Fix handling of required fields

Co-authored-by: Richard Schreiber <wiffbi@gmail.com>

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2026.3.2"
+__version__ = "2026.3.0.dev0"

src/pretix/api/views/checkin.py

@@ -1122,7 +1122,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
     permission = 'event.orders:read'
 
     def get_queryset(self):
-        qs = Checkin.all.filter(list__event=self.request.event).select_related(
+        qs = Checkin.all.filter().select_related(
             "position",
             "device",
         )

src/pretix/base/forms/auth.py

@@ -196,7 +196,8 @@ class RegistrationForm(forms.Form):
     def clean_password(self):
         password1 = self.cleaned_data.get('password', '')
         user = User(email=self.cleaned_data.get('email'))
-        validate_password(password1, user=user)
+        if validate_password(password1, user=user) is not None:
+            raise forms.ValidationError(_(password_validators_help_texts()), code='pw_invalid')
         return password1
 
     def clean_email(self):

src/pretix/base/services/mail.py

@@ -411,7 +411,7 @@ def mail_send_task(self, **kwargs) -> bool:
         try:
             outgoing_mail = OutgoingMail.objects.select_for_update(of=OF_SELF).get(pk=outgoing_mail)
         except OutgoingMail.DoesNotExist:
-            logger.info(f"Ignoring job for non existing email {outgoing_mail}")
+            logger.info(f"Ignoring job for non existing email {outgoing_mail.guid}")
             return False
         if outgoing_mail.status == OutgoingMail.STATUS_INFLIGHT:
             logger.info(f"Ignoring job for inflight email {outgoing_mail.guid}")

src/pretix/control/forms/filter.py

@@ -1528,6 +1528,133 @@ class SubEventFilterForm(FilterForm):
         return self.event.organizer.meta_properties.filter(filter_allowed=True)
 
 
+class QuotaFilterForm(FilterForm):
+    orders = {
+        '-date': ('-subevent__date_from', 'name', 'pk'),
+        'date': ('subevent__date_from', '-name', '-pk'),
+        'size': ('size', 'name', 'pk'),
+        '-size': ('-size', '-name', '-pk'),
+        'name': ('name', 'pk'),
+        '-name': ('-name', '-pk'),
+    }
+    subevent = forms.ModelChoiceField(
+        label=pgettext_lazy('subevent', 'Date'),
+        queryset=SubEvent.objects.none(),
+        required=False,
+        empty_label=pgettext_lazy('subevent', 'All dates')
+    )
+    date_from = forms.DateField(
+        label=_('Date from'),
+        required=False,
+        widget=DatePickerWidget({
+            'placeholder': _('Date from'),
+        }),
+    )
+    date_until = forms.DateField(
+        label=_('Date until'),
+        required=False,
+        widget=DatePickerWidget({
+            'placeholder': _('Date until'),
+        }),
+    )
+    time_from = forms.TimeField(
+        label=_('Start time from'),
+        required=False,
+        widget=TimePickerWidget({}),
+    )
+    time_until = forms.TimeField(
+        label=_('Start time until'),
+        required=False,
+        widget=TimePickerWidget({}),
+    )
+    weekday = forms.MultipleChoiceField(
+        label=_('Weekday'),
+        choices=(
+            ('2', _('Monday')),
+            ('3', _('Tuesday')),
+            ('4', _('Wednesday')),
+            ('5', _('Thursday')),
+            ('6', _('Friday')),
+            ('7', _('Saturday')),
+            ('1', _('Sunday')),
+        ),
+        widget=forms.CheckboxSelectMultiple,
+        required=False
+    )
+    query = forms.CharField(
+        label=_('Quota name'),
+        widget=forms.TextInput(),
+        required=False
+    )
+
+    def __init__(self, *args, **kwargs):
+        self.event = kwargs.pop('event')
+        super().__init__(*args, **kwargs)
+        if self.event.has_subevents:
+            self.fields['date_from'].widget = DatePickerWidget()
+            self.fields['date_until'].widget = DatePickerWidget()
+            self.fields['subevent'].queryset = self.event.subevents.all()
+            self.fields['subevent'].widget = Select2(
+                attrs={
+                    'data-model-select2': 'event',
+                    'data-select2-url': reverse('control:event.subevents.select2', kwargs={
+                        'event': self.event.slug,
+                        'organizer': self.event.organizer.slug,
+                    }),
+                    'data-placeholder': pgettext_lazy('subevent', 'All dates')
+                }
+            )
+            self.fields['subevent'].widget.choices = self.fields['subevent'].choices
+        else:
+            del self.fields['subevent']
+            del self.fields['date_from']
+            del self.fields['date_until']
+            del self.fields['time_from']
+            del self.fields['time_until']
+            del self.fields['weekday']
+
+    def filter_qs(self, qs):
+        fdata = self.cleaned_data
+
+        if fdata.get('weekday'):
+            qs = qs.annotate(wday=ExtractWeekDay('subevent__date_from')).filter(wday__in=fdata.get('weekday'))
+
+        if fdata.get('subevent'):
+            qs = qs.filter(subevent=fdata["subevent"])
+
+        if fdata.get('query'):
+            query = fdata.get('query')
+            qs = qs.filter(name__icontains=query)
+
+        if fdata.get('date_until'):
+            date_end = make_aware(datetime.combine(
+                fdata.get('date_until') + timedelta(days=1),
+                time(hour=0, minute=0, second=0, microsecond=0)
+            ), get_current_timezone())
+            qs = qs.filter(
+                Q(subevent__date_to__isnull=True, subevent__date_from__lt=date_end) |
+                Q(subevent__date_to__isnull=False, subevent__date_to__lt=date_end)
+            )
+        if fdata.get('date_from'):
+            date_start = make_aware(datetime.combine(
+                fdata.get('date_from'),
+                time(hour=0, minute=0, second=0, microsecond=0)
+            ), get_current_timezone())
+            qs = qs.filter(subevent__date_from__gte=date_start)
+
+        if fdata.get('time_until'):
+            qs = qs.filter(subevent__date_from__time__lte=fdata.get('time_until'))
+        if fdata.get('time_from'):
+            qs = qs.filter(subevent__date_from__time__gte=fdata.get('time_from'))
+
+        if fdata.get('ordering'):
+            qs = qs.order_by(*get_deterministic_ordering(Quota, self.get_order_by()))
+        else:
+            qs = qs.order_by('-subevent__date_from', 'name', 'pk')
+
+        return qs
+
+
 class OrganizerFilterForm(FilterForm):
     orders = {
         'slug': 'slug',

src/pretix/control/forms/item.py

@@ -43,6 +43,7 @@ from django.core.exceptions import ValidationError
 from django.db.models import Max, Q
 from django.forms import ChoiceField, RadioSelect
 from django.forms.formsets import DELETION_FIELD_NAME
+from django.forms.utils import ErrorDict
 from django.urls import reverse
 from django.utils.functional import cached_property
 from django.utils.html import escape, format_html
@@ -375,6 +376,60 @@ class QuotaForm(I18nModelForm):
         return inst
 
 
+class QuotaBulkEditForm(QuotaForm):
+
+    def __init__(self, *args, **kwargs):
+        self.mixed_values = kwargs.pop('mixed_values')
+        self.queryset = kwargs.pop('queryset')
+        super().__init__(**kwargs)
+        self.fields.pop("subevent", None)  # Would add extra complexity and it's hard to imagine a use case for that
+        self.fields["name"].required = False
+        self.fields["itemvars"].required = False
+
+    def clean(self):
+        d = super().clean()
+        if self.prefix + "name" in self.data.getlist('_bulk') and not d.get("name"):
+            raise ValidationError({"name": _("This field is required.")})
+        if self.prefix + "itemvars" in self.data.getlist('_bulk') and not d.get("itemvars"):
+            raise ValidationError({"itemvars": _("This field is required.")})
+        return d
+
+    def save(self, commit=True):
+        objs = list(self.queryset)
+        fields = set()
+
+        for k in self.fields:
+            cb_val = self.prefix + k
+            if cb_val not in self.data.getlist('_bulk'):
+                continue
+
+            fields.add(k)
+            if k == 'itemvars':
+                selected_items = set(list(self.event.items.filter(id__in=[
+                    i.split('-')[0] for i in self.cleaned_data['itemvars']
+                ])))
+                selected_variations = list(ItemVariation.objects.filter(item__event=self.event, id__in=[
+                    i.split('-')[1] for i in self.cleaned_data['itemvars'] if '-' in i
+                ]))
+                for obj in objs:
+                    obj.items.set(selected_items)
+                    obj.variations.set(selected_variations)
+            else:
+                for obj in objs:
+                    setattr(obj, k, self.cleaned_data[k])
+
+        fields = [f for f in fields if f != 'itemvars']
+        if fields:
+            Quota.objects.bulk_update(objs, fields, 200)
+
+    def full_clean(self):
+        if len(self.data) == 0:
+            # form wasn't submitted
+            self._errors = ErrorDict()
+            return
+        super().full_clean()
+
+
 class ItemCreateForm(I18nModelForm):
     NONE = 'none'
     EXISTING = 'existing'

src/pretix/control/templates/pretixcontrol/items/quota_bulk_edit.html

@@ -0,0 +1,49 @@
+{% extends "pretixcontrol/event/base.html" %}
+{% load i18n %}
+{% load bootstrap3 %}
+{% block content %}
+    <h1>
+        {% trans "Change multiple quotas" %}
+        <small>
+            {% blocktrans trimmed with number=quotas.count %}
+                {{ number }} selected
+            {% endblocktrans %}
+        </small>
+    </h1>
+    <form class="form-horizontal" action="" method="post">
+        {% csrf_token %}
+        {% bootstrap_form_errors form %}
+        <div class="hidden">
+            {% for d in quotas %}
+                <input type="hidden" name="quota" value="{{ d.pk }}">
+            {% endfor %}
+        </div>
+        <fieldset>
+            <legend>{% trans "General information" %}</legend>
+            {% bootstrap_field form.name layout="bulkedit" %}
+            {% bootstrap_field form.size layout="bulkedit" %}
+        </fieldset>
+        <fieldset>
+            <legend>{% trans "Items" %}</legend>
+            <p>
+                {% blocktrans trimmed %}
+                    Please select the products or product variations this quota should be applied to. If you apply two
+                    quotas to the same product, it will only be available if <strong>both</strong> quotas have capacity
+                    left.
+                {% endblocktrans %}
+            </p>
+            {% bootstrap_field form.itemvars layout="bulkedit" %}
+        </fieldset>
+        <fieldset>
+            <legend>{% trans "Advanced options" %}</legend>
+            {% bootstrap_field form.close_when_sold_out layout="bulkedit" %}
+            {% bootstrap_field form.release_after_exit layout="bulkedit" %}
+            {% bootstrap_field form.ignore_for_event_availability layout="bulkedit" %}
+        </fieldset>
+        <div class="form-group submit-group">
+            <button type="submit" class="btn btn-primary btn-save">
+                {% trans "Save" %}
+            </button>
+        </div>
+    </form>
+{% endblock %}

src/pretix/control/templates/pretixcontrol/items/quota_delete_bulk.html

@@ -0,0 +1,34 @@
+{% extends "pretixcontrol/event/base.html" %}
+{% load i18n %}
+{% load bootstrap3 %}
+{% block title %}{% trans "Delete quotas" %}{% endblock %}
+{% block content %}
+    <h1>{% trans "Delete quotas" %}</h1>
+    <form action="" method="post" class="form-horizontal">
+        {% csrf_token %}
+        {% if allowed %}
+            <p>{% blocktrans trimmed count num=allowed|length %}
+                Are you sure you want to delete the following quota?
+            {% plural %}
+                Are you sure you want to delete the following {{ num }} quotas?
+            {% endblocktrans %}</p>
+            <ul>
+                {% for q in allowed %}
+                    <li>
+                        {{ q }} {% if q.subevent %}({{ q.subevent }}){% endif %}
+                        <input type="hidden" name="quota" value="{{ q.pk }}">
+                    </li>
+                {% endfor %}
+            </ul>
+        {% endif %}
+        <div class="form-group submit-group">
+            <a href="{% url "control:event.items.quotas" organizer=request.event.organizer.slug event=request.event.slug %}"
+               class="btn btn-default btn-cancel">
+                {% trans "Cancel" %}
+            </a>
+            <button type="submit" class="btn btn-danger btn-save" value="delete_confirm" name="action">
+                {% trans "Delete" %}
+            </button>
+        </div>
+    </form>
+{% endblock %}

src/pretix/control/templates/pretixcontrol/items/quotas.html

@@ -1,6 +1,7 @@
 {% extends "pretixcontrol/items/base.html" %}
 {% load i18n %}
 {% load urlreplace %}
+{% load bootstrap3 %}
 {% block title %}{% trans "Quotas" %}{% endblock %}
 {% block inside %}
     <h1>{% trans "Quotas" %}</h1>
@@ -13,21 +14,12 @@
             number of a specific ticket type at the same time.
         {% endblocktrans %}
     </p>
-    {% if request.event.has_subevents %}
-        <form class="form-inline helper-display-inline" action="" method="get">
-            {% include "pretixcontrol/event/fragment_subevent_choice_simple.html" %}
-        </form>
-    {% endif %}
-    {% if quotas|length == 0 %}
+    {% if quotas|length == 0 and not filter_form.filtered %}
         <div class="empty-collection">
             <p>
-                {% if request.GET.subevent %}
-                    {% trans "Your search did not match any quotas." %}
-                {% else %}
-                    {% blocktrans trimmed %}
-                        You haven't created any quotas yet.
-                    {% endblocktrans %}
-                {% endif %}
+                {% blocktrans trimmed %}
+                    You haven't created any quotas yet.
+                {% endblocktrans %}
             </p>
 
             {% if 'event.items:write' in request.eventpermset %}
@@ -36,79 +28,160 @@
             {% endif %}
         </div>
     {% else %}
+
+        <div class="panel panel-default">
+            <div class="panel-heading">
+                <h3 class="panel-title">
+                    {% trans "Filter" %}
+                </h3>
+            </div>
+            <form class="panel-body filter-form" action="" method="get">
+                <div class="row">
+                    <div class="{% if not filter_form.subevent %}col-lg-6{% else %}col-lg-2{% endif %} col-md-6 col-sm-6 col-xs-12">
+                        {% bootstrap_field filter_form.query %}
+                    </div>
+                    {% if filter_form.subevent %}
+                        <div class="col-lg-2 col-md-6 col-md-2 col-sm-6 col-xs-12">
+                            {% bootstrap_field filter_form.subevent %}
+                        </div>
+                        <div class="col-lg-2 col-md-3 col-sm-6 col-xs-12">
+                            {% bootstrap_field filter_form.date_from %}
+                        </div>
+                        <div class="col-lg-2 col-md-3 col-sm-6 col-xs-12">
+                            {% bootstrap_field filter_form.date_until %}
+                        </div>
+                        <div class="col-lg-2 col-md-3 col-sm-6 col-xs-12">
+                            {% bootstrap_field filter_form.time_from %}
+                        </div>
+                        <div class="col-lg-2 col-md-3 col-sm-6 col-xs-12">
+                            {% bootstrap_field filter_form.time_until %}
+                        </div>
+                        <div class="col-xs-12 one-line-checkboxes">
+                            {% bootstrap_field filter_form.weekday %}
+                        </div>
+                    {% endif %}
+                </div>
+
+                <div class="text-right flip">
+                    <button class="btn btn-primary btn-lg" type="submit">
+                        <span class="fa fa-filter"></span>
+                        {% trans "Filter" %}
+                    </button>
+                </div>
+            </form>
+        </div>
         {% if 'event.items:write' in request.eventpermset %}
             <p>
                 <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}" class="btn btn-default"><i class="fa fa-plus"></i> {% trans "Create a new quota" %}
                 </a>
             </p>
         {% endif %}
-        <div class="table-responsive">
-            <table class="table table-hover table-quotas">
-                <thead>
-                <tr>
-                    <th>{% trans "Quota name" %}
-                        <a href="?{% url_replace request 'ordering' '-name' %}"><i class="fa fa-caret-down"></i></a>
-                        <a href="?{% url_replace request 'ordering' 'name' %}"><i class="fa fa-caret-up"></i></a>
-                    </th>
-                    <th>{% trans "Products" %}</th>
-                    {% if request.event.has_subevents %}
-                        <th>{% trans "Date" context "subevent" %}
-                            <a href="?{% url_replace request 'ordering' '-date' %}"><i class="fa fa-caret-down"></i></a>
-                            <a href="?{% url_replace request 'ordering' 'date' %}"><i class="fa fa-caret-up"></i></a>
-                        </th>
-                    {% endif %}
-                    <th>{% trans "Total capacity" %}
-                        <a href="?{% url_replace request 'ordering' '-size' %}"><i class="fa fa-caret-down"></i></a>
-                        <a href="?{% url_replace request 'ordering' 'size' %}"><i class="fa fa-caret-up"></i></a>
-                    </th>
-                    <th>{% trans "Capacity left" %}</th>
-                    <th class="action-col-2"></th>
-                </tr>
-                </thead>
-                <tbody>
-                {% for q in quotas %}
+        <form action="{% url "control:event.items.quotas.bulkaction"  organizer=request.event.organizer.slug event=request.event.slug %}" method="post">
+            {% csrf_token %}
+            {% for field in filter_form %}
+                {{ field.as_hidden }}
+            {% endfor %}
+            <div class="table-responsive">
+                <table class="table table-hover table-quotas">
+                    <thead>
                     <tr>
-                        <td>
-                            <strong><a href="{% url "control:event.items.quotas.show" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}">{{ q.name }}</a></strong>
-                            {% if q.ignore_for_event_availability %}
-                                <span class="fa fa-eye-slash text-muted" data-toggle="tooltip" title="{% trans "Ignore this quota when determining event availability" %}"></span>
-                            {% endif %}
-                        </td>
-                        <td>
-                            <ul>
-                                {% for item in q.cached_items %}
-                                    {% if not item.has_variations %}
-                                        <li><a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=item.id %}">{{ item }}</a></li>
-                                    {% endif %}
-                                {% endfor %}
-                                {% for v in q.variations.all %}
-                                    <li><a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=v.item.id %}#tab-0-3-open">
-                                        {{ v.item }} – {{ v }}</a></li>
-                                {% endfor %}
-                            </ul>
-                        </td>
-                        {% if request.event.has_subevents %}
-                            <td>
-                                {{ q.subevent.name }} – {{ q.subevent.get_date_range_display_with_times }}
-                            </td>
+                        {% if "event.items:write" in request.eventpermset %}
+                            <th>
+                                <label aria-label="{% trans "select all rows for batch-operation" %}" class="batch-select-label"><input type="checkbox" data-toggle-table/></label>
+                            </th>
                         {% endif %}
-                        <td>{% if q.size == None %}Unlimited{% else %}{{ q.size }}{% endif %}</td>
-                        <td>{% include "pretixcontrol/items/fragment_quota_availability.html" with availability=q.cached_avail closed=q.closed %}</td>
-                        <td class="text-right flip">
-                            {% if 'event.items:write' in request.eventpermset %}
-                                <a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
-                                <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}"
-                                   class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
-                                    <span class="fa fa-copy"></span>
-                                </a>
-                                <a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
-                            {% endif %}
-                        </td>
+                        <th>{% trans "Quota name" %}
+                            <a href="?{% url_replace request 'filter-ordering' '-name' %}"><i class="fa fa-caret-down"></i></a>
+                            <a href="?{% url_replace request 'filter-ordering' 'name' %}"><i class="fa fa-caret-up"></i></a>
+                        </th>
+                        <th>{% trans "Products" %}</th>
+                        {% if request.event.has_subevents %}
+                            <th>{% trans "Date" context "subevent" %}
+                                <a href="?{% url_replace request 'filter-ordering' '-date' %}"><i class="fa fa-caret-down"></i></a>
+                                <a href="?{% url_replace request 'filter-ordering' 'date' %}"><i class="fa fa-caret-up"></i></a>
+                            </th>
+                        {% endif %}
+                        <th>{% trans "Total capacity" %}
+                            <a href="?{% url_replace request 'filter-ordering' '-size' %}"><i class="fa fa-caret-down"></i></a>
+                            <a href="?{% url_replace request 'filter-ordering' 'size' %}"><i class="fa fa-caret-up"></i></a>
+                        </th>
+                        <th>{% trans "Capacity left" %}</th>
+                        <th class="action-col-2"></th>
                     </tr>
-                {% endfor %}
-                </tbody>
-            </table>
-        </div>
+                    {% if "event.items:write" in request.eventpermset and page_obj.paginator.num_pages > 1 %}
+                        <tr class="table-select-all warning hidden">
+                            <td>
+                                <input type="checkbox" name="__ALL" id="__all" data-results-total="{{ page_obj.paginator.count }}">
+                            </td>
+                            <td colspan="6">
+                                <label for="__all">
+                                    {% trans "Select all results on other pages as well" %}
+                                </label>
+                            </td>
+                        </tr>
+                    {% endif %}
+                    </thead>
+                    <tbody>
+                    {% for q in quotas %}
+                        <tr>
+                            {% if "event.items:write" in request.eventpermset %}
+                                <td>
+                                    <label aria-label="{% trans "select row for batch-operation" %}" class="batch-select-label"><input type="checkbox" name="quota" class="batch-select-checkbox" value="{{ q.pk }}"/></label>
+                                </td>
+                            {% endif %}
+                            <td>
+                                <strong><a href="{% url "control:event.items.quotas.show" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}">{{ q.name }}</a></strong>
+                                {% if q.ignore_for_event_availability %}
+                                    <span class="fa fa-eye-slash text-muted" data-toggle="tooltip" title="{% trans "Ignore this quota when determining event availability" %}"></span>
+                                {% endif %}
+                            </td>
+                            <td>
+                                <ul>
+                                    {% for item in q.cached_items %}
+                                        {% if not item.has_variations %}
+                                            <li><a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=item.id %}">{{ item }}</a></li>
+                                        {% endif %}
+                                    {% endfor %}
+                                    {% for v in q.variations.all %}
+                                        <li><a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=v.item.id %}#tab-0-3-open">
+                                            {{ v.item }} – {{ v }}</a></li>
+                                    {% endfor %}
+                                </ul>
+                            </td>
+                            {% if request.event.has_subevents %}
+                                <td>
+                                    {{ q.subevent.name }} – {{ q.subevent.get_date_range_display_with_times }}
+                                </td>
+                            {% endif %}
+                            <td>{% if q.size == None %}Unlimited{% else %}{{ q.size }}{% endif %}</td>
+                            <td>{% include "pretixcontrol/items/fragment_quota_availability.html" with availability=q.cached_avail closed=q.closed %}</td>
+                            <td class="text-right flip">
+                                {% if 'event.items:write' in request.eventpermset %}
+                                    <a href="{% url "control:event.items.quotas.edit" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-default btn-sm"><i class="fa fa-edit"></i></a>
+                                    <a href="{% url "control:event.items.quotas.add" organizer=request.event.organizer.slug event=request.event.slug %}?copy_from={{ q.id }}"
+                                       class="btn btn-sm btn-default" title="{% trans "Clone" %}" data-toggle="tooltip">
+                                        <span class="fa fa-copy"></span>
+                                    </a>
+                                    <a href="{% url "control:event.items.quotas.delete" organizer=request.event.organizer.slug event=request.event.slug quota=q.id %}" class="btn btn-danger btn-sm"><i class="fa fa-trash"></i></a>
+                                {% endif %}
+                            </td>
+                        </tr>
+                    {% endfor %}
+                    </tbody>
+                </table>
+            </div>
+            {% if "event.items:write" in request.eventpermset %}
+                <div class="batch-select-actions">
+                    <button type="submit" class="btn btn-danger btn-save" name="action" value="delete">
+                        <i class="fa fa-trash"></i>{% trans "Delete selected" %}
+                    </button>
+                    <button type="submit" class="btn btn-primary btn-save" name="action" value="edit"
+                            formaction="{% url "control:event.items.quotas.bulkedit"  organizer=request.event.organizer.slug event=request.event.slug %}">
+                        <i class="fa fa-edit"></i>{% trans "Edit selected" %}
+                    </button>
+                </div>
+            {% endif %}
+        </form>
     {% endif %}
     {% include "pretixcontrol/pagination.html" %}
 {% endblock %}

src/pretix/control/urls.py

@@ -349,6 +349,8 @@ urlpatterns = [
                 name='event.items.questions.edit'),
         re_path(r'^questions/add$', item.QuestionCreate.as_view(), name='event.items.questions.add'),
         re_path(r'^quotas/$', item.QuotaList.as_view(), name='event.items.quotas'),
+        re_path(r'^quotas/bulk_action$', item.QuotaBulkAction.as_view(), name='event.items.quotas.bulkaction'),
+        re_path(r'^quotas/bulk_edit$', item.QuotaBulkUpdateView.as_view(), name='event.items.quotas.bulkedit'),
         re_path(r'^quotas/(?P<quota>\d+)/$', item.QuotaView.as_view(), name='event.items.quotas.show'),
         re_path(r'^quotas/select$', typeahead.quotas_select2, name='event.items.quotas.select2'),
         re_path(r'^quotas/(?P<quota>\d+)/change$', item.QuotaUpdate.as_view(), name='event.items.quotas.edit'),

src/pretix/control/views/item.py

@@ -41,21 +41,22 @@ from json.decoder import JSONDecodeError
 from django.contrib import messages
 from django.core.exceptions import PermissionDenied
 from django.core.files import File
-from django.db import transaction
+from django.db import models, transaction
 from django.db.models import (
-    Count, Exists, F, OuterRef, Prefetch, ProtectedError, Q,
+    Count, Exists, F, OuterRef, Prefetch, ProtectedError, Q, Subquery, Value,
 )
+from django.db.models.functions import Cast, Concat
 from django.forms.models import inlineformset_factory
 from django.http import (
     Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect,
 )
-from django.shortcuts import redirect
+from django.shortcuts import redirect, render
 from django.urls import resolve, reverse
 from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext, gettext_lazy as _
 from django.views.decorators.http import require_http_methods
-from django.views.generic import ListView
+from django.views.generic import FormView, ListView, View
 from django.views.generic.detail import DetailView, SingleObjectMixin
 from django_countries.fields import Country
 
@@ -65,7 +66,7 @@ from pretix.api.serializers.item import (
 )
 from pretix.base.forms import I18nFormSet
 from pretix.base.models import (
-    CartPosition, Item, ItemCategory, ItemProgramTime, ItemVariation,
+    CartPosition, Item, ItemCategory, ItemProgramTime, ItemVariation, LogEntry,
     OrderPosition, Question, QuestionAnswer, QuestionOption, Quota,
     SeatCategoryMapping, Voucher,
 )
@@ -74,12 +75,15 @@ from pretix.base.models.items import ItemAddOn, ItemBundle, ItemMetaValue
 from pretix.base.services.quotas import QuotaAvailability
 from pretix.base.services.tickets import invalidate_cache
 from pretix.base.signals import quota_availability
-from pretix.control.forms.filter import QuestionAnswerFilterForm
+from pretix.control.forms.filter import (
+    QuestionAnswerFilterForm, QuotaFilterForm,
+)
 from pretix.control.forms.item import (
     CategoryForm, ItemAddOnForm, ItemAddOnsFormSet, ItemBundleForm,
     ItemBundleFormSet, ItemCreateForm, ItemMetaValueForm, ItemProgramTimeForm,
     ItemProgramTimeFormSet, ItemUpdateForm, ItemVariationForm,
-    ItemVariationsFormSet, QuestionForm, QuestionOptionForm, QuotaForm,
+    ItemVariationsFormSet, QuestionForm, QuestionOptionForm, QuotaBulkEditForm,
+    QuotaForm,
 )
 from pretix.control.permissions import (
     EventPermissionRequiredMixin, event_permission_required,
@@ -87,6 +91,7 @@ from pretix.control.permissions import (
 from pretix.control.signals import item_forms, item_formsets
 from pretix.helpers.models import modelcopy
 
+from ...helpers import GroupConcat
 from ...helpers.compat import CompatDeleteView
 from . import ChartContainingView, CreateView, PaginationMixin, UpdateView
 
@@ -831,13 +836,38 @@ class QuestionCreate(EventPermissionRequiredMixin, QuestionMixin, CreateView):
         return ret
 
 
-class QuotaList(PaginationMixin, ListView):
+class QuotaQueryMixin:
+
+    @cached_property
+    def request_data(self):
+        if self.request.method == "POST":
+            return self.request.POST
+        return self.request.GET
+
+    def get_queryset(self):
+        qs = self.request.event.quotas
+        if self.filter_form.is_valid():
+            qs = self.filter_form.filter_qs(qs)
+
+        if 'quota' in self.request_data and '__ALL' not in self.request_data:
+            qs = qs.filter(
+                id__in=self.request_data.getlist('quota')
+            )
+
+        return qs
+
+    @cached_property
+    def filter_form(self):
+        return QuotaFilterForm(data=self.request_data, prefix='filter', event=self.request.event)
+
+
+class QuotaList(PaginationMixin, QuotaQueryMixin, ListView):
     model = Quota
     context_object_name = 'quotas'
     template_name = 'pretixcontrol/items/quotas.html'
 
     def get_queryset(self):
-        qs = self.request.event.quotas.prefetch_related(
+        return super().get_queryset().prefetch_related(
             Prefetch(
                 "items",
                 queryset=Item.objects.annotate(
@@ -852,28 +882,10 @@ class QuotaList(PaginationMixin, ListView):
                 queryset=self.request.event.subevents.all()
             )
         )
-        if self.request.GET.get("subevent", "") != "":
-            s = self.request.GET.get("subevent", "")
-            qs = qs.filter(subevent_id=s)
-
-        valid_orders = {
-            '-date': ('-subevent__date_from', 'name', 'pk'),
-            'date': ('subevent__date_from', '-name', '-pk'),
-            'size': ('size', 'name', 'pk'),
-            '-size': ('-size', '-name', '-pk'),
-            'name': ('name', 'pk'),
-            '-name': ('-name', '-pk'),
-        }
-
-        if self.request.GET.get("ordering", "-date") in valid_orders:
-            qs = qs.order_by(*valid_orders[self.request.GET.get("ordering", "-date")])
-        else:
-            qs = qs.order_by('name', 'subevent__date_from', 'pk')
-
-        return qs
 
     def get_context_data(self, **kwargs):
         ctx = super().get_context_data()
+        ctx['filter_form'] = self.filter_form
 
         qa = QuotaAvailability()
         qa.queue(*ctx['quotas'])
@@ -884,6 +896,165 @@ class QuotaList(PaginationMixin, ListView):
         return ctx
 
 
+class QuotaBulkAction(QuotaQueryMixin, EventPermissionRequiredMixin, View):
+    permission = 'event.items:write'
+
+    @transaction.atomic
+    def post(self, request, *args, **kwargs):
+        if request.POST.get('action') == 'delete':
+            return render(request, 'pretixcontrol/items/quota_delete_bulk.html', {
+                'allowed': self.get_queryset().select_related("subevent"),
+            })
+        elif request.POST.get('action') == 'delete_confirm':
+            log_entries = []
+            to_delete = []
+            for obj in self.get_queryset():
+                log_entries.append(obj.log_action('pretix.event.quota.deleted', user=self.request.user, save=False))
+                to_delete.append(obj.pk)
+
+            if to_delete:
+                LogEntry.bulk_create_and_postprocess(log_entries)
+                Quota.objects.filter(pk__in=to_delete).delete()
+            messages.success(request, _('The selected quotas have been deleted or disabled.'))
+        return redirect(self.get_success_url())
+
+    def get_success_url(self) -> str:
+        return reverse('control:event.items.quotas', kwargs={
+            'organizer': self.request.event.organizer.slug,
+            'event': self.request.event.slug,
+        })
+
+
+class QuotaBulkUpdateView(QuotaQueryMixin, EventPermissionRequiredMixin, FormView):
+    template_name = 'pretixcontrol/items/quota_bulk_edit.html'
+    permission = 'event.items:write'
+    context_object_name = 'quota'
+    form_class = QuotaBulkEditForm
+
+    def get_queryset(self):
+        return super().get_queryset().prefetch_related(None).order_by()
+
+    def get(self, request, *args, **kwargs):
+        return HttpResponse(status=405)
+
+    @cached_property
+    def is_submitted(self):
+        # Usually, django considers a form "bound" / "submitted" on every POST request. However, this view is always
+        # called with POST method, even if just to pass the selection of objects to work on, so we want to modify
+        # that behaviour
+        return '_bulk' in self.request.POST
+
+    def get_form_kwargs(self):
+        initial = {}
+        mixed_values = set()
+        qs = self.get_queryset().annotate(
+            items_list=Subquery(
+                Quota.items.through.objects.filter(
+                    quota_id=OuterRef('pk'),
+                    item__variations__isnull=True,
+                ).order_by().values('quota_id').annotate(
+                    g=GroupConcat('item_id', separator=',', ordered=True)
+                ).values('g')
+            ),
+            vars_list=Subquery(
+                Quota.variations.through.objects.filter(
+                    quota_id=OuterRef('pk')
+                ).order_by().values('quota_id').annotate(
+                    g=GroupConcat(
+                        Concat(
+                            Cast(F('itemvariation__item_id'), output_field=models.TextField()),
+                            Value('-', output_field=models.TextField()),
+                            Cast(F('itemvariation_id'), output_field=models.TextField()),
+                        ),
+                        separator=',',
+                        ordered=True
+                    )
+                ).values('g')
+            ),
+        )
+
+        fields = {
+            'name': 'name',
+            'size': 'size',
+            'subevent': 'subevent',
+            'close_when_sold_out': 'close_when_sold_out',
+            'release_after_exit': 'release_after_exit',
+            'ignore_for_event_availability': 'ignore_for_event_availability',
+        }
+        for k, f in fields.items():
+            existing_values = list(qs.order_by(f).values(f).annotate(c=Count('*')))
+            if len(existing_values) == 1:
+                initial[k] = existing_values[0][f]
+            elif len(existing_values) > 1:
+                mixed_values.add(k)
+                initial[k] = None
+
+        item_values = list(qs.order_by("items_list").values("items_list").annotate(c=Count('*')))
+        var_values = list(qs.order_by("vars_list").values("vars_list").annotate(c=Count('*')))
+        if len(item_values) > 1 or len(var_values) > 1:
+            mixed_values.add("itemvars")
+        else:
+            initial["itemvars"] = [iv for iv in (item_values[0]["items_list"] or "").split(",") + (var_values[0]["vars_list"] or "").split(",") if iv]
+
+        kwargs = super().get_form_kwargs()
+        kwargs['event'] = self.request.event
+        kwargs['prefix'] = 'bulkedit'
+        kwargs['initial'] = initial
+        kwargs['queryset'] = self.get_queryset()
+        kwargs['mixed_values'] = mixed_values
+        if not self.is_submitted:
+            kwargs['data'] = None
+            kwargs['files'] = None
+        return kwargs
+
+    def get_success_url(self):
+        return reverse('control:event.items.quotas', kwargs={
+            'organizer': self.request.event.organizer.slug,
+            'event': self.request.event.slug,
+        })
+
+    @transaction.atomic()
+    def form_valid(self, form):
+        log_entries = []
+
+        # Main form
+        form.save()
+        data = {
+            k: v
+            for k, v in form.cleaned_data.items()
+            if k in form.changed_data
+        }
+        data['_raw_bulk_data'] = self.request.POST.dict()
+        for obj in self.get_queryset():
+            log_entries.append(
+                obj.log_action('pretix.event.quota.changed', data=data, user=self.request.user, save=False)
+            )
+
+        LogEntry.bulk_create_and_postprocess(log_entries)
+
+        messages.success(self.request, _('Your changes have been saved.'))
+        return super().form_valid(form)
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data(**kwargs)
+        ctx['quotas'] = self.get_queryset()
+        ctx['bulk_selected'] = self.request.POST.getlist("_bulk")
+        return ctx
+
+    def post(self, request, *args, **kwargs):
+        form = self.get_form()
+        is_valid = (
+            self.is_submitted and
+            form.is_valid()
+        )
+        if is_valid:
+            return self.form_valid(form)
+        else:
+            if self.is_submitted:
+                messages.error(self.request, _('We could not save your changes. See below for details.'))
+            return self.form_invalid(form)
+
+
 class QuotaCreate(EventPermissionRequiredMixin, CreateView):
     model = Quota
     form_class = QuotaForm

src/pretix/helpers/database.py

@@ -117,12 +117,17 @@ class GroupConcat(Aggregate):
             template = "%(function)s(%(distinct)s%(field)s::text, '%(separator)s' ORDER BY %(field)s::text ASC)"
         else:
             template = "%(function)s(%(distinct)s%(field)s::text, '%(separator)s')"
-        return super().as_sql(
+
+        template, params = super().as_sql(
             compiler, connection,
             function='string_agg',
             template=template,
             **extra_context,
         )
+        if self.ordered:
+            # ordered statement requires field parameters twice
+            params = params + params
+        return template, params
 
 
 class ReplicaRouter:

src/pretix/locale/de/wordlist.txt

@@ -32,7 +32,6 @@ ausgecheckt
 ausgeklappt
 auswahl
 Authentication
-Authenticator
 Authenticator-App
 Autorisierungscode
 Autorisierungs-Endpunktes
@@ -131,7 +130,6 @@ Eingangsscan
 Einlassbuchung
 Einlassdatum
 Einlasskontrolle
-Einmalpasswörter
 einzuchecken
 email
 E-Mail-Renderer
@@ -165,7 +163,6 @@ Explorer
 FA
 Favicon
 F-Droid
-freeOTP
 Footer
 Footer-Link
 Footer-Text
@@ -560,7 +557,6 @@ Zahlungs-ID
 Zahlungspflichtig
 Zehnerkarten
 Zeitbasiert
-zeitbasierte
 Zeitslotbuchung
 Zimpler
 ZIP-Datei

src/pretix/locale/de_Informal/wordlist.txt

@@ -32,7 +32,6 @@ ausgecheckt
 ausgeklappt
 auswahl
 Authentication
-Authenticator
 Authenticator-App
 Autorisierungscode
 Autorisierungs-Endpunktes
@@ -131,7 +130,6 @@ Eingangsscan
 Einlassbuchung
 Einlassdatum
 Einlasskontrolle
-Einmalpasswörter
 einzuchecken
 email
 E-Mail-Renderer
@@ -165,7 +163,6 @@ Explorer
 FA
 Favicon
 F-Droid
-freeOTP
 Footer
 Footer-Link
 Footer-Text
@@ -560,7 +557,6 @@ Zahlungs-ID
 Zahlungspflichtig
 Zehnerkarten
 Zeitbasiert
-zeitbasierte
 Zeitslotbuchung
 Zimpler
 ZIP-Datei

src/pretix/locale/djangojs.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-30 11:25+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

src/pretix/locale/es/LC_MESSAGES/djangojs.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-03-17 14:06+0000\n"
-"PO-Revision-Date: 2026-03-30 03:00+0000\n"
+"PO-Revision-Date: 2026-03-18 12:23+0000\n"
 "Last-Translator: CVZ-es <damien.bremont@casadevelazquez.org>\n"
 "Language-Team: Spanish <https://translate.pretix.eu/projects/pretix/pretix-"
 "js/es/>\n"
@@ -329,7 +329,7 @@ msgstr "Pedido no aprobado"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:68
 msgid "Checked-in Tickets"
-msgstr "Billetes registrados"
+msgstr "Registro de código QR"
 
 #: pretix/plugins/webcheckin/static/pretixplugins/webcheckin/main.js:69
 msgid "Valid Tickets"

src/pretix/locale/wordlist.txt

@@ -12,7 +12,6 @@ anonymized
 Auth
 authentification
 authenticator
-Authenticator
 automatical
 availabilities
 backend
@@ -23,7 +22,6 @@ barcodes
 Bcc
 BCC
 BezahlCode
-biometric
 BLIK
 blocklist
 BN
@@ -58,7 +56,6 @@ EPS
 eps
 favicon
 filetype
-freeOTP
 frontend
 frontpage
 Galician

src/pretix/plugins/ticketoutputpdf/api.py

@@ -229,11 +229,6 @@ class TicketRendererViewSet(viewsets.ViewSet):
     @action(detail=False, methods=['GET'], url_name='download', url_path='download/(?P<asyncid>[^/]+)/(?P<cfid>[^/]+)')
     def download(self, *args, **kwargs):
         cf = get_object_or_404(CachedFile, id=kwargs['cfid'])
-        if not cf.allowed_for_session(self.request, "ticketoutputpdf-api"):
-            return Response(
-                {'status': 'failed', 'message': 'Unknown file ID or export failed'},
-                status=status.HTTP_410_GONE
-            )
         if cf.file:
             resp = ChunkBasedFileResponse(cf.file.file, content_type=cf.type)
             resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename).encode("ascii", "ignore")
@@ -270,7 +265,6 @@ class TicketRendererViewSet(viewsets.ViewSet):
         serializer.is_valid(raise_exception=True)
 
         cf = CachedFile(web_download=False)
-        cf.bind_to_session(self.request, "ticketoutputpdf-api")
         cf.date = now()
         cf.expires = now() + timedelta(hours=24)
         cf.save()

src/pretix/presale/forms/customer.py

@@ -28,7 +28,7 @@ from django import forms
 from django.conf import settings
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.password_validation import (
-    MinimumLengthValidator, get_password_validators, validate_password,
+    get_password_validators, password_validators_help_texts, validate_password,
 )
 from django.contrib.auth.tokens import PasswordResetTokenGenerator
 from django.core import signing
@@ -300,12 +300,13 @@ class SetPasswordForm(forms.Form):
     )
     password = forms.CharField(
         label=_('Password'),
-        widget=forms.PasswordInput(attrs={'autocomplete': 'new-password'}),
+        widget=forms.PasswordInput(attrs={'minlength': '8', 'autocomplete': 'new-password'}),
         max_length=4096,
+        required=True
     )
     password_repeat = forms.CharField(
         label=_('Repeat password'),
-        widget=forms.PasswordInput(attrs={'autocomplete': 'new-password'}),
+        widget=forms.PasswordInput(attrs={'minlength': '8', 'autocomplete': 'new-password'}),
         max_length=4096,
     )
 
@@ -315,14 +316,6 @@ class SetPasswordForm(forms.Form):
         kwargs['initial']['email'] = self.customer.email
         super().__init__(*args, **kwargs)
 
-        pw_min_len_validators = [v for v in get_customer_password_validators() if isinstance(v, MinimumLengthValidator)]
-        if pw_min_len_validators:
-            self.fields['password'].widget.attrs['minlength'] = max(v.min_length for v in pw_min_len_validators)
-            self.fields['password_repeat'].widget.attrs['minlength'] = max(v.min_length for v in pw_min_len_validators)
-
-        if 'password' not in self.data:
-            self.fields['password'].help_text = ' '.join(v.get_help_text() for v in pw_min_len_validators)
-
     def clean(self):
         password1 = self.cleaned_data.get('password', '')
         password2 = self.cleaned_data.get('password_repeat')
@@ -336,7 +329,8 @@ class SetPasswordForm(forms.Form):
 
     def clean_password(self):
         password1 = self.cleaned_data.get('password', '')
-        validate_password(password1, user=self.customer, password_validators=get_customer_password_validators())
+        if validate_password(password1, user=self.customer, password_validators=get_customer_password_validators()) is not None:
+            raise forms.ValidationError(_(password_validators_help_texts()), code='pw_invalid')
         return password1
 
 
@@ -401,13 +395,13 @@ class ChangePasswordForm(forms.Form):
     )
     password = forms.CharField(
         label=_('New password'),
-        widget=forms.PasswordInput(attrs={'autocomplete': 'new-password'}),
+        widget=forms.PasswordInput(attrs={'minlength': '8', 'autocomplete': 'new-password'}),
         max_length=4096,
         required=True
     )
     password_repeat = forms.CharField(
         label=_('Repeat password'),
-        widget=forms.PasswordInput(attrs={'autocomplete': 'new-password'}),
+        widget=forms.PasswordInput(attrs={'minlength': '8', 'autocomplete': 'new-password'}),
         max_length=4096,
     )
 
@@ -417,14 +411,6 @@ class ChangePasswordForm(forms.Form):
         kwargs['initial']['email'] = self.customer.email
         super().__init__(*args, **kwargs)
 
-        pw_min_len_validators = [v for v in get_customer_password_validators() if isinstance(v, MinimumLengthValidator)]
-        if pw_min_len_validators:
-            self.fields['password'].widget.attrs['minlength'] = max(v.min_length for v in pw_min_len_validators)
-            self.fields['password_repeat'].widget.attrs['minlength'] = max(v.min_length for v in pw_min_len_validators)
-
-        if 'password' not in self.data:
-            self.fields['password'].help_text = ' '.join(v.get_help_text() for v in pw_min_len_validators)
-
     def clean(self):
         password1 = self.cleaned_data.get('password', '')
         password2 = self.cleaned_data.get('password_repeat')
@@ -438,7 +424,8 @@ class ChangePasswordForm(forms.Form):
 
     def clean_password(self):
         password1 = self.cleaned_data.get('password', '')
-        validate_password(password1, user=self.customer, password_validators=get_customer_password_validators())
+        if validate_password(password1, user=self.customer, password_validators=get_customer_password_validators()) is not None:
+            raise forms.ValidationError(_(password_validators_help_texts()), code='pw_invalid')
         return password1
 
     def clean_password_current(self):