object of each invoice renderer is the subclass of ``BaseInvoiceRenderer``.
+   The central object of each data shredder is the subclass of ``BaseDataShredder``.
-   .. py:attribute:: BaseInvoiceRenderer.event
+   .. py:attribute:: BaseDataShredder.event
      The default constructor sets this property to the event we are currently
      working for.
--- a/doc/development/api/ticketoutput.rst
+++ b/doc/development/api/ticketoutput.rst
@@ -69,3 +69,9 @@ The output class
   .. automethod:: generate_order
   .. autoattribute:: download_button_text
   .. autoattribute:: download_button_icon
   .. autoattribute:: preview_allowed
   .. autoattribute:: javascript_required
--- a/doc/development/setup.rst
+++ b/doc/development/setup.rst
@@ -65,9 +65,7 @@ Then, create the local database::
    python manage.py migrate
 A first user with username ``admin@localhost`` and password ``admin`` will be automatically
-created. If you want to generate more test data, run::
+created.
    python make_testdata.py
 If you want to see pretix in a different language than English, you have to compile our language
 files::
@@ -83,8 +81,7 @@ To run the local development webserver, execute::
 and head to http://localhost:8000/
 As we did not implement an overall front page yet, you need to go directly to
-http://localhost:8000/control/ for the admin view or, if you imported the test
+http://localhost:8000/control/ for the admin view.
 data as suggested above, to the event page at http://localhost:8000/bigevents/2019/
 .. note:: If you want the development server to listen on a different interface or
          port (for example because you develop on `pretixdroid`_), you can check
--- a/doc/spelling_wordlist.txt
+++ b/doc/spelling_wordlist.txt
@@ -31,18 +31,24 @@ deprovision
 discoverable
 django
 dockerfile
 downloadable
 durations
 eu
 filename
 filesystem
 fontawesome
 formset
 formsets
 frontend
 frontpage
 gettext
 giftcard
 gunicorn
 guid
 hardcoded
 hostname
 idempotency
 iframe
 incrementing
 inofficial
 invalidations
@@ -51,6 +57,7 @@ Jimdo
 libpretixprint
 libsass
 linters
 login
 memcached
 metadata
 middleware
@@ -72,6 +79,7 @@ overpayment
 param
 passphrase
 percental
 pluggable
 positionid
 pre
 prepend
@@ -101,6 +109,7 @@ screenshot
 scss
 searchable
 selectable
 serializable
 serializers
 serializers
 sexualized
@@ -132,8 +141,10 @@ username
 url
 versa
 versioning
 viewable
 viewset
 viewsets
 waitinglist
 webhook
 webhooks
 webserver
--- a/doc/user/events/giftcards.rst
+++ b/doc/user/events/giftcards.rst
@@ -0,0 +1,71 @@
 .. spelling::
   Warengutschein
   Wertgutschein
 Gift cards
 ==========
 Gift cards, also known as "gift coupons" or "gift certificates" are a mechanism that allows you to sell tokens that
 can later be used to pay for tickets.
 Gift cards are very different feature than **vouchers**. The difference is:
 * Vouchers can be used to give a discount. When a voucher is used, the price of a ticket is reduced by the configured
  discount and sold at a lower price. They therefore reduce both revenue as well as taxes. Vouchers (in pretix) are
  always specific to a certain product in an order. Vouchers are usually not sold but given out as part of a
  marketing campaign or to specific groups of people. Vouchers in pretix are bound to a specific event.
 * Gift cards are not a discount, but rather a means of payment. If you buy a €20 ticket with a €10 gift card, it is
  still a €20 ticket and will still count towards your revenue with €20. Gift cards are usually bought for the money
  that they are worth. Gift cards in pretix can be used across events (and even organizers).
 Selling gift cards
 ------------------
 Selling gift cards works like selling every other type of product in pretix: Create a new product, then head to
 "Additional settings" and select the option "This product is a gift card". Whenever someone buys this product and
 pays for it, a new gift card will be created.
 In this case, the gift card code corresponds to the "ticket secret" in the PDF ticket. Therefore, if selling gift cards,
 you can use ticket downloads just as with normal tickets and use our ticket editor to create beautiful gift certificates
 people can give to their loved ones.
 Of course, you can use pretix' flexible options to modify your product. For example, you can configure that the customer
 can freely choose the price of the gift card.
 .. note::
   pretix currently does not support charging sales tax or VAT when selling gift cards, but instead charges VAT on
   the full price when the gift card is redeemed. This is the correct behavior in Germany and some other countries for
   gift cards which are not bound to a very specific service ("Warengutschein"), but instead to a monetary amount
   ("Wertgutschein").
 .. note::
   The ticket PDF will not contain the correct gift card code before the order has been paid, so we recommend not
   selling gift cards in events where tickets are issued before payments arrive.
 Accepting gift cards
 --------------------
 All your events have have the payment provider "Gift card" enabled by default, but it will only show up in the ticket
 shop once the very first gift card has been issued on your organizer account. Of course, you can turn off gift card
 payments if you do not want them for a specific event.
 If gift card payments are enabled, buyers will be able to select "Gift card" as a payment method during checkout. If
 a gift card with a value less than the order total is used, the buyer will be asked to select a second payment method
 for the remaining payment. If a gift card with a value greater than the order total is used, the surplus amount
 remains on the gift card and can be used in a different purchase.
 If it possible to accept gift cards across organizer accounts. To do so, you need to have access to both organizer
 accounts. Then, you will see a configuration section at the bottom of the "Gift cards" page of your organizer settings
 where you can specify which gift cards should be accepted.
 Manually issuing or using gift cards
 ------------------------------------
 Of course, you can also issue or redeem gift cards manually through our backend using the "Gift cards" menu item in your
 organizer profile or using our API. These gift cards will be tracked by pretix, but do not correspond to any purchase
 within pretix. You will therefore need to account for them in your books separately.
--- a/doc/user/events/structureguide.rst
+++ b/doc/user/events/structureguide.rst
@@ -45,8 +45,8 @@ In addition, you will need quotas. If you do not care how many of your tickets a
 If you want to limit the number of student tickets to 50 to ensure a certain minimum revenue, but do not want to limit the number of regular tickets artificially, we suggest you to create the same quota of 200 that is linked to both products, and then create a **second quota** of 50 that is only linked to the student ticket. This way, the system will reduce both quotas whenever a student ticket is sold and only the larger quota when a regular ticket is sold.
-Use case: Early-bird tiers
+Use case: Early-bird tiers based on dates
--------------------------
+-----------------------------------------
 Let's say you run a conference that has the following pricing scheme:
@@ -58,9 +58,53 @@ Of course, you could just set up one product and change its price at the given d
 Create three products (e.g. "super early bird", "early bird", "regular ticket") with the respective prices and one shared quota of your total event capacity. Then, set the **available from** and **available until** configuration fields of the products to automatically turn them on and off based on the current date.
-.. note::
+Use case: Early-bird tiers based on ticket numbers
 --------------------------------------------------
-   pretix currently can't do early-bird tiers based on **ticket number** instead of time. We're planning this feature for later in 2019. For now, you'll need to monitor that manually.
+Let's say you run a conference with 400 tickets that has the following pricing scheme:
 * First 100 tickets ("super early bird"): € 450
 * Next 100 tickets ("early bird"): € 550
 * Remaining tickets ("regular"): € 650
 First of all, create three products:
 * "Super early bird ticket"
 * "Early bird ticket"
 * "Regular ticket"
 Then, create three quotas:
 * "Super early bird" with a **size of 100** and the "Super early bird ticket" product selected. At "Advanced options",
  select the box "Close this quota permanently once it is sold out".
 * "Early bird and lower" with a **size of 200** and both of the "Super early bird ticket" and "Early bird ticket"
  products selected. At "Advanced options", select the box "Close this quota permanently once it is sold out".
 * "All participants" with a **size of 400**, all three products selected and **no additional options**.
 Next, modify the product "Regular ticket". In the section "Availability", you should look for the option "Only show
 after sellout of" and select your quota "Early bird and lower". Do the same for the "Early bird ticket" with the quota
 "Super early bird ticket".
 This will ensure the following things:
 * Each ticket level is only visible after the previous level is sold out.
 * As soon as one level is really sold out, it's not coming back, because the quota "closes", i.e. locks in place.
 * By creating a total quota of 400 with all tickets included, you can still make sure to sell the maximum number of
  tickets, even if e.g. early-bird tickets are canceled.
 Optionally, if you want to hide the early bird prices once they are sold out, go to "Settings", then "Display" and
 select "Hide all products that are sold out". Of course, it might be a nice idea to keep showing the prices to remind
 people to buy earlier next time ;)
 Please note that there might be short time intervals where the prices switch back and forth: When the last early bird
 tickets are in someone's cart (but not yet sold!), the early bird tickets will show as "Reserved" and the regular
 tickets start showing up. However, if the customers holding the reservations do not complete their order,
 the early bird tickets will become available again. This is not avoidable if we want to prevent malicious users
 from blocking all the cheap tickets without an actual sale happening.
 Use case: Up-selling of ticket extras
 -------------------------------------
@@ -85,8 +129,14 @@ Use case: Conference with workshops
 When running a conference, you might also organize a number of workshops with smaller capacity. To be able to plan, it would be great to know which workshops an attendee plans to attend.
 Option A: Questions
 """""""""""""""""""
 Your first and simplest option is to just create a multiple-choice question. This has the upside of making it easy for users to change their mind later on, but will not allow you to restrict the number of attendees signing up for a given workshop – or even charge extra for a given workshop.
 Option B: Add-on products with fixed time slots
 """""""""""""""""""""""""""""""""""""""""""""""
 The usually better option is to go with add-on products. Let's take for example the following conference schedule, in which the lecture can be attended by anyone, but the workshops only have space for 20 persons each:
 ==================== =================================== ===================================
@@ -117,6 +167,42 @@ Assuming you already created one or more products for your general conference ad
 * One add-on configuration on your base product that allows users to choose between 0 and 2 products from the category "Workshops"
 Option C: Add-on products with variable time slots
 """"""""""""""""""""""""""""""""""""""""""""""""""
 The above option only works if your conference uses fixed time slots and every workshop uses exactly one time slot. If
 your schedule looks like this, it's not going to work great:
 +-------------+------------+-----------+
 | Time        | Room A     | Room B    |
 +=============+============+===========+
 | 09:00-11:00 | Talk 1     | Long      |
 +-------------+------------+ Workshop 1|
 | 11:00-13:00 | Talk 2     |           |
 +-------------+------------+-----------+
 | 14:00-16:00 | Long       | Talk 3    |
 +-------------+ workshop 2 +-----------+
 | 16:00-18:00 |            | Talk 4    |
 +-------------+------------+-----------+
 In this case, we recommend that you go to *Settings*, then *Plugins* and activate the plugin **Agenda constraints**.
 Then, create a product (without variations) for every single part that should be bookable (talks 1-4 and long workshops
 1 and 2) as well as appropriate quotas for each of them.
 All of these products should be part of the same category. In your base product (e.g. your conference ticket), you
 can then create an add-on product configuration allowing users to add products from this category.
 If you edit these products, you will be able to enter the "Start date" and "End date" of the talk or workshop close
 to the bottom of the page. If you fill in these values, pretix will automatically ensure no overlapping talks are
 booked.
 .. note::
    This option is currently only available on pretix Hosted. If you are interested in using it with pretix Enterprise,
    please contact sales@pretix.eu.
 Use case: Discounted packages
 -----------------------------
--- a/doc/user/events/widget.rst
+++ b/doc/user/events/widget.rst
@@ -143,6 +143,11 @@ You can see an example here:
        </div>
    </noscript>
 You can filter events by meta data attributes. You can create those attributes in your order profile and set their values in both event and series date
 settings. For example, if you set up a meta data property called "Promoted" that you set to "Yes" on some events, you can pass a filter like this::
   <pretix-widget event="https://pretix.eu/demo/series/" style="list" filter="attr[Promoted]=Yes"></pretix-widget>
 pretix Button
 -------------
@@ -201,6 +206,21 @@ If you want, you can suppress us loading the widget and/or modify the user data
 If you then later want to trigger loading the widgets, just call ``window.PretixWidget.buildWidgets()``.
 Waiting for the widget to load
 ------------------------------
 If you want to run custom JavaScript once the widget is fully loaded, you can register a callback function. Note that
 this function might be run multiple times, for example if you have multiple widgets on a page or if the user switches
 e.g. from an event list to an event detail view::
    <script type="text/javascript">
    window.pretixWidgetCallback = function () {
        window.PretixWidget.addLoadListener(function () {
            console.log("Widget has loaded!");
        });
    }
    </script>
 Passing user data to the widget
 -------------------------------
@@ -269,6 +289,9 @@ Hosted or pretix Enterprise are active, you can pass the following fields:
        };
    </script>
  In some combinations with Google Tag Manager, the widget does not load this way. In this case, try replacing
  ``tracker.get('clientId')`` with ``ga.getAll()[0].get('clientId')``.
 .. versionchanged:: 2.3
--- a/doc/user/index.rst
+++ b/doc/user/index.rst
@@ -12,5 +12,6 @@ wanting to use pretix to sell tickets.
   events/settings
   events/structureguide
   events/widget
   events/giftcards
   faq
-   markdown
+   markdown
--- a/src/MANIFEST.in
+++ b/src/MANIFEST.in
@@ -22,3 +22,5 @@ recursive-include pretix/plugins/ticketoutputpdf/templates *
 recursive-include pretix/plugins/ticketoutputpdf/static *
 recursive-include pretix/plugins/badges/templates *
 recursive-include pretix/plugins/badges/static *
 recursive-include pretix/plugins/returnurl/templates *
 recursive-include pretix/plugins/returnurl/static *
--- a/src/make_testdata.py
+++ b/src/make_testdata.py
@@ -1,71 +0,0 @@
 #!/usr/bin/env python
 import os
 import sys
 from datetime import datetime
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "pretix.settings")
 import django
 django.setup()
 from pretix.base.models import *  # NOQA
 from django.utils.timezone import now
 if Organizer.objects.exists():
    print("There already is data in your DB!")
    sys.exit(0)
 user = User.objects.get_or_create(
    email='admin@localhost',
 )[0]
 user.set_password('admin')
 user.save()
 organizer = Organizer.objects.create(
    name='BigEvents LLC', slug='bigevents'
 )
 year = now().year + 1
 event = Event.objects.create(
    organizer=organizer, name='Demo Conference {}'.format(year),
    slug=year, currency='EUR', live=True,
    date_from=datetime(year, 9, 4, 17, 0, 0),
    date_to=datetime(year, 9, 6, 17, 0, 0),
 )
 t = Team.objects.get_or_create(
    organizer=organizer, name='Admin Team',
    all_events=True, can_create_events=True, can_change_teams=True,
    can_change_organizer_settings=True, can_change_event_settings=True, can_change_items=True,
    can_view_orders=True, can_change_orders=True, can_view_vouchers=True, can_change_vouchers=True
 )
 t[0].members.add(user)
 cat_tickets = ItemCategory.objects.create(
    event=event, name='Tickets'
 )
 cat_merch = ItemCategory.objects.create(
    event=event, name='Merchandise'
 )
 question = Question.objects.create(
    event=event, question='Age',
    type=Question.TYPE_NUMBER, required=False
 )
 tr19 = event.tax_rules.create(rate=19)
 item_ticket = Item.objects.create(
    event=event, category=cat_tickets, name='Ticket',
    default_price=23, tax_rule=tr19, admission=True
 )
 item_ticket.questions.add(question)
 item_shirt = Item.objects.create(
    event=event, category=cat_merch, name='T-Shirt',
    default_price=15, tax_rule=tr19
 )
 var_s = ItemVariation.objects.create(item=item_shirt, value='S')
 var_m = ItemVariation.objects.create(item=item_shirt, value='M')
 var_l = ItemVariation.objects.create(item=item_shirt, value='L')
 ticket_quota = Quota.objects.create(
    event=event, name='Ticket quota', size=400,
 )
 ticket_quota.items.add(item_ticket)
 ticket_shirts = Quota.objects.create(
    event=event, name='Shirt quota', size=200,
 )
 ticket_quota.items.add(item_shirt)
 ticket_quota.variations.add(var_s, var_m, var_l)
--- a/src/pretix/init.py
+++ b/src/pretix/init.py
@@ -1 +1 @@
-__version__ = "2.8.2"
+__version__ = "3.3.0"
--- a/src/pretix/api/auth/device.py
+++ b/src/pretix/api/auth/device.py
@@ -1,4 +1,5 @@
 from django.contrib.auth.models import AnonymousUser
 from django_scopes import scopes_disabled
 from rest_framework import exceptions
 from rest_framework.authentication import TokenAuthentication
@@ -12,7 +13,8 @@ class DeviceTokenAuthentication(TokenAuthentication):
    def authenticate_credentials(self, key):
        model = self.get_model()
        try:
-            device = model.objects.select_related('organizer').get(api_token=key)
+            with scopes_disabled():
                device = model.objects.select_related('organizer').get(api_token=key)
        except model.DoesNotExist:
            raise exceptions.AuthenticationFailed('Invalid token.')
--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -3,7 +3,7 @@ from rest_framework.permissions import SAFE_METHODS, BasePermission
 from pretix.api.models import OAuthAccessToken
 from pretix.base.models import Device, Event, User
 from pretix.base.models.auth import SuperuserPermissionSet
-from pretix.base.models.organizer import Organizer, TeamAPIToken
+from pretix.base.models.organizer import TeamAPIToken
 from pretix.helpers.security import (
    SessionInvalid, SessionReauthRequired, assert_session_valid,
 )
@@ -50,9 +50,6 @@ class EventPermission(BasePermission):
                return False
        elif 'organizer' in request.resolver_match.kwargs:
            request.organizer = Organizer.objects.filter(
                slug=request.resolver_match.kwargs['organizer'],
            ).first()
            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer, request=request):
                return False
            if isinstance(perm_holder, User) and perm_holder.has_active_staff_session(request.session.session_key):
--- a/src/pretix/api/middleware.py
+++ b/src/pretix/api/middleware.py
@@ -4,10 +4,13 @@ from hashlib import sha1
 from django.conf import settings
 from django.db import transaction
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from django.utils.timezone import now
 from django_scopes import scope
 from rest_framework import status
 from pretix.api.models import ApiCall
 from pretix.base.models import Organizer
 class IdempotencyMiddleware:
@@ -89,3 +92,21 @@ class IdempotencyMiddleware:
            for k, v in json.loads(call.response_headers).values():
                r[k] = v
            return r
 class ApiScopeMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
    def __call__(self, request: HttpRequest):
        if not request.path.startswith('/api/'):
            return self.get_response(request)
        url = resolve(request.path_info)
        if 'organizer' in url.kwargs:
            request.organizer = Organizer.objects.filter(
                slug=url.kwargs['organizer'],
            ).first()
        with scope(organizer=getattr(request, 'organizer', None)):
            return self.get_response(request)
--- a/src/pretix/api/migrations/0005_auto_20191028_1541.py
+++ b/src/pretix/api/migrations/0005_auto_20191028_1541.py
@@ -0,0 +1,18 @@
 # Generated by Django 2.2.1 on 2019-10-28 15:41
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('pretixapi', '0004_auto_20190405_1048'),
    ]
    operations = [
        migrations.AlterField(
            model_name='oauthgrant',
            name='redirect_uri',
            field=models.CharField(max_length=2500),
        ),
    ]
--- a/src/pretix/api/models.py
+++ b/src/pretix/api/models.py
@@ -43,6 +43,7 @@ class OAuthGrant(AbstractGrant):
        OAuthApplication, on_delete=models.CASCADE
    )
    organizers = models.ManyToManyField('pretixbase.Organizer')
    redirect_uri = models.CharField(max_length=2500)  # Only 255 in AbstractGrant, which caused problems
 class OAuthAccessToken(AbstractAccessToken):
--- a/src/pretix/api/serializers/cart.py
+++ b/src/pretix/api/serializers/cart.py
@@ -8,31 +8,33 @@ from rest_framework.exceptions import ValidationError
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import (
-    AnswerCreateSerializer, AnswerSerializer,
+    AnswerCreateSerializer, AnswerSerializer, InlineSeatSerializer,
 )
-from pretix.base.models import Quota
+from pretix.base.models import Quota, Seat
 from pretix.base.models.orders import CartPosition
 class CartPositionSerializer(I18nAwareModelSerializer):
    answers = AnswerSerializer(many=True)
    seat = InlineSeatSerializer()
    class Meta:
        model = CartPosition
        fields = ('id', 'cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
                  'attendee_email', 'voucher', 'addon_to', 'subevent', 'datetime', 'expires', 'includes_tax',
-                  'answers',)
+                  'answers', 'seat')
 class CartPositionCreateSerializer(I18nAwareModelSerializer):
    answers = AnswerCreateSerializer(many=True, required=False)
    expires = serializers.DateTimeField(required=False)
    attendee_name = serializers.CharField(required=False, allow_null=True)
    seat = serializers.CharField(required=False, allow_null=True)
    class Meta:
        model = CartPosition
        fields = ('cart_id', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
-                  'subevent', 'expires', 'includes_tax', 'answers',)
+                  'subevent', 'expires', 'includes_tax', 'answers', 'seat')
    def create(self, validated_data):
        answers_data = validated_data.pop('answers')
@@ -71,6 +73,24 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):
                validated_data['attendee_name_parts'] = {
                    '_legacy': attendee_name
                }
            seated = validated_data.get('item').seat_category_mappings.filter(subevent=validated_data.get('subevent')).exists()
            if validated_data.get('seat'):
                if not seated:
                    raise ValidationError('The specified product does not allow to choose a seat.')
                try:
                    seat = self.context['event'].seats.get(seat_guid=validated_data['seat'], subevent=validated_data.get('subevent'))
                except Seat.DoesNotExist:
                    raise ValidationError('The specified seat does not exist.')
                except Seat.MultipleObjectsReturned:
                    raise ValidationError('The specified seat ID is not unique.')
                else:
                    validated_data['seat'] = seat
                    if not seat.is_available():
                        raise ValidationError(ugettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name))
            elif seated:
                raise ValidationError('The specified product requires to choose a seat.')
            cp = CartPosition.objects.create(event=self.context['event'], **validated_data)
        for answ_data in answers_data:
--- a/src/pretix/api/serializers/checkin.py
+++ b/src/pretix/api/serializers/checkin.py
@@ -3,6 +3,7 @@ from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.channels import get_all_sales_channels
 from pretix.base.models import CheckinList
@@ -13,7 +14,7 @@ class CheckinListSerializer(I18nAwareModelSerializer):
    class Meta:
        model = CheckinList
        fields = ('id', 'name', 'all_products', 'limit_products', 'subevent', 'checkin_count', 'position_count',
-                  'include_pending')
+                  'include_pending', 'auto_checkin_sales_channels')
    def validate(self, data):
        data = super().validate(data)
@@ -35,4 +36,8 @@ class CheckinListSerializer(I18nAwareModelSerializer):
            if full_data.get('subevent'):
                raise ValidationError(_('The subevent does not belong to this event.'))
        for channel in full_data.get('auto_checkin_sales_channels') or []:
            if channel not in get_all_sales_channels():
                raise ValidationError(_('Unknown sales channel.'))
        return data
--- a/src/pretix/api/serializers/event.py
+++ b/src/pretix/api/serializers/event.py
@@ -11,6 +11,9 @@ from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import Event, TaxRule
 from pretix.base.models.event import SubEvent
 from pretix.base.models.items import SubEventItem, SubEventItemVariation
 from pretix.base.services.seating import (
    SeatProtected, generate_seats, validate_plan_change,
 )
 class MetaDataField(Field):
@@ -26,6 +29,22 @@ class MetaDataField(Field):
        }
 class SeatCategoryMappingField(Field):
    def to_representation(self, value):
        qs = value.seat_category_mappings.all()
        if isinstance(value, Event):
            qs = qs.filter(subevent=None)
        return {
            v.layout_category: v.product_id for v in qs
        }
    def to_internal_value(self, data):
        return {
            'seat_category_mapping': data or {}
        }
 class PluginsField(Field):
    def to_representation(self, obj):
@@ -45,12 +64,14 @@ class PluginsField(Field):
 class EventSerializer(I18nAwareModelSerializer):
    meta_data = MetaDataField(required=False, source='*')
    plugins = PluginsField(required=False, source='*')
    seat_category_mapping = SeatCategoryMappingField(source='*', required=False)
    class Meta:
        model = Event
        fields = ('name', 'slug', 'live', 'testmode', 'currency', 'date_from',
                  'date_to', 'date_admission', 'is_public', 'presale_start',
-                  'presale_end', 'location', 'has_subevents', 'meta_data', 'plugins')
+                  'presale_end', 'location', 'geo_lat', 'geo_lon', 'has_subevents', 'meta_data', 'seating_plan',
                  'plugins', 'seat_category_mapping')
    def validate(self, data):
        data = super().validate(data)
@@ -61,6 +82,9 @@ class EventSerializer(I18nAwareModelSerializer):
        Event.clean_dates(data.get('date_from'), data.get('date_to'))
        Event.clean_presale(data.get('presale_start'), data.get('presale_end'))
        if full_data.get('has_subevents') and full_data.get('seating_plan'):
            raise ValidationError('Event series should not directly be assigned a seating plan.')
        return data
    def validate_has_subevents(self, value):
@@ -92,6 +116,27 @@ class EventSerializer(I18nAwareModelSerializer):
                raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
        return value
    def validate_seating_plan(self, value):
        if value and value.organizer != self.context['request'].organizer:
            raise ValidationError('Invalid seating plan.')
        if self.instance and self.instance.pk:
            try:
                validate_plan_change(self.instance, None, value)
            except SeatProtected as e:
                raise ValidationError(str(e))
        return value
    def validate_seat_category_mapping(self, value):
        if value and value['seat_category_mapping'] and (not self.instance or not self.instance.pk):
            raise ValidationError('You cannot specify seat category mappings on event creation.')
        item_cache = {i.pk: i for i in self.instance.items.all()}
        result = {}
        for k, item in value['seat_category_mapping'].items():
            if item not in item_cache:
                raise ValidationError('Item \'{id}\' does not exist.'.format(id=item))
            result[k] = item_cache[item]
        return {'seat_category_mapping': result}
    def validate_plugins(self, value):
        from pretix.base.plugins import get_all_plugins
@@ -109,6 +154,7 @@ class EventSerializer(I18nAwareModelSerializer):
    @transaction.atomic
    def create(self, validated_data):
        meta_data = validated_data.pop('meta_data', None)
        validated_data.pop('seat_category_mapping', None)
        plugins = validated_data.pop('plugins', settings.PRETIX_PLUGINS_DEFAULT.split(','))
        event = super().create(validated_data)
@@ -120,6 +166,10 @@ class EventSerializer(I18nAwareModelSerializer):
                    value=value
                )
        # Seats
        if event.seating_plan:
            generate_seats(event, None, event.seating_plan, {})
        # Plugins
        if plugins is not None:
            event.set_active_plugins(plugins)
@@ -131,6 +181,7 @@ class EventSerializer(I18nAwareModelSerializer):
    def update(self, instance, validated_data):
        meta_data = validated_data.pop('meta_data', None)
        plugins = validated_data.pop('plugins', None)
        seat_category_mapping = validated_data.pop('seat_category_mapping', None)
        event = super().update(instance, validated_data)
        # Meta data
@@ -151,6 +202,29 @@ class EventSerializer(I18nAwareModelSerializer):
                if prop.name not in meta_data:
                    current_object.delete()
        # Seats
        if seat_category_mapping is not None or ('seating_plan' in validated_data and validated_data['seating_plan'] is None):
            current_mappings = {
                m.layout_category: m
                for m in event.seat_category_mappings.filter(subevent=None)
            }
            if not event.seating_plan:
                seat_category_mapping = {}
            for key, value in seat_category_mapping.items():
                if key in current_mappings:
                    m = current_mappings.pop(key)
                    m.product = value
                    m.save()
                else:
                    event.seat_category_mappings.create(product=value, layout_category=key)
            for m in current_mappings.values():
                m.delete()
        if 'seating_plan' in validated_data or seat_category_mapping is not None:
            generate_seats(event, None, event.seating_plan, {
                m.layout_category: m.product
                for m in event.seat_category_mappings.select_related('product').filter(subevent=None)
            })
        # Plugins
        if plugins is not None:
            event.set_active_plugins(plugins)
@@ -165,6 +239,7 @@ class CloneEventSerializer(EventSerializer):
        plugins = validated_data.pop('plugins', None)
        is_public = validated_data.pop('is_public', None)
        testmode = validated_data.pop('testmode', None)
        has_subevents = validated_data.pop('has_subevents', None)
        new_event = super().create(validated_data)
        event = Event.objects.filter(slug=self.context['event'], organizer=self.context['organizer'].pk).first()
@@ -176,6 +251,8 @@ class CloneEventSerializer(EventSerializer):
            new_event.is_public = is_public
        if testmode is not None:
            new_event.testmode = testmode
        if has_subevents is not None:
            new_event.has_subevents = has_subevents
        new_event.save()
        return new_event
@@ -196,14 +273,16 @@ class SubEventItemVariationSerializer(I18nAwareModelSerializer):
 class SubEventSerializer(I18nAwareModelSerializer):
    item_price_overrides = SubEventItemSerializer(source='subeventitem_set', many=True, required=False)
    variation_price_overrides = SubEventItemVariationSerializer(source='subeventitemvariation_set', many=True, required=False)
    seat_category_mapping = SeatCategoryMappingField(source='*', required=False)
    event = SlugRelatedField(slug_field='slug', read_only=True)
    meta_data = MetaDataField(source='*')
    class Meta:
        model = SubEvent
        fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
-                  'presale_start', 'presale_end', 'location', 'event', 'is_public',
+                  'presale_start', 'presale_end', 'location', 'geo_lat', 'geo_lon', 'event', 'is_public',
-                  'item_price_overrides', 'variation_price_overrides', 'meta_data')
+                  'seating_plan', 'item_price_overrides', 'variation_price_overrides', 'meta_data',
                  'seat_category_mapping')
    def validate(self, data):
        data = super().validate(data)
@@ -225,6 +304,25 @@ class SubEventSerializer(I18nAwareModelSerializer):
    def validate_variation_price_overrides(self, data):
        return list(filter(lambda i: 'variation' in i, data))
    def validate_seating_plan(self, value):
        if value and value.organizer != self.context['request'].organizer:
            raise ValidationError('Invalid seating plan.')
        if self.instance and self.instance.pk:
            try:
                validate_plan_change(self.context['request'].event, self.instance, value)
            except SeatProtected as e:
                raise ValidationError(str(e))
        return value
    def validate_seat_category_mapping(self, value):
        item_cache = {i.pk: i for i in self.context['request'].event.items.all()}
        result = {}
        for k, item in value['seat_category_mapping'].items():
            if item not in item_cache:
                raise ValidationError('Item \'{id}\' does not exist.'.format(id=item))
            result[k] = item_cache[item]
        return {'seat_category_mapping': result}
    @cached_property
    def meta_properties(self):
        return {
@@ -242,6 +340,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
        meta_data = validated_data.pop('meta_data', None)
        seat_category_mapping = validated_data.pop('seat_category_mapping', None)
        subevent = super().create(validated_data)
        for item_price_override_data in item_price_overrides_data:
@@ -257,6 +356,18 @@ class SubEventSerializer(I18nAwareModelSerializer):
                    value=value
                )
        # Seats
        if subevent.seating_plan:
            if seat_category_mapping is not None:
                for key, value in seat_category_mapping.items():
                    self.context['request'].event.seat_category_mappings.create(
                        product=value, layout_category=key, subevent=subevent
                    )
            generate_seats(self.context['request'].event, subevent, subevent.seating_plan, {
                m.layout_category: m.product
                for m in self.context['request'].event.seat_category_mappings.select_related('product').filter(subevent=subevent)
            })
        return subevent
    @transaction.atomic
@@ -264,6 +375,7 @@ class SubEventSerializer(I18nAwareModelSerializer):
        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
        variation_price_overrides_data = validated_data.pop('subeventitemvariation_set') if 'subeventitemvariation_set' in validated_data else {}
        meta_data = validated_data.pop('meta_data', None)
        seat_category_mapping = validated_data.pop('seat_category_mapping', None)
        subevent = super().update(instance, validated_data)
        existing_item_overrides = {item.item: item.id for item in SubEventItem.objects.filter(subevent=subevent)}
@@ -300,6 +412,31 @@ class SubEventSerializer(I18nAwareModelSerializer):
                if prop.name not in meta_data:
                    current_object.delete()
        # Seats
        if seat_category_mapping is not None or ('seating_plan' in validated_data and validated_data['seating_plan'] is None):
            current_mappings = {
                m.layout_category: m
                for m in self.context['request'].event.seat_category_mappings.filter(subevent=subevent)
            }
            if not subevent.seating_plan:
                seat_category_mapping = {}
            for key, value in seat_category_mapping.items():
                if key in current_mappings:
                    m = current_mappings.pop(key)
                    m.product = value
                    m.save()
                else:
                    self.context['request'].event.seat_category_mappings.create(
                        product=value, layout_category=key, subevent=subevent
                    )
            for m in current_mappings.values():
                m.delete()
        if 'seating_plan' in validated_data or seat_category_mapping is not None:
            generate_seats(self.context['request'].event, subevent, subevent.seating_plan, {
                m.layout_category: m.product
                for m in self.context['request'].event.seat_category_mappings.select_related('product').filter(subevent=subevent)
            })
        return subevent
--- a/src/pretix/api/serializers/item.py
+++ b/src/pretix/api/serializers/item.py
@@ -118,7 +118,8 @@ class ItemSerializer(I18nAwareModelSerializer):
                  'position', 'picture', 'available_from', 'available_until',
                  'require_voucher', 'hide_without_voucher', 'allow_cancel', 'require_bundling',
                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations', 'variations',
-                  'addons', 'bundles', 'original_price', 'require_approval', 'generate_tickets')
+                  'addons', 'bundles', 'original_price', 'require_approval', 'generate_tickets',
                  'show_quota_left', 'hidden_if_available', 'allow_waitinglist', 'issue_giftcard')
        read_only_fields = ('has_variations', 'picture')
    def get_serializer_context(self):
@@ -133,6 +134,17 @@ class ItemSerializer(I18nAwareModelSerializer):
        Item.clean_per_order(data.get('min_per_order'), data.get('max_per_order'))
        Item.clean_available(data.get('available_from'), data.get('available_until'))
        if data.get('issue_giftcard'):
            if data.get('tax_rule') and data.get('tax_rule').rate > 0:
                raise ValidationError(
                    _("Gift card products should not be associated with non-zero tax rates since sales tax will be "
                      "applied when the gift card is redeemed.")
                )
            if data.get('admission'):
                raise ValidationError(_(
                    "Gift card products should not be admission products at the same time."
                ))
        return data
    def validate_category(self, value):
@@ -200,15 +212,25 @@ class InlineQuestionOptionSerializer(I18nAwareModelSerializer):
        fields = ('id', 'identifier', 'answer', 'position')
 class LegacyDependencyValueField(serializers.CharField):
    def to_representation(self, obj):
        return obj[0] if obj else None
    def to_internal_value(self, data):
        return [data] if data else []
 class QuestionSerializer(I18nAwareModelSerializer):
    options = InlineQuestionOptionSerializer(many=True, required=False)
    identifier = serializers.CharField(allow_null=True)
    dependency_value = LegacyDependencyValueField(source='dependency_values', required=False, allow_null=True)
    class Meta:
        model = Question
        fields = ('id', 'question', 'type', 'required', 'items', 'options', 'position',
-                  'ask_during_checkin', 'identifier', 'dependency_question', 'dependency_value',
+                  'ask_during_checkin', 'identifier', 'dependency_question', 'dependency_values',
-                  'hidden')
+                  'hidden', 'dependency_value', 'print_on_invoice')
    def validate_identifier(self, value):
        Question._clean_identifier(self.context['event'], value, self.instance)
@@ -238,6 +260,9 @@ class QuestionSerializer(I18nAwareModelSerializer):
        dep = full_data.get('dependency_question')
        if dep:
            if dep.ask_during_checkin:
                raise ValidationError(_('Question cannot depend on a question asked during check-in.'))
            seen_ids = {self.instance.pk} if self.instance else set()
            while dep:
                if dep.pk in seen_ids:
@@ -262,6 +287,7 @@ class QuestionSerializer(I18nAwareModelSerializer):
    def create(self, validated_data):
        options_data = validated_data.pop('options') if 'options' in validated_data else []
        items = validated_data.pop('items')
        question = Question.objects.create(**validated_data)
        question.items.set(items)
        for opt_data in options_data:
@@ -273,7 +299,7 @@ class QuotaSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Quota
-        fields = ('id', 'name', 'size', 'items', 'variations', 'subevent')
+        fields = ('id', 'name', 'size', 'items', 'variations', 'subevent', 'closed', 'close_when_sold_out')
    def validate(self, data):
        data = super().validate(data)
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -2,6 +2,8 @@ import json
 from collections import Counter
 from decimal import Decimal
 import pycountry
 from django.db.models import F, Q
 from django.utils.timezone import now
 from django.utils.translation import ugettext_lazy
 from django_countries.fields import Country
@@ -15,13 +17,17 @@ from pretix.base.channels import get_all_sales_channels
 from pretix.base.i18n import language
 from pretix.base.models import (
    Checkin, Invoice, InvoiceAddress, InvoiceLine, Item, ItemVariation, Order,
-    OrderPosition, Question, QuestionAnswer, SubEvent,
+    OrderPosition, Question, QuestionAnswer, Seat, SubEvent, Voucher,
 )
 from pretix.base.models.orders import (
    CartPosition, OrderFee, OrderPayment, OrderRefund,
 )
 from pretix.base.pdf import get_variables
 from pretix.base.services.cart import error_messages
 from pretix.base.services.pricing import get_price
 from pretix.base.settings import COUNTRIES_WITH_STATE_IN_ADDRESS
 from pretix.base.signals import register_ticket_outputs
 from pretix.multidomain.urlreverse import build_absolute_uri
 class CompatibleCountryField(serializers.Field):
@@ -42,8 +48,8 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
    class Meta:
        model = InvoiceAddress
        fields = ('last_modified', 'is_business', 'company', 'name', 'name_parts', 'street', 'zipcode', 'city', 'country',
-                  'vat_id', 'vat_id_validated', 'internal_reference')
+                  'state', 'vat_id', 'vat_id_validated', 'internal_reference')
-        read_only_fields = ('last_modified', 'vat_id_validated')
+        read_only_fields = ('last_modified',)
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -58,6 +64,24 @@ class InvoiceAddressSerializer(I18nAwareModelSerializer):
            )
        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
            data['name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
        if data.get('country'):
            if not pycountry.countries.get(alpha_2=data.get('country')):
                raise ValidationError(
                    {'country': ['Invalid country code.']}
                )
        if data.get('state'):
            cc = str(data.get('country') or self.instance.country or '')
            if cc not in COUNTRIES_WITH_STATE_IN_ADDRESS:
                raise ValidationError(
                    {'state': ['States are not supported in country "{}".'.format(cc)]}
                )
            if not pycountry.subdivisions.get(code=cc + '-' + data.get('state')):
                raise ValidationError(
                    {'state': ['"{}" is not a known subdivision of the country "{}".'.format(data.get('state'), cc)]}
                )
        return data
@@ -71,6 +95,13 @@ class AnswerQuestionOptionsIdentifierField(serializers.Field):
        return [o.identifier for o in instance.options.all()]
 class InlineSeatSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Seat
        fields = ('id', 'name', 'seat_guid')
 class AnswerSerializer(I18nAwareModelSerializer):
    question_identifier = AnswerQuestionIdentifierField(source='*', read_only=True)
    option_identifiers = AnswerQuestionOptionsIdentifierField(source='*', read_only=True)
@@ -83,7 +114,7 @@ class AnswerSerializer(I18nAwareModelSerializer):
 class CheckinSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Checkin
-        fields = ('datetime', 'list')
+        fields = ('datetime', 'list', 'auto_checked_in')
 class OrderDownloadsField(serializers.Field):
@@ -166,12 +197,13 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
    downloads = PositionDownloadsField(source='*')
    order = serializers.SlugRelatedField(slug_field='code', read_only=True)
    pdf_data = PdfDataSerializer(source='*')
    seat = InlineSeatSerializer(read_only=True)
    class Meta:
        model = OrderPosition
        fields = ('id', 'order', 'positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts',
                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
-                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data')
+                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat')
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -254,10 +286,33 @@ class OrderFeeSerializer(I18nAwareModelSerializer):
        fields = ('fee_type', 'value', 'description', 'internal_type', 'tax_rate', 'tax_value', 'tax_rule')
 class PaymentURLField(serializers.URLField):
    def to_representation(self, instance: OrderPayment):
        if instance.state != OrderPayment.PAYMENT_STATE_CREATED:
            return None
        return build_absolute_uri(self.context['event'], 'presale:event.order.pay', kwargs={
            'order': instance.order.code,
            'secret': instance.order.secret,
            'payment': instance.pk,
        })
 class PaymentDetailsField(serializers.Field):
    def to_representation(self, value: OrderPayment):
        pp = value.payment_provider
        if not pp:
            return {}
        return pp.api_payment_details(value)
 class OrderPaymentSerializer(I18nAwareModelSerializer):
    payment_url = PaymentURLField(source='*', allow_null=True, read_only=True)
    details = PaymentDetailsField(source='*', allow_null=True, read_only=True)
    class Meta:
        model = OrderPayment
-        fields = ('local_id', 'state', 'amount', 'created', 'payment_date', 'provider')
+        fields = ('local_id', 'state', 'amount', 'created', 'payment_date', 'provider', 'payment_url',
                  'details')
 class OrderRefundSerializer(I18nAwareModelSerializer):
@@ -268,6 +323,14 @@ class OrderRefundSerializer(I18nAwareModelSerializer):
        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'provider')
 class OrderURLField(serializers.URLField):
    def to_representation(self, instance: Order):
        return build_absolute_uri(self.context['event'], 'presale:event.order', kwargs={
            'order': instance.code,
            'secret': instance.secret,
        })
 class OrderSerializer(I18nAwareModelSerializer):
    invoice_address = InvoiceAddressSerializer(allow_null=True)
    positions = OrderPositionSerializer(many=True, read_only=True)
@@ -277,13 +340,15 @@ class OrderSerializer(I18nAwareModelSerializer):
    refunds = OrderRefundSerializer(many=True, read_only=True)
    payment_date = OrderPaymentDateField(source='*', read_only=True)
    payment_provider = OrderPaymentTypeField(source='*', read_only=True)
    url = OrderURLField(source='*', read_only=True)
    class Meta:
        model = Order
        fields = (
            'code', 'status', 'testmode', 'secret', 'email', 'locale', 'datetime', 'expires', 'payment_date',
            'payment_provider', 'fees', 'total', 'comment', 'invoice_address', 'positions', 'downloads',
-            'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel'
+            'checkin_attention', 'last_modified', 'payments', 'refunds', 'require_approval', 'sales_channel',
            'url'
        )
        read_only_fields = (
            'code', 'status', 'testmode', 'secret', 'datetime', 'expires', 'payment_date',
@@ -305,7 +370,6 @@ class OrderSerializer(I18nAwareModelSerializer):
        # Even though all fields that shouldn't be edited are marked as read_only in the serializer
        # (hopefully), we'll be extra careful here and be explicit about the model fields we update.
        update_fields = ['comment', 'checkin_attention', 'email', 'locale']
        print(validated_data)
        if 'invoice_address' in validated_data:
            iadata = validated_data.pop('invoice_address')
@@ -323,7 +387,7 @@ class OrderSerializer(I18nAwareModelSerializer):
                    }
                try:
                    ia = instance.invoice_address
-                    if iadata.get('vat_id') != ia.vat_id:
+                    if iadata.get('vat_id') != ia.vat_id and 'vat_id_validated' not in iadata:
                        ia.vat_id_validated = False
                    self.fields['invoice_address'].update(ia, iadata)
                except InvoiceAddress.DoesNotExist:
@@ -430,11 +494,16 @@ class OrderPositionCreateSerializer(I18nAwareModelSerializer):
    addon_to = serializers.IntegerField(required=False, allow_null=True)
    secret = serializers.CharField(required=False)
    attendee_name = serializers.CharField(required=False, allow_null=True)
    seat = serializers.CharField(required=False, allow_null=True)
    price = serializers.DecimalField(required=False, allow_null=True, decimal_places=2,
                                     max_digits=10)
    voucher = serializers.SlugRelatedField(slug_field='code', queryset=Voucher.objects.none(),
                                           required=False, allow_null=True)
    class Meta:
        model = OrderPosition
        fields = ('positionid', 'item', 'variation', 'price', 'attendee_name', 'attendee_name_parts', 'attendee_email',
-                  'secret', 'addon_to', 'subevent', 'answers')
+                  'secret', 'addon_to', 'subevent', 'answers', 'seat', 'voucher')
    def validate_secret(self, secret):
        if secret and OrderPosition.all.filter(order__event=self.context['event'], secret=secret).exists():
@@ -508,7 +577,7 @@ class CompatibleJSONField(serializers.JSONField):
 class OrderCreateSerializer(I18nAwareModelSerializer):
    invoice_address = InvoiceAddressSerializer(required=False)
-    positions = OrderPositionCreateSerializer(many=True, required=False)
+    positions = OrderPositionCreateSerializer(many=True, required=True)
    fees = OrderFeeCreateSerializer(many=True, required=False)
    status = serializers.ChoiceField(choices=(
        ('n', Order.STATUS_PENDING),
@@ -520,18 +589,26 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
        min_length=5
    )
    comment = serializers.CharField(required=False, allow_blank=True)
-    payment_provider = serializers.CharField(required=True)
+    payment_provider = serializers.CharField(required=False, allow_null=True)
    payment_info = CompatibleJSONField(required=False)
    consume_carts = serializers.ListField(child=serializers.CharField(), required=False)
    force = serializers.BooleanField(default=False, required=False)
    payment_date = serializers.DateTimeField(required=False, allow_null=True)
    send_mail = serializers.BooleanField(default=False, required=False)
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.fields['positions'].child.fields['voucher'].queryset = self.context['event'].vouchers.all()
    class Meta:
        model = Order
        fields = ('code', 'status', 'testmode', 'email', 'locale', 'payment_provider', 'fees', 'comment', 'sales_channel',
-                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'payment_date', 'consume_carts', 'force')
+                  'invoice_address', 'positions', 'checkin_attention', 'payment_info', 'payment_date', 'consume_carts',
                  'force', 'send_mail')
    def validate_payment_provider(self, pp):
        if pp is None:
            return None
        if pp not in self.context['event'].get_payment_providers():
            raise ValidationError('The given payment provider is not known.')
        return pp
@@ -590,18 +667,36 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                {'positionid': ["If you set addon_to on any position, you need to specify position IDs manually."]}
                for p in data
            ]
        else:
            for i, p in enumerate(data):
                p['positionid'] = i + 1
        if any(errs):
            raise ValidationError(errs)
        return data
    def validate_testmode(self, testmode):
        if 'sales_channel' in self.initial_data:
            try:
                sales_channel = get_all_sales_channels()[self.initial_data['sales_channel']]
                if testmode and not sales_channel.testmode_supported:
                    raise ValidationError('This sales channel does not provide support for testmode.')
            except KeyError:
                # We do not need to raise a ValidationError here, since there is another check to validate the
                # sales_channel
                pass
        return testmode
    def create(self, validated_data):
        fees_data = validated_data.pop('fees') if 'fees' in validated_data else []
        positions_data = validated_data.pop('positions') if 'positions' in validated_data else []
-        payment_provider = validated_data.pop('payment_provider')
+        payment_provider = validated_data.pop('payment_provider', None)
        payment_info = validated_data.pop('payment_info', '{}')
        payment_date = validated_data.pop('payment_date', now())
        force = validated_data.pop('force', False)
        self._send_mail = validated_data.pop('send_mail', False)
        if 'invoice_address' in validated_data:
            iadata = validated_data.pop('invoice_address')
@@ -615,13 +710,16 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
            ia = None
        with self.context['event'].lock() as now_dt:
-            quotadiff = Counter()
+            free_seats = set()
-
+            seats_seen = set()
            consume_carts = validated_data.pop('consume_carts', [])
            delete_cps = []
            quota_avail_cache = {}
            voucher_usage = Counter()
            if consume_carts:
-                for cp in CartPosition.objects.filter(event=self.context['event'], cart_id__in=consume_carts):
+                for cp in CartPosition.objects.filter(
                    event=self.context['event'], cart_id__in=consume_carts, expires__gt=now()
                ):
                    quotas = (cp.variation.quotas.filter(subevent=cp.subevent)
                              if cp.variation else cp.item.quotas.filter(subevent=cp.subevent))
                    for quota in quotas:
@@ -629,14 +727,64 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                            quota_avail_cache[quota] = list(quota.availability())
                        if quota_avail_cache[quota][1] is not None:
                            quota_avail_cache[quota][1] += 1
                    if cp.voucher:
                        voucher_usage[cp.voucher] -= 1
                    if cp.expires > now_dt:
-                        quotadiff.subtract(quotas)
+                        if cp.seat:
                            free_seats.add(cp.seat)
                    delete_cps.append(cp)
            errs = [{} for p in positions_data]
            for i, pos_data in enumerate(positions_data):
                if pos_data.get('voucher'):
                    v = pos_data['voucher']
                    if not v.applies_to(pos_data['item'], pos_data.get('variation')):
                        errs[i]['voucher'] = [error_messages['voucher_invalid_item']]
                        continue
                    if v.subevent_id and pos_data.get('subevent').pk != v.subevent_id:
                        errs[i]['voucher'] = [error_messages['voucher_invalid_subevent']]
                        continue
                    if v.valid_until is not None and v.valid_until < now_dt:
                        errs[i]['voucher'] = [error_messages['voucher_expired']]
                        continue
                    voucher_usage[v] += 1
                    if voucher_usage[v] > 0:
                        redeemed_in_carts = CartPosition.objects.filter(
                            Q(voucher=pos_data['voucher']) & Q(event=self.context['event']) & Q(expires__gte=now_dt)
                        ).exclude(pk__in=[cp.pk for cp in delete_cps])
                        v_avail = v.max_usages - v.redeemed - redeemed_in_carts.count()
                        if v_avail < voucher_usage[v]:
                            errs[i]['voucher'] = [
                                'The voucher has already been used the maximum number of times.'
                            ]
                seated = pos_data.get('item').seat_category_mappings.filter(subevent=pos_data.get('subevent')).exists()
                if pos_data.get('seat'):
                    if not seated:
                        errs[i]['seat'] = ['The specified product does not allow to choose a seat.']
                    try:
                        seat = self.context['event'].seats.get(seat_guid=pos_data['seat'], subevent=pos_data.get('subevent'))
                    except Seat.DoesNotExist:
                        errs[i]['seat'] = ['The specified seat does not exist.']
                    else:
                        pos_data['seat'] = seat
                        if (seat not in free_seats and not seat.is_available()) or seat in seats_seen:
                            errs[i]['seat'] = [ugettext_lazy('The selected seat "{seat}" is not available.').format(seat=seat.name)]
                        seats_seen.add(seat)
                elif seated:
                    errs[i]['seat'] = ['The specified product requires to choose a seat.']
            if not force:
                for i, pos_data in enumerate(positions_data):
                    if pos_data.get('voucher'):
                        if pos_data['voucher'].allow_ignore_quota or pos_data['voucher'].block_quota:
                            continue
                    new_quotas = (pos_data.get('variation').quotas.filter(subevent=pos_data.get('subevent'))
                                  if pos_data.get('variation')
                                  else pos_data.get('item').quotas.filter(subevent=pos_data.get('subevent')))
@@ -658,8 +806,6 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                                        )
                                    ]
                    quotadiff.update(new_quotas)
            if any(errs):
                raise ValidationError({'positions': errs})
@@ -667,38 +813,14 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                validated_data['locale'] = self.context['event'].settings.locale
            order = Order(event=self.context['event'], **validated_data)
            order.set_expires(subevents=[p.get('subevent') for p in positions_data])
            order.total = sum([p['price'] for p in positions_data]) + sum([f['value'] for f in fees_data], Decimal('0.00'))
            order.meta_info = "{}"
            order.total = Decimal('0.00')
            order.save()
            if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID:
                order.status = Order.STATUS_PAID
                order.save()
                order.payments.create(
                    amount=order.total, provider='free', state=OrderPayment.PAYMENT_STATE_CONFIRMED,
                    payment_date=now()
                )
            elif payment_provider == "free" and order.total != Decimal('0.00'):
                raise ValidationError('You cannot use the "free" payment provider for non-free orders.')
            elif validated_data.get('status') == Order.STATUS_PAID:
                order.payments.create(
                    amount=order.total,
                    provider=payment_provider,
                    info=payment_info,
                    payment_date=payment_date,
                    state=OrderPayment.PAYMENT_STATE_CONFIRMED
                )
            elif payment_provider:
                order.payments.create(
                    amount=order.total,
                    provider=payment_provider,
                    info=payment_info,
                    state=OrderPayment.PAYMENT_STATE_CREATED
                )
            if ia:
                ia.order = order
                ia.save()
            pos_map = {}
            for pos_data in positions_data:
                answers_data = pos_data.pop('answers', [])
@@ -710,9 +832,27 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                    }
                pos = OrderPosition(**pos_data)
                pos.order = order
                pos._calculate_tax()
                if addon_to:
                    pos.addon_to = pos_map[addon_to]
                if pos.price is None:
                    price = get_price(
                        item=pos.item,
                        variation=pos.variation,
                        voucher=pos.voucher,
                        custom_price=None,
                        subevent=pos.subevent,
                        addon_to=pos.addon_to,
                        invoice_address=ia,
                    )
                    pos.price = price.gross
                    pos.tax_rate = price.rate
                    pos.tax_value = price.tax
                    pos.tax_rule = pos.item.tax_rule
                else:
                    pos._calculate_tax()
                if pos.voucher:
                    Voucher.objects.filter(pk=pos.voucher.pk).update(redeemed=F('redeemed') + 1)
                pos.save()
                pos_map[pos.positionid] = pos
                for answ_data in answers_data:
@@ -722,12 +862,46 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
            for cp in delete_cps:
                cp.delete()
        for fee_data in fees_data:
            f = OrderFee(**fee_data)
            f.order = order
            f._calculate_tax()
            f.save()
        order.total = sum([p.price for p in order.positions.all()]) + sum([f.value for f in order.fees.all()])
        order.save(update_fields=['total'])
        if order.total == Decimal('0.00') and validated_data.get('status') == Order.STATUS_PAID and not payment_provider:
            payment_provider = 'free'
        if order.total == Decimal('0.00') and validated_data.get('status') != Order.STATUS_PAID:
            order.status = Order.STATUS_PAID
            order.save()
            order.payments.create(
                amount=order.total, provider='free', state=OrderPayment.PAYMENT_STATE_CONFIRMED,
                payment_date=now()
            )
        elif payment_provider == "free" and order.total != Decimal('0.00'):
            raise ValidationError('You cannot use the "free" payment provider for non-free orders.')
        elif validated_data.get('status') == Order.STATUS_PAID:
            if not payment_provider:
                raise ValidationError('You cannot create a paid order without a payment provider.')
            order.payments.create(
                amount=order.total,
                provider=payment_provider,
                info=payment_info,
                payment_date=payment_date,
                state=OrderPayment.PAYMENT_STATE_CONFIRMED
            )
        elif payment_provider:
            order.payments.create(
                amount=order.total,
                provider=payment_provider,
                info=payment_info,
                state=OrderPayment.PAYMENT_STATE_CREATED
            )
        return order
--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
@@ -1,8 +1,49 @@
 from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
-from pretix.base.models import Organizer
+from pretix.api.serializers.order import CompatibleJSONField
 from pretix.base.models import GiftCard, Organizer, SeatingPlan
 from pretix.base.models.seating import SeatingPlanLayoutValidator
 class OrganizerSerializer(I18nAwareModelSerializer):
    class Meta:
        model = Organizer
        fields = ('name', 'slug')
 class SeatingPlanSerializer(I18nAwareModelSerializer):
    layout = CompatibleJSONField(
        validators=[SeatingPlanLayoutValidator()]
    )
    class Meta:
        model = SeatingPlan
        fields = ('id', 'name', 'layout')
 class GiftCardSerializer(I18nAwareModelSerializer):
    value = serializers.DecimalField(max_digits=10, decimal_places=2)
    def validate(self, data):
        data = super().validate(data)
        s = data['secret']
        qs = GiftCard.objects.filter(
            secret=s
        ).filter(
            Q(issuer=self.context["organizer"]) | Q(issuer__gift_card_collector_acceptance__collector=self.context["organizer"])
        )
        if self.instance:
            qs = qs.exclude(pk=self.instance.pk)
        if qs.exists():
            raise ValidationError(
                {'secret': _('A gift card with the same secret already exists in your or an affiliated organizer account.')}
            )
        return data
    class Meta:
        model = GiftCard
        fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode')
--- a/src/pretix/api/serializers/voucher.py
+++ b/src/pretix/api/serializers/voucher.py
@@ -27,7 +27,7 @@ class VoucherSerializer(I18nAwareModelSerializer):
        model = Voucher
        fields = ('id', 'code', 'max_usages', 'redeemed', 'valid_until', 'block_quota',
                  'allow_ignore_quota', 'price_mode', 'value', 'item', 'variation', 'quota',
-                  'tag', 'comment', 'subevent')
+                  'tag', 'comment', 'subevent', 'show_hidden_items')
        read_only_fields = ('id', 'redeemed')
        list_serializer_class = VoucherListSerializer
--- a/src/pretix/api/signals.py
+++ b/src/pretix/api/signals.py
@@ -2,6 +2,7 @@ from datetime import timedelta
 from django.dispatch import Signal, receiver
 from django.utils.timezone import now
 from django_scopes import scopes_disabled
 from pretix.api.models import ApiCall, WebHookCall
 from pretix.base.signals import periodic_task
@@ -17,10 +18,12 @@ instances.
@receiver(periodic_task)
@scopes_disabled()
 def cleanup_webhook_logs(sender, **kwargs):
    WebHookCall.objects.filter(datetime__lte=now() - timedelta(days=30)).delete()
@receiver(periodic_task)
@scopes_disabled()
 def cleanup_api_logs(sender, **kwargs):
    ApiCall.objects.filter(created__lte=now() - timedelta(hours=24)).delete()
--- a/src/pretix/api/urls.py
+++ b/src/pretix/api/urls.py
@@ -18,6 +18,8 @@ orga_router = routers.DefaultRouter()
 orga_router.register(r'events', event.EventViewSet)
 orga_router.register(r'subevents', event.SubEventViewSet)
 orga_router.register(r'webhooks', webhooks.WebHookViewSet)
 orga_router.register(r'seatingplans', organizer.SeatingPlanViewSet)
 orga_router.register(r'giftcards', organizer.GiftCardViewSet)
 event_router = routers.DefaultRouter()
 event_router.register(r'subevents', event.SubEventViewSet)
--- a/src/pretix/api/views/cart.py
+++ b/src/pretix/api/views/cart.py
@@ -24,7 +24,7 @@ class CartPositionViewSet(CreateModelMixin, DestroyModelMixin, viewsets.ReadOnly
        return CartPosition.objects.filter(
            event=self.request.event,
            cart_id__endswith="@api"
-        )
+        ).select_related('seat').prefetch_related('answers')
    def get_serializer_context(self):
        ctx = super().get_serializer_context()
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -6,6 +6,7 @@ from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
 from rest_framework import viewsets
 from rest_framework.decorators import action
 from rest_framework.fields import DateTimeField
@@ -24,11 +25,11 @@ from pretix.base.services.checkin import (
 )
 from pretix.helpers.database import FixedOrderBy
-
+with scopes_disabled():
-class CheckinListFilter(FilterSet):
+    class CheckinListFilter(FilterSet):
-    class Meta:
+        class Meta:
-        model = CheckinList
+            model = CheckinList
-        fields = ['subevent']
+            fields = ['subevent']
 class CheckinListViewSet(viewsets.ModelViewSet):
@@ -43,7 +44,6 @@ class CheckinListViewSet(viewsets.ModelViewSet):
        qs = self.request.event.checkin_lists.prefetch_related(
            'limit_products',
        )
        qs = CheckinList.annotate_with_numbers(qs, self.request.event)
        return qs
    def perform_create(self, serializer):
@@ -92,6 +92,7 @@ class CheckinListViewSet(viewsets.ModelViewSet):
        )
        if not clist.all_products:
            pqs = pqs.filter(item__in=clist.limit_products.values_list('id', flat=True))
            cqs = cqs.filter(position__item__in=clist.limit_products.values_list('id', flat=True))
        ev = clist.subevent or clist.event
        response = {
@@ -146,15 +147,16 @@ class CheckinListViewSet(viewsets.ModelViewSet):
        return Response(response)
-class CheckinOrderPositionFilter(OrderPositionFilter):
+with scopes_disabled():
    class CheckinOrderPositionFilter(OrderPositionFilter):
-    def has_checkin_qs(self, queryset, name, value):
+        def has_checkin_qs(self, queryset, name, value):
-        return queryset.filter(last_checked_in__isnull=not value)
+            return queryset.filter(last_checked_in__isnull=not value)
 class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
    serializer_class = CheckinListOrderPositionSerializer
-    queryset = OrderPosition.objects.none()
+    queryset = OrderPosition.all.none()
    filter_backends = (DjangoFilterBackend, RichOrderingFilter)
    ordering = ('attendee_name_cached', 'positionid')
    ordering_fields = (
@@ -229,7 +231,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                    )
                ))
            ).select_related(
-                'item', 'variation', 'item__category', 'addon_to', 'order', 'order__invoice_address'
+                'item', 'variation', 'item__category', 'addon_to', 'order', 'order__invoice_address', 'seat'
            )
        else:
            qs = qs.prefetch_related(
@@ -239,7 +241,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                ),
                'answers', 'answers__options', 'answers__question',
                Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
-            ).select_related('item', 'variation', 'order', 'addon_to', 'order__invoice_address', 'order')
+            ).select_related('item', 'variation', 'order', 'addon_to', 'order__invoice_address', 'order', 'seat')
        if not self.checkinlist.all_products:
            qs = qs.filter(item__in=self.checkinlist.limit_products.values_list('id', flat=True))
@@ -278,6 +280,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                nonce=nonce,
                datetime=dt,
                questions_supported=self.request.data.get('questions_supported', True),
                canceled_supported=self.request.data.get('canceled_supported', False),
                user=self.request.user,
                auth=self.request.auth,
            )
--- a/src/pretix/api/views/event.py
+++ b/src/pretix/api/views/event.py
@@ -3,6 +3,7 @@ from django.db import transaction
 from django.db.models import ProtectedError, Q
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
 from rest_framework import filters, viewsets
 from rest_framework.exceptions import PermissionDenied
@@ -17,52 +18,53 @@ from pretix.base.models import (
 )
 from pretix.base.models.event import SubEvent
 from pretix.helpers.dicts import merge_dicts
 from pretix.presale.views.organizer import filter_qs_by_attr
 with scopes_disabled():
    class EventFilter(FilterSet):
        is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
        is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
        ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
-class EventFilter(FilterSet):
+        class Meta:
-    is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
+            model = Event
-    is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
+            fields = ['is_public', 'live', 'has_subevents']
    ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
-    class Meta:
+        def ends_after_qs(self, queryset, name, value):
-        model = Event
+            expr = (
-        fields = ['is_public', 'live', 'has_subevents']
+                Q(has_subevents=False) &
-
+                Q(
-    def ends_after_qs(self, queryset, name, value):
+                    Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
-        expr = (
+                    | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
-            Q(has_subevents=False) &
+                )
            Q(
                Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
                | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
            )
        )
        return queryset.filter(expr)
    def is_past_qs(self, queryset, name, value):
        expr = (
            Q(has_subevents=False) &
            Q(
                Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
                | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
            )
        )
        if value:
            return queryset.filter(expr)
        else:
            return queryset.exclude(expr)
-    def is_future_qs(self, queryset, name, value):
+        def is_past_qs(self, queryset, name, value):
-        expr = (
+            expr = (
-            Q(has_subevents=False) &
+                Q(has_subevents=False) &
-            Q(
+                Q(
-                Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
+                    Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
-                | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
+                    | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
                )
            )
-        )
+            if value:
-        if value:
+                return queryset.filter(expr)
-            return queryset.filter(expr)
+            else:
-        else:
+                return queryset.exclude(expr)
-            return queryset.exclude(expr)
+
        def is_future_qs(self, queryset, name, value):
            expr = (
                Q(has_subevents=False) &
                Q(
                    Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
                    | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
                )
            )
            if value:
                return queryset.filter(expr)
            else:
                return queryset.exclude(expr)
 class EventViewSet(viewsets.ModelViewSet):
@@ -84,8 +86,10 @@ class EventViewSet(viewsets.ModelViewSet):
                organizer=self.request.organizer
            )
        qs = filter_qs_by_attr(qs, self.request)
        return qs.prefetch_related(
-            'meta_values', 'meta_values__property'
+            'meta_values', 'meta_values__property', 'seat_category_mappings'
        )
    def perform_update(self, serializer):
@@ -182,41 +186,42 @@ class CloneEventViewSet(viewsets.ModelViewSet):
        )
-class SubEventFilter(FilterSet):
+with scopes_disabled():
-    is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
+    class SubEventFilter(FilterSet):
-    is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
+        is_past = django_filters.rest_framework.BooleanFilter(method='is_past_qs')
-    ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
+        is_future = django_filters.rest_framework.BooleanFilter(method='is_future_qs')
        ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')
-    class Meta:
+        class Meta:
-        model = SubEvent
+            model = SubEvent
-        fields = ['active', 'event__live']
+            fields = ['active', 'event__live']
-    def ends_after_qs(self, queryset, name, value):
+        def ends_after_qs(self, queryset, name, value):
-        expr = Q(
+            expr = Q(
-            Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
+                Q(Q(date_to__isnull=True) & Q(date_from__gte=value))
-            | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
+                | Q(Q(date_to__isnull=False) & Q(date_to__gte=value))
-        )
+            )
        return queryset.filter(expr)
    def is_past_qs(self, queryset, name, value):
        expr = Q(
            Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
            | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
        )
        if value:
            return queryset.filter(expr)
        else:
            return queryset.exclude(expr)
-    def is_future_qs(self, queryset, name, value):
+        def is_past_qs(self, queryset, name, value):
-        expr = Q(
+            expr = Q(
-            Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
+                Q(Q(date_to__isnull=True) & Q(date_from__lt=now()))
-            | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
+                | Q(Q(date_to__isnull=False) & Q(date_to__lt=now()))
-        )
+            )
-        if value:
+            if value:
-            return queryset.filter(expr)
+                return queryset.filter(expr)
-        else:
+            else:
-            return queryset.exclude(expr)
+                return queryset.exclude(expr)
        def is_future_qs(self, queryset, name, value):
            expr = Q(
                Q(Q(date_to__isnull=True) & Q(date_from__gte=now()))
                | Q(Q(date_to__isnull=False) & Q(date_to__gte=now()))
            )
            if value:
                return queryset.filter(expr)
            else:
                return queryset.exclude(expr)
 class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
@@ -239,13 +244,22 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
                event__organizer=self.request.organizer,
                event__in=self.request.user.get_events_with_any_permission()
            )
        qs = filter_qs_by_attr(qs, self.request)
        return qs.prefetch_related(
-            'subeventitem_set', 'subeventitemvariation_set'
+            'subeventitem_set', 'subeventitemvariation_set', 'seat_category_mappings'
        )
    def perform_update(self, serializer):
        original_data = self.get_serializer(instance=serializer.instance).data
        super().perform_update(serializer)
        if serializer.data == original_data:
            # Performance optimization: If nothing was changed, we do not need to save or log anything.
            # This costs us a few cycles on save, but avoids thousands of lines in our log.
            return
        serializer.instance.log_action(
            'pretix.subevent.changed',
            user=self.request.user,
--- a/src/pretix/api/views/item.py
+++ b/src/pretix/api/views/item.py
@@ -3,6 +3,7 @@ from django.db.models import Q
 from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
 from rest_framework import viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
@@ -21,19 +22,19 @@ from pretix.base.models import (
 )
 from pretix.helpers.dicts import merge_dicts
 with scopes_disabled():
    class ItemFilter(FilterSet):
        tax_rate = django_filters.CharFilter(method='tax_rate_qs')
-class ItemFilter(FilterSet):
+        def tax_rate_qs(self, queryset, name, value):
-    tax_rate = django_filters.CharFilter(method='tax_rate_qs')
+            if value in ("0", "None", "0.00"):
                return queryset.filter(Q(tax_rule__isnull=True) | Q(tax_rule__rate=0))
            else:
                return queryset.filter(tax_rule__rate=value)
-    def tax_rate_qs(self, queryset, name, value):
+        class Meta:
-        if value in ("0", "None", "0.00"):
+            model = Item
-            return queryset.filter(Q(tax_rule__isnull=True) | Q(tax_rule__rate=0))
+            fields = ['active', 'category', 'admission', 'tax_rate', 'free_price']
        else:
            return queryset.filter(tax_rule__rate=value)
    class Meta:
        model = Item
        fields = ['active', 'category', 'admission', 'tax_rate', 'free_price']
 class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
@@ -65,7 +66,14 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
        return ctx
    def perform_update(self, serializer):
        original_data = self.get_serializer(instance=serializer.instance).data
        serializer.save(event=self.request.event)
        if serializer.data == original_data:
            # Performance optimization: If nothing was changed, we do not need to save or log anything.
            # This costs us a few cycles on save, but avoids thousands of lines in our log.
            return
        serializer.instance.log_action(
            'pretix.event.item.changed',
            user=self.request.user,
@@ -312,10 +320,11 @@ class ItemCategoryViewSet(ConditionalListView, viewsets.ModelViewSet):
        super().perform_destroy(instance)
-class QuestionFilter(FilterSet):
+with scopes_disabled():
-    class Meta:
+    class QuestionFilter(FilterSet):
-        model = Question
+        class Meta:
-        fields = ['ask_during_checkin', 'required', 'identifier']
+            model = Question
            fields = ['ask_during_checkin', 'required', 'identifier']
 class QuestionViewSet(ConditionalListView, viewsets.ModelViewSet):
@@ -411,10 +420,11 @@ class QuestionOptionViewSet(viewsets.ModelViewSet):
        super().perform_destroy(instance)
-class QuotaFilter(FilterSet):
+with scopes_disabled():
-    class Meta:
+    class QuotaFilter(FilterSet):
-        model = Quota
+        class Meta:
-        fields = ['subevent']
+            model = Quota
            fields = ['subevent']
 class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
@@ -452,9 +462,30 @@ class QuotaViewSet(ConditionalListView, viewsets.ModelViewSet):
        return ctx
    def perform_update(self, serializer):
        original_data = self.get_serializer(instance=serializer.instance).data
        current_subevent = serializer.instance.subevent
        serializer.save(event=self.request.event)
        request_subevent = serializer.instance.subevent
        if serializer.data == original_data:
            # Performance optimization: If nothing was changed, we do not need to save or log anything.
            # This costs us a few cycles on save, but avoids thousands of lines in our log.
            return
        if original_data['closed'] is True and serializer.instance.closed is False:
            serializer.instance.log_action(
                'pretix.event.quota.opened',
                user=self.request.user,
                auth=self.request.auth,
            )
        elif original_data['closed'] is False and serializer.instance.closed is True:
            serializer.instance.log_action(
                'pretix.event.quota.closed',
                user=self.request.user,
                auth=self.request.auth,
            )
        serializer.instance.log_action(
            'pretix.event.quota.changed',
            user=self.request.user,
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -6,11 +6,12 @@ import pytz
 from django.db import transaction
 from django.db.models import F, Prefetch, Q
 from django.db.models.functions import Coalesce, Concat
-from django.http import FileResponse
+from django.http import FileResponse, HttpResponse
 from django.shortcuts import get_object_or_404
 from django.utils.timezone import make_aware, now
 from django.utils.translation import ugettext as _
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
 from rest_framework import mixins, serializers, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import (
@@ -40,7 +41,8 @@ from pretix.base.services.invoices import (
 )
 from pretix.base.services.mail import SendMailException
 from pretix.base.services.orders import (
-    OrderChangeManager, OrderError, approve_order, cancel_order, deny_order,
+    OrderChangeManager, OrderError, _order_placed_email,
    _order_placed_email_attendee, approve_order, cancel_order, deny_order,
    extend_order, mark_order_expired, mark_order_refunded,
 )
 from pretix.base.services.pricing import get_price
@@ -50,17 +52,17 @@ from pretix.base.signals import (
 )
 from pretix.base.templatetags.money import money_filter
 with scopes_disabled():
    class OrderFilter(FilterSet):
        email = django_filters.CharFilter(field_name='email', lookup_expr='iexact')
        code = django_filters.CharFilter(field_name='code', lookup_expr='iexact')
        status = django_filters.CharFilter(field_name='status', lookup_expr='iexact')
        modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
        created_since = django_filters.IsoDateTimeFilter(field_name='datetime', lookup_expr='gte')
-class OrderFilter(FilterSet):
+        class Meta:
-    email = django_filters.CharFilter(field_name='email', lookup_expr='iexact')
+            model = Order
-    code = django_filters.CharFilter(field_name='code', lookup_expr='iexact')
+            fields = ['code', 'status', 'email', 'locale', 'testmode', 'require_approval']
    status = django_filters.CharFilter(field_name='status', lookup_expr='iexact')
    modified_since = django_filters.IsoDateTimeFilter(field_name='last_modified', lookup_expr='gte')
    created_since = django_filters.IsoDateTimeFilter(field_name='datetime', lookup_expr='gte')
    class Meta:
        model = Order
        fields = ['code', 'status', 'email', 'locale', 'testmode', 'require_approval']
 class OrderViewSet(viewsets.ModelViewSet):
@@ -92,8 +94,8 @@ class OrderViewSet(viewsets.ModelViewSet):
                    'positions',
                    OrderPosition.objects.all().prefetch_related(
                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
-                        'item__category', 'addon_to',
+                        'item__category', 'addon_to', 'seat',
-                        Prefetch('addons', OrderPosition.objects.select_related('item', 'variation'))
+                        Prefetch('addons', OrderPosition.objects.select_related('item', 'variation', 'seat'))
                    )
                )
            )
@@ -102,7 +104,7 @@ class OrderViewSet(viewsets.ModelViewSet):
                Prefetch(
                    'positions',
                    OrderPosition.objects.all().prefetch_related(
-                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question',
+                        'checkins', 'item', 'variation', 'answers', 'answers__options', 'answers__question', 'seat',
                    )
                )
            )
@@ -146,12 +148,16 @@ class OrderViewSet(viewsets.ModelViewSet):
            generate.apply_async(args=('order', order.pk, provider.identifier))
            raise RetryException()
        else:
-            resp = FileResponse(ct.file.file, content_type=ct.type)
+            if ct.type == 'text/uri-list':
-            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+                resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
-                self.request.event.slug.upper(), order.code,
+                return resp
-                provider.identifier, ct.extension
+            else:
-            )
+                resp = FileResponse(ct.file.file, content_type=ct.type)
-            return resp
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
                    self.request.event.slug.upper(), order.code,
                    provider.identifier, ct.extension
                )
                return resp
    @action(detail=True, methods=['POST'])
    def mark_paid(self, request, **kwargs):
@@ -430,6 +436,7 @@ class OrderViewSet(viewsets.ModelViewSet):
        serializer.is_valid(raise_exception=True)
        with transaction.atomic():
            self.perform_create(serializer)
            send_mail = serializer._send_mail
            order = serializer.instance
            serializer = OrderSerializer(order, context=serializer.context)
@@ -438,14 +445,50 @@ class OrderViewSet(viewsets.ModelViewSet):
                user=request.user if request.user.is_authenticated else None,
                auth=request.auth,
            )
        order_placed.send(self.request.event, order=order)
-        gen_invoice = invoice_qualified(order) and (
+        with language(order.locale):
-            (order.event.settings.get('invoice_generate') == 'True') or
+            order_placed.send(self.request.event, order=order)
-            (order.event.settings.get('invoice_generate') == 'paid' and order.status == Order.STATUS_PAID)
+
-        ) and not order.invoices.last()
+            gen_invoice = invoice_qualified(order) and (
-        if gen_invoice:
+                (order.event.settings.get('invoice_generate') == 'True') or
-            generate_invoice(order, trigger_pdf=True)
+                (order.event.settings.get('invoice_generate') == 'paid' and order.status == Order.STATUS_PAID)
            ) and not order.invoices.last()
            invoice = None
            if gen_invoice:
                invoice = generate_invoice(order, trigger_pdf=True)
            if send_mail:
                payment = order.payments.last()
                free_flow = (
                    payment and order.total == Decimal('0.00') and order.status == Order.STATUS_PAID and
                    not order.require_approval and payment.provider == "free"
                )
                if free_flow:
                    email_template = request.event.settings.mail_text_order_free
                    log_entry = 'pretix.event.order.email.order_free'
                    email_attendees = request.event.settings.mail_send_order_free_attendee
                    email_attendees_template = request.event.settings.mail_text_order_free_attendee
                else:
                    email_template = request.event.settings.mail_text_order_placed
                    log_entry = 'pretix.event.order.email.order_placed'
                    email_attendees = request.event.settings.mail_send_order_placed_attendee
                    email_attendees_template = request.event.settings.mail_text_order_placed_attendee
                _order_placed_email(
                    request.event, order, payment.payment_provider if payment else None, email_template,
                    log_entry, invoice, payment
                )
                if email_attendees:
                    for p in order.positions.all():
                        if p.addon_to_id is None and p.attendee_email and p.attendee_email != order.email:
                            _order_placed_email_attendee(request.event, order, p, email_attendees_template, log_entry)
                if not free_flow and order.status == Order.STATUS_PAID and payment:
                    payment._send_paid_mail(invoice, None, '')
                    if self.request.event.settings.mail_send_order_paid_attendee:
                        for p in order.positions.all():
                            if p.addon_to_id is None and p.attendee_email and p.attendee_email != order.email:
                                payment._send_paid_mail_attendee(p, None)
        headers = self.get_success_headers(serializer.data)
        return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers)
@@ -531,48 +574,49 @@ class OrderViewSet(viewsets.ModelViewSet):
            self.get_object().gracefully_delete(user=self.request.user if self.request.user.is_authenticated else None, auth=self.request.auth)
-class OrderPositionFilter(FilterSet):
+with scopes_disabled():
-    order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')
+    class OrderPositionFilter(FilterSet):
-    has_checkin = django_filters.rest_framework.BooleanFilter(method='has_checkin_qs')
+        order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')
-    attendee_name = django_filters.CharFilter(method='attendee_name_qs')
+        has_checkin = django_filters.rest_framework.BooleanFilter(method='has_checkin_qs')
-    search = django_filters.CharFilter(method='search_qs')
+        attendee_name = django_filters.CharFilter(method='attendee_name_qs')
        search = django_filters.CharFilter(method='search_qs')
-    def search_qs(self, queryset, name, value):
+        def search_qs(self, queryset, name, value):
-        return queryset.filter(
+            return queryset.filter(
-            Q(secret__istartswith=value)
+                Q(secret__istartswith=value)
-            | Q(attendee_name_cached__icontains=value)
+                | Q(attendee_name_cached__icontains=value)
-            | Q(addon_to__attendee_name_cached__icontains=value)
+                | Q(addon_to__attendee_name_cached__icontains=value)
-            | Q(attendee_email__icontains=value)
+                | Q(attendee_email__icontains=value)
-            | Q(addon_to__attendee_email__icontains=value)
+                | Q(addon_to__attendee_email__icontains=value)
-            | Q(order__code__istartswith=value)
+                | Q(order__code__istartswith=value)
-            | Q(order__invoice_address__name_cached__icontains=value)
+                | Q(order__invoice_address__name_cached__icontains=value)
-            | Q(order__email__icontains=value)
+                | Q(order__email__icontains=value)
-        )
+            )
-    def has_checkin_qs(self, queryset, name, value):
+        def has_checkin_qs(self, queryset, name, value):
-        return queryset.filter(checkins__isnull=not value)
+            return queryset.filter(checkins__isnull=not value)
-    def attendee_name_qs(self, queryset, name, value):
+        def attendee_name_qs(self, queryset, name, value):
-        return queryset.filter(Q(attendee_name_cached__iexact=value) | Q(addon_to__attendee_name_cached__iexact=value))
+            return queryset.filter(Q(attendee_name_cached__iexact=value) | Q(addon_to__attendee_name_cached__iexact=value))
-    class Meta:
+        class Meta:
-        model = OrderPosition
+            model = OrderPosition
-        fields = {
+            fields = {
-            'item': ['exact', 'in'],
+                'item': ['exact', 'in'],
-            'variation': ['exact', 'in'],
+                'variation': ['exact', 'in'],
-            'secret': ['exact'],
+                'secret': ['exact'],
-            'order__status': ['exact', 'in'],
+                'order__status': ['exact', 'in'],
-            'addon_to': ['exact', 'in'],
+                'addon_to': ['exact', 'in'],
-            'subevent': ['exact', 'in'],
+                'subevent': ['exact', 'in'],
-            'pseudonymization_id': ['exact'],
+                'pseudonymization_id': ['exact'],
-            'voucher__code': ['exact'],
+                'voucher__code': ['exact'],
-            'voucher': ['exact'],
+                'voucher': ['exact'],
-        }
+            }
 class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
    serializer_class = OrderPositionSerializer
-    queryset = OrderPosition.objects.none()
+    queryset = OrderPosition.all.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
    ordering = ('order__datetime', 'positionid')
    ordering_fields = ('order__code', 'order__datetime', 'positionid', 'attendee_name', 'order__status',)
@@ -609,13 +653,13 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewS
                    )
                ))
            ).select_related(
-                'item', 'variation', 'item__category', 'addon_to'
+                'item', 'variation', 'item__category', 'addon_to', 'seat'
            )
        else:
            qs = qs.prefetch_related(
                'checkins', 'answers', 'answers__options', 'answers__question'
            ).select_related(
-                'item', 'order', 'order__event', 'order__event__organizer'
+                'item', 'order', 'order__event', 'order__event__organizer', 'seat'
            )
        return qs
@@ -721,12 +765,16 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewS
            generate.apply_async(args=('orderposition', pos.pk, provider.identifier))
            raise RetryException()
        else:
-            resp = FileResponse(ct.file.file, content_type=ct.type)
+            if ct.type == 'text/uri-list':
-            resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+                resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
-                self.request.event.slug.upper(), pos.order.code, pos.positionid,
+                return resp
-                provider.identifier, ct.extension
+            else:
-            )
+                resp = FileResponse(ct.file.file, content_type=ct.type)
-            return resp
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
                    self.request.event.slug.upper(), pos.order.code, pos.positionid,
                    provider.identifier, ct.extension
                )
                return resp
    def perform_destroy(self, instance):
        try:
@@ -960,22 +1008,23 @@ class RefundViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
        serializer.save()
-class InvoiceFilter(FilterSet):
+with scopes_disabled():
-    refers = django_filters.CharFilter(method='refers_qs')
+    class InvoiceFilter(FilterSet):
-    number = django_filters.CharFilter(method='nr_qs')
+        refers = django_filters.CharFilter(method='refers_qs')
-    order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')
+        number = django_filters.CharFilter(method='nr_qs')
        order = django_filters.CharFilter(field_name='order', lookup_expr='code__iexact')
-    def refers_qs(self, queryset, name, value):
+        def refers_qs(self, queryset, name, value):
-        return queryset.annotate(
+            return queryset.annotate(
-            refers_nr=Concat('refers__prefix', 'refers__invoice_no')
+                refers_nr=Concat('refers__prefix', 'refers__invoice_no')
-        ).filter(refers_nr__iexact=value)
+            ).filter(refers_nr__iexact=value)
-    def nr_qs(self, queryset, name, value):
+        def nr_qs(self, queryset, name, value):
-        return queryset.filter(nr__iexact=value)
+            return queryset.filter(nr__iexact=value)
-    class Meta:
+        class Meta:
-        model = Invoice
+            model = Invoice
-        fields = ['order', 'number', 'is_cancellation', 'refers', 'locale']
+            fields = ['order', 'number', 'is_cancellation', 'refers', 'locale']
 class RetryException(APIException):
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -1,8 +1,15 @@
-from rest_framework import filters, viewsets
+from django.db import transaction
 from rest_framework import filters, serializers, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import MethodNotAllowed, PermissionDenied
 from rest_framework.response import Response
 from pretix.api.models import OAuthAccessToken
-from pretix.api.serializers.organizer import OrganizerSerializer
+from pretix.api.serializers.organizer import (
-from pretix.base.models import Organizer
+    GiftCardSerializer, OrganizerSerializer, SeatingPlanSerializer,
 )
 from pretix.base.models import GiftCard, Organizer, SeatingPlan
 from pretix.helpers.dicts import merge_dicts
 class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
@@ -30,3 +37,113 @@ class OrganizerViewSet(viewsets.ReadOnlyModelViewSet):
            return Organizer.objects.filter(pk=self.request.auth.organizer_id)
        else:
            return Organizer.objects.filter(pk=self.request.auth.team.organizer_id)
 class SeatingPlanViewSet(viewsets.ModelViewSet):
    serializer_class = SeatingPlanSerializer
    queryset = SeatingPlan.objects.none()
    permission = 'can_change_organizer_settings'
    write_permission = 'can_change_organizer_settings'
    def get_queryset(self):
        return self.request.organizer.seating_plans.all()
    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['organizer'] = self.request.organizer
        return ctx
    def perform_create(self, serializer):
        inst = serializer.save(organizer=self.request.organizer)
        self.request.organizer.log_action(
            'pretix.seatingplan.added',
            user=self.request.user,
            auth=self.request.auth,
            data=merge_dicts(self.request.data, {'id': inst.pk})
        )
    def perform_update(self, serializer):
        if serializer.instance.events.exists() or serializer.instance.subevents.exists():
            raise PermissionDenied('This plan can not be changed while it is in use for an event.')
        inst = serializer.save(organizer=self.request.organizer)
        self.request.organizer.log_action(
            'pretix.seatingplan.changed',
            user=self.request.user,
            auth=self.request.auth,
            data=merge_dicts(self.request.data, {'id': serializer.instance.pk})
        )
        return inst
    def perform_destroy(self, instance):
        if instance.events.exists() or instance.subevents.exists():
            raise PermissionDenied('This plan can not be deleted while it is in use for an event.')
        instance.log_action(
            'pretix.seatingplan.deleted',
            user=self.request.user,
            auth=self.request.auth,
            data={'id': instance.pk}
        )
        instance.delete()
 class GiftCardViewSet(viewsets.ModelViewSet):
    serializer_class = GiftCardSerializer
    queryset = GiftCard.objects.none()
    permission = 'can_manage_gift_cards'
    write_permission = 'can_manage_gift_cards'
    def get_queryset(self):
        return self.request.organizer.issued_gift_cards.all()
    def get_serializer_context(self):
        ctx = super().get_serializer_context()
        ctx['organizer'] = self.request.organizer
        return ctx
    @transaction.atomic()
    def perform_create(self, serializer):
        value = serializer.validated_data.pop('value')
        inst = serializer.save(issuer=self.request.organizer)
        inst.transactions.create(value=value)
        inst.log_action(
            'pretix.giftcards.transaction.manual',
            user=self.request.user,
            auth=self.request.auth,
            data=merge_dicts(self.request.data, {'id': inst.pk})
        )
    @transaction.atomic()
    def perform_update(self, serializer):
        GiftCard.objects.select_for_update().get(pk=self.get_object().pk)
        old_value = serializer.instance.value
        value = serializer.validated_data.pop('value')
        inst = serializer.save(secret=serializer.instance.secret, currency=serializer.instance.currency,
                               testmode=serializer.instance.testmode)
        diff = value - old_value
        inst.transactions.create(value=diff)
        inst.log_action(
            'pretix.giftcards.transaction.manual',
            user=self.request.user,
            auth=self.request.auth,
            data={'value': diff}
        )
        return inst
    @action(detail=True, methods=["POST"])
    @transaction.atomic()
    def transact(self, request, **kwargs):
        gc = GiftCard.objects.select_for_update().get(pk=self.get_object().pk)
        value = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
            request.data.get('value')
        )
        gc.transactions.create(value=value)
        gc.log_action(
            'pretix.giftcards.transaction.manual',
            user=self.request.user,
            auth=self.request.auth,
            data={'value': value}
        )
        return Response(GiftCardSerializer(gc).data, status=status.HTTP_200_OK)
    def perform_destroy(self, instance):
        raise MethodNotAllowed("Gift cards cannot be deleted.")
--- a/src/pretix/api/views/voucher.py
+++ b/src/pretix/api/views/voucher.py
@@ -6,6 +6,7 @@ from django.utils.timezone import now
 from django_filters.rest_framework import (
    BooleanFilter, DjangoFilterBackend, FilterSet,
 )
 from django_scopes import scopes_disabled
 from rest_framework import status, viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
@@ -15,22 +16,22 @@ from rest_framework.response import Response
 from pretix.api.serializers.voucher import VoucherSerializer
 from pretix.base.models import Voucher
 with scopes_disabled():
    class VoucherFilter(FilterSet):
        active = BooleanFilter(method='filter_active')
-class VoucherFilter(FilterSet):
+        class Meta:
-    active = BooleanFilter(method='filter_active')
+            model = Voucher
            fields = ['code', 'max_usages', 'redeemed', 'block_quota', 'allow_ignore_quota',
                      'price_mode', 'value', 'item', 'variation', 'quota', 'tag', 'subevent']
-    class Meta:
+        def filter_active(self, queryset, name, value):
-        model = Voucher
+            if value:
-        fields = ['code', 'max_usages', 'redeemed', 'block_quota', 'allow_ignore_quota',
+                return queryset.filter(Q(redeemed__lt=F('max_usages')) &
-                  'price_mode', 'value', 'item', 'variation', 'quota', 'tag', 'subevent']
+                                       (Q(valid_until__isnull=True) | Q(valid_until__gt=now())))
-
+            else:
-    def filter_active(self, queryset, name, value):
+                return queryset.filter(Q(redeemed__gte=F('max_usages')) |
-        if value:
+                                       (Q(valid_until__isnull=False) & Q(valid_until__lte=now())))
            return queryset.filter(Q(redeemed__lt=F('max_usages')) &
                                   (Q(valid_until__isnull=True) | Q(valid_until__gt=now())))
        else:
            return queryset.filter(Q(redeemed__gte=F('max_usages')) |
                                   (Q(valid_until__isnull=False) & Q(valid_until__lte=now())))
 class VoucherViewSet(viewsets.ModelViewSet):
--- a/src/pretix/api/views/waitinglist.py
+++ b/src/pretix/api/views/waitinglist.py
@@ -1,5 +1,6 @@
 import django_filters
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
 from rest_framework import viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
@@ -10,16 +11,16 @@ from pretix.api.serializers.waitinglist import WaitingListSerializer
 from pretix.base.models import WaitingListEntry
 from pretix.base.models.waitinglist import WaitingListException
 with scopes_disabled():
    class WaitingListFilter(FilterSet):
        has_voucher = django_filters.rest_framework.BooleanFilter(method='has_voucher_qs')
-class WaitingListFilter(FilterSet):
+        def has_voucher_qs(self, queryset, name, value):
-    has_voucher = django_filters.rest_framework.BooleanFilter(method='has_voucher_qs')
+            return queryset.filter(voucher__isnull=not value)
-    def has_voucher_qs(self, queryset, name, value):
+        class Meta:
-        return queryset.filter(voucher__isnull=not value)
+            model = WaitingListEntry
-
+            fields = ['item', 'variation', 'email', 'locale', 'has_voucher', 'subevent']
    class Meta:
        model = WaitingListEntry
        fields = ['item', 'variation', 'email', 'locale', 'has_voucher', 'subevent']
 class WaitingListViewSet(viewsets.ModelViewSet):
--- a/src/pretix/api/webhooks.py
+++ b/src/pretix/api/webhooks.py
@@ -8,6 +8,7 @@ from celery.exceptions import MaxRetriesExceededError
 from django.db.models import Exists, OuterRef, Q
 from django.dispatch import receiver
 from django.utils.translation import ugettext_lazy as _
 from django_scopes import scope, scopes_disabled
 from requests import RequestException
 from pretix.api.models import WebHook, WebHookCall, WebHookEventListener
@@ -203,51 +204,52 @@ def notify_webhooks(logentry_id: int):
@app.task(base=ProfiledTask, bind=True, max_retries=9)
 def send_webhook(self, logentry_id: int, action_type: str, webhook_id: int):
    # 9 retries with 2**(2*x) timing is roughly 72 hours
-    logentry = LogEntry.all.get(id=logentry_id)
+    with scopes_disabled():
-    webhook = WebHook.objects.get(id=webhook_id)
+        webhook = WebHook.objects.get(id=webhook_id)
    with scope(organizer=webhook.organizer):
        logentry = LogEntry.all.get(id=logentry_id)
        types = get_all_webhook_events()
        event_type = types.get(action_type)
        if not event_type or not webhook.enabled:
            return  # Ignore, e.g. plugin not installed
-    types = get_all_webhook_events()
+        payload = event_type.build_payload(logentry)
-    event_type = types.get(action_type)
+        t = time.time()
    if not event_type or not webhook.enabled:
        return  # Ignore, e.g. plugin not installed
    payload = event_type.build_payload(logentry)
    t = time.time()
    try:
        try:
-            resp = requests.post(
+            try:
-                webhook.target_url,
+                resp = requests.post(
-                json=payload,
+                    webhook.target_url,
-                allow_redirects=False
+                    json=payload,
-            )
+                    allow_redirects=False
-            WebHookCall.objects.create(
+                )
-                webhook=webhook,
+                WebHookCall.objects.create(
-                action_type=logentry.action_type,
+                    webhook=webhook,
-                target_url=webhook.target_url,
+                    action_type=logentry.action_type,
-                is_retry=self.request.retries > 0,
+                    target_url=webhook.target_url,
-                execution_time=time.time() - t,
+                    is_retry=self.request.retries > 0,
-                return_code=resp.status_code,
+                    execution_time=time.time() - t,
-                payload=json.dumps(payload),
+                    return_code=resp.status_code,
-                response_body=resp.text[:1024 * 1024],
+                    payload=json.dumps(payload),
-                success=200 <= resp.status_code <= 299
+                    response_body=resp.text[:1024 * 1024],
-            )
+                    success=200 <= resp.status_code <= 299
-            if resp.status_code == 410:
+                )
-                webhook.enabled = False
+                if resp.status_code == 410:
-                webhook.save()
+                    webhook.enabled = False
-            elif resp.status_code > 299:
+                    webhook.save()
                elif resp.status_code > 299:
                    raise self.retry(countdown=2 ** (self.request.retries * 2))
            except RequestException as e:
                WebHookCall.objects.create(
                    webhook=webhook,
                    action_type=logentry.action_type,
                    target_url=webhook.target_url,
                    is_retry=self.request.retries > 0,
                    execution_time=time.time() - t,
                    return_code=0,
                    payload=json.dumps(payload),
                    response_body=str(e)[:1024 * 1024]
                )
                raise self.retry(countdown=2 ** (self.request.retries * 2))
-        except RequestException as e:
+        except MaxRetriesExceededError:
-            WebHookCall.objects.create(
+            pass
                webhook=webhook,
                action_type=logentry.action_type,
                target_url=webhook.target_url,
                is_retry=self.request.retries > 0,
                execution_time=time.time() - t,
                return_code=0,
                payload=json.dumps(payload),
                response_body=str(e)[:1024 * 1024]
            )
            raise self.retry(countdown=2 ** (self.request.retries * 2))
    except MaxRetriesExceededError:
        pass
--- a/src/pretix/base/init.py
+++ b/src/pretix/base/init.py
@@ -13,7 +13,7 @@ class PretixBaseConfig(AppConfig):
        from . import invoice  # NOQA
        from . import notifications  # NOQA
        from . import email  # NOQA
-        from .services import auth, export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas, notifications  # NOQA
+        from .services import auth, checkin, export, mail, tickets, cart, orders, invoices, cleanup, update_check, quotas, notifications, vouchers  # NOQA
        try:
            from .celery_app import app as celery_app  # NOQA
--- a/src/pretix/base/auth.py
+++ b/src/pretix/base/auth.py
@@ -0,0 +1,109 @@
 from collections import OrderedDict
 from importlib import import_module
 from django import forms
 from django.conf import settings
 from django.contrib.auth import authenticate
 from django.utils.translation import gettext_lazy as _
 def get_auth_backends():
    backends = {}
    for b in settings.PRETIX_AUTH_BACKENDS:
        mod, name = b.rsplit('.', 1)
        b = getattr(import_module(mod), name)()
        backends[b.identifier] = b
    return backends
 class BaseAuthBackend:
    """
    This base class defines the interface that needs to be implemented by every class that supplies
    an authentication method to pretix. Please note that pretix authentication backends are different
    from plain Django authentication backends! Be sure to read the documentation chapter on authentication
    backends before you implement one.
    """
    @property
    def identifier(self):
        """
        A short and unique identifier for this authentication backend.
        This should only contain lowercase letters and in most cases will
        be the same as your package name.
        """
        raise NotImplementedError()
    @property
    def verbose_name(self):
        """
        A human-readable name of this authentication backend.
        """
        raise NotImplementedError()
    @property
    def visible(self):
        """
        Whether or not this backend can be selected by users actively. Set this to ``False``
        if you only implement ``request_authenticate``.
        """
        return True
    @property
    def login_form_fields(self) -> dict:
        """
        This property may return form fields that the user needs to fill in to log in.
        """
        return {}
    def form_authenticate(self, request, form_data):
        """
        This method will be called after the user filled in the login form. ``request`` will contain
        the current request and ``form_data`` the input for the form fields defined in ``login_form_fields``.
        You are expected to either return a ``User`` object (if login was successful) or ``None``.
        """
        return
    def request_authenticate(self, request):
        """
        This method will be called when the user opens the login form. If the user already has a valid session
        according to your login mechanism, for example a cookie set by a different system or HTTP header set by a
        reverse proxy, you can directly return a ``User`` object that will be logged in.
        ``request`` will contain the current request.
        You are expected to either return a ``User`` object (if login was successful) or ``None``.
        """
        return
    def authentication_url(self, request):
        """
        This method will be called to populate the URL for your authentication method's tab on the login page.
        For example, if your method works through OAuth, you could return the URL of the OAuth authorization URL the
        user needs to visit.
        If you return ``None`` (the default), the link will point to a page that shows the form defined by
        ``login_form_fields``.
        """
        return
 class NativeAuthBackend(BaseAuthBackend):
    identifier = 'native'
    verbose_name = _('pretix User')
    @property
    def login_form_fields(self) -> dict:
        """
        This property may return form fields that the user needs to fill in
        to log in.
        """
        d = OrderedDict([
            ('email', forms.EmailField(label=_("E-mail"), max_length=254,
                                       widget=forms.EmailInput(attrs={'autofocus': 'autofocus'}))),
            ('password', forms.CharField(label=_("Password"), widget=forms.PasswordInput)),
        ])
        return d
    def form_authenticate(self, request, form_data):
        u = authenticate(request=request, email=form_data['email'].lower(), password=form_data['password'])
        if u and u.auth_backend == self.identifier:
            return u
--- a/src/pretix/base/banlist.py
+++ b/src/pretix/base/banlist.py
@@ -0,0 +1,80 @@
 import re
 # banlist based on http://www.bannedwordlist.com/lists/swearWords.txt
 banlist = [
    "anal",
    "anus",
    "arse",
    "ass",
    "balls",
    "bastard",
    "bitch",
    "biatch",
    "bloody",
    "blowjob",
    "bollock",
    "bollok",
    "boner",
    "boob",
    "bugger",
    "bum",
    "butt",
    "clitoris",
    "cock",
    "coon",
    "crap",
    "cunt",
    "damn",
    "dick",
    "dildo",
    "dyke",
    "fag",
    "feck",
    "fellate",
    "fellatio",
    "felching",
    "fuck",
    "fudgepacker",
    "flange",
    "goddamn",
    "hell",
    "homo",
    "jerk",
    "jizz",
    "knobend",
    "labia",
    "lmao",
    "lmfao",
    "muff",
    "nigger",
    "nigga",
    "omg",
    "penis",
    "piss",
    "poop",
    "prick",
    "pube",
    "pussy",
    "queer",
    "scrotum",
    "sex",
    "shit",
    "sh1t",
    "slut",
    "smegma",
    "spunk",
    "tit",
    "tosser",
    "turd",
    "twat",
    "vagina",
    "wank",
    "whore",
    "wtf"
 ]
 blacklist_regex = re.compile('(' + '|'.join(banlist) + ')')
 def banned(string):
    return bool(blacklist_regex.search(string.lower()))
--- a/src/pretix/base/channels.py
+++ b/src/pretix/base/channels.py
@@ -35,6 +35,13 @@ class SalesChannel:
        """
        return "circle"
    @property
    def testmode_supported(self) -> bool:
        """
        Indication, if a saleschannels supports test mode orders
        """
        return True
 def get_all_sales_channels():
    global _ALL_CHANNELS
--- a/src/pretix/base/context.py
+++ b/src/pretix/base/context.py
@@ -0,0 +1,15 @@
 import sys
 from django.conf import settings
 def contextprocessor(request):
    ctx = {
        'rtl': getattr(request, 'LANGUAGE_CODE', 'en') in settings.LANGUAGES_RTL,
    }
    if settings.DEBUG and 'runserver' not in sys.argv:
        ctx['debug_warning'] = True
    elif 'runserver' in sys.argv:
        ctx['development_warning'] = True
    return ctx
--- a/src/pretix/base/email.py
+++ b/src/pretix/base/email.py
@@ -1,15 +1,23 @@
 import inspect
 import logging
 from datetime import timedelta
 from decimal import Decimal
 from smtplib import SMTPResponseException
 from django.conf import settings
 from django.core.mail.backends.smtp import EmailBackend
 from django.dispatch import receiver
 from django.template.loader import get_template
 from django.utils.timezone import now
 from django.utils.translation import ugettext_lazy as _
 from inlinestyler.utils import inline_css
-from pretix.base.models import Event, Order, OrderPosition
+from pretix.base.i18n import LazyCurrencyNumber, LazyDate, LazyNumber
-from pretix.base.signals import register_html_mail_renderers
+from pretix.base.models import Event
 from pretix.base.settings import PERSON_NAME_SCHEMES
 from pretix.base.signals import (
    register_html_mail_renderers, register_mail_placeholders,
 )
 from pretix.base.templatetags.rich_text import markdown_compile_email
 logger = logging.getLogger('pretix.base.email')
@@ -44,8 +52,8 @@ class BaseHTMLMailRenderer:
    def __str__(self):
        return self.identifier
-    def render(self, plain_body: str, plain_signature: str, subject: str, order: Order=None,
+    def render(self, plain_body: str, plain_signature: str, subject: str, order=None,
-               position: OrderPosition=None) -> str:
+               position=None) -> str:
        """
        This method should generate the HTML part of the email.
@@ -97,7 +105,7 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
    def template_name(self):
        raise NotImplementedError()
-    def render(self, plain_body: str, plain_signature: str, subject: str, order: Order, position: OrderPosition) -> str:
+    def render(self, plain_body: str, plain_signature: str, subject: str, order, position) -> str:
        body_md = markdown_compile_email(plain_body)
        htmlctx = {
            'site': settings.PRETIX_INSTANCE_NAME,
@@ -136,3 +144,305 @@ class ClassicMailRenderer(TemplateBasedMailRenderer):
@receiver(register_html_mail_renderers, dispatch_uid="pretixbase_email_renderers")
 def base_renderers(sender, **kwargs):
    return [ClassicMailRenderer]
 class BaseMailTextPlaceholder:
    """
    This is the base class for for all email text placeholders.
    """
    @property
    def required_context(self):
        """
        This property should return a list of all attribute names that need to be
        contained in the base context so that this placeholder is available. By default,
        it returns a list containing the string "event".
        """
        return ["event"]
    @property
    def identifier(self):
        """
        This should return the identifier of this placeholder in the email.
        """
        raise NotImplementedError()
    def render(self, context):
        """
        This method is called to generate the actual text that is being
        used in the email. You will be passed a context dictionary with the
        base context attributes specified in ``required_context``. You are
        expected to return a plain-text string.
        """
        raise NotImplementedError()
    def render_sample(self, event):
        """
        This method is called to generate a text to be used in email previews.
        This may only depend on the event.
        """
        raise NotImplementedError()
 class SimpleFunctionalMailTextPlaceholder(BaseMailTextPlaceholder):
    def __init__(self, identifier, args, func, sample):
        self._identifier = identifier
        self._args = args
        self._func = func
        self._sample = sample
    @property
    def identifier(self):
        return self._identifier
    @property
    def required_context(self):
        return self._args
    def render(self, context):
        return self._func(**{k: context[k] for k in self._args})
    def render_sample(self, event):
        if callable(self._sample):
            return self._sample(event)
        else:
            return self._sample
 def get_available_placeholders(event, base_parameters):
    if 'order' in base_parameters:
        base_parameters.append('invoice_address')
    params = {}
    for r, val in register_mail_placeholders.send(sender=event):
        if not isinstance(val, (list, tuple)):
            val = [val]
        for v in val:
            if all(rp in base_parameters for rp in v.required_context):
                params[v.identifier] = v
    return params
 def get_email_context(**kwargs):
    from pretix.base.models import InvoiceAddress
    event = kwargs['event']
    if 'order' in kwargs:
        try:
            kwargs['invoice_address'] = kwargs['order'].invoice_address
        except InvoiceAddress.DoesNotExist:
            kwargs['invoice_address'] = InvoiceAddress()
    ctx = {}
    for r, val in register_mail_placeholders.send(sender=event):
        if not isinstance(val, (list, tuple)):
            val = [val]
        for v in val:
            if all(rp in kwargs for rp in v.required_context):
                ctx[v.identifier] = v.render(kwargs)
    return ctx
 def _placeholder_payment(order, payment):
    if not payment:
        return None
    if 'payment' in inspect.signature(payment.payment_provider.order_pending_mail_render).parameters:
        return str(payment.payment_provider.order_pending_mail_render(order, payment))
    else:
        return str(payment.payment_provider.order_pending_mail_render(order))
@receiver(register_mail_placeholders, dispatch_uid="pretixbase_register_mail_placeholders")
 def base_placeholders(sender, **kwargs):
    from pretix.base.models import InvoiceAddress
    from pretix.multidomain.urlreverse import build_absolute_uri
    ph = [
        SimpleFunctionalMailTextPlaceholder(
            'event', ['event'], lambda event: event.name, lambda event: event.name
        ),
        SimpleFunctionalMailTextPlaceholder(
            'event_slug', ['event'], lambda event: event.slug, lambda event: event.slug
        ),
        SimpleFunctionalMailTextPlaceholder(
            'code', ['order'], lambda order: order.code, 'F8VVL'
        ),
        SimpleFunctionalMailTextPlaceholder(
            'total', ['order'], lambda order: LazyNumber(order.total), lambda event: LazyNumber(Decimal('42.23'))
        ),
        SimpleFunctionalMailTextPlaceholder(
            'currency', ['event'], lambda event: event.currency, lambda event: event.currency
        ),
        SimpleFunctionalMailTextPlaceholder(
            'total_with_currency', ['event', 'order'], lambda event, order: LazyCurrencyNumber(order.total,
                                                                                               event.currency),
            lambda event: LazyCurrencyNumber(Decimal('42.23'), event.currency)
        ),
        SimpleFunctionalMailTextPlaceholder(
            'expire_date', ['event', 'order'], lambda event, order: LazyDate(order.expires.astimezone(event.timezone)),
            lambda event: LazyDate(now() + timedelta(days=15))
            # TODO: This used to be "date" in some placeholders, add a migration!
        ),
        SimpleFunctionalMailTextPlaceholder(
            'url', ['order', 'event'], lambda order, event: build_absolute_uri(
                event,
                'presale:event.order.open', kwargs={
                    'order': order.code,
                    'secret': order.secret,
                    'hash': order.email_confirm_hash()
                }
            ), lambda event: build_absolute_uri(
                event,
                'presale:event.order.open', kwargs={
                    'order': 'F8VVL',
                    'secret': '6zzjnumtsx136ddy',
                    'hash': '98kusd8ofsj8dnkd'
                }
            ),
        ),
        SimpleFunctionalMailTextPlaceholder(
            'url', ['event', 'position'], lambda event, position: build_absolute_uri(
                event,
                'presale:event.order.position',
                kwargs={
                    'order': position.order.code,
                    'secret': position.web_secret,
                    'position': position.positionid
                }
            ),
            lambda event: build_absolute_uri(
                event,
                'presale:event.order.position', kwargs={
                    'order': 'F8VVL',
                    'secret': '6zzjnumtsx136ddy',
                    'position': '123'
                }
            ),
        ),
        SimpleFunctionalMailTextPlaceholder(
            'url', ['waiting_list_entry', 'event'],
            lambda waiting_list_entry, event: build_absolute_uri(
                event, 'presale:event.redeem'
            ) + '?voucher=' + waiting_list_entry.voucher.code,
            lambda event: build_absolute_uri(
                event,
                'presale:event.redeem',
            ) + '?voucher=68CYU2H6ZTP3WLK5',
        ),
        SimpleFunctionalMailTextPlaceholder(
            'invoice_name', ['invoice_address'], lambda invoice_address: invoice_address.name or '',
            _('John Doe')
        ),
        SimpleFunctionalMailTextPlaceholder(
            'invoice_company', ['invoice_address'], lambda invoice_address: invoice_address.company or '',
            _('Sample Corporation')
        ),
        SimpleFunctionalMailTextPlaceholder(
            'orders', ['event', 'orders'], lambda event, orders: '\n' + '\n\n'.join(
                '* {} - {}'.format(
                    order.full_code,
                    build_absolute_uri(event, 'presale:event.order', kwargs={
                        'event': event.slug,
                        'organizer': event.organizer.slug,
                        'order': order.code,
                        'secret': order.secret
                    }),
                )
                for order in orders
            ), lambda event: '\n' + '\n\n'.join(
                '* {} - {}'.format(
                    '{}-{}'.format(event.slug.upper(), order['code']),
                    build_absolute_uri(event, 'presale:event.order', kwargs={
                        'event': event.slug,
                        'organizer': event.organizer.slug,
                        'order': order['code'],
                        'secret': order['secret']
                    }),
                )
                for order in [
                    {'code': 'F8VVL', 'secret': '6zzjnumtsx136ddy'},
                    {'code': 'HIDHK', 'secret': '98kusd8ofsj8dnkd'},
                    {'code': 'OPKSB', 'secret': '09pjdksflosk3njd'}
                ]
            ),
        ),
        SimpleFunctionalMailTextPlaceholder(
            'hours', ['event', 'waiting_list_entry'], lambda event, waiting_list_entry:
            event.settings.waiting_list_hours,
            lambda event: event.settings.waiting_list_hours
        ),
        SimpleFunctionalMailTextPlaceholder(
            'product', ['waiting_list_entry'], lambda waiting_list_entry: waiting_list_entry.item.name,
            _('Sample Admission Ticket')
        ),
        SimpleFunctionalMailTextPlaceholder(
            'code', ['waiting_list_entry'], lambda waiting_list_entry: waiting_list_entry.voucher.code,
            '68CYU2H6ZTP3WLK5'
        ),
        SimpleFunctionalMailTextPlaceholder(
            'voucher_list', ['voucher_list'], lambda voucher_list: '\n'.join(voucher_list),
            '    68CYU2H6ZTP3WLK5\n    7MB94KKPVEPSMVF2'
        ),
        SimpleFunctionalMailTextPlaceholder(
            'url', ['event', 'voucher_list'], lambda event, voucher_list: build_absolute_uri(event, 'presale:event.index', kwargs={
                'event': event.slug,
                'organizer': event.organizer.slug,
            }), lambda event: build_absolute_uri(event, 'presale:event.index', kwargs={
                'event': event.slug,
                'organizer': event.organizer.slug,
            })
        ),
        SimpleFunctionalMailTextPlaceholder(
            'name', ['name'], lambda name: name,
            _('John Doe')
        ),
        SimpleFunctionalMailTextPlaceholder(
            'comment', ['comment'], lambda comment: comment,
            _('An individual text with a reason can be inserted here.'),
        ),
        SimpleFunctionalMailTextPlaceholder(
            'payment_info', ['order', 'payment'], _placeholder_payment,
            _('The amount has been charged to your card.'),
        ),
        SimpleFunctionalMailTextPlaceholder(
            'payment_info', ['payment_info'], lambda payment_info: payment_info,
            _('Please transfer money to this bank account: 9999-9999-9999-9999'),
        ),
        SimpleFunctionalMailTextPlaceholder(
            'attendee_name', ['position'], lambda position: position.attendee_name,
            _('John Doe'),
        ),
        SimpleFunctionalMailTextPlaceholder(
            'name', ['position_or_address'],
            lambda position_or_address: (
                position_or_address.name
                if isinstance(position_or_address, InvoiceAddress)
                else position_or_address.attendee_name
            ),
            _('John Doe'),
        ),
    ]
    name_scheme = PERSON_NAME_SCHEMES[sender.settings.name_scheme]
    for f, l, w in name_scheme['fields']:
        if f == 'full_name':
            continue
        ph.append(SimpleFunctionalMailTextPlaceholder(
            'attendee_name_%s' % f, ['position'], lambda position, f=f: position.attendee_name_parts.get(f, ''),
            name_scheme['sample'][f]
        ))
        ph.append(SimpleFunctionalMailTextPlaceholder(
            'name_%s' % f, ['position_or_address'],
            lambda position_or_address, f=f: (
                position_or_address.name_parts.get(f, '')
                if isinstance(position_or_address, InvoiceAddress)
                else position_or_address.attendee_name_parts.get(f, '')
            ),
            name_scheme['sample'][f]
        ))
    for k, v in sender.meta_data.items():
        ph.append(SimpleFunctionalMailTextPlaceholder(
            'meta_%s' % k, ['event'], lambda event, k=k: event.meta_data[k],
            v
        ))
    return ph
--- a/src/pretix/base/exporter.py
+++ b/src/pretix/base/exporter.py
@@ -71,6 +71,8 @@ class BaseExporter:
        :type form_data: dict
        :param form_data: The form data of the export details form
        :param output_file: You can optionally accept a parameter that will be given a file handle to write the
                            output to. In this case, you can return None instead of the file content.
        Note: If you use a ``ModelChoiceField`` (or a ``ModelMultipleChoiceField``), the
        ``form_data`` will not contain the model instance but only it's primary key (or
@@ -109,16 +111,22 @@ class ListExporter(BaseExporter):
        raise NotImplementedError()  # noqa
    def get_filename(self):
-        return 'export.csv'
+        return 'export'
-    def _render_csv(self, form_data, **kwargs):
+    def _render_csv(self, form_data, output_file=None, **kwargs):
-        output = io.StringIO()
+        if output_file:
-        writer = csv.writer(output, **kwargs)
+            writer = csv.writer(output_file, **kwargs)
-        for line in self.iterate_list(form_data):
+            for line in self.iterate_list(form_data):
-            writer.writerow(line)
+                writer.writerow(line)
-        return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
+            return self.get_filename() + '.csv', 'text/csv', None
        else:
            output = io.StringIO()
            writer = csv.writer(output, **kwargs)
            for line in self.iterate_list(form_data):
                writer.writerow(line)
            return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
-    def _render_xlsx(self, form_data):
+    def _render_xlsx(self, form_data, output_file=None):
        wb = Workbook()
        ws = wb.get_active_sheet()
        try:
@@ -129,20 +137,24 @@ class ListExporter(BaseExporter):
            for j, val in enumerate(line):
                ws.cell(row=i + 1, column=j + 1).value = str(val) if not isinstance(val, KNOWN_TYPES) else val
-        with tempfile.NamedTemporaryFile(suffix='.xlsx') as f:
+        if output_file:
-            wb.save(f.name)
+            wb.save(output_file)
-            f.seek(0)
+            return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', None
-            return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', f.read()
+        else:
            with tempfile.NamedTemporaryFile(suffix='.xlsx') as f:
                wb.save(f.name)
                f.seek(0)
                return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', f.read()
-    def render(self, form_data: dict) -> Tuple[str, str, bytes]:
+    def render(self, form_data: dict, output_file=None) -> Tuple[str, str, bytes]:
        if form_data.get('_format') == 'xlsx':
-            return self._render_xlsx(form_data)
+            return self._render_xlsx(form_data, output_file=output_file)
        elif form_data.get('_format') == 'default':
-            return self._render_csv(form_data, quoting=csv.QUOTE_NONNUMERIC, delimiter=',')
+            return self._render_csv(form_data, quoting=csv.QUOTE_NONNUMERIC, delimiter=',', output_file=output_file)
        elif form_data.get('_format') == 'csv-excel':
-            return self._render_csv(form_data, dialect='excel')
+            return self._render_csv(form_data, dialect='excel', output_file=output_file)
        elif form_data.get('_format') == 'semicolon':
-            return self._render_csv(form_data, dialect='excel', delimiter=';')
+            return self._render_csv(form_data, dialect='excel', delimiter=';', output_file=output_file)
 class MultiSheetListExporter(ListExporter):
@@ -180,14 +192,20 @@ class MultiSheetListExporter(ListExporter):
    def iterate_sheet(self, form_data, sheet):
        raise NotImplementedError()  # noqa
-    def _render_sheet_csv(self, form_data, sheet, **kwargs):
+    def _render_sheet_csv(self, form_data, sheet, output_file=None, **kwargs):
-        output = io.StringIO()
+        if output_file:
-        writer = csv.writer(output, **kwargs)
+            writer = csv.writer(output_file, **kwargs)
-        for line in self.iterate_sheet(form_data, sheet):
+            for line in self.iterate_sheet(form_data, sheet):
-            writer.writerow(line)
+                writer.writerow(line)
-        return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
+            return self.get_filename() + '.csv', 'text/csv', None
        else:
            output = io.StringIO()
            writer = csv.writer(output, **kwargs)
            for line in self.iterate_sheet(form_data, sheet):
                writer.writerow(line)
            return self.get_filename() + '.csv', 'text/csv', output.getvalue().encode("utf-8")
-    def _render_xlsx(self, form_data):
+    def _render_xlsx(self, form_data, output_file=None):
        wb = Workbook()
        ws = wb.get_active_sheet()
        wb.remove(ws)
@@ -197,19 +215,24 @@ class MultiSheetListExporter(ListExporter):
                for j, val in enumerate(line):
                    ws.cell(row=i + 1, column=j + 1).value = str(val) if not isinstance(val, KNOWN_TYPES) else val
-        with tempfile.NamedTemporaryFile(suffix='.xlsx') as f:
+        if output_file:
-            wb.save(f.name)
+            wb.save(output_file)
-            f.seek(0)
+            return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', None
-            return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', f.read()
+        else:
            with tempfile.NamedTemporaryFile(suffix='.xlsx') as f:
                wb.save(f.name)
                f.seek(0)
                return self.get_filename() + '.xlsx', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', f.read()
-    def render(self, form_data: dict) -> Tuple[str, str, bytes]:
+    def render(self, form_data: dict, output_file=None) -> Tuple[str, str, bytes]:
        if form_data.get('_format') == 'xlsx':
-            return self._render_xlsx(form_data)
+            return self._render_xlsx(form_data, output_file=output_file)
        elif ':' in form_data.get('_format'):
            sheet, f = form_data.get('_format').split(':')
            if f == 'default':
-                return self._render_sheet_csv(form_data, sheet, quoting=csv.QUOTE_NONNUMERIC, delimiter=',')
+                return self._render_sheet_csv(form_data, sheet, quoting=csv.QUOTE_NONNUMERIC, delimiter=',',
                                              output_file=output_file)
            elif f == 'excel':
-                return self._render_sheet_csv(form_data, sheet, dialect='excel')
+                return self._render_sheet_csv(form_data, sheet, dialect='excel', output_file=output_file)
            elif f == 'semicolon':
-                return self._render_sheet_csv(form_data, sheet, dialect='excel', delimiter=';')
+                return self._render_sheet_csv(form_data, sheet, dialect='excel', delimiter=';', output_file=output_file)
--- a/src/pretix/base/exporters/dekodi.py
+++ b/src/pretix/base/exporters/dekodi.py
@@ -129,8 +129,11 @@ class DekodiNREIExporter(BaseExporter):
            'DIDt': invoice.order.datetime.isoformat().replace('Z', '+00:00'),
            'DT': '30' if invoice.is_cancellation else '10',
            'EM': invoice.order.email,
-            'FamN': invoice.invoice_to_name.rsplit(' ', 1)[-1],
+            'FamN': invoice.invoice_to_name.rsplit(' ', 1)[-1] if invoice.invoice_to_name else '',
-            'FN': invoice.invoice_to_name.rsplit(' ', 1)[0] if ' ' in invoice.invoice_to_name else '',
+            'FN': (
                invoice.invoice_to_name.rsplit(' ', 1)[0]
                if invoice.invoice_to_name and ' ' in invoice.invoice_to_name else ''
            ),
            'IDt': invoice.date.isoformat() + 'T08:00:00+01:00',
            'INo': invoice.full_invoice_no,
            'IsNet': invoice.reverse_charge,
--- a/src/pretix/base/exporters/invoices.py
+++ b/src/pretix/base/exporters/invoices.py
@@ -20,7 +20,7 @@ class InvoiceExporter(BaseExporter):
    identifier = 'invoices'
    verbose_name = _('All invoices')
-    def render(self, form_data: dict):
+    def render(self, form_data: dict, output_file=None):
        qs = self.event.invoices.filter(shredded=False)
        if form_data.get('payment_provider'):
@@ -47,7 +47,7 @@ class InvoiceExporter(BaseExporter):
        with tempfile.TemporaryDirectory() as d:
            any = False
-            with ZipFile(os.path.join(d, 'tmp.zip'), 'w') as zipf:
+            with ZipFile(output_file or os.path.join(d, 'tmp.zip'), 'w') as zipf:
                for i in qs:
                    try:
                        if not i.file:
@@ -68,8 +68,11 @@ class InvoiceExporter(BaseExporter):
            if not any:
                return None
-            with open(os.path.join(d, 'tmp.zip'), 'rb') as zipf:
+            if output_file:
-                return '{}_invoices.zip'.format(self.event.slug), 'application/zip', zipf.read()
+                return '{}_invoices.zip'.format(self.event.slug), 'application/zip', None
            else:
                with open(os.path.join(d, 'tmp.zip'), 'rb') as zipf:
                    return '{}_invoices.zip'.format(self.event.slug), 'application/zip', zipf.read()
    @property
    def export_form_fields(self):
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -9,7 +9,7 @@ from django.utils.formats import date_format, localize
 from django.utils.translation import pgettext, ugettext as _, ugettext_lazy
 from pretix.base.models import (
-    InvoiceAddress, InvoiceLine, Order, OrderPosition,
+    InvoiceAddress, InvoiceLine, Order, OrderPosition, Question,
 )
 from pretix.base.models.orders import OrderFee, OrderPayment, OrderRefund
 from pretix.base.settings import PERSON_NAME_SCHEMES
@@ -96,7 +96,7 @@ class OrderListExporter(MultiSheetListExporter):
            for k, label, w in name_scheme['fields']:
                headers.append(label)
        headers += [
-            _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
+            _('Address'), _('ZIP code'), _('City'), _('Country'), pgettext('address', 'State'), _('VAT ID'),
            _('Date of last payment'), _('Fees'), _('Order locale')
        ]
@@ -109,6 +109,8 @@ class OrderListExporter(MultiSheetListExporter):
        headers.append(_('Invoice numbers'))
        headers.append(_('Sales channel'))
        headers.append(_('Requires special attention'))
        headers.append(_('Comment'))
        yield headers
@@ -153,10 +155,11 @@ class OrderListExporter(MultiSheetListExporter):
                    order.invoice_address.city,
                    order.invoice_address.country if order.invoice_address.country else
                    order.invoice_address.country_old,
                    order.invoice_address.state,
                    order.invoice_address.vat_id,
                ]
            except InvoiceAddress.DoesNotExist:
-                row += [''] * (7 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
+                row += [''] * (8 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
            row += [
                order.payment_date.astimezone(tz).strftime('%Y-%m-%d') if order.payment_date else '',
@@ -178,6 +181,8 @@ class OrderListExporter(MultiSheetListExporter):
            row.append(', '.join([i.number for i in order.invoices.all()]))
            row.append(order.sales_channel)
            row.append(_('Yes') if order.checkin_attention else _('No'))
            row.append(order.comment or "")
            yield row
    def iterate_fees(self, form_data: dict):
@@ -208,7 +213,7 @@ class OrderListExporter(MultiSheetListExporter):
            for k, label, w in name_scheme['fields']:
                headers.append(_('Invoice address name') + ': ' + str(label))
        headers += [
-            _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
+            _('Address'), _('ZIP code'), _('City'), _('Country'), pgettext('address', 'State'), _('VAT ID'),
        ]
        yield headers
@@ -243,10 +248,11 @@ class OrderListExporter(MultiSheetListExporter):
                    order.invoice_address.city,
                    order.invoice_address.country if order.invoice_address.country else
                    order.invoice_address.country_old,
                    order.invoice_address.state,
                    order.invoice_address.vat_id,
                ]
            except InvoiceAddress.DoesNotExist:
-                row += [''] * (7 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
+                row += [''] * (8 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
            yield row
    def iterate_positions(self, form_data: dict):
@@ -301,7 +307,7 @@ class OrderListExporter(MultiSheetListExporter):
            for k, label, w in name_scheme['fields']:
                headers.append(_('Invoice address name') + ': ' + str(label))
        headers += [
-            _('Address'), _('ZIP code'), _('City'), _('Country'), _('VAT ID'),
+            _('Address'), _('ZIP code'), _('City'), _('Country'), pgettext('address', 'State'), _('VAT ID'),
        ]
        headers.append(_('Sales channel'))
@@ -339,7 +345,12 @@ class OrderListExporter(MultiSheetListExporter):
            ]
            acache = {}
            for a in op.answers.all():
-                acache[a.question_id] = str(a)
+                # We do not want to localize Date, Time and Datetime question answers, as those can lead
                # to difficulties parsing the data (for example 2019-02-01 may become Février, 2019 01 in French).
                if a.question.type in Question.UNLOCALIZED_TYPES:
                    acache[a.question_id] = a.answer
                else:
                    acache[a.question_id] = str(a)
            for q in questions:
                row.append(acache.get(q.pk, ''))
            try:
@@ -358,10 +369,11 @@ class OrderListExporter(MultiSheetListExporter):
                    order.invoice_address.city,
                    order.invoice_address.country if order.invoice_address.country else
                    order.invoice_address.country_old,
                    order.invoice_address.state,
                    order.invoice_address.vat_id,
                ]
            except InvoiceAddress.DoesNotExist:
-                row += [''] * (7 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
+                row += [''] * (8 + (len(name_scheme['fields']) if len(name_scheme['fields']) > 1 else 0))
            row.append(order.sales_channel)
            yield row
@@ -503,6 +515,7 @@ class InvoiceDataExporter(MultiSheetListExporter):
                _('Invoice recipient:') + ' ' + _('ZIP code'),
                _('Invoice recipient:') + ' ' + _('City'),
                _('Invoice recipient:') + ' ' + _('Country'),
                _('Invoice recipient:') + ' ' + pgettext('address', 'State'),
                _('Invoice recipient:') + ' ' + _('VAT ID'),
                _('Invoice recipient:') + ' ' + _('Beneficiary'),
                _('Invoice recipient:') + ' ' + _('Internal reference'),
@@ -552,6 +565,7 @@ class InvoiceDataExporter(MultiSheetListExporter):
                    i.invoice_to_zipcode,
                    i.invoice_to_city,
                    i.invoice_to_country,
                    i.invoice_to_state,
                    i.invoice_to_vat_id,
                    i.invoice_to_beneficiary,
                    i.internal_reference,
@@ -591,6 +605,7 @@ class InvoiceDataExporter(MultiSheetListExporter):
                _('Invoice recipient:') + ' ' + _('ZIP code'),
                _('Invoice recipient:') + ' ' + _('City'),
                _('Invoice recipient:') + ' ' + _('Country'),
                _('Invoice recipient:') + ' ' + pgettext('address', 'State'),
                _('Invoice recipient:') + ' ' + _('VAT ID'),
                _('Invoice recipient:') + ' ' + _('Beneficiary'),
                _('Invoice recipient:') + ' ' + _('Internal reference'),
@@ -630,6 +645,7 @@ class InvoiceDataExporter(MultiSheetListExporter):
                    i.invoice_to_zipcode,
                    i.invoice_to_city,
                    i.invoice_to_country,
                    i.invoice_to_state,
                    i.invoice_to_vat_id,
                    i.invoice_to_beneficiary,
                    i.internal_reference,
--- a/src/pretix/base/forms/auth.py
+++ b/src/pretix/base/forms/auth.py
@@ -1,6 +1,5 @@
 from django import forms
 from django.conf import settings
 from django.contrib.auth import authenticate
 from django.contrib.auth.password_validation import (
    password_validators_help_texts, validate_password,
 )
@@ -14,32 +13,33 @@ class LoginForm(forms.Form):
    Base class for authenticating users. Extend this to get a form that accepts
    username/password logins.
    """
    email = forms.EmailField(label=_("E-mail"), max_length=254)
    password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
    keep_logged_in = forms.BooleanField(label=_("Keep me logged in"), required=False)
    error_messages = {
-        'invalid_login': _("Please enter a correct email address and password."),
+        'invalid_login': _("This combination of credentials is not known to our system."),
        'inactive': _("This account is inactive.")
    }
-    def __init__(self, request=None, *args, **kwargs):
+    def __init__(self, backend, request=None, *args, **kwargs):
        """
        The 'request' parameter is set for custom auth use by subclasses.
        The form data comes in via the standard 'data' kwarg.
        """
        self.request = request
        self.user_cache = None
        self.backend = backend
        super().__init__(*args, **kwargs)
        for k, f in backend.login_form_fields.items():
            self.fields[k] = f
        if not settings.PRETIX_LONG_SESSIONS:
            del self.fields['keep_logged_in']
        else:
            self.fields.move_to_end('keep_logged_in')
    def clean(self):
-        email = self.cleaned_data.get('email')
+        if all(k in self.cleaned_data for k, f in self.fields.items() if f.required):
-        password = self.cleaned_data.get('password')
+            self.user_cache = self.backend.form_authenticate(self.request, self.cleaned_data)
        if email and password:
            self.user_cache = authenticate(request=self.request, email=email.lower(), password=password)
            if self.user_cache is None:
                raise forms.ValidationError(
                    self.error_messages['invalid_login'],
@@ -181,3 +181,44 @@ class PasswordForgotForm(forms.Form):
    def clean_email(self):
        return self.cleaned_data['email']
 class ReauthForm(forms.Form):
    error_messages = {
        'invalid_login': _("This combination of credentials is not known to our system."),
        'inactive': _("This account is inactive.")
    }
    def __init__(self, backend, user, request=None, *args, **kwargs):
        """
        The 'request' parameter is set for custom auth use by subclasses.
        The form data comes in via the standard 'data' kwarg.
        """
        self.request = request
        self.user = user
        self.backend = backend
        super().__init__(*args, **kwargs)
        for k, f in backend.login_form_fields.items():
            self.fields[k] = f
        if 'email' in self.fields:
            self.fields['email'].disabled = True
    def clean(self):
        self.cleaned_data['email'] = self.user.email
        user_cache = self.backend.form_authenticate(self.request, self.cleaned_data)
        if user_cache != self.user:
            raise forms.ValidationError(
                self.error_messages['invalid_login'],
                code='invalid_login'
            )
        else:
            self.confirm_login_allowed(user_cache)
        return self.cleaned_data
    def confirm_login_allowed(self, user: User):
        if not user.is_active:
            raise forms.ValidationError(
                self.error_messages['inactive'],
                code='inactive',
            )
--- a/src/pretix/base/forms/questions.py
+++ b/src/pretix/base/forms/questions.py
@@ -1,17 +1,24 @@
 import copy
 import json
 import logging
 from decimal import Decimal
 from urllib.error import HTTPError
 import dateutil.parser
 import pycountry
 import pytz
 import vat_moss.errors
 import vat_moss.id
 from django import forms
 from django.contrib import messages
 from django.core.exceptions import ValidationError
 from django.db.models import QuerySet
 from django.forms import Select
 from django.utils.html import escape
 from django.utils.safestring import mark_safe
-from django.utils.translation import get_language, ugettext_lazy as _
+from django.utils.translation import (
    get_language, pgettext_lazy, ugettext_lazy as _,
 )
 from django_countries import countries
 from django_countries.fields import Country, CountryField
@@ -20,10 +27,14 @@ from pretix.base.forms.widgets import (
    TimePickerWidget, UploadedFileWidget,
 )
 from pretix.base.models import InvoiceAddress, Question, QuestionOption
-from pretix.base.models.tax import EU_COUNTRIES
+from pretix.base.models.tax import EU_COUNTRIES, cc_to_vat_prefix
-from pretix.base.settings import PERSON_NAME_SCHEMES
+from pretix.base.settings import (
    COUNTRIES_WITH_STATE_IN_ADDRESS, PERSON_NAME_SCHEMES,
    PERSON_NAME_TITLE_GROUPS,
 )
 from pretix.base.templatetags.rich_text import rich_text
 from pretix.control.forms import SplitDateTimeField
 from pretix.helpers.escapejson import escapejson_attr
 from pretix.helpers.i18n import get_format_without_seconds
 from pretix.presale.signals import question_form_fields
@@ -32,15 +43,27 @@ logger = logging.getLogger(__name__)
 class NamePartsWidget(forms.MultiWidget):
    widget = forms.TextInput
    autofill_map = {
        'given_name': 'given-name',
        'family_name': 'family-name',
        'middle_name': 'additional-name',
        'title': 'honorific-prefix',
        'full_name': 'name',
        'calling_name': 'nickname',
    }
-    def __init__(self, scheme: dict, field: forms.Field, attrs=None):
+    def __init__(self, scheme: dict, field: forms.Field, attrs=None, titles: list=None):
        widgets = []
        self.scheme = scheme
        self.field = field
        self.titles = titles
        for fname, label, size in self.scheme['fields']:
            a = copy.copy(attrs) or {}
            a['data-fname'] = fname
-            widgets.append(self.widget(attrs=a))
+            if fname == 'title' and self.titles:
                widgets.append(Select(attrs=a, choices=[('', '')] + [(d, d) for d in self.titles[1]]))
            else:
                widgets.append(self.widget(attrs=a))
        super().__init__(widgets, attrs)
    def decompress(self, value):
@@ -74,6 +97,7 @@ class NamePartsWidget(forms.MultiWidget):
                    title=self.scheme['fields'][i][1],
                    placeholder=self.scheme['fields'][i][1],
                )
                final_attrs['autocomplete'] = (self.attrs.get('autocomplete', '') + ' ' + self.autofill_map.get(self.scheme['fields'][i][0], 'off')).strip()
                final_attrs['data-size'] = self.scheme['fields'][i][2]
            output.append(widget.render(name + '_%s' % i, widget_value, final_attrs, renderer=renderer))
        return mark_safe(self.format_output(output))
@@ -99,19 +123,34 @@ class NamePartsFormField(forms.MultiValueField):
            'max_length': kwargs.pop('max_length', None),
        }
        self.scheme_name = kwargs.pop('scheme')
        self.titles = kwargs.pop('titles')
        self.scheme = PERSON_NAME_SCHEMES.get(self.scheme_name)
        if self.titles:
            self.scheme_titles = PERSON_NAME_TITLE_GROUPS.get(self.titles)
        else:
            self.scheme_titles = None
        self.one_required = kwargs.get('required', True)
        require_all_fields = kwargs.pop('require_all_fields', False)
        kwargs['required'] = False
        kwargs['widget'] = (kwargs.get('widget') or self.widget)(
-            scheme=self.scheme, field=self, **kwargs.pop('widget_kwargs', {})
+            scheme=self.scheme, titles=self.scheme_titles, field=self, **kwargs.pop('widget_kwargs', {})
        )
        defaults.update(**kwargs)
        for fname, label, size in self.scheme['fields']:
            defaults['label'] = label
-            field = forms.CharField(**defaults)
+            if fname == 'title' and self.scheme_titles:
-            field.part_name = fname
+                d = dict(defaults)
-            fields.append(field)
+                d.pop('max_length', None)
                field = forms.ChoiceField(
                    **d,
                    choices=[('', '')] + [(d, d) for d in self.scheme_titles[1]]
                )
                field.part_name = fname
                fields.append(field)
            else:
                field = forms.CharField(**defaults)
                field.part_name = fname
                fields.append(field)
        super().__init__(
            fields=fields, require_all_fields=False, *args, **kwargs
        )
@@ -156,6 +195,7 @@ class BaseQuestionsForm(forms.Form):
                max_length=255,
                required=event.settings.attendee_names_required,
                scheme=event.settings.name_scheme,
                titles=event.settings.name_scheme_titles,
                label=_('Attendee name'),
                initial=(cartpos.attendee_name_parts if cartpos else orderpos.attendee_name_parts),
            )
@@ -163,7 +203,12 @@ class BaseQuestionsForm(forms.Form):
            self.fields['attendee_email'] = forms.EmailField(
                required=event.settings.attendee_emails_required,
                label=_('Attendee email'),
-                initial=(cartpos.attendee_email if cartpos else orderpos.attendee_email)
+                initial=(cartpos.attendee_email if cartpos else orderpos.attendee_email),
                widget=forms.EmailInput(
                    attrs={
                        'autocomplete': 'email'
                    }
                )
            )
        for q in questions:
@@ -277,7 +322,7 @@ class BaseQuestionsForm(forms.Form):
            if q.dependency_question_id:
                field.widget.attrs['data-question-dependency'] = q.dependency_question_id
-                field.widget.attrs['data-question-dependency-value'] = q.dependency_value
+                field.widget.attrs['data-question-dependency-values'] = escapejson_attr(json.dumps(q.dependency_values))
                if q.type != 'M':
                    field.widget.attrs['required'] = q.required and not self.all_optional
                    field._required = q.required and not self.all_optional
@@ -293,31 +338,35 @@ class BaseQuestionsForm(forms.Form):
                self.fields[key] = value
                value.initial = data.get('question_form_data', {}).get(key)
        for k, v in self.fields.items():
            if v.widget.attrs.get('autocomplete') or k == 'attendee_name_parts':
                v.widget.attrs['autocomplete'] = 'section-{} '.format(self.prefix) + v.widget.attrs.get('autocomplete', '')
    def clean(self):
        d = super().clean()
        question_cache = {f.question.pk: f.question for f in self.fields.values() if getattr(f, 'question', None)}
-        def question_is_visible(parentid, qval):
+        def question_is_visible(parentid, qvals):
            if parentid not in question_cache:
                return False
            parentq = question_cache[parentid]
-            if parentq.dependency_question_id and not question_is_visible(parentq.dependency_question_id, parentq.dependency_value):
+            if parentq.dependency_question_id and not question_is_visible(parentq.dependency_question_id, parentq.dependency_values):
                return False
            if 'question_%d' % parentid not in d:
                return False
            dval = d.get('question_%d' % parentid)
-            if qval == 'True':
+            return (
-                return dval
+                ('True' in qvals and dval)
-            elif qval == 'False':
+                or ('False' in qvals and not dval)
-                return not dval
+                or (isinstance(dval, QuestionOption) and dval.identifier in qvals)
-            elif isinstance(dval, QuestionOption):
+                or (isinstance(dval, (list, QuerySet)) and any(qval in [o.identifier for o in dval] for qval in qvals))
-                return dval.identifier == qval
+            )
            else:
                return qval in [o.identifier for o in dval]
        def question_is_required(q):
            return (
                q.required and
-                (not q.dependency_question_id or question_is_visible(q.dependency_question_id, q.dependency_value))
+                (not q.dependency_question_id or question_is_visible(q.dependency_question_id, q.dependency_values))
            )
        if not self.all_optional:
@@ -333,13 +382,29 @@ class BaseInvoiceAddressForm(forms.ModelForm):
    class Meta:
        model = InvoiceAddress
-        fields = ('is_business', 'company', 'name_parts', 'street', 'zipcode', 'city', 'country', 'vat_id',
+        fields = ('is_business', 'company', 'name_parts', 'street', 'zipcode', 'city', 'country', 'state',
-                  'internal_reference', 'beneficiary')
+                  'vat_id', 'internal_reference', 'beneficiary')
        widgets = {
            'is_business': BusinessBooleanRadio,
-            'street': forms.Textarea(attrs={'rows': 2, 'placeholder': _('Street and Number')}),
+            'street': forms.Textarea(attrs={
                'rows': 2,
                'placeholder': _('Street and Number'),
                'autocomplete': 'street-address'
            }),
            'beneficiary': forms.Textarea(attrs={'rows': 3}),
-            'company': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
+            'country': forms.Select(attrs={
                'autocomplete': 'country',
            }),
            'zipcode': forms.TextInput(attrs={
                'autocomplete': 'postal-code',
            }),
            'city': forms.TextInput(attrs={
                'autocomplete': 'address-level2',
            }),
            'company': forms.TextInput(attrs={
                'data-display-dependency': '#id_is_business_1',
                'autocomplete': 'organization',
            }),
            'vat_id': forms.TextInput(attrs={'data-display-dependency': '#id_is_business_1'}),
            'internal_reference': forms.TextInput,
        }
@@ -377,6 +442,33 @@ class BaseInvoiceAddressForm(forms.ModelForm):
        if not event.settings.invoice_address_vatid:
            del self.fields['vat_id']
        c = [('', pgettext_lazy('address', 'Select state'))]
        fprefix = self.prefix + '-' if self.prefix else ''
        cc = None
        if fprefix + 'country' in self.data:
            cc = str(self.data[fprefix + 'country'])
        elif 'country' in self.initial:
            cc = str(self.initial['country'])
        elif self.instance and self.instance.country:
            cc = str(self.instance.country)
        if cc and cc in COUNTRIES_WITH_STATE_IN_ADDRESS:
            types, form = COUNTRIES_WITH_STATE_IN_ADDRESS[cc]
            statelist = [s for s in pycountry.subdivisions.get(country_code=cc) if s.type in types]
            c += sorted([(s.code[3:], s.name) for s in statelist], key=lambda s: s[1])
        elif fprefix + 'state' in self.data:
            self.data = self.data.copy()
            del self.data[fprefix + 'state']
        self.fields['state'] = forms.ChoiceField(
            label=pgettext_lazy('address', 'State'),
            required=False,
            choices=c,
            widget=forms.Select(attrs={
                'autocomplete': 'address-level1',
            }),
        )
        self.fields['state'].widget.is_required = True
        if not event.settings.invoice_address_required or self.all_optional:
            for k, f in self.fields.items():
                f.required = False
@@ -398,17 +490,23 @@ class BaseInvoiceAddressForm(forms.ModelForm):
            max_length=255,
            required=event.settings.invoice_name_required and not self.all_optional,
            scheme=event.settings.name_scheme,
            titles=event.settings.name_scheme_titles,
            label=_('Name'),
            initial=(self.instance.name_parts if self.instance else self.instance.name_parts),
        )
        if event.settings.invoice_address_required and not event.settings.invoice_address_company_required and not self.all_optional:
-            self.fields['name_parts'].widget.attrs['data-required-if'] = '#id_is_business_0'
+            if not event.settings.invoice_name_required:
                self.fields['name_parts'].widget.attrs['data-required-if'] = '#id_is_business_0'
            self.fields['name_parts'].widget.attrs['data-no-required-attr'] = '1'
            self.fields['company'].widget.attrs['data-required-if'] = '#id_is_business_1'
        if not event.settings.invoice_address_beneficiary:
            del self.fields['beneficiary']
        for k, v in self.fields.items():
            if v.widget.attrs.get('autocomplete') or k == 'name_parts':
                v.widget.attrs['autocomplete'] = 'section-invoice billing ' + v.widget.attrs.get('autocomplete', '')
    def clean(self):
        data = self.cleaned_data
        if not data.get('is_business'):
@@ -422,6 +520,10 @@ class BaseInvoiceAddressForm(forms.ModelForm):
        if 'vat_id' in self.changed_data or not data.get('vat_id'):
            self.instance.vat_id_validated = False
        if data.get('city') and data.get('country') and str(data['country']) in COUNTRIES_WITH_STATE_IN_ADDRESS:
            if not data.get('state'):
                self.add_error('state', _('This field is required.'))
        self.instance.name_parts = data.get('name_parts')
        if all(
@@ -433,7 +535,7 @@ class BaseInvoiceAddressForm(forms.ModelForm):
        if self.validate_vat_id and self.instance.vat_id_validated and 'vat_id' not in self.changed_data:
            pass
        elif self.validate_vat_id and data.get('is_business') and data.get('country') in EU_COUNTRIES and data.get('vat_id'):
-            if data.get('vat_id')[:2] != str(data.get('country')):
+            if data.get('vat_id')[:2] != cc_to_vat_prefix(str(data.get('country'))):
                raise ValidationError(_('Your VAT ID does not match the selected country.'))
            try:
                result = vat_moss.id.validate(data.get('vat_id'))
@@ -451,7 +553,7 @@ class BaseInvoiceAddressForm(forms.ModelForm):
                                                     'your country is currently not available. We will therefore '
                                                     'need to charge VAT on your invoice. You can get the tax amount '
                                                     'back via the VAT reimbursement process.'))
-            except vat_moss.errors.WebServiceError:
+            except (vat_moss.errors.WebServiceError, HTTPError):
                logger.exception('VAT ID checking failed for country {}'.format(data.get('country')))
                self.instance.vat_id_validated = False
                if self.request and self.vat_warning:
@@ -464,9 +566,8 @@ class BaseInvoiceAddressForm(forms.ModelForm):
 class BaseInvoiceNameForm(BaseInvoiceAddressForm):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        for f in list(self.fields.keys()):
-            if f != 'name':
+            if f != 'name_parts':
                del self.fields[f]
--- a/src/pretix/base/forms/user.py
+++ b/src/pretix/base/forms/user.py
@@ -56,6 +56,11 @@ class UserSettingsForm(forms.ModelForm):
        self.user = kwargs.pop('user')
        super().__init__(*args, **kwargs)
        self.fields['email'].required = True
        if self.user.auth_backend != 'native':
            del self.fields['old_pw']
            del self.fields['new_pw']
            del self.fields['new_pw_repeat']
            self.fields['email'].disabled = True
    def clean_old_pw(self):
        old_pw = self.cleaned_data.get('old_pw')
@@ -115,5 +120,5 @@ class User2FADeviceAddForm(forms.Form):
    name = forms.CharField(label=_('Device name'), max_length=64)
    devicetype = forms.ChoiceField(label=_('Device type'), widget=forms.RadioSelect, choices=(
        ('totp', _('Smartphone with the Authenticator application')),
-        ('u2f', _('U2F-compatible hardware token (e.g. Yubikey)')),
+        ('webauthn', _('WebAuthn-compatible hardware token (e.g. Yubikey)')),
    ))
--- a/src/pretix/base/forms/validators.py
+++ b/src/pretix/base/forms/validators.py
@@ -26,7 +26,7 @@ class PlaceholderValidator(BaseValidator):
        if value.count('{') != value.count('}'):
            raise ValidationError(
                _('Invalid placeholder syntax: You used a different number of "{" than of "}".'),
-                code='invalid',
+                code='invalid_placeholder_syntax',
            )
        data_placeholders = list(re.findall(r'({[^}]*})', value, re.X))
@@ -37,7 +37,7 @@ class PlaceholderValidator(BaseValidator):
        if invalid_placeholders:
            raise ValidationError(
                _('Invalid placeholder(s): %(value)s'),
-                code='invalid',
+                code='invalid_placeholders',
                params={'value': ", ".join(invalid_placeholders,)})
    def clean(self, x):
--- a/src/pretix/base/forms/widgets.py
+++ b/src/pretix/base/forms/widgets.py
@@ -46,6 +46,14 @@ class TimePickerWidget(forms.TimeInput):
 class UploadedFileWidget(forms.ClearableFileInput):
    def __init__(self, *args, **kwargs):
        # Browsers can't recognize that the server already has a file uploaded
        # Don't mark this input as being required if we already have an answer
        # (this needs to be done via the attrs, otherwise we wouldn't get the "required" star on the field label)
        attrs = kwargs.get('attrs', {})
        if kwargs.get('required') and kwargs.get('initial'):
            attrs.update({'required': None})
        kwargs.update({'attrs': attrs})
        self.position = kwargs.pop('position')
        self.event = kwargs.pop('event')
        self.answer = kwargs.pop('answer')
--- a/src/pretix/base/management/commands/export.py
+++ b/src/pretix/base/management/commands/export.py
@@ -0,0 +1,58 @@
 import json
 import sys
 from django.core.management.base import BaseCommand
 from django.utils.timezone import override
 from django_scopes import scope
 from pretix.base.i18n import language
 from pretix.base.models import Event, Organizer
 from pretix.base.signals import register_data_exporters
 class Command(BaseCommand):
    help = "Run an exporter to get data out of pretix"
    def add_arguments(self, parser):
        parser.add_argument('organizer_slug', nargs=1, type=str)
        parser.add_argument('event_slug', nargs=1, type=str)
        parser.add_argument('export_provider', nargs=1, type=str)
        parser.add_argument('output_file', nargs=1, type=str)
        parser.add_argument('--parameters', action='store', type=str, help='JSON-formatted parameters')
    def handle(self, *args, **options):
        try:
            o = Organizer.objects.get(slug=options['organizer_slug'][0])
        except Organizer.DoesNotExist:
            self.stderr.write(self.style.ERROR('Organizer not found.'))
            sys.exit(1)
        with scope(organizer=o):
            try:
                e = o.events.get(slug=options['event_slug'][0])
            except Event.DoesNotExist:
                self.stderr.write(self.style.ERROR('Event not found.'))
                sys.exit(1)
            with language(e.settings.locale), override(e.settings.timezone):
                responses = register_data_exporters.send(e)
                for receiver, response in responses:
                    ex = response(e)
                    if ex.identifier == options['export_provider'][0]:
                        params = json.loads(options.get('parameters') or '{}')
                        with open(options['output_file'][0], 'wb') as f:
                            try:
                                ex.render(form_data=params, output_file=f)
                            except TypeError:
                                self.stderr.write(self.style.WARNING(
                                    'Provider does not support direct file writing, need to buffer export in memory.'))
                                d = ex.render(form_data=params)
                                if d is None:
                                    self.stderr.write(self.style.ERROR('Empty export.'))
                                    sys.exit(2)
                                f.write(d[2])
                            sys.exit(0)
            self.stderr.write(self.style.ERROR('Export provider not found.'))
            sys.exit(1)
--- a/src/pretix/base/management/commands/makemigrations.py
+++ b/src/pretix/base/management/commands/makemigrations.py
@@ -23,7 +23,7 @@ modelops.AlterModelOptions.ALTER_OPTION_KEYS.remove("default_manager_name")
 modelops.AlterModelOptions.ALTER_OPTION_KEYS.remove("permissions")
 modelops.AlterModelOptions.ALTER_OPTION_KEYS.remove("default_permissions")
 IGNORED_ATTRS = [
-    # (field type, attribute name, blacklist of field sub-types)
+    # (field type, attribute name, banlist of field sub-types)
    (models.Field, 'verbose_name', []),
    (models.Field, 'help_text', []),
    (models.Field, 'validators', []),
@@ -38,8 +38,8 @@ original_deconstruct = models.Field.deconstruct
 def new_deconstruct(self):
    name, path, args, kwargs = original_deconstruct(self)
-    for ftype, attr, blacklist in IGNORED_ATTRS:
+    for ftype, attr, banlist in IGNORED_ATTRS:
-        if isinstance(self, ftype) and not any(isinstance(self, ft) for ft in blacklist):
+        if isinstance(self, ftype) and not any(isinstance(self, ft) for ft in banlist):
            kwargs.pop(attr, None)
    return name, path, args, kwargs
--- a/src/pretix/base/management/commands/migrate.py
+++ b/src/pretix/base/management/commands/migrate.py
@@ -2,7 +2,7 @@
 Django tries to be helpful by suggesting to run "makemigrations" in red font on every "migrate"
 run when there are things we have no migrations for. Usually, this is intended, and running
 "makemigrations" can really screw up the environment of a user, so we want to prevent novice
-users from doing that by going really dirty and fitlering it from the output.
+users from doing that by going really dirty and filtering it from the output.
 """
 import sys
@@ -11,13 +11,13 @@ from django.core.management.commands.migrate import Command as Parent
 class OutputFilter(OutputWrapper):
-    blacklist = (
+    banlist = (
        "Your models have changes that are not yet reflected",
        "Run 'manage.py makemigrations' to make new "
    )
    def write(self, msg, style_func=None, ending=None):
-        if any(b in msg for b in self.blacklist):
+        if any(b in msg for b in self.banlist):
            return
        super().write(msg, style_func, ending)
--- a/src/pretix/base/management/commands/runperiodic.py
+++ b/src/pretix/base/management/commands/runperiodic.py
@@ -1,3 +1,4 @@
 from django.conf import settings
 from django.core.management import call_command
 from django.core.management.base import BaseCommand
@@ -8,5 +9,12 @@ class Command(BaseCommand):
    help = "Run periodic tasks"
    def handle(self, *args, **options):
-        periodic_task.send(self)
+        for recv, resp in periodic_task.send_robust(self):
            if isinstance(resp, Exception):
                if settings.SENTRY_ENABLED:
                    from sentry_sdk import capture_exception
                    capture_exception(resp)
                else:
                    raise resp
        call_command('clearsessions')
--- a/src/pretix/base/management/commands/shell_scoped.py
+++ b/src/pretix/base/management/commands/shell_scoped.py
@@ -0,0 +1,39 @@
 import sys
 from django.apps import apps
 from django.core.management import call_command
 from django.core.management.base import BaseCommand
 from django_scopes import scope, scopes_disabled
 class Command(BaseCommand):
    def create_parser(self, *args, **kwargs):
        parser = super().create_parser(*args, **kwargs)
        parser.parse_args = lambda x: parser.parse_known_args(x)[0]
        return parser
    def handle(self, *args, **options):
        parser = self.create_parser(sys.argv[0], sys.argv[1])
        flags = parser.parse_known_args(sys.argv[2:])[1]
        if "--override" in flags:
            with scopes_disabled():
                return call_command("shell_plus", *args, **options)
        lookups = {}
        for flag in flags:
            lookup, value = flag.lstrip("-").split("=")
            lookup = lookup.split("__", maxsplit=1)
            lookups[lookup[0]] = {
                lookup[1] if len(lookup) > 1 else "pk": value
            }
        models = {
            model_name.split(".")[-1]: model_class
            for app_name, app_content in apps.all_models.items()
            for (model_name, model_class) in app_content.items()
        }
        scope_options = {
            app_name: models[app_name].objects.get(**app_value)
            for app_name, app_value in lookups.items()
        }
        with scope(**scope_options):
            return call_command("shell_plus", *args, **options)
--- a/src/pretix/base/middleware.py
+++ b/src/pretix/base/middleware.py
@@ -14,6 +14,7 @@ from django.utils.translation.trans_real import (
    parse_accept_lang_header,
 )
 from pretix.base.settings import GlobalSettingsObject
 from pretix.multidomain.urlreverse import get_domain
 _supported = None
@@ -187,6 +188,11 @@ class SecurityMiddleware(MiddlewareMixin):
        # https://github.com/pretix/pretix/issues/765
        resp['P3P'] = 'CP=\"ALL DSP COR CUR ADM TAI OUR IND COM NAV INT\"'
        img_src = []
        gs = GlobalSettingsObject()
        if gs.settings.leaflet_tiles:
            img_src.append(gs.settings.leaflet_tiles[:gs.settings.leaflet_tiles.index("/", 10)].replace("{s}", "*"))
        h = {
            'default-src': ["{static}"],
            'script-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
@@ -196,7 +202,7 @@ class SecurityMiddleware(MiddlewareMixin):
            'child-src': ['{static}', 'https://checkout.stripe.com', 'https://js.stripe.com'],
            'style-src': ["{static}", "{media}"],
            'connect-src': ["{dynamic}", "{media}", "https://checkout.stripe.com"],
-            'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"],
+            'img-src': ["{static}", "{media}", "data:", "https://*.stripe.com"] + img_src,
            'font-src': ["{static}"],
            'media-src': ["{static}", "data:"],
            # form-action is not only used to match on form actions, but also on URLs
--- a/src/pretix/base/migrations/0031_auto_20160816_0648_squashed_0048_auto_20161129_1330.py
+++ b/src/pretix/base/migrations/0031_auto_20160816_0648_squashed_0048_auto_20161129_1330.py
@@ -182,12 +182,12 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='event',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Slug'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Slug'),
        ),
        migrations.AlterField(
            model_name='organizer',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Slug'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Slug'),
        ),
        migrations.AlterField(
            model_name='voucher',
--- a/src/pretix/base/migrations/0047_auto_20161126_1300.py
+++ b/src/pretix/base/migrations/0047_auto_20161126_1300.py
@@ -23,12 +23,12 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='event',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Slug'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Slug'),
        ),
        migrations.AlterField(
            model_name='organizer',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Slug'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Slug'),
        ),
        migrations.AlterField(
            model_name='voucher',
--- a/src/pretix/base/migrations/0050_orderposition_positionid_squashed_0061_event_location.py
+++ b/src/pretix/base/migrations/0050_orderposition_positionid_squashed_0061_event_location.py
@@ -124,7 +124,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='event',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This will be used in order codes, invoice numbers, links and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This will be used in order codes, invoice numbers, links and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AddField(
            model_name='requiredaction',
@@ -179,7 +179,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='organizer',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.RunPython(
            code=merge_names,
--- a/src/pretix/base/migrations/0052_team_teaminvite_squashed_0070_auto_20170719_0910.py
+++ b/src/pretix/base/migrations/0052_team_teaminvite_squashed_0070_auto_20170719_0910.py
@@ -346,7 +346,7 @@ class Migration(migrations.Migration):
                help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily remembered, but you can also choose to use a random value. This will be used in URLs, order codes, invoice numbers, and bank transfer references.',
                validators=[django.core.validators.RegexValidator(
                    message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'),
-                    pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+                    pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AlterField(
            model_name='invoice',
--- a/src/pretix/base/migrations/0053_auto_20170104_1252.py
+++ b/src/pretix/base/migrations/0053_auto_20170104_1252.py
@@ -33,7 +33,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='event',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This will be used in order codes, invoice numbers, links and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This will be used in order codes, invoice numbers, links and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AddField(
            model_name='requiredaction',
--- a/src/pretix/base/migrations/0057_auto_20170107_1531.py
+++ b/src/pretix/base/migrations/0057_auto_20170107_1531.py
@@ -36,7 +36,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='organizer',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. This is being used in addresses and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.RunPython(merge_names, migrations.RunPython.noop)
    ]
--- a/src/pretix/base/migrations/0063_auto_20170702_1711.py
+++ b/src/pretix/base/migrations/0063_auto_20170702_1711.py
@@ -38,7 +38,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='event',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily remembered, but you can also choose to use a random value. This will be used in URLs, order codes, invoice numbers, and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters and numbers, and must be unique among your events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily remembered, but you can also choose to use a random value. This will be used in URLs, order codes, invoice numbers, and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AlterField(
            model_name='invoice',
--- a/src/pretix/base/migrations/0077_auto_20171124_1629.py
+++ b/src/pretix/base/migrations/0077_auto_20171124_1629.py
@@ -44,7 +44,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='event',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes, and must be unique among your events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily remembered, but you can also choose to use a random value. This will be used in URLs, order codes, invoice numbers, and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes, and must be unique among your events. We recommend some kind of abbreviation or a date with less than 10 characters that can be easily remembered, but you can also choose to use a random value. This will be used in URLs, order codes, invoice numbers, and bank transfer references.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AlterField(
            model_name='eventmetaproperty',
@@ -54,7 +54,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='organizer',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.CreateModel(
            name='CheckinList',
--- a/src/pretix/base/migrations/0077_auto_20171124_1629_squashed_0088_auto_20180328_1217.py
+++ b/src/pretix/base/migrations/0077_auto_20171124_1629_squashed_0088_auto_20180328_1217.py
@@ -105,7 +105,7 @@ class Migration(migrations.Migration):
                          'references.',
                validators=[django.core.validators.RegexValidator(
                    message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'),
-                    pretix.base.validators.EventSlugBlacklistValidator()], verbose_name='Short form'),
+                    pretix.base.validators.EventSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AlterField(
            model_name='eventmetaproperty',
@@ -125,7 +125,7 @@ class Migration(migrations.Migration):
                          ' events.',
                validators=[django.core.validators.RegexValidator(
                    message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'),
-                    pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+                    pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.CreateModel(
            name='CheckinList',
--- a/src/pretix/base/migrations/0098_auto_20180731_1243.py
+++ b/src/pretix/base/migrations/0098_auto_20180731_1243.py
@@ -27,7 +27,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='organizer',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', unique=True, validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', unique=True, validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AlterField(
            model_name='staffsession',
--- a/src/pretix/base/migrations/0098_auto_20180731_1243_squashed_0100_item_require_approval.py
+++ b/src/pretix/base/migrations/0098_auto_20180731_1243_squashed_0100_item_require_approval.py
@@ -29,7 +29,7 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='organizer',
            name='slug',
-            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', unique=True, validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBlacklistValidator()], verbose_name='Short form'),
+            field=models.SlugField(help_text='Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used once. This is being used in URLs to refer to your organizer accounts and your events.', unique=True, validators=[django.core.validators.RegexValidator(message='The slug may only contain letters, numbers, dots and dashes.', regex='^[a-zA-Z0-9.-]+$'), pretix.base.validators.OrganizerSlugBanlistValidator()], verbose_name='Short form'),
        ),
        migrations.AlterField(
            model_name='staffsession',
--- a/src/pretix/base/migrations/0123_auto_20190530_1035.py
+++ b/src/pretix/base/migrations/0123_auto_20190530_1035.py
@@ -0,0 +1,70 @@
 # Generated by Django 2.2.1 on 2019-05-30 10:35
 import django.db.models.deletion
 from django.db import migrations, models
 import pretix.base.models.base
 class Migration(migrations.Migration):
    dependencies = [
        ('pretixbase', '0122_orderposition_web_secret'),
    ]
    operations = [
        migrations.CreateModel(
            name='SeatingPlan',
            fields=[
                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
                ('name', models.CharField(max_length=190)),
                ('layout', models.TextField()),
                ('organizer', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='seating_plans', to='pretixbase.Organizer')),
            ],
            options={
                'abstract': False,
            },
            bases=(models.Model, pretix.base.models.base.LoggingMixin),
        ),
        migrations.CreateModel(
            name='SeatCategoryMapping',
            fields=[
                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
                ('layout_category', models.CharField(max_length=190)),
                ('event', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='seat_category_mappings', to='pretixbase.Event')),
                ('product', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='seat_category_mappings', to='pretixbase.Item')),
                ('subevent', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='seat_category_mappings', to='pretixbase.SubEvent')),
            ],
        ),
        migrations.CreateModel(
            name='Seat',
            fields=[
                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False)),
                ('name', models.CharField(max_length=190)),
                ('blocked', models.BooleanField(default=False)),
                ('event', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='seats', to='pretixbase.Event')),
                ('product', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='seats', to='pretixbase.Item')),
                ('subevent', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='seats', to='pretixbase.SubEvent')),
            ],
        ),
        migrations.AddField(
            model_name='cartposition',
            name='seat',
            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.Seat'),
        ),
        migrations.AddField(
            model_name='event',
            name='seating_plan',
            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, related_name='events', to='pretixbase.SeatingPlan'),
        ),
        migrations.AddField(
            model_name='orderposition',
            name='seat',
            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.Seat'),
        ),
        migrations.AddField(
            model_name='subevent',
            name='seating_plan',
            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, related_name='subevents', to='pretixbase.SeatingPlan'),
        ),
    ]
--- a/Show More
+++ b/Show More