reauth flow token

add a special token to always allow completing a form submission, even if the reauthentication time has expired
ui changes
2026-06-26 03:46:14 +00:00 · 2026-03-26 12:41:19 +01:00 · 2026-03-20 12:56:57 +01:00 · 2026-03-20 12:56:38 +01:00 · 2026-03-20 12:55:58 +01:00 · 2026-03-20 12:06:56 +01:00
246 changed files with 76039 additions and 81680 deletions
@@ -24,7 +24,7 @@ jobs:
    name: Packaging
    strategy:
      matrix:
-        python-version: ["3.13"]
+        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python ${{ matrix.python-version }}
@@ -24,10 +24,10 @@ jobs:
    name: Check gettext syntax
    steps:
      - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
        uses: actions/setup-python@v5
        with:
-          python-version: 3.13
+          python-version: 3.11
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pip
@@ -49,10 +49,10 @@ jobs:
    name: Spellcheck
    steps:
      - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
        uses: actions/setup-python@v5
        with:
-          python-version: 3.13
+          python-version: 3.11
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pip
@@ -24,10 +24,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
        uses: actions/setup-python@v5
        with:
-          python-version: 3.13
+          python-version: 3.11
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pip
@@ -44,10 +44,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
        uses: actions/setup-python@v5
        with:
-          python-version: 3.13
+          python-version: 3.11
      - uses: actions/cache@v4
        with:
          path: ~/.cache/pip
@@ -64,10 +64,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
-      - name: Set up Python 3.13
+      - name: Set up Python 3.11
        uses: actions/setup-python@v5
        with:
-          python-version: 3.13
+          python-version: 3.11
      - name: Install Dependencies
        run: pip3 install licenseheaders
      - name: Run licenseheaders
@@ -23,15 +23,13 @@ jobs:
    name: Tests
    strategy:
      matrix:
-        python-version: ["3.11", "3.13", "3.14"]
+        python-version: ["3.10", "3.11", "3.13"]
        database: [sqlite, postgres]
        exclude:
          - database: sqlite
            python-version: "3.10"
          - database: sqlite
            python-version: "3.11"
-          - database: sqlite
-            python-version: "3.12"
    services:
      postgres:
        image: postgres:15
@@ -83,4 +81,4 @@ jobs:
          file: src/coverage.xml
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: false
-        if: matrix.database == 'postgres' && matrix.python-version == '3.13'
+        if: matrix.database == 'postgres' && matrix.python-version == '3.11'
@@ -1,16 +1,11 @@
 Contributing to pretix
 ======================

-Welcome to pretix, we are happy that you would like to contribute.
-Before you do so, please make sure to read the following documents:
+Hey there and welcome to pretix!

- [Contribution workflow](https://docs.pretix.eu/dev/development/contribution/general.html)
- [AI-assisted contribution policy](https://docs.pretix.eu/dev/development/contribution/ai.html)
- [Coding style and quality](https://docs.pretix.eu/dev/development/contribution/style.html)
- [Development setup](https://docs.pretix.eu/dev/development/setup.html)
- [Code of Conduct](https://docs.pretix.eu/dev/development/contribution/codeofconduct.html)
+* We've got a contributors guide in [our documentation](https://docs.pretix.eu/dev/development/contribution/) together with notes on the [development setup](https://docs.pretix.eu/dev/development/setup.html).

-Before we can accept your first PR we'll need you to sign [our **Contributor License Agreement** (CLA)](https://pretix.eu/about/en/cla).
-You can find more information about the how and why in our [License FAQ](https://docs.pretix.eu/trust/licensing/faq/) and in our [license change blog post](https://pretix.eu/about/en/blog/20210412-license/).
+* Please note that we have a [Code of Conduct](https://docs.pretix.eu/dev/development/contribution/codeofconduct.html) in place that applies to all project contributions, including issues, pull requests, etc.
+
+* Before we can accept a PR from you we'll need you to sign [our CLA](https://pretix.eu/about/en/cla). You can find more information about the how and why in our [License FAQ](https://docs.pretix.eu/trust/licensing/faq/) and in our [license change blog post](https://pretix.eu/about/en/blog/20210412-license/).

-**Before contributing new functionality, always open a discussion first.**
@@ -1,4 +1,4 @@
-FROM python:3.13-trixie
+FROM python:3.11-bookworm

 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
@@ -31,7 +31,6 @@ RUN apt-get update && \
    mkdir /etc/pretix && \
    mkdir /data && \
    useradd -ms /bin/bash -d /pretix -u 15371 pretixuser && \
-    chmod 0755 /pretix && \
    echo 'pretixuser ALL=(ALL) NOPASSWD:SETENV: /usr/bin/supervisord' >> /etc/sudoers && \
    mkdir /static && \
    mkdir /etc/supervisord
@@ -1,24 +0,0 @@
-.. _`aipolicy`:
-
-AI-assisted contribution policy
-===============================
-
-pretix is maintained by humans.
-Every discussion, issue, and pull request is read and reviewed by humans (and sometimes machines, too).
-We ask you to respect the time and effort put in by these humans by not sending low-effort, unqualified work, since it puts the burden of validation on the maintainer.
-
-Therefore, the pretix project has strict rules for AI usage:
-
- **All AI usage in any form must be disclosed.** You must state the tool you used (e.g. Claude Code, Cursor, Amp) along with the extent that the work was AI-assisted.
-
- **The human-in-the-loop must fully understand all code.** If you can't explain what your changes do and how they interact with the greater system without the aid of AI tools, do not contribute to this project.
-
- **Issues and discussions can use AI assistance but must have a full human-in-the-loop.** This means that any content generated with AI must have been reviewed and edited by a human before submission. AI is very good at being overly verbose and including noise that distracts from the main point. Humans must do their research and trim this down.
-
- **No AI-generated media is allowed (art, images, videos, audio, etc.).** Text and code are the only acceptable AI-generated content, per the other rules in this policy.
-
- **Bad AI drivers will be excluded from the project.** People who produce bad contributions that are clearly AI (slop) will be blocked from our organization without warning.
-
-This policy was inspired by the `ghostty project`_.
-
-.. _ghostty project: https://github.com/ghostty-org/ghostty/blob/main/AI_POLICY.md
@@ -1,39 +1,23 @@
-Contribution workflow
-=====================
+General remarks
+===============

 You are interested in contributing to pretix? That is awesome!

 If you’re new to contributing to open source software, don’t be afraid. We’ll happily review your code and give you
-constructive and friendly feedback on your changes. Every contribution should go through the following steps.
+constructive and friendly feedback on your changes.

-Discussion & Design
-------------------
-
-pretix is a large and mature project with more of a decade of history and hopefully many more decades to come.
-Keeping pretix in good shape over long timeframes is first and foremost a fight against complexity.
-With every additional feature, complexity grows, and both features and complexity are hard to remove.
-
-Even if you are doing the initial work of the contribution, accepting the contribution is not free for us.
-Not only will we need to maintain the feature, but every feature adds cost to the maintenance of every other feature it interacts with, and every feature adds effort for users to understand how pretix works.
-Therefore, we must carefully select what features we add, based on how well they fit the system in general and of how much use they will be to our larger user base.
-
-We strongly ask you to **create a discussion on GitHub for every new feature idea** outlining the use case and the proposed implementation design.
-Pull requests without prior discussion will likely just be closed.
-
-For bug fixes and very minor changes, you can skip this step and open a PR right away.
-
-Development
-----------
-
-To develop your contribution, you'll need pretix running locally on your machine. Head over to :ref:`devsetup` to learn how to do this.
+First of all, you'll need pretix running locally on your machine. Head over to :ref:`devsetup` to learn how to do this.
 If you run into any problems on your way, please do not hesitate to ask us anytime!

-While developing, please have a look at our :ref:`aipolicy` and our guidelines on :ref:`codestyle`.
+Please note that we bound ourselves to a :ref:`coc` that applies to all communication around the project. You can be
+assured that we will not tolerate any form of harassment.

 Sending a patch
 ---------------

-Once you have a first draft of your changes, please `create a pull request`_ on our `GitHub repository`_.
+If you improved pretix in any way, we'd be very happy if you contribute it
+back to the main code base! The easiest way to do so is to `create a pull request`_
+on our `GitHub repository`_.

 We recommend that you create a feature branch for every issue you work on so the changes can
 be reviewed individually.
@@ -41,17 +25,14 @@ Please use the test suite to check whether your changes break any existing featu
 the code style checks to confirm you are consistent with pretix's coding style. You'll
 find instructions on this in the :ref:`checksandtests` section of the development setup guide.

-We automatically run the tests and the code style check on every pull request through GitHub Actions and we won’t
+We automatically run the tests and the code style check on every pull request on Travis CI and we won’t
 accept any pull requests without all tests passing. However, if you don't find out *why* they are not passing,
 just send the pull request and tell us – we'll be glad to help.

 If you add a new feature, please include appropriate documentation into your patch. If you fix a bug,
 please include a regression test, i.e. a test that fails without your changes and passes after applying your changes.

-Again: If you get stuck, do not hesitate to contact us through GitHub discussions.
-
-Please note that we bound ourselves to a :ref:`coc` that applies to all communication around the project. You can be
-assured that we will not tolerate any form of harassment.
+Again: If you get stuck, do not hesitate to contact any of us, or Raphael personally at mail@raphaelmichel.de.

 .. _create a pull request: https://help.github.com/articles/creating-a-pull-request/
 .. _GitHub repository: https://github.com/pretix/pretix
@@ -6,5 +6,4 @@ Contributing to pretix

   general
   style
-   ai
   codeofconduct
@@ -1,7 +1,5 @@
 .. spelling:word-list:: Rebase rebasing

-.. _`codestyle`:
-
 Coding style and quality
 ========================

@@ -30,6 +28,8 @@ Code
 Commits and Pull Requests
 -------------------------

+
+
 Most commits should start as pull requests, therefore this applies to the titles of pull requests as well since
 the pull request title will become the commit message on merge. We prefer merging with GitHub's "Squash and merge"
 feature if the PR contains multiple commits that do not carry value to keep. If there is value in keeping the
@@ -3,7 +3,7 @@ name = "pretix"
 dynamic = ["version"]
 description = "Reinventing presales, one ticket at a time"
 readme = "README.rst"
-requires-python = ">=3.11"
+requires-python = ">=3.10"
 license = {file = "LICENSE"}
 keywords = ["tickets", "web", "shop", "ecommerce"]
 authors = [
@@ -19,11 +19,10 @@ classifiers = [
  "Topic :: Internet :: WWW/HTTP :: Dynamic Content",
  "Environment :: Web Environment",
  "License :: OSI Approved :: GNU Affero General Public License v3",
+  "Programming Language :: Python :: 3.9",
+  "Programming Language :: Python :: 3.10",
  "Programming Language :: Python :: 3.11",
-  "Programming Language :: Python :: 3.12",
-  "Programming Language :: Python :: 3.13",
-  "Programming Language :: Python :: 3.14",
-  "Framework :: Django :: 5.2",
+  "Framework :: Django :: 4.2",
 ]

 dependencies = [
@@ -33,11 +32,11 @@ dependencies = [
  "bleach==6.3.*",
  "celery==5.6.*",
  "chardet==5.2.*",
-  "cryptography>=47.0.0",
+  "cryptography>=44.0.0",
  "css-inline==0.20.*",
-  "defusedcsv>=3.0.0",
+  "defusedcsv>=1.1.0",
  "dnspython==2.*",
-  "Django[argon2]==5.2.*",
+  "Django[argon2]==4.2.*,>=4.2.26",
  "django-bootstrap3==26.1",
  "django-compressor==4.6.0",
  "django-countries==8.2.*",
@@ -60,7 +59,7 @@ dependencies = [
  "dnspython==2.8.*",
  "drf_ujson2==1.7.*",
  "geoip2==5.*",
-  "importlib_metadata==9.*",  # Polyfill, we can probably drop this once we require Python 3.10+
+  "importlib_metadata==8.*",  # Polyfill, we can probably drop this once we require Python 3.10+
  "isoweek",
  "jsonschema",
  "kombu==5.6.*",
@@ -76,7 +75,7 @@ dependencies = [
  "paypal-checkout-serversdk==1.0.*",
  "PyJWT==2.12.*",
  "phonenumberslite==9.0.*",
-  "Pillow==12.2.*",
+  "Pillow==12.1.*",
  "pretix-plugin-build",
  "protobuf==7.34.*",
  "psycopg2-binary",
@@ -90,14 +89,14 @@ dependencies = [
  "pytz-deprecation-shim==0.1.*",
  "pyuca",
  "qrcode==8.2",
-  "redis==7.4.*",
+  "redis==7.1.*",
  "reportlab==4.4.*",
  "requests==2.32.*",
-  "sentry-sdk==2.58.*",
+  "sentry-sdk==2.54.*",
  "sepaxml==2.7.*",
  "stripe==7.9.*",
  "text-unidecode==1.*",
-  "tlds>=2026041800",
+  "tlds>=2020041600",
  "tqdm==4.*",
  "ua-parser==1.0.*",
  "vobject==0.9.*",
@@ -117,7 +116,7 @@ dev = [
  "isort==8.0.*",
  "pep8-naming==0.15.*",
  "potypo",
-  "pytest-asyncio>=1.3.0",
+  "pytest-asyncio>=0.24",
  "pytest-cache",
  "pytest-cov",
  "pytest-django==4.*",
@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2026.4.4"
+__version__ = "2026.3.0.dev0"
@@ -31,9 +31,7 @@ from pretix.api.serializers.order import OrderPositionSerializer
 from pretix.api.serializers.organizer import (
    CustomerSerializer, GiftCardSerializer,
 )
-from pretix.base.models import (
-    Device, Order, OrderPosition, ReusableMedium, TeamAPIToken,
-)
+from pretix.base.models import Order, OrderPosition, ReusableMedium

 logger = logging.getLogger(__name__)

@@ -82,7 +80,8 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
            )

        if 'linked_orderposition' in self.context['request'].query_params.getlist('expand'):
-            # Permission Check performed in to_representation
+            # No additional permission check performed, documented limitation of the permission system
+            # Would get to complex/unusable otherwise since the permission depends on the event
            self.fields['linked_orderposition'] = NestedOrderPositionSerializer(read_only=True)
        else:
            self.fields['linked_orderposition'] = serializers.PrimaryKeyRelatedField(
@@ -118,27 +117,6 @@ class ReusableMediaSerializer(I18nAwareModelSerializer):
                )
        return data

-    def to_representation(self, instance):
-        r = super().to_representation(instance)
-        request = self.context.get('request')
-        # late permission evaluations for checks that depend on the actual linked events
-        expand_nested = self.context['request'].query_params.getlist('expand')
-        perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
-        if 'linked_orderposition' in expand_nested:
-            if instance.linked_orderposition is not None:
-                event = instance.linked_orderposition.order.event
-                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
-                    r['linked_orderposition'] = {'id': instance.linked_orderposition.id}
-
-        if 'linked_giftcard.owner_ticket' in expand_nested:
-            gc = instance.linked_giftcard
-            if gc is not None and gc.owner_ticket is not None:
-                event = gc.owner_ticket.order.event
-                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
-                    r['linked_giftcard']['owner_ticket'] = {'id': instance.linked_giftcard.owner_ticket.id}
-
-        return r
-
    class Meta:
        model = ReusableMedium
        fields = (
@@ -769,11 +769,7 @@ class PaymentDetailsField(serializers.Field):
        pp = value.payment_provider
        if not pp:
            return {}
-        try:
-            return pp.api_payment_details(value)
-        except Exception:
-            logger.exception("Failed to retrieve payment_details")
-            return {}
+        return pp.api_payment_details(value)


 class OrderPaymentSerializer(I18nAwareModelSerializer):
@@ -286,19 +286,6 @@ class GiftCardSerializer(I18nAwareModelSerializer):
                )
        return data

-    def to_representation(self, instance):
-        r = super().to_representation(instance)
-        request = self.context.get('request')
-        # late permission evaluations for checks that depend on the actual linked events
-        if 'owner_ticket' in self.context['request'].query_params.getlist('expand'):
-            owner_ticket = instance.owner_ticket
-            if owner_ticket:
-                event = owner_ticket.order.event
-                perm_holder = request.auth if isinstance(request.auth, (Device, TeamAPIToken)) else request.user
-                if not perm_holder.has_event_permission(event.organizer, event, 'event.orders:read', request):
-                    r['owner_ticket'] = {'id': instance.owner_ticket.id}
-        return r
-
    class Meta:
        model = GiftCard
        fields = ('id', 'secret', 'issuance', 'value', 'currency', 'testmode', 'expires', 'conditions', 'owner_ticket',
@@ -1122,7 +1122,7 @@ class CheckinViewSet(viewsets.ReadOnlyModelViewSet):
    permission = 'event.orders:read'

    def get_queryset(self):
-        qs = Checkin.all.filter(list__event=self.request.event).select_related(
+        qs = Checkin.all.filter().select_related(
            "position",
            "device",
        )
@@ -381,15 +381,12 @@ class EventOrderViewSet(OrderViewSetMixin, viewsets.ModelViewSet):
                resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                return resp
            else:
-                return FileResponse(
-                    ct.file.file,
-                    filename='{}-{}-{}{}'.format(
-                        self.request.event.slug.upper(), order.code,
-                        provider.identifier, ct.extension
-                    ),
-                    as_attachment=True,
-                    content_type=ct.type
+                resp = FileResponse(ct.file.file, content_type=ct.type)
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), order.code,
+                    provider.identifier, ct.extension
                )
+                return resp

    @action(detail=True, methods=['POST'])
    def mark_paid(self, request, **kwargs):
@@ -1306,17 +1303,14 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
            raise NotFound()

        ftype, ignored = mimetypes.guess_type(answer.file.name)
-        return FileResponse(
-            answer.file,
-            filename='{}-{}-{}-{}'.format(
-                self.request.event.slug.upper(),
-                pos.order.code,
-                pos.positionid,
-                os.path.basename(answer.file.name).split('.', 1)[1]
-            ),
-            as_attachment=True,
-            content_type=ftype or 'application/binary'
+        resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
+        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}"'.format(
+            self.request.event.slug.upper(),
+            pos.order.code,
+            pos.positionid,
+            os.path.basename(answer.file.name).split('.', 1)[1]
        )
+        return resp

    @action(detail=True, url_name="printlog", url_path="printlog", methods=["POST"])
    def printlog(self, request, **kwargs):
@@ -1371,18 +1365,15 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
            if hasattr(image_file, 'seek'):
                image_file.seek(0)

-        return FileResponse(
-            image_file,
-            filename='{}-{}-{}-{}.{}'.format(
-                self.request.event.slug.upper(),
-                pos.order.code,
-                pos.positionid,
-                key,
-                extension,
-            ),
-            as_attachment=True,
-            content_type=ftype or 'application/binary'
+        resp = FileResponse(image_file, content_type=ftype or 'application/binary')
+        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}.{}"'.format(
+            self.request.event.slug.upper(),
+            pos.order.code,
+            pos.positionid,
+            key,
+            extension,
        )
+        return resp

    @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
    def download(self, request, output, **kwargs):
@@ -1408,15 +1399,12 @@ class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet
                resp = HttpResponse(ct.file.file.read(), content_type='text/uri-list')
                return resp
            else:
-                return FileResponse(
-                    ct.file.file,
-                    filename='{}-{}-{}-{}{}'.format(
-                        self.request.event.slug.upper(), pos.order.code, pos.positionid,
-                        provider.identifier, ct.extension
-                    ),
-                    as_attachment=True,
-                    content_type=ct.type
+                resp = FileResponse(ct.file.file, content_type=ct.type)
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), pos.order.code, pos.positionid,
+                    provider.identifier, ct.extension
                )
+                return resp

    @action(detail=True, methods=['POST'])
    def regenerate_secrets(self, request, **kwargs):
@@ -1998,12 +1986,9 @@ class InvoiceViewSet(viewsets.ReadOnlyModelViewSet):
        if not invoice.file:
            raise RetryException()

-        return FileResponse(
-            invoice.file.file,
-            filename='{}.pdf'.format(invoice.number),
-            as_attachment=True,
-            content_type='application/pdf'
-        )
+        resp = FileResponse(invoice.file.file, content_type='application/pdf')
+        resp['Content-Disposition'] = 'attachment; filename="{}.pdf"'.format(invoice.number)
+        return resp

    @action(detail=True, methods=['POST'])
    def transmit(self, request, **kwargs):
@@ -19,10 +19,7 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-import ipaddress
 import logging
-import smtplib
-import socket
 from itertools import groupby
 from smtplib import SMTPResponseException
 from typing import TypeVar
@@ -240,80 +237,3 @@ def base_renderers(sender, **kwargs):

 def get_email_context(**kwargs):
    return PlaceholderContext(**kwargs).render_all()
-
-
-def create_connection(address, timeout=socket.getdefaulttimeout(),
-                      source_address=None, *, all_errors=False):
-    # Taken from the python stdlib, extended with a check for local ips
-
-    host, port = address
-    exceptions = []
-    for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
-        af, socktype, proto, canonname, sa = res
-
-        if not getattr(settings, "MAIL_CUSTOM_SMTP_ALLOW_PRIVATE_NETWORKS", False):
-            ip_addr = ipaddress.ip_address(sa[0])
-            if ip_addr.is_multicast:
-                raise socket.error(f"Request to multicast address {sa[0]} blocked")
-            if ip_addr.is_loopback or ip_addr.is_link_local:
-                raise socket.error(f"Request to local address {sa[0]} blocked")
-            if ip_addr.is_private:
-                raise socket.error(f"Request to private address {sa[0]} blocked")
-
-        sock = None
-        try:
-            sock = socket.socket(af, socktype, proto)
-            if timeout is not socket.getdefaulttimeout():
-                sock.settimeout(timeout)
-            if source_address:
-                sock.bind(source_address)
-            sock.connect(sa)
-            # Break explicitly a reference cycle
-            exceptions.clear()
-            return sock
-
-        except socket.error as exc:
-            if not all_errors:
-                exceptions.clear()  # raise only the last error
-            exceptions.append(exc)
-            if sock is not None:
-                sock.close()
-
-    if len(exceptions):
-        try:
-            if not all_errors:
-                raise exceptions[0]
-            raise ExceptionGroup("create_connection failed", exceptions)
-        finally:
-            # Break explicitly a reference cycle
-            exceptions.clear()
-    else:
-        raise socket.error("getaddrinfo returns an empty list")
-
-
-class CheckPrivateNetworkMixin:
-    # _get_socket taken 1:1 from smtplib, just with a call to our own create_connection
-    def _get_socket(self, host, port, timeout):
-        # This makes it simpler for SMTP_SSL to use the SMTP connect code
-        # and just alter the socket connection bit.
-        if timeout is not None and not timeout:
-            raise ValueError('Non-blocking socket (timeout=0) is not supported')
-        if self.debuglevel > 0:
-            self._print_debug('connect: to', (host, port), self.source_address)
-        return create_connection((host, port), timeout, self.source_address)
-
-
-class SMTP(CheckPrivateNetworkMixin, smtplib.SMTP):
-    pass
-
-
-# SMTP used here instead of mixin, because smtp.SMTP_SSL._get_socket calls super()._get_socket and then wraps this socket
-# super()._get_socket needs to be our version from the mixin
-class SMTP_SSL(smtplib.SMTP_SSL, SMTP):  # noqa: N801
-    pass
-
-
-class CheckPrivateNetworkSmtpBackend(EmailBackend):
-    @property
-    def connection_class(self):
-        return SMTP_SSL if self.use_ssl else SMTP
@@ -47,7 +47,6 @@ from django.utils.formats import localize
 from django.utils.translation import gettext, gettext_lazy as _

 from pretix.base.models import Event
-from pretix.base.models.auth import PermissionHolder
 from pretix.helpers.safe_openpyxl import (  # NOQA: backwards compatibility for plugins using excel_safe
    SafeWorkbook, remove_invalid_excel_chars as excel_safe,
 )
@@ -60,20 +59,11 @@ class BaseExporter:
    This is the base class for all data exporters
    """

-    def __init__(self, event, organizer, permission_holder: PermissionHolder=None, progress_callback=lambda v: None):
-        """
-        :param event: Event context, can also be a queryset of events for multi-event exports
-        :param organizer: Organizer context
-        :param user: The user who triggered the export (or None).
-        :param token: The API token that triggered the export (or None).
-        :param device: The device that triggered the export (or None)
-        :param progress_callback: Callback function with progress
-        """
+    def __init__(self, event, organizer, progress_callback=lambda v: None):
        self.event = event
        self.organizer = organizer
        self.progress_callback = progress_callback
        self.is_multievent = isinstance(event, QuerySet)
-        self.permission_holder = permission_holder
        if isinstance(event, QuerySet):
            self.events = event
            self.event = None
@@ -190,7 +180,7 @@ class BaseExporter:
        return True

    @classmethod
-    def get_required_event_permission(cls) -> Optional[str]:
+    def get_required_event_permission(cls) -> str:
        """
        The permission level required to use this exporter for events. For multi-event-exports, this will be used
        to limit the selection of events. Will be ignored if the ``OrganizerLevelExportMixin`` mixin is used.
@@ -205,7 +195,7 @@ class OrganizerLevelExportMixin:
        raise TypeError("required_event_permission may not be called on OrganizerLevelExportMixin")

    @classmethod
-    def get_required_organizer_permission(cls) -> Optional[str]:
+    def get_required_organizer_permission(cls) -> str:
        """
        The permission level required to use this exporter. Must be set for organizer-level exports. Set to `None` to
        allow everyone with any access to the organizer.
@@ -1103,25 +1103,13 @@ class PaymentListExporter(ListExporter):
    def iterate_list(self, form_data):
        provider_names = dict(get_all_payment_providers())

-        i_numbers = Invoice.objects.filter(
-            order=OuterRef('order_id'),
-        ).values('order').annotate(
-            m=GroupConcat('full_invoice_no', delimiter=', ')
-        ).values(
-            'm'
-        ).order_by()
-
        payments = OrderPayment.objects.filter(
            order__event__in=self.events,
            state__in=form_data.get('payment_states', [])
-        ).annotate(
-            order_invoice_numbers=Subquery(i_numbers, output_field=CharField()),
        ).select_related('order').prefetch_related('order__event').order_by('created')
        refunds = OrderRefund.objects.filter(
            order__event__in=self.events,
            state__in=form_data.get('refund_states', [])
-        ).annotate(
-            order_invoice_numbers=Subquery(i_numbers, output_field=CharField()),
        ).select_related('order').prefetch_related('order__event').order_by('created')

        if form_data.get('end_date_range'):
@@ -1147,7 +1135,6 @@ class PaymentListExporter(ListExporter):
        headers = [
            _('Event slug'), _('Order'), _('Payment ID'), _('Creation date'), _('Completion date'), _('Status'),
            _('Status code'), _('Amount'), _('Payment method'), _('Comment'), _('Matching ID'), _('Payment details'),
-            _('Invoice numbers'),
        ]
        yield headers

@@ -1185,7 +1172,6 @@ class PaymentListExporter(ListExporter):
                obj.comment if isinstance(obj, OrderRefund) else "",
                matching_id,
                payment_details,
-                obj.order_invoice_numbers,
            ]
            yield row

@@ -61,23 +61,18 @@ class ReusableMediaExporter(OrganizerLevelExportMixin, ListExporter):
        yield headers
        yield self.ProgressSetTotal(total=media.count())

-        can_read_giftcards = self.permission_holder.has_organizer_permission(self.organizer, 'organizer.giftcards:read')
-
        for medium in media.iterator(chunk_size=1000):
-            giftcard_secret = medium.linked_giftcard.secret if medium.linked_giftcard_id else ''
-            if giftcard_secret and not can_read_giftcards:
-                giftcard_secret = giftcard_secret[:3] + "…"
-
-            yield [
+            row = [
                medium.type,
                medium.identifier,
                _('Yes') if medium.active else _('No'),
                date_format(medium.expires, 'SHORT_DATETIME_FORMAT') if medium.expires else '',
                medium.customer.identifier if medium.customer_id else '',
                f"{medium.linked_orderposition.order.code}-{medium.linked_orderposition.positionid}" if medium.linked_orderposition_id else '',
-                giftcard_secret,
+                medium.linked_giftcard.secret if medium.linked_giftcard_id else '',
                medium.notes,
            ]
+            yield row

    def get_filename(self):
        return f'{self.organizer.slug}_media'
@@ -196,7 +196,8 @@ class RegistrationForm(forms.Form):
    def clean_password(self):
        password1 = self.cleaned_data.get('password', '')
        user = User(email=self.cleaned_data.get('email'))
-        validate_password(password1, user=user)
+        if validate_password(password1, user=user) is not None:
+            raise forms.ValidationError(_(password_validators_help_texts()), code='pw_invalid')
        return password1

    def clean_email(self):
@@ -45,6 +45,7 @@ import pycountry
 from django import forms
 from django.conf import settings
 from django.contrib import messages
+from django.contrib.gis.geoip2 import GeoIP2
 from django.core.exceptions import ValidationError
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.core.validators import (
@@ -90,7 +91,7 @@ from pretix.base.settings import (
    COUNTRIES_WITH_STATE_IN_ADDRESS, COUNTRY_STATE_LABEL,
    PERSON_NAME_SALUTATIONS, PERSON_NAME_SCHEMES, PERSON_NAME_TITLE_GROUPS,
 )
-from pretix.base.templatetags.rich_text import URL_RE, rich_text
+from pretix.base.templatetags.rich_text import rich_text
 from pretix.base.timemachine import time_machine_now
 from pretix.control.forms import (
    ExtFileField, ExtValidationMixin, SizeValidationMixin, SplitDateTimeField,
@@ -101,7 +102,6 @@ from pretix.helpers.countries import (
 from pretix.helpers.escapejson import escapejson_attr
 from pretix.helpers.http import get_client_ip
 from pretix.helpers.i18n import get_format_without_seconds
-from pretix.helpers.security import get_geoip
 from pretix.presale.signals import question_form_fields

 logger = logging.getLogger(__name__)
@@ -227,15 +227,9 @@ class NamePartsFormField(forms.MultiValueField):
                    # bots.
                    r'^[^$€/%§{}<>~]*$',
                    message=_('Please do not use special characters in names.')
-                ),
-                RegexValidator(
-                    URL_RE,
-                    inverse_match=True,
-                    message=_('Please do not use special characters in names.')
                )
            ]
        }
-        self.max_length = defaults['max_length']
        self.scheme_name = kwargs.pop('scheme')
        self.titles = kwargs.pop('titles')
        self.scheme = PERSON_NAME_SCHEMES.get(self.scheme_name)
@@ -293,7 +287,7 @@ class NamePartsFormField(forms.MultiValueField):
        if self.require_all_fields and not all(v for v in value):
            raise forms.ValidationError(self.error_messages['incomplete'], code='required')

-        if sum(len(v) for v in value.values() if v) > (self.max_length or 250):
+        if sum(len(v) for v in value.values() if v) > 250:
            raise forms.ValidationError(_('Please enter a shorter name.'), code='max_length')

        if value.get("salutation") == "empty":
@@ -399,7 +393,7 @@ class WrappedPhoneNumberPrefixWidget(PhoneNumberPrefixWidget):

 def guess_country_from_request(request, event):
    if settings.HAS_GEOIP:
-        g = get_geoip()
+        g = GeoIP2()
        try:
            res = g.country(get_client_ip(request))
            if res['country_code'] and len(res['country_code']) == 2:
@@ -22,7 +22,9 @@
 import datetime
 import logging
 import math
+import re
 import textwrap
+import unicodedata
 from collections import defaultdict
 from decimal import Decimal
 from io import BytesIO
@@ -56,8 +58,8 @@ from pretix.base.services.currencies import SOURCE_NAMES
 from pretix.base.signals import register_invoice_renderers
 from pretix.base.templatetags.money import money_filter
 from pretix.helpers.reportlab import (
-    FontFallbackParagraph, PlainTextParagraph, ThumbnailingImageReader,
-    normalize_text, register_ttf_font_if_new, reshaper,
+    FontFallbackParagraph, ThumbnailingImageReader, register_ttf_font_if_new,
+    reshaper,
 )
 from pretix.presale.style import get_fonts

@@ -257,8 +259,18 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
                register_ttf_font_if_new(family + ' B I', finders.find(styles['bolditalic']['truetype']))

    def _normalize(self, text):
-        # alias kept for plugin compatibility
-        return normalize_text(text)
+        # reportlab does not support unicode combination characters
+        # It's important we do this before we use ArabicReshaper
+        text = unicodedata.normalize("NFKC", text)
+
+        # reportlab does not support RTL, ligature-heavy scripts like Arabic. Therefore, we use ArabicReshaper
+        # to resolve all ligatures and python-bidi to switch RTL texts.
+        try:
+            text = "<br />".join(get_display(reshaper.reshape(l)) for l in re.split("<br ?/>", text))
+        except:
+            logger.exception('Reshaping/Bidi fixes failed on string {}'.format(repr(text)))
+
+        return text

    def _upper(self, val):
        # We uppercase labels, but not in every language
@@ -339,15 +351,10 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
        return 'invoice.pdf', 'application/pdf', buffer.read()

    def _clean_text(self, text, tags=None):
-        # For backwards compatibility with customer content, we need to support tags like <br> and <b> in a few text
-        # fields. Therefore, we can't use PlainTextParagraph for these, but run bleach instead to limit the allowed
-        # tags.
-        return self._normalize(
-            bleach.clean(
-                text,
-                tags=set(tags) if tags else set()
-            ).strip().replace('<br>', '<br />').replace('\n', '<br />\n')
-        )
+        return self._normalize(bleach.clean(
+            text,
+            tags=set(tags) if tags else set()
+        ).strip().replace('<br>', '<br />').replace('\n', '<br />\n'))


 class PaidMarker(Flowable):
@@ -398,7 +405,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    invoice_to_top = 52 * mm

    def _draw_invoice_to(self, canvas):
-        p = PlainTextParagraph(self.invoice.address_invoice_to, style=self.stylesheet['Normal'])
+        p = FontFallbackParagraph(self._clean_text(self.invoice.address_invoice_to),
+                                  style=self.stylesheet['Normal'])
        p.wrapOn(canvas, self.invoice_to_width, self.invoice_to_height)
        p_size = p.wrap(self.invoice_to_width, self.invoice_to_height)
        p.drawOn(canvas, self.invoice_to_left, self.pagesize[1] - p_size[1] - self.invoice_to_top)
@@ -409,8 +417,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    invoice_from_top = 17 * mm

    def _draw_invoice_from(self, canvas):
-        p = PlainTextParagraph(
-            self.invoice.full_invoice_from,
+        p = FontFallbackParagraph(
+            self._clean_text(self.invoice.full_invoice_from),
            style=self.stylesheet['InvoiceFrom']
        )
        p.wrapOn(canvas, self.invoice_from_width, self.invoice_from_height)
@@ -540,12 +548,13 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    def _draw_event(self, canvas):
        def shorten(txt):
            txt = str(txt)
-            p = PlainTextParagraph(txt, style=self.stylesheet['Normal'])
+            txt = bleach.clean(txt, tags=set()).strip()
+            p = FontFallbackParagraph(self._normalize(txt.strip().replace('\n', '<br />\n')), style=self.stylesheet['Normal'])
            p_size = p.wrap(self.event_width, self.event_height)

            while p_size[1] > 2 * self.stylesheet['Normal'].leading:
                txt = ' '.join(txt.replace('…', '').split()[:-1]) + '…'
-                p = PlainTextParagraph(txt, style=self.stylesheet['Normal'])
+                p = FontFallbackParagraph(self._normalize(txt.strip().replace('\n', '<br />\n')), style=self.stylesheet['Normal'])
                p_size = p.wrap(self.event_width, self.event_height)
            return txt

@@ -563,7 +572,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        else:
            p_str = shorten(self.invoice.event.name)

-        p = PlainTextParagraph(p_str, style=self.stylesheet['Normal'])
+        p = FontFallbackParagraph(self._normalize(p_str.strip().replace('\n', '<br />\n')), style=self.stylesheet['Normal'])
        p.wrapOn(canvas, self.event_width, self.event_height)
        p_size = p.wrap(self.event_width, self.event_height)
        p.drawOn(canvas, self.event_left, self.pagesize[1] - self.event_top - p_size[1])
@@ -636,37 +645,39 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):

        type_info_text = self.invoice.transmission_type_instance.pdf_info_text()
        if type_info_text:
-            story.append(PlainTextParagraph(
+            story.append(FontFallbackParagraph(
                type_info_text,
                self.stylesheet['WarningBlock']
            ))

        if self.invoice.custom_field:
-            story.append(PlainTextParagraph(
+            story.append(FontFallbackParagraph(
                '{}: {}'.format(
-                    str(self.invoice.event.settings.invoice_address_custom_field),
-                    self.invoice.custom_field,
+                    self._clean_text(str(self.invoice.event.settings.invoice_address_custom_field)),
+                    self._clean_text(self.invoice.custom_field),
                ),
                self.stylesheet['Normal']
            ))

        if self.invoice.internal_reference:
-            story.append(PlainTextParagraph(
-                pgettext('invoice', 'Customer reference: {reference}').format(
-                    reference=self.invoice.internal_reference,
-                ),
+            story.append(FontFallbackParagraph(
+                self._normalize(pgettext('invoice', 'Customer reference: {reference}').format(
+                    reference=self._clean_text(self.invoice.internal_reference),
+                )),
                self.stylesheet['Normal']
            ))

        if self.invoice.invoice_to_vat_id:
-            story.append(PlainTextParagraph(
-                pgettext('invoice', 'Customer VAT ID') + ': ' + self.invoice.invoice_to_vat_id,
+            story.append(FontFallbackParagraph(
+                self._normalize(pgettext('invoice', 'Customer VAT ID')) + ': ' +
+                self._clean_text(self.invoice.invoice_to_vat_id),
                self.stylesheet['Normal']
            ))

        if self.invoice.invoice_to_beneficiary:
-            story.append(PlainTextParagraph(
-                pgettext('invoice', 'Beneficiary') + ':\n' + self.invoice.invoice_to_beneficiary,
+            story.append(FontFallbackParagraph(
+                self._normalize(pgettext('invoice', 'Beneficiary')) + ':<br />' +
+                self._clean_text(self.invoice.invoice_to_beneficiary),
                self.stylesheet['Normal']
            ))

@@ -696,11 +707,11 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):

        story = [
            NextPageTemplate('FirstPage'),
-            PlainTextParagraph(
-                (
+            FontFallbackParagraph(
+                self._normalize(
                    pgettext('invoice', 'Tax Invoice') if str(self.invoice.invoice_from_country) == 'AU'
                    else pgettext('invoice', 'Invoice')
-                ) if not self.invoice.is_cancellation else pgettext('invoice', 'Cancellation'),
+                ) if not self.invoice.is_cancellation else self._normalize(pgettext('invoice', 'Cancellation')),
                self.stylesheet['Heading1']
            ),
            Spacer(1, 5 * mm),
@@ -722,17 +733,17 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        ]
        if has_taxes:
            tdata = [(
-                PlainTextParagraph(pgettext('invoice', 'Description'), self.stylesheet['Bold']),
-                PlainTextParagraph(pgettext('invoice', 'Qty'), self.stylesheet['BoldRightNoSplit']),
-                PlainTextParagraph(pgettext('invoice', 'Tax rate'), self.stylesheet['BoldRightNoSplit']),
-                PlainTextParagraph(pgettext('invoice', 'Net'), self.stylesheet['BoldRightNoSplit']),
-                PlainTextParagraph(pgettext('invoice', 'Gross'), self.stylesheet['BoldRightNoSplit']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Description')), self.stylesheet['Bold']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Qty')), self.stylesheet['BoldRightNoSplit']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Tax rate')), self.stylesheet['BoldRightNoSplit']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Net')), self.stylesheet['BoldRightNoSplit']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Gross')), self.stylesheet['BoldRightNoSplit']),
            )]
        else:
            tdata = [(
-                PlainTextParagraph(pgettext('invoice', 'Description'), self.stylesheet['Bold']),
-                PlainTextParagraph(pgettext('invoice', 'Qty'), self.stylesheet['BoldRightNoSplit']),
-                PlainTextParagraph(pgettext('invoice', 'Amount'), self.stylesheet['BoldRightNoSplit']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Description')), self.stylesheet['Bold']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Qty')), self.stylesheet['BoldRightNoSplit']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Amount')), self.stylesheet['BoldRightNoSplit']),
            )]

        def _group_key(line):
@@ -769,8 +780,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
            max_height = self.stylesheet['Normal'].leading * 5
            p_style = self.stylesheet['Normal']
            for __ in range(1000):
-                p = PlainTextParagraph(
-                    curr_description,
+                p = FontFallbackParagraph(
+                    self._clean_text(curr_description, tags=['br']),
                    p_style
                )
                h = p.wrap(max_width, doc.height)[1]
@@ -851,7 +862,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                # Group together at the end of the invoice
                request_show_service_date = period_line
            elif period_line:
-                description_p_list.append(PlainTextParagraph(
+                description_p_list.append(FontFallbackParagraph(
                    period_line,
                    self.stylesheet['Fineprint']
                ))
@@ -863,7 +874,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                        net_price=money_filter(net_value, self.invoice.event.currency),
                        gross_price=money_filter(gross_value, self.invoice.event.currency),
                    )
-                    description_p_list.append(PlainTextParagraph(
+                    description_p_list.append(FontFallbackParagraph(
                        single_price_line,
                        self.stylesheet['Fineprint']
                    ))
@@ -872,11 +883,11 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                    description_p_list.pop(0),
                    str(len(lines)),
                    localize(tax_rate) + " %",
-                    PlainTextParagraph(
+                    FontFallbackParagraph(
                        money_filter(net_value * len(lines), self.invoice.event.currency).replace('\xa0', ' '),
                        self.stylesheet['NormalRight']
                    ),
-                    PlainTextParagraph(
+                    FontFallbackParagraph(
                        money_filter(gross_value * len(lines), self.invoice.event.currency).replace('\xa0', ' '),
                        self.stylesheet['NormalRight']
                    ),
@@ -893,14 +904,14 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                    single_price_line = pgettext('invoice', 'Single price: {price}').format(
                        price=money_filter(gross_value, self.invoice.event.currency),
                    )
-                    description_p_list.append(PlainTextParagraph(
+                    description_p_list.append(FontFallbackParagraph(
                        single_price_line,
                        self.stylesheet['Fineprint']
                    ))
                tdata.append((
                    description_p_list.pop(0),
                    str(len(lines)),
-                    PlainTextParagraph(
+                    FontFallbackParagraph(
                        money_filter(gross_value * len(lines), self.invoice.event.currency).replace('\xa0', ' '),
                        self.stylesheet['NormalRight']
                    ),
@@ -933,12 +944,12 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):

        if has_taxes:
            tdata.append([
-                PlainTextParagraph(pgettext('invoice', 'Invoice total'), self.stylesheet['Bold']), '', '', '',
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Invoice total')), self.stylesheet['Bold']), '', '', '',
                money_filter(total, self.invoice.event.currency)
            ])
        else:
            tdata.append([
-                PlainTextParagraph(pgettext('invoice', 'Invoice total'), self.stylesheet['Bold']), '',
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Invoice total')), self.stylesheet['Bold']), '',
                money_filter(total, self.invoice.event.currency)
            ])

@@ -947,12 +958,12 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                pending_sum = self.invoice.order.pending_sum
                if pending_sum != total:
                    tdata.append(
-                        [PlainTextParagraph(pgettext('invoice', 'Received payments'), self.stylesheet['Normal'])] +
+                        [FontFallbackParagraph(self._normalize(pgettext('invoice', 'Received payments')), self.stylesheet['Normal'])] +
                        (['', '', ''] if has_taxes else ['']) +
                        [money_filter(pending_sum - total, self.invoice.event.currency)]
                    )
                    tdata.append(
-                        [PlainTextParagraph(pgettext('invoice', 'Outstanding payments'), self.stylesheet['Bold'])] +
+                        [FontFallbackParagraph(self._normalize(pgettext('invoice', 'Outstanding payments')), self.stylesheet['Bold'])] +
                        (['', '', ''] if has_taxes else ['']) +
                        [money_filter(pending_sum, self.invoice.event.currency)]
                    )
@@ -969,12 +980,12 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                    s=Sum('amount')
                )['s'] or Decimal('0.00')
                tdata.append(
-                    [PlainTextParagraph(pgettext('invoice', 'Paid by gift card'), self.stylesheet['Normal'])] +
+                    [FontFallbackParagraph(self._normalize(pgettext('invoice', 'Paid by gift card')), self.stylesheet['Normal'])] +
                    (['', '', ''] if has_taxes else ['']) +
                    [money_filter(giftcard_sum, self.invoice.event.currency)]
                )
                tdata.append(
-                    [PlainTextParagraph(pgettext('invoice', 'Remaining amount'), self.stylesheet['Bold'])] +
+                    [FontFallbackParagraph(self._normalize(pgettext('invoice', 'Remaining amount')), self.stylesheet['Bold'])] +
                    (['', '', ''] if has_taxes else ['']) +
                    [money_filter(total - giftcard_sum, self.invoice.event.currency)]
                )
@@ -997,14 +1008,14 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        story.append(Spacer(1, 10 * mm))

        if request_show_service_date:
-            story.append(PlainTextParagraph(
-                pgettext('invoice', 'Invoice period: {daterange}').format(daterange=request_show_service_date),
+            story.append(FontFallbackParagraph(
+                self._normalize(pgettext('invoice', 'Invoice period: {daterange}').format(daterange=request_show_service_date)),
                self.stylesheet['Normal']
            ))

        if self.invoice.payment_provider_text:
            story.append(FontFallbackParagraph(
-                self._clean_text(self.invoice.payment_provider_text, tags=['br', 'b']),
+                self._normalize(self.invoice.payment_provider_text),
                self.stylesheet['Normal']
            ))

@@ -1028,10 +1039,10 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
            ('FONTNAME', (0, 0), (-1, -1), self.font_regular),
        ]
        thead = [
-            PlainTextParagraph(pgettext('invoice', 'Tax rate'), self.stylesheet['Fineprint']),
-            PlainTextParagraph(pgettext('invoice', 'Net value'), self.stylesheet['FineprintRight']),
-            PlainTextParagraph(pgettext('invoice', 'Gross value'), self.stylesheet['FineprintRight']),
-            PlainTextParagraph(pgettext('invoice', 'Tax'), self.stylesheet['FineprintRight']),
+            FontFallbackParagraph(self._normalize(pgettext('invoice', 'Tax rate')), self.stylesheet['Fineprint']),
+            FontFallbackParagraph(self._normalize(pgettext('invoice', 'Net value')), self.stylesheet['FineprintRight']),
+            FontFallbackParagraph(self._normalize(pgettext('invoice', 'Gross value')), self.stylesheet['FineprintRight']),
+            FontFallbackParagraph(self._normalize(pgettext('invoice', 'Tax')), self.stylesheet['FineprintRight']),
            ''
        ]
        tdata = [thead]
@@ -1042,7 +1053,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                continue
            tax = taxvalue_map[idx]
            tdata.append([
-                PlainTextParagraph(localize(rate) + " % " + name, self.stylesheet['Fineprint']),
+                FontFallbackParagraph(self._normalize(localize(rate) + " % " + name), self.stylesheet['Fineprint']),
                money_filter(gross - tax, self.invoice.event.currency),
                money_filter(gross, self.invoice.event.currency),
                money_filter(tax, self.invoice.event.currency),
@@ -1061,7 +1072,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
            table.setStyle(TableStyle(tstyledata))
            story.append(Spacer(5 * mm, 5 * mm))
            story.append(KeepTogether([
-                PlainTextParagraph(pgettext('invoice', 'Included taxes'), self.stylesheet['FineprintHeading']),
+                FontFallbackParagraph(self._normalize(pgettext('invoice', 'Included taxes')), self.stylesheet['FineprintHeading']),
                table
            ]))

@@ -1078,7 +1089,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
                    net = gross - tax

                    tdata.append([
-                        PlainTextParagraph(localize(rate) + " % " + name, self.stylesheet['Fineprint']),
+                        FontFallbackParagraph(self._normalize(localize(rate) + " % " + name), self.stylesheet['Fineprint']),
                        fmt(net), fmt(gross), fmt(tax), ''
                    ])

@@ -1087,13 +1098,13 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):

                story.append(KeepTogether([
                    Spacer(1, height=2 * mm),
-                    PlainTextParagraph(
-                        pgettext(
+                    FontFallbackParagraph(
+                        self._normalize(pgettext(
                            'invoice', 'Using the conversion rate of 1:{rate} as published by the {authority} on '
                                       '{date}, this corresponds to:'
                        ).format(rate=localize(self.invoice.foreign_currency_rate),
                                 authority=SOURCE_NAMES.get(self.invoice.foreign_currency_source, "?"),
-                                 date=date_format(self.invoice.foreign_currency_rate_date, "SHORT_DATE_FORMAT")),
+                                 date=date_format(self.invoice.foreign_currency_rate_date, "SHORT_DATE_FORMAT"))),
                        self.stylesheet['Fineprint']
                    ),
                    Spacer(1, height=3 * mm),
@@ -1102,14 +1113,14 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        elif self.invoice.foreign_currency_display and self.invoice.foreign_currency_rate:
            foreign_total = round_decimal(total * self.invoice.foreign_currency_rate)
            story.append(Spacer(1, 5 * mm))
-            story.append(PlainTextParagraph(
+            story.append(FontFallbackParagraph(self._normalize(
                pgettext(
                    'invoice', 'Using the conversion rate of 1:{rate} as published by the {authority} on '
                               '{date}, the invoice total corresponds to {total}.'
                ).format(rate=localize(self.invoice.foreign_currency_rate),
                         date=date_format(self.invoice.foreign_currency_rate_date, "SHORT_DATE_FORMAT"),
                         authority=SOURCE_NAMES.get(self.invoice.foreign_currency_source, "?"),
-                         total=fmt(foreign_total)),
+                         total=fmt(foreign_total))),
                self.stylesheet['Fineprint']
            ))

@@ -1151,8 +1162,11 @@ class Modern1Renderer(ClassicInvoiceRenderer):
    def _draw_invoice_from(self, canvas):
        if not self.invoice.invoice_from:
            return
-        c = self.invoice.address_invoice_from.strip().split('\n')
-        p = PlainTextParagraph(' · '.join(c), style=self.stylesheet['Sender'])
+        c = [
+            self._clean_text(l)
+            for l in self.invoice.address_invoice_from.strip().split('\n')
+        ]
+        p = FontFallbackParagraph(self._normalize(' · '.join(c)), style=self.stylesheet['Sender'])
        p.wrapOn(canvas, self.invoice_to_width, 15.7 * mm)
        p.drawOn(canvas, self.invoice_to_left, self.pagesize[1] - self.invoice_to_top + 2 * mm)
        super()._draw_invoice_from(canvas)
@@ -1211,8 +1225,8 @@ class Modern1Renderer(ClassicInvoiceRenderer):
                _draw(pgettext('invoice', 'Order code'), self.invoice.order.full_code, value_size, self.left_margin, 45 * mm, **kwargs)
            ]

-            p = PlainTextParagraph(
-                date_format(self.invoice.date, "DATE_FORMAT"),
+            p = FontFallbackParagraph(
+                self._normalize(date_format(self.invoice.date, "DATE_FORMAT")),
                style=ParagraphStyle(name=f'Normal{value_size}', fontName=self.font_regular, fontSize=value_size, leading=value_size * 1.2)
            )
            w = stringWidth(p.text, p.frags[0].fontName, p.frags[0].fontSize)
@@ -1269,7 +1283,7 @@ class Modern1SimplifiedRenderer(Modern1Renderer):
        i = []

        if not self.invoice.event.has_subevents and self.invoice.event.settings.show_dates_on_frontpage:
-            i.append(PlainTextParagraph(
+            i.append(FontFallbackParagraph(
                pgettext('invoice', 'Event date: {date_range}').format(
                    date_range=self.invoice.event.get_date_range_display(),
                ),
@@ -36,9 +36,8 @@ from django.core.management.commands.makemigrations import Command as Parent

 from ._migrations import monkeypatch_migrations

+monkeypatch_migrations()
+

 class Command(Parent):
-
-    def handle(self, *args, **kwargs):
-        monkeypatch_migrations()
-        return super().handle(*args, **kwargs)
+    pass
@@ -64,7 +64,7 @@ class Command(BaseCommand):
        if not periodic_task.receivers or periodic_task.sender_receivers_cache.get(self) is NO_RECEIVERS:
            return

-        for receiver in periodic_task._live_receivers(self)[0]:
+        for receiver in periodic_task._live_receivers(self):
            name = f'{receiver.__module__}.{receiver.__name__}'
            if options['list_tasks']:
                print(name)
@@ -24,7 +24,6 @@ from urllib.parse import urlparse, urlsplit
 from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

 from django.conf import settings
-from django.core.exceptions import BadRequest
 from django.http import Http404, HttpRequest, HttpResponse
 from django.middleware.common import CommonMiddleware
 from django.urls import get_script_prefix, resolve
@@ -348,18 +347,6 @@ class SecurityMiddleware(MiddlewareMixin):
        return resp


-class RejectInvalidInputMiddleware(MiddlewareMixin):
-
-    def process_request(self, request):
-        # Nullbytes in GET/POST parameters are mostly harmless, as they will later fail on database insertion, but it
-        # keeps spamming our error logs whenever someone tries to run a vulnerability scanner.
-        if "\x00" in request.META['QUERY_STRING'] or "%00" in request.META['QUERY_STRING']:
-            raise BadRequest("Invalid characters in input.")
-        if request.method in ('POST', 'PUT', 'PATCH') and request.content_type == "application/x-www-form-urlencoded":
-            if any("\x00" in value for key, value_list in request.POST.lists() for value in value_list):
-                raise BadRequest("Invalid characters in input.")
-
-
 class CustomCommonMiddleware(CommonMiddleware):

    def get_full_path_with_slash(self, request):
@@ -41,20 +41,16 @@ class Migration(migrations.Migration):
            name='datetime',
            field=models.DateTimeField(),
        ),
-        migrations.AddIndex(
-            'logentry',
-            models.Index(fields=('datetime', 'id'), name="pretixbase__datetim_b1fe5a_idx"),
+        migrations.AlterIndexTogether(
+            name='logentry',
+            index_together={('datetime', 'id')},
        ),
-        migrations.AddIndex(
-            'order',
-            models.Index(fields=["datetime", "id"], name="pretixbase__datetim_66aff0_idx"),
+        migrations.AlterIndexTogether(
+            name='order',
+            index_together={('datetime', 'id'), ('last_modified', 'id')},
        ),
-        migrations.AddIndex(
-            'order',
-            models.Index(fields=["last_modified", "id"], name="pretixbase__last_mo_4ebf8b_idx"),
-        ),
-        migrations.AddIndex(
-            'transaction',
-            models.Index(fields=('datetime', 'id'), name="pretixbase__datetim_b20405_idx"),
+        migrations.AlterIndexTogether(
+            name='transaction',
+            index_together={('datetime', 'id')},
        ),
    ]
@@ -61,10 +61,7 @@ class Migration(migrations.Migration):
            options={
                'ordering': ('identifier', 'type', 'organizer'),
                'unique_together': {('identifier', 'type', 'organizer')},
-                'indexes': [
-                    models.Index(fields=('identifier', 'type', 'organizer'), name='reusable_medium_organizer_index'),
-                    models.Index(fields=('updated', 'id'), name="pretixbase__updated_093277_idx")
-                ],
+                'index_together': {('identifier', 'type', 'organizer'), ('updated', 'id')},
            },
            bases=(models.Model, pretix.base.models.base.LoggingMixin),
        ),
@@ -9,6 +9,31 @@ class Migration(migrations.Migration):
    ]

    operations = [
+        migrations.RenameIndex(
+            model_name="logentry",
+            new_name="pretixbase__datetim_b1fe5a_idx",
+            old_fields=("datetime", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="order",
+            new_name="pretixbase__datetim_66aff0_idx",
+            old_fields=("datetime", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="order",
+            new_name="pretixbase__last_mo_4ebf8b_idx",
+            old_fields=("last_modified", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="reusablemedium",
+            new_name="pretixbase__updated_093277_idx",
+            old_fields=("updated", "id"),
+        ),
+        migrations.RenameIndex(
+            model_name="transaction",
+            new_name="pretixbase__datetim_b20405_idx",
+            old_fields=("datetime", "id"),
+        ),
        migrations.AlterField(
            model_name="attendeeprofile",
            name="id",
@@ -1,6 +1,6 @@
 # Generated by Django 4.2.10 on 2024-04-02 15:16

-from django.db import migrations, models
+from django.db import migrations


 class Migration(migrations.Migration):
@@ -10,8 +10,8 @@ class Migration(migrations.Migration):
    ]

    operations = [
-        migrations.RemoveIndex(
-            "reusablemedium",
-            'reusable_medium_organizer_index',
+        migrations.AlterIndexTogether(
+            name="reusablemedium",
+            index_together=set(),
        ),
    ]
@@ -70,10 +70,6 @@ def parse_csv(file, length=None, mode="strict", charset=None):
        except ImportError:
            charset = file.charset
    data = data.decode(charset or "utf-8", mode)
-
-    # remove stray linebreaks from the end of the file
-    data = data.rstrip("\n")
-
    # If the file was modified on a Mac, it only contains \r as line breaks
    if '\r' in data and '\n' not in data:
        data = data.replace('\r', '\n')
@@ -29,9 +29,7 @@ import inspect
 import logging
 import os
 import threading
-from pathlib import Path

-import django
 from django.conf import settings
 from django.db import transaction

@@ -76,14 +74,10 @@ def _transactions_mark_order_dirty(order_id, using=None):
    if "PYTEST_CURRENT_TEST" in os.environ:
        # We don't care about Order.objects.create() calls in test code so let's try to figure out if this is test code
        # or not.
-        for frame in inspect.stack()[1:]:
-            if (
-                'pretix/base/models/orders' in frame.filename
-                or Path(frame.filename).is_relative_to(Path(django.__file__).parent)
-            ):
-                # Ignore model- and django-internal code
+        for frame in inspect.stack():
+            if 'pretix/base/models/orders' in frame.filename:
                continue
-            elif 'test_' in frame.filename or 'conftest.py' in frame.filename:
+            elif 'test_' in frame.filename or 'conftest.py in frame.filename':
                return
            elif 'pretix/' in frame.filename or 'pretix_' in frame.filename:
                # This went through non-test code, let's consider it non-test
@@ -38,7 +38,6 @@ import operator
 import secrets
 from datetime import timedelta
 from functools import reduce
-from typing import Protocol

 from django.conf import settings
 from django.contrib.auth.models import (
@@ -68,14 +67,6 @@ class EmailAddressTakenError(IntegrityError):
    pass


-class PermissionHolder(Protocol):
-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
-        ...
-
-    def has_organizer_permission(self, organizer, perm_name=None, request=None):
-        ...
-
-
 class UserManager(BaseUserManager):
    """
    This is the user manager for our custom user model. See the User
@@ -705,18 +696,6 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
        return self.teams.exists()


-class UserWithStaffSession:
-    # Wrapper around a User object with a staff session, implementing the PermissionHolder Protocol
-    def __init__(self, user):
-        self.user = user
-
-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
-        return True
-
-    def has_organizer_permission(self, organizer, perm_name=None, request=None):
-        return True
-
-
 class UserKnownLoginSource(models.Model):
    user = models.ForeignKey('User', on_delete=models.CASCADE, related_name="known_login_sources")
    agent_type = models.CharField(max_length=255, null=True, blank=True)
@@ -229,7 +229,7 @@ class Device(LoggedModel):
        """
        return self._organizer_permission_set() if self.organizer == organizer else set()

-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
        """
        Checks if this token is part of a team that grants access of type ``perm_name``
        to the event ``event``.
@@ -238,7 +238,6 @@ class Device(LoggedModel):
        :param event: The event to check
        :param perm_name: The permission, e.g. ``event.orders:read``
        :param request: This parameter is ignored and only defined for compatibility reasons.
-        :param session_key: This parameter is ignored and only defined for compatibility reasons.
        :return: bool
        """
        has_event_access = (self.all_events and organizer == self.organizer) or (
@@ -715,12 +715,6 @@ class Event(EventMixin, LoggedModel):
        self.settings.name_scheme = 'given_family'
        self.settings.payment_banktransfer_invoice_immediately = True
        self.settings.low_availability_percentage = 10
-        self.settings.mail_send_order_free_attendee = True
-        self.settings.mail_send_order_placed_attendee = True
-        self.settings.mail_send_order_paid_attendee = True
-        self.settings.mail_send_order_approved_attendee = True
-        self.settings.mail_send_order_approved_free_attendee = True
-        self.settings.mail_text_download_reminder_attendee = True

    @property
    def social_image(self):
@@ -88,7 +88,7 @@ class LogEntry(models.Model):

    class Meta:
        ordering = ('-datetime', '-id')
-        indexes = [models.Index(fields=["datetime", "id"], name="pretixbase__datetim_b1fe5a_idx")]
+        indexes = [models.Index(fields=["datetime", "id"])]

    def display(self):
        from pretix.base.logentrytype_registry import log_entry_types
@@ -122,7 +122,7 @@ class ReusableMedium(LoggedModel):
    class Meta:
        unique_together = (("identifier", "type", "organizer"),)
        indexes = [
-            models.Index(fields=("updated", "id"), name="pretixbase__updated_093277_idx"),
+            models.Index(fields=("updated", "id")),
        ]
        ordering = "identifier", "type", "organizer"

@@ -336,8 +336,8 @@ class Order(LockModel, LoggedModel):
        verbose_name_plural = _("Orders")
        ordering = ("-datetime", "-pk")
        indexes = [
-            models.Index(fields=["datetime", "id"], name="pretixbase__datetim_66aff0_idx"),
-            models.Index(fields=["last_modified", "id"], name="pretixbase__last_mo_4ebf8b_idx"),
+            models.Index(fields=["datetime", "id"]),
+            models.Index(fields=["last_modified", "id"]),
        ]
        constraints = [
            models.UniqueConstraint(fields=["organizer", "code"], name="order_organizer_code_uniq"),
@@ -590,7 +590,7 @@ class Order(LockModel, LoggedModel):
            not kwargs.get('force_save_with_deferred_fields', None) and
            (not update_fields or ('require_approval' not in update_fields and 'status' not in update_fields))
        ):
-            _fail("It is unsafe to call save() on an Order with deferred fields since we can't check if you missed "
+            _fail("It is unsafe to call save() on an OrderFee with deferred fields since we can't check if you missed "
                  "creating a transaction. Call save(force_save_with_deferred_fields=True) if you really want to do "
                  "this.")

@@ -2841,7 +2841,7 @@ class OrderPosition(AbstractPosition):
            if Transaction.key(self) != self.__initial_transaction_key or self.canceled != self.__initial_canceled or not self.pk:
                _transactions_mark_order_dirty(self.order_id, using=kwargs.get('using', None))
        elif not kwargs.get('force_save_with_deferred_fields', None):
-            _fail("It is unsafe to call save() on an OrderPosition with deferred fields since we can't check if you missed "
+            _fail("It is unsafe to call save() on an OrderFee with deferred fields since we can't check if you missed "
                  "creating a transaction. Call save(force_save_with_deferred_fields=True) if you really want to do "
                  "this.")

@@ -3080,7 +3080,7 @@ class Transaction(models.Model):
    class Meta:
        ordering = 'datetime', 'pk'
        indexes = [
-            models.Index(fields=['datetime', 'id'], name="pretixbase__datetim_b20405_idx")
+            models.Index(fields=['datetime', 'id'])
        ]

    def save(self, *args, **kwargs):
@@ -319,9 +319,6 @@ class TeamQuerySet(models.QuerySet):
    def event_permission_q(cls, perm_name):
        from ..permissions import assert_valid_event_permission

-        if perm_name is None:
-            return Q()
-
        if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_EVENT_COMPAT:  # legacy
            return reduce(operator.and_, [cls.event_permission_q(p) for p in OLD_TO_NEW_EVENT_COMPAT[perm_name]])
        assert_valid_event_permission(perm_name, allow_legacy=False)
@@ -334,9 +331,6 @@ class TeamQuerySet(models.QuerySet):
    def organizer_permission_q(cls, perm_name):
        from ..permissions import assert_valid_organizer_permission

-        if perm_name is None:
-            return Q()
-
        if perm_name.startswith('can_') and perm_name in OLD_TO_NEW_ORGANIZER_COMPAT:  # legacy
            return reduce(operator.and_, [cls.organizer_permission_q(p) for p in OLD_TO_NEW_ORGANIZER_COMPAT[perm_name]])
        assert_valid_organizer_permission(perm_name, allow_legacy=False)
@@ -556,7 +550,7 @@ class TeamAPIToken(models.Model):
        """
        return self.team.organizer_permission_set() if self.team.organizer == organizer else set()

-    def has_event_permission(self, organizer, event, perm_name=None, request=None, session_key=None) -> bool:
+    def has_event_permission(self, organizer, event, perm_name=None, request=None) -> bool:
        """
        Checks if this token is part of a team that grants access of type ``perm_name``
        to the event ``event``.
@@ -565,7 +559,6 @@ class TeamAPIToken(models.Model):
        :param event: The event to check
        :param perm_name: The permission, e.g. ``event.orders:read``
        :param request: This parameter is ignored and only defined for compatibility reasons.
-        :param session_key: This parameter is ignored and only defined for compatibility reasons.
        :return: bool
        """
        has_event_access = (self.team.all_events and organizer == self.team.organizer) or (
@@ -54,7 +54,7 @@ from bidi import get_display
 from django.conf import settings
 from django.contrib.staticfiles import finders
 from django.core.exceptions import ValidationError
-from django.db.models import Exists, Max, Min, OuterRef
+from django.db.models import Max, Min
 from django.db.models.fields.files import FieldFile
 from django.dispatch import receiver
 from django.utils.deconstruct import deconstructible
@@ -76,7 +76,7 @@ from reportlab.pdfgen.canvas import Canvas
 from reportlab.platypus import Paragraph

 from pretix.base.i18n import language
-from pretix.base.models import Checkin, Event, Order, OrderPosition, Question
+from pretix.base.models import Event, Order, OrderPosition, Question
 from pretix.base.settings import PERSON_NAME_SCHEMES
 from pretix.base.signals import layout_image_variables, layout_text_variables
 from pretix.base.templatetags.money import money_filter
@@ -379,13 +379,6 @@ DEFAULT_VARIABLES = OrderedDict((
            str(p) for p in generate_compressed_addon_list(op, order, ev)
        ])
    }),
-    ("checked_in_addons", {
-        "label": _("List of Checked-In Add-Ons"),
-        "editor_sample": _("Add-on 1\n2x Add-on 2"),
-        "evaluate": lambda op, order, ev: "\n".join([
-            str(p) for p in generate_compressed_addon_list(op, order, ev, only_checked_in=True)
-        ])
-    }),
    ("organizer", {
        "label": _("Organizer name"),
        "editor_sample": _("Event organizer company"),
@@ -757,16 +750,12 @@ def get_program_times(op: OrderPosition, ev: Event):
    ])


-def generate_compressed_addon_list(op, order, event, only_checked_in=False):
+def generate_compressed_addon_list(op, order, event):
    itemcount = defaultdict(int)
-    addon_qs = (
+    addons = [p for p in (
        op.addons.all() if 'addons' in getattr(op, '_prefetched_objects_cache', {})
        else op.addons.select_related('item', 'variation')
-    )
-    if only_checked_in:
-        addon_qs = addon_qs.filter(Exists(Checkin.objects.filter(position=OuterRef('pk'))), canceled=False)
-    addons = [p for p in addon_qs if not p.canceled]
-
+    ) if not p.canceled]
    for pos in addons:
        itemcount[pos.item, pos.variation] += 1

@@ -923,7 +912,7 @@ class Renderer:

            # We do not use str.format like in emails so we (a) can evaluate lazily and (b) can re-implement this
            # 1:1 on other platforms that render PDFs through our API (libpretixprint)
-            return re.sub(r'\{([-a-zA-Z0-9:_]+)\}', replace, text)
+            return re.sub(r'\{([a-zA-Z0-9:_]+)\}', replace, text)

        elif o['content'].startswith('itemmeta:'):
            if op.variation_id:
@@ -1056,7 +1045,7 @@ class Renderer:
        except:
            logger.exception('Reshaping/Bidi fixes failed on string {}'.format(repr(text)))

-        p = Paragraph(text, style=style)  # not using AutoEscapeParagraph is safe as we escape above
+        p = Paragraph(text, style=style)
        return p, ad, lineheight

    def _draw_textcontainer(self, canvas: Canvas, op: OrderPosition, order: Order, o: dict):
@@ -38,7 +38,6 @@ SOURCE_NAMES = {
    None: _('European Central Bank'),  # backwards-compatibility
    'eu:ecb:eurofxref-daily': _('European Central Bank'),
    'cz:cnb:rate-fixing-daily': _('Czech National Bank'),
-    'pl:nbp:table-a': _('National Bank of Poland'),
 }


@@ -50,7 +49,6 @@ def fetch_rates(sender, **kwargs):
    source_tasks = {
        'eu:ecb:eurofxref-daily': fetch_ecb_rates,
        'cz:cnb:rate-fixing-daily': fetch_cnb_cz_rates,
-        'pl:nbp:table-a': fetch_nbp_pl_rates,
    }

    for source_name, task in source_tasks.items():
@@ -146,29 +144,3 @@ def fetch_cnb_cz_rates():
                rate=rate,
            )
        )
-
-
-@app.task()
-def fetch_nbp_pl_rates():
-    """
-    Fetches currency rates from the Polish National Bank.
-    """
-    r = requests.get("https://api.nbp.pl/api/exchangerates/tables/A/", headers={
-        "Accept": "application/json",
-    })
-    r.raise_for_status()
-    data = r.json()[0]
-
-    source_date = datetime.strptime(data["effectiveDate"], "%Y-%m-%d").date()
-
-    for r in data["rates"]:
-        rate = Decimal(r["mid"]).quantize(Decimal('0.000001'))
-        ExchangeRate.objects.update_or_create(
-            source='pl:nbp:table-a',
-            source_currency=r["code"],
-            other_currency='PLN',
-            defaults=dict(
-                source_date=source_date,
-                rate=rate,
-            )
-        )
@@ -40,7 +40,6 @@ from pretix.base.models import (
    CachedFile, Device, Event, Organizer, ScheduledEventExport, TeamAPIToken,
    User, cachedfile_name,
 )
-from pretix.base.models.auth import UserWithStaffSession
 from pretix.base.models.exports import ScheduledOrganizerExport
 from pretix.base.services.mail import mail
 from pretix.base.services.tasks import (
@@ -212,12 +211,7 @@ def init_event_exporters(event, user=None, token=None, device=None, request=None
        if not perm_holder.has_event_permission(event.organizer, event, permission_name, request) and not staff_session:
            continue

-        exporter: BaseExporter = response(
-            event=event,
-            organizer=event.organizer,
-            permission_holder=token or device or (UserWithStaffSession(user) if staff_session else user),
-            **kwargs
-        )
+        exporter: BaseExporter = response(event=event, organizer=event.organizer, **kwargs)

        if not exporter.available_for_user(user if user and user.is_authenticated else None):
            continue
@@ -249,12 +243,7 @@ def init_organizer_exporters(
            continue

        if issubclass(response, OrganizerLevelExportMixin):
-            exporter: BaseExporter = response(
-                event=Event.objects.none(),
-                organizer=organizer,
-                permission_holder=token or device or (UserWithStaffSession(user) if staff_session else user),
-                **kwargs,
-            )
+            exporter: BaseExporter = response(event=Event.objects.none(), organizer=organizer, **kwargs)

            try:
                if not perm_holder.has_organizer_permission(organizer, response.get_required_organizer_permission(), request) and not staff_session:
@@ -306,12 +295,7 @@ def init_organizer_exporters(
            if not _has_permission_on_any_team_cache[permission_name] and not staff_session:
                continue

-            exporter: BaseExporter = response(
-                event=_event_list_cache[permission_name],
-                organizer=organizer,
-                permission_holder=token or device or (UserWithStaffSession(user) if staff_session else user),
-                **kwargs,
-            )
+            exporter: BaseExporter = response(event=_event_list_cache[permission_name], organizer=organizer, **kwargs)

        if not exporter.available_for_user(user if user and user.is_authenticated else None):
            continue
@@ -58,7 +58,6 @@ from pretix.base.invoicing.transmission import (
 from pretix.base.models import (
    ExchangeRate, Invoice, InvoiceAddress, InvoiceLine, Order, OrderFee,
 )
-from pretix.base.models.orders import OrderPayment
 from pretix.base.models.tax import EU_CURRENCIES
 from pretix.base.services.tasks import (
    TransactionAwareProfiledEventTask, TransactionAwareTask,
@@ -103,7 +102,7 @@ def build_invoice(invoice: Invoice) -> Invoice:
        introductory = invoice.event.settings.get('invoice_introductory_text', as_type=LazyI18nString)
        additional = invoice.event.settings.get('invoice_additional_text', as_type=LazyI18nString)
        footer = invoice.event.settings.get('invoice_footer_text', as_type=LazyI18nString)
-        if lp and lp.payment_provider and lp.state not in (OrderPayment.PAYMENT_STATE_FAILED, OrderPayment.PAYMENT_STATE_CANCELED):
+        if lp and lp.payment_provider:
            if 'payment' in inspect.signature(lp.payment_provider.render_invoice_text).parameters:
                payment = str(lp.payment_provider.render_invoice_text(invoice.order, lp))
            else:
@@ -205,19 +204,6 @@ def build_invoice(invoice: Invoice) -> Invoice:
                        invoice.foreign_currency_rate = rate.rate.quantize(Decimal('0.0001'), ROUND_HALF_UP)
                        invoice.foreign_currency_rate_date = rate.source_date
                        invoice.foreign_currency_source = 'cz:cnb:rate-fixing-daily'
-            elif invoice.event.settings.invoice_eu_currencies == 'PLN' and invoice.event.currency != 'PLN':
-                invoice.foreign_currency_display = 'PLN'
-                if settings.FETCH_ECB_RATES:
-                    rate = ExchangeRate.objects.filter(
-                        source='pl:nbp:table-a',
-                        source_currency=invoice.event.currency,
-                        other_currency=invoice.foreign_currency_display,
-                        source_date__gt=now().date() - timedelta(days=7)
-                    ).first()
-                    if rate:
-                        invoice.foreign_currency_rate = rate.rate.quantize(Decimal('0.0001'), ROUND_HALF_UP)
-                        invoice.foreign_currency_rate_date = rate.source_date
-                        invoice.foreign_currency_source = 'pl:nbp:table-a'

        except InvoiceAddress.DoesNotExist:
            ia = None
@@ -411,7 +411,7 @@ def mail_send_task(self, **kwargs) -> bool:
        try:
            outgoing_mail = OutgoingMail.objects.select_for_update(of=OF_SELF).get(pk=outgoing_mail)
        except OutgoingMail.DoesNotExist:
-            logger.info(f"Ignoring job for non existing email {outgoing_mail}")
+            logger.info(f"Ignoring job for non existing email {outgoing_mail.guid}")
            return False
        if outgoing_mail.status == OutgoingMail.STATUS_INFLIGHT:
            logger.info(f"Ignoring job for inflight email {outgoing_mail.guid}")
@@ -67,9 +67,9 @@ from pretix.base.email import get_email_context
 from pretix.base.i18n import get_language_without_region, language
 from pretix.base.media import MEDIA_TYPES
 from pretix.base.models import (
-    CartPosition, Device, Event, GiftCard, Item, ItemVariation, LogEntry,
-    Membership, Order, OrderPayment, OrderPosition, Quota, Seat,
-    SeatCategoryMapping, User, Voucher,
+    CartPosition, Device, Event, GiftCard, Item, ItemVariation, Membership,
+    Order, OrderPayment, OrderPosition, Quota, Seat, SeatCategoryMapping, User,
+    Voucher,
 )
 from pretix.base.models.event import SubEvent
 from pretix.base.models.orders import (
@@ -1618,7 +1618,7 @@ class OrderChangeManager:
    MembershipOperation = namedtuple('MembershipOperation', ('position', 'membership'))
    CancelOperation = namedtuple('CancelOperation', ('position', 'price_diff'))
    AddOperation = namedtuple('AddOperation', ('item', 'variation', 'price', 'addon_to', 'subevent', 'seat', 'membership',
-                                               'valid_from', 'valid_until', 'is_bundled', 'result', 'count'))
+                                               'valid_from', 'valid_until', 'is_bundled', 'result'))
    SplitOperation = namedtuple('SplitOperation', ('position',))
    FeeValueOperation = namedtuple('FeeValueOperation', ('fee', 'value', 'price_diff'))
    AddFeeOperation = namedtuple('AddFeeOperation', ('fee', 'price_diff'))
@@ -1632,24 +1632,16 @@ class OrderChangeManager:
    ForceRecomputeOperation = namedtuple('ForceRecomputeOperation', tuple())

    class AddPositionResult:
-        _positions: Optional[List[OrderPosition]]
+        _position: Optional[OrderPosition]

        def __init__(self):
-            self._positions = None
+            self._position = None

        @property
        def position(self) -> OrderPosition:
-            if self._positions is None:
+            if self._position is None:
                raise RuntimeError("Order position has not been created yet. Call commit() first on OrderChangeManager.")
-            if len(self._positions) != 1:
-                raise RuntimeError("More than one position created.")
-            return self._positions[0]
-
-        @property
-        def positions(self) -> List[OrderPosition]:
-            if self._positions is None:
-                raise RuntimeError("Order position has not been created yet. Call commit() first on OrderChangeManager.")
-            return self._positions
+            return self._position

    def __init__(self, order: Order, user=None, auth=None, notify=True, reissue_invoice=True, allow_blocked_seats=False):
        self.order = order
@@ -1856,12 +1848,8 @@ class OrderChangeManager:

    def add_position(self, item: Item, variation: ItemVariation, price: Decimal, addon_to: OrderPosition = None,
                     subevent: SubEvent = None, seat: Seat = None, membership: Membership = None,
-                     valid_from: datetime = None, valid_until: datetime = None, count: int = 1) -> 'OrderChangeManager.AddPositionResult':
-        if count < 1:
-            raise ValueError("Count must be positive")
+                     valid_from: datetime = None, valid_until: datetime = None) -> 'OrderChangeManager.AddPositionResult':
        if isinstance(seat, str):
-            if count > 1:
-                raise ValueError("Cannot combine count > 1 with seat")
            if not seat:
                seat = None
            else:
@@ -1915,14 +1903,14 @@ class OrderChangeManager:
        if self.order.event.settings.invoice_include_free or price.gross != Decimal('0.00'):
            self._invoice_dirty = True

-        self._totaldiff_guesstimate += price.gross * count
-        self._quotadiff.update({q: count for q in new_quotas})
+        self._totaldiff_guesstimate += price.gross
+        self._quotadiff.update(new_quotas)
        if seat:
            self._seatdiff.update([seat])

        result = self.AddPositionResult()
        self._operations.append(self.AddOperation(item, variation, price, addon_to, subevent, seat, membership,
-                                                  valid_from, valid_until, is_bundled, result, count))
+                                                  valid_from, valid_until, is_bundled, result))
        return result

    def split(self, position: OrderPosition):
@@ -2542,35 +2530,29 @@ class OrderChangeManager:
                    secret_dirty.remove(position)
                position.save(update_fields=['canceled', 'secret'])
            elif isinstance(op, self.AddOperation):
-                new_pos = []
-                new_logs = []
-                for i in range(op.count):
-                    pos = OrderPosition.objects.create(
-                        item=op.item, variation=op.variation, addon_to=op.addon_to,
-                        price=op.price.gross, order=self.order, tax_rate=op.price.rate, tax_code=op.price.code,
-                        tax_value=op.price.tax, tax_rule=op.item.tax_rule,
-                        positionid=nextposid, subevent=op.subevent, seat=op.seat,
-                        used_membership=op.membership, valid_from=op.valid_from, valid_until=op.valid_until,
-                        is_bundled=op.is_bundled,
-                    )
-                    nextposid += 1
-                    new_pos.append(pos)
-                    new_logs.append(self.order.log_action('pretix.event.order.changed.add', user=self.user, auth=self.auth, data={
-                        'position': pos.pk,
-                        'item': op.item.pk,
-                        'variation': op.variation.pk if op.variation else None,
-                        'addon_to': op.addon_to.pk if op.addon_to else None,
-                        'price': op.price.gross,
-                        'positionid': pos.positionid,
-                        'membership': pos.used_membership_id,
-                        'subevent': op.subevent.pk if op.subevent else None,
-                        'seat': op.seat.pk if op.seat else None,
-                        'valid_from': op.valid_from.isoformat() if op.valid_from else None,
-                        'valid_until': op.valid_until.isoformat() if op.valid_until else None,
-                    }, save=False))
-
-                op.result._positions = new_pos
-                LogEntry.bulk_create_and_postprocess(new_logs)
+                pos = OrderPosition.objects.create(
+                    item=op.item, variation=op.variation, addon_to=op.addon_to,
+                    price=op.price.gross, order=self.order, tax_rate=op.price.rate, tax_code=op.price.code,
+                    tax_value=op.price.tax, tax_rule=op.item.tax_rule,
+                    positionid=nextposid, subevent=op.subevent, seat=op.seat,
+                    used_membership=op.membership, valid_from=op.valid_from, valid_until=op.valid_until,
+                    is_bundled=op.is_bundled,
+                )
+                nextposid += 1
+                self.order.log_action('pretix.event.order.changed.add', user=self.user, auth=self.auth, data={
+                    'position': pos.pk,
+                    'item': op.item.pk,
+                    'variation': op.variation.pk if op.variation else None,
+                    'addon_to': op.addon_to.pk if op.addon_to else None,
+                    'price': op.price.gross,
+                    'positionid': pos.positionid,
+                    'membership': pos.used_membership_id,
+                    'subevent': op.subevent.pk if op.subevent else None,
+                    'seat': op.seat.pk if op.seat else None,
+                    'valid_from': op.valid_from.isoformat() if op.valid_from else None,
+                    'valid_until': op.valid_until.isoformat() if op.valid_until else None,
+                })
+                op.result._position = pos
            elif isinstance(op, self.SplitOperation):
                position = position_cache.setdefault(op.position.pk, op.position)
                split_positions.append(position)
@@ -2895,7 +2877,7 @@ class OrderChangeManager:
        return total

    def _check_order_size(self):
-        if (len(self.order.positions.all()) + sum([op.count for op in self._operations if isinstance(op, self.AddOperation)])) > settings.PRETIX_MAX_ORDER_SIZE:
+        if (len(self.order.positions.all()) + len([op for op in self._operations if isinstance(op, self.AddOperation)])) > settings.PRETIX_MAX_ORDER_SIZE:
            raise OrderError(
                self.error_messages['max_order_size'] % {
                    'max': settings.PRETIX_MAX_ORDER_SIZE,
@@ -2956,7 +2938,7 @@ class OrderChangeManager:
        ]) + len([
            o for o in self._operations if isinstance(o, self.SplitOperation)
        ])
-        adds = sum([o.count for o in self._operations if isinstance(o, self.AddOperation)])
+        adds = len([o for o in self._operations if isinstance(o, self.AddOperation)])
        if current > 0 and current - cancels + adds < 1:
            raise OrderError(self.error_messages['complete_cancel'])

@@ -3003,18 +2985,17 @@ class OrderChangeManager:
            elif isinstance(op, self.CancelOperation) and op.position in positions_to_fake_cart:
                fake_cart.remove(positions_to_fake_cart[op.position])
            elif isinstance(op, self.AddOperation):
-                for i in range(op.count):
-                    cp = CartPosition(
-                        event=self.event,
-                        item=op.item,
-                        variation=op.variation,
-                        used_membership=op.membership,
-                        subevent=op.subevent,
-                        seat=op.seat,
-                    )
-                    cp.override_valid_from = op.valid_from
-                    cp.override_valid_until = op.valid_until
-                    fake_cart.append(cp)
+                cp = CartPosition(
+                    event=self.event,
+                    item=op.item,
+                    variation=op.variation,
+                    used_membership=op.membership,
+                    subevent=op.subevent,
+                    seat=op.seat,
+                )
+                cp.override_valid_from = op.valid_from
+                cp.override_valid_until = op.valid_until
+                fake_cart.append(cp)
        try:
            validate_memberships_in_order(self.order.customer, fake_cart, self.event, lock=True, ignored_order=self.order, testmode=self.order.testmode)
        except ValidationError as e:
@@ -100,7 +100,7 @@ def primary_font_kwargs():

    choices = [('Open Sans', 'Open Sans')]
    choices += sorted([
-        (a, FontSelect.FontOption(title=a, data=v)) for a, v in get_fonts(pdf_support_required=False).items()
+        (a, {"title": a, "data": v}) for a, v in get_fonts(pdf_support_required=False).items()
    ], key=lambda a: a[0])
    return {
        'choices': choices,
@@ -574,7 +574,6 @@ DEFAULTS = {
                ('True', _('Based on European Central Bank daily rates, whenever the invoice recipient is in an EU '
                           'country that uses a different currency.')),
                ('CZK', _('Based on Czech National Bank daily rates, whenever the invoice amount is not in CZK.')),
-                ('PLN', _('Based on National Bank of Poland daily rates, whenever the invoice amount is not in PLN.')),
            ),
        ),
        'serializer_kwargs': dict(
@@ -583,7 +582,6 @@ DEFAULTS = {
                ('True', _('Based on European Central Bank daily rates, whenever the invoice recipient is in an EU '
                           'country that uses a different currency.')),
                ('CZK', _('Based on Czech National Bank daily rates, whenever the invoice amount is not in CZK.')),
-                ('PLN', _('Based on National Bank of Poland daily rates, whenever the invoice amount is not in PLN.')),
            ),
        ),
    },
@@ -4150,14 +4148,6 @@ def validate_event_settings(event, settings_dict):
                    )
                ]}
            )
-    if (
-        settings_dict.get('invoice_address_from_vat_id') and
-        settings_dict.get('invoice_address_from_country') and
-        settings_dict.get('invoice_address_from_country') not in VAT_ID_COUNTRIES
-    ):
-        raise ValidationError({
-            'invoice_address_from_vat_id': _('VAT-ID is not supported for "{}".').format(settings_dict.get('invoice_address_from_country'))
-        })

    payment_term_last = settings_dict.get('payment_term_last')
    if payment_term_last and event.presale_end:
@@ -32,7 +32,6 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations under the License.

-import logging
 import warnings
 from typing import Any, Callable, Generic, List, Tuple, TypeVar

@@ -49,8 +48,6 @@ from .plugins import (
    PLUGIN_LEVEL_ORGANIZER,
 )

-logger = logging.getLogger(__name__)
-
 app_cache = {}
 T = TypeVar('T')

@@ -63,25 +60,23 @@ def _populate_app_cache():

 def get_defining_app(o):
    # If sentry packed this in a wrapper, unpack that
-    module = getattr(o, "__module__", None)
-    if module and "sentry" in module:
+    if "sentry" in o.__module__:
        o = o.__wrapped__

    if hasattr(o, "__mocked_app"):
        return o.__mocked_app

    # Find the Django application this belongs to
-    searchpath = module or getattr(o.__class__, "__module__", None) or ""
+    searchpath = o.__module__

    # Core modules are always active
-    if searchpath and any(searchpath.startswith(cm) for cm in settings.CORE_MODULES):
+    if any(searchpath.startswith(cm) for cm in settings.CORE_MODULES):
        return 'CORE'

    if not app_cache:
        _populate_app_cache()

-    app = None
-    while searchpath:
+    while True:
        app = app_cache.get(searchpath)
        if "." not in searchpath or app:
            break
@@ -162,7 +157,7 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
        if not app_cache:
            _populate_app_cache()

-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._sorted_receivers(sender):
            if self._is_receiver_active(sender, receiver):
                response = receiver(signal=self, sender=sender, **named)
                responses.append((receiver, response))
@@ -184,7 +179,7 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
        if not app_cache:
            _populate_app_cache()

-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._sorted_receivers(sender):
            if self._is_receiver_active(sender, receiver):
                named[chain_kwarg_name] = response
                response = receiver(signal=self, sender=sender, **named)
@@ -209,7 +204,7 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
        if not app_cache:
            _populate_app_cache()

-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._sorted_receivers(sender):
            if self._is_receiver_active(sender, receiver):
                try:
                    response = receiver(signal=self, sender=sender, **named)
@@ -219,35 +214,17 @@ class PluginSignal(Generic[T], django.dispatch.Signal):
                    responses.append((receiver, response))
        return responses

-    def asend(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
-    def asend_robust(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
-    def _live_receivers(self, sender):
-        orig_list, orig_async_list = super()._live_receivers(sender)
-
-        if orig_async_list:
-            logger.error('Async receivers are not supported.')
-            raise NotImplementedError
-
-        def _getattr_fallback_to_class(obj, key):
-            return getattr(obj, key, getattr(obj.__class__, key))
-
-        def _is_core_module(receiver):
-            m = _getattr_fallback_to_class(receiver, "__module__")
-            return any(m.startswith(c) for c in settings.CORE_MODULES)
-
+    def _sorted_receivers(self, sender):
+        orig_list = self._live_receivers(sender)
        sorted_list = sorted(
            orig_list,
            key=lambda receiver: (
-                0 if _is_core_module(receiver) else 1,
-                _getattr_fallback_to_class(receiver, "__module__"),
-                _getattr_fallback_to_class(receiver, "__name__"),
+                0 if any(receiver.__module__.startswith(m) for m in settings.CORE_MODULES) else 1,
+                receiver.__module__,
+                receiver.__name__,
            )
        )
-        return sorted_list, []
+        return sorted_list


 class EventPluginSignal(PluginSignal[Event]):
@@ -323,41 +300,23 @@ class GlobalSignal(django.dispatch.Signal):
        if not self.receivers or self.sender_receivers_cache.get(sender) is NO_RECEIVERS:
            return response

-        for receiver in self._live_receivers(sender)[0]:
+        for receiver in self._live_receivers(sender):
            named[chain_kwarg_name] = response
            response = receiver(signal=self, sender=sender, **named)
        return response

-    def asend(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
-    def asend_robust(self, sender: T, **named):
-        raise NotImplementedError()  # NOQA
-
    def _live_receivers(self, sender):
        # Ensure consistent sorting of receivers
-        orig_list, orig_async_list = super()._live_receivers(sender)
-
-        if orig_async_list:
-            logger.error('Async receivers are not supported.')
-            raise NotImplementedError
-
-        def _getattr_fallback_to_class(obj, key):
-            return getattr(obj, key, getattr(obj.__class__, key))
-
-        def _is_core_module(receiver):
-            m = _getattr_fallback_to_class(receiver, "__module__")
-            return any(m.startswith(c) for c in settings.CORE_MODULES)
-
+        orig_list = super()._live_receivers(sender)
        sorted_list = sorted(
            orig_list,
            key=lambda receiver: (
-                0 if _is_core_module(receiver) else 1,
-                _getattr_fallback_to_class(receiver, "__module__"),
-                _getattr_fallback_to_class(receiver, "__name__"),
+                0 if any(receiver.__module__.startswith(m) for m in settings.CORE_MODULES) else 1,
+                receiver.__module__,
+                receiver.__name__,
            )
        )
-        return sorted_list, []
+        return sorted_list


 class DeprecatedSignal(GlobalSignal):
@@ -2,14 +2,13 @@
 {% load i18n %}
 {% load rich_text %}
 {% load static %}
-{% load wrap_in %}
 {% block title %}{% trans "Redirect" %}{% endblock %}
 {% block content %}
 <i class="fa fa-link fa-fw big-icon"></i>
 <div class="error-details">
    <h1>{% trans "Redirect" %}</h1>
    <h3>
-        {% blocktrans trimmed with host=hostname|wrap_in:'strong' %}
+        {% blocktrans trimmed with host="<strong>"|add:hostname|add:"</strong>"|safe %}
        The link you clicked on wants to redirect you to a destination on the website {{ host }}.
        {% endblocktrans %}
        {% blocktrans trimmed %}
@@ -20,7 +20,6 @@
 # <https://www.gnu.org/licenses/>.
 #
 import logging
-import re
 from collections import defaultdict
 from datetime import timedelta
 from importlib import import_module
@@ -53,7 +52,6 @@ from pretix.celery_app import app
 from pretix.helpers.http import redirect_to_url

 logger = logging.getLogger('pretix.base.tasks')
-RE_ASYNC_ID = re.compile(r"^[a-zA-Z0-9\-]+$")


 class AsyncMixin:
@@ -135,8 +133,6 @@ class AsyncMixin:
    def get_result(self, request):
        if not request.GET.get('async_id'):
            raise BadRequest("No async_id given")
-        if not RE_ASYNC_ID.match(request.GET.get('async_id')):
-            raise BadRequest("Invalid async_id given")
        res = AsyncResult(request.GET.get('async_id'))
        if 'ajax' in self.request.GET:
            return JsonResponse(self._return_ajax_result(res, timeout=0.25))
@@ -34,7 +34,6 @@

 import datetime
 import os
-from dataclasses import dataclass

 from django import forms
 from django.conf import settings
@@ -421,11 +420,6 @@ class SplitDateTimeField(forms.SplitDateTimeField):
 class FontSelect(forms.RadioSelect):
    option_template_name = 'pretixcontrol/font_option.html'

-    @dataclass
-    class FontOption:
-        title: str
-        data: str
-

 class ItemMultipleChoiceField(SafeModelMultipleChoiceField):
    def label_from_instance(self, obj):
@@ -63,7 +63,7 @@ from pretix.base.forms import (
 from pretix.base.models import Event, Organizer, TaxRule, Team
 from pretix.base.models.event import EventFooterLink, EventMetaValue, SubEvent
 from pretix.base.models.organizer import TeamQuerySet
-from pretix.base.models.tax import TAX_CODE_LISTS, VAT_ID_COUNTRIES
+from pretix.base.models.tax import TAX_CODE_LISTS
 from pretix.base.reldate import RelativeDateField, RelativeDateTimeField
 from pretix.base.services.placeholders import FormPlaceholderMixin
 from pretix.base.settings import (
@@ -73,8 +73,8 @@ from pretix.base.settings import (
 )
 from pretix.base.validators import multimail_validate
 from pretix.control.forms import (
-    FontSelect, MultipleLanguagesWidget, SalesChannelCheckboxSelectMultiple,
-    SlugWidget, SplitDateTimeField, SplitDateTimePickerWidget,
+    MultipleLanguagesWidget, SalesChannelCheckboxSelectMultiple, SlugWidget,
+    SplitDateTimeField, SplitDateTimePickerWidget,
 )
 from pretix.control.forms.widgets import Select2
 from pretix.helpers.countries import CachedCountries
@@ -531,13 +531,6 @@ class EventUpdateForm(I18nModelForm):

 class EventSettingsValidationMixin:

-    def clean_invoice_address_from_vat_id(self):
-        value = self.cleaned_data.get('invoice_address_from_vat_id')
-        country = self.cleaned_data.get('invoice_address_from_country')
-        if value and country and country not in VAT_ID_COUNTRIES:
-            return None
-        return value
-
    def clean(self):
        data = super().clean()
        settings_dict = self.obj.settings.freeze()
@@ -729,7 +722,7 @@ class EventSettingsForm(EventSettingsValidationMixin, FormPlaceholderMixin, Sett
            del self.fields['event_list_filters']
            del self.fields['event_calendar_future_only']
        self.fields['primary_font'].choices = [('Open Sans', 'Open Sans')] + sorted([
-            (a, FontSelect.FontOption(title=a, data=v)) for a, v in get_fonts(self.event, pdf_support_required=False).items()
+            (a, {"title": a, "data": v}) for a, v in get_fonts(self.event, pdf_support_required=False).items()
        ], key=lambda a: a[0])

        # create "virtual" fields for better UX when editing <name>_asked and <name>_required fields
@@ -331,10 +331,6 @@ class OtherOperationsForm(forms.Form):


 class OrderPositionAddForm(forms.Form):
-    count = forms.IntegerField(
-        label=_('Number of products to add'),
-        initial=1,
-    )
    itemvar = forms.ChoiceField(
        label=_('Product')
    )
@@ -436,10 +432,6 @@ class OrderPositionAddForm(forms.Form):
            d['used_membership'] = [m for m in self.memberships if str(m.pk) == d['used_membership']][0]
        else:
            d['used_membership'] = None
-        if d.get("count", 1) > 1 and d.get("seat"):
-            raise ValidationError({
-                "seat": _("You can not choose a seat when adding multiple products at once.")
-            })
        return d


@@ -28,7 +28,7 @@ from django.forms import formset_factory
 from django.forms.utils import ErrorDict
 from django.urls import reverse
 from django.utils.functional import cached_property
-from django.utils.translation import gettext_lazy as _, pgettext_lazy
+from django.utils.translation import gettext_lazy as _
 from i18nfield.forms import I18nInlineFormSet

 from pretix.base.forms import I18nModelForm
@@ -102,16 +102,6 @@ class SubEventBulkForm(SubEventForm):
        required=False,
        limit_choices=('date_from', 'date_to'),
    )
-    skip_if_overlap = forms.BooleanField(
-        label=pgettext_lazy('subevent', 'Skip dates that overlap with any existing date'),
-        help_text=pgettext_lazy(
-            'subevent',
-            'This can be useful if all your dates happen in the same location and no repeated dates should '
-            'be created in conflict with existing special events. This respects even inactive dates and works best if '
-            'all dates have both a start and end time.'
-        ),
-        required=False,
-    )

    def __init__(self, *args, **kwargs):
        self.event = kwargs['event']
@@ -363,7 +363,7 @@ def get_global_navigation(request):
            'icon': 'dashboard',
        },
    ]
-    if request.user.is_in_any_teams or request.user.is_staff:
+    if request.user.is_in_any_teams:
        nav += [
            {
                'label': _('Events'),
@@ -38,7 +38,6 @@ from pretix import __version__
 from pretix.base.models import Order, OrderPayment, Transaction
 from pretix.base.plugins import get_all_plugins
 from pretix.base.templatetags.money import money_filter
-from pretix.helpers.reportlab import PlainTextParagraph
 from pretix.plugins.reports.exporters import ReportlabExportMixin
 from pretix.settings import DATA_DIR

@@ -80,23 +79,23 @@ class SysReport(ReportlabExportMixin):
        style_small.fontSize = 6

        story = [
-            PlainTextParagraph("System report", headlinestyle),
+            Paragraph("System report", headlinestyle),
            Spacer(1, 5 * mm),
-            PlainTextParagraph("Usage", subheadlinestyle),
+            Paragraph("Usage", subheadlinestyle),
            Spacer(1, 5 * mm),
            self._usage_table(),
            Spacer(1, 5 * mm),
-            PlainTextParagraph("Installed versions", subheadlinestyle),
+            Paragraph("Installed versions", subheadlinestyle),
            Spacer(1, 5 * mm),
            self._tech_table(),
            Spacer(1, 5 * mm),
-            PlainTextParagraph("Plugins", subheadlinestyle),
+            Paragraph("Plugins", subheadlinestyle),
            Spacer(1, 5 * mm),
-            PlainTextParagraph(self._get_plugin_versions(), style_small),
+            Paragraph(self._get_plugin_versions(), style_small),
            Spacer(1, 5 * mm),
-            PlainTextParagraph("Custom templates", subheadlinestyle),
+            Paragraph("Custom templates", subheadlinestyle),
            Spacer(1, 5 * mm),
-            PlainTextParagraph(self._get_custom_templates(), style_small),
+            Paragraph(self._get_custom_templates(), style_small),
            Spacer(1, 5 * mm),
        ]

@@ -122,13 +121,13 @@ class SysReport(ReportlabExportMixin):
            ("RIGHTPADDING", (-1, 0), (-1, -1), 0),
        ]
        tdata = [
-            [PlainTextParagraph("Site URL:", style), Paragraph(settings.SITE_URL, style)],
-            [PlainTextParagraph("pretix version:", style), Paragraph(__version__, style)],
-            [PlainTextParagraph("Python version:", style), Paragraph(sys.version, style)],
-            [PlainTextParagraph("Platform:", style), Paragraph(platform.platform(), style)],
+            [Paragraph("Site URL:", style), Paragraph(settings.SITE_URL, style)],
+            [Paragraph("pretix version:", style), Paragraph(__version__, style)],
+            [Paragraph("Python version:", style), Paragraph(sys.version, style)],
+            [Paragraph("Platform:", style), Paragraph(platform.platform(), style)],
            [
-                PlainTextParagraph("Database engine:", style),
-                PlainTextParagraph(settings.DATABASES["default"]["ENGINE"], style),
+                Paragraph("Database engine:", style),
+                Paragraph(settings.DATABASES["default"]["ENGINE"], style),
            ],
        ]
        table = Table(tdata, colWidths=colwidths, repeatRows=0)
@@ -207,7 +206,7 @@ class SysReport(ReportlabExportMixin):
        year_last = now().year
        tdata = [
            [
-                PlainTextParagraph(l, style_small_head)
+                Paragraph(l, style_small_head)
                for l in (
                    "Time frame",
                    "Currency",
@@ -258,19 +257,19 @@ class SysReport(ReportlabExportMixin):

                tdata.append(
                    (
-                        PlainTextParagraph(
+                        Paragraph(
                            date_format(first_day, "M Y")
                            + " – "
                            + date_format(after_day - timedelta(days=1), "M Y"),
                            style_small,
                        ),
-                        PlainTextParagraph(c, style_small),
-                        PlainTextParagraph(str(orders_count), style_small) if i == 0 else "",
-                        PlainTextParagraph(money_filter(revenue_data.get("s_net") or 0, c), style_small),
-                        PlainTextParagraph(str(testmode_count), style_small) if i == 0 else "",
-                        PlainTextParagraph(str(unconfirmed_count), style_small) if i == 0 else "",
-                        PlainTextParagraph(str(revenue_data.get("c") or 0), style_small),
-                        PlainTextParagraph(money_filter(revenue_data.get("s_gross") or 0, c), style_small),
+                        Paragraph(c, style_small),
+                        Paragraph(str(orders_count), style_small) if i == 0 else "",
+                        Paragraph(money_filter(revenue_data.get("s_net") or 0, c), style_small),
+                        Paragraph(str(testmode_count), style_small) if i == 0 else "",
+                        Paragraph(str(unconfirmed_count), style_small) if i == 0 else "",
+                        Paragraph(str(revenue_data.get("c") or 0), style_small),
+                        Paragraph(money_filter(revenue_data.get("s_gross") or 0, c), style_small),
                    )
                )

@@ -329,7 +329,6 @@
                                        {{ add_form.custom_error }}
                                    </div>
                                {% endif %}
-                                {% bootstrap_field add_form.count layout="control" %}
                                {% bootstrap_field add_form.itemvar layout="control" %}
                                {% bootstrap_field add_form.price addon_after=request.event.currency layout="control" %}
                                {% if add_form.addon_to %}
@@ -365,7 +364,6 @@
                        </div>
                        <div class="panel-body">
                            <div class="form-horizontal">
-                                {% bootstrap_field add_position_formset.empty_form.count layout="control" %}
                                {% bootstrap_field add_position_formset.empty_form.itemvar layout="control" %}
                                {% bootstrap_field add_position_formset.empty_form.price addon_after=request.event.currency layout="control" %}
                                {% if add_position_formset.empty_form.addon_to %}
@@ -19,7 +19,9 @@
        {% endif %}
    </h1>

-    {{ layout|json_script:"editor-data" }}
+    <script type="application/json" id="editor-data">
+        {{ layout|safe }}
+    </script>
    <div class="row">
        <div class="col-md-9">
            <div class="panel panel-default panel-pdf-editor">
@@ -379,8 +379,6 @@
                        <i class="fa fa-calendar"></i> {% trans "Add many time slots" %}</button>
                </p>
            </div>
-            <hr />
-            {% bootstrap_field form.skip_if_overlap layout="control" horizontal_label_class='sr-only' horizontal_field_class='col-md-12' %}
        </fieldset>
        <fieldset>
            <legend>{% trans "General information" %}</legend>
@@ -6,44 +6,35 @@
    <h1>{% trans "Add a two-factor authentication device" %}</h1>
    <form action="" method="post" class="form-horizontal">
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        {% bootstrap_form_errors form %}
        {% bootstrap_field form.name layout='horizontal' %}

-        <div class="form-group{% if form.devicetype.errors %} has-error{% endif %}">
+        <div class="form-group">
            <label class="col-md-3 control-label">{% trans "Device type" %}</label>
            <div class="col-md-9">
-                <div>
-                    <div class="big-radio radio">
-                        <label>
-                            <input type="radio" required value="totp" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "totp" %}checked{% endif %}>
-                            <strong>{% trans "Smartphone with Authenticator app" %}</strong><br>
-                            <div class="help-block">
-                                {% blocktrans trimmed %}
-                                    Use your smartphone with any Time-based One-Time-Password app like freeOTP, Google Authenticator or Proton Authenticator.
-                                {% endblocktrans %}
-                            </div>
-                        </label>
-                    </div>
-                    <div class="big-radio radio">
-                        <label>
-                            <input type="radio" required value="webauthn" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "webauthn" %}checked{% endif %}>
-                            <strong>{% trans "WebAuthn-compatible hardware token" %}</strong><br>
-                            <div class="help-block">
-                                {% blocktrans trimmed %}
-                                    Use a hardware token like the Yubikey, or other biometric authentication like fingerprint or face recognition.
-                                {% endblocktrans %}
-                            </div>
-                        </label>
-                    </div>
+                <div class="big-radio radio">
+                    <label>
+                        <input type="radio" value="totp" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "totp" %}checked{% endif %}>
+                        <strong>{% trans "Smartphone with the Authenticator application" %}</strong><br>
+                        <div class="help-block">
+                            {% blocktrans trimmed %}
+                                Use your smartphone with any Time-based One-Time-Password app like freeOTP, Google Authenticator or Proton Authenticator.
+                            {% endblocktrans %}
+                        </div>
+                    </label>
+                </div>
+                <div class="big-radio radio">
+                    <label>
+                        <input type="radio" value="webauthn" name="{{ form.devicetype.html_name }}" {% if form.devicetype.value == "webauthn" %}checked{% endif %}>
+                        <strong>{% trans "WebAuthn-compatible hardware token" %}</strong><br>
+                        <div class="help-block">
+                            {% blocktrans trimmed %}
+                                Use a hardware token like the Yubikey, or biometric authentication on iOS, macOS and Android.
+                            {% endblocktrans %}
+                        </div>
+                    </label>
                </div>
-
-                {% if form.devicetype.errors %}
-                    <div class="help-block">
-                    {% for error in form.devicetype.errors %}
-                        <p>{{ error|escape }}</p>
-                    {% endfor %}
-                    </div>
-                {% endif %}
            </div>
        </div>

@@ -69,14 +69,11 @@
            {% trans "Enter the displayed code here:" %}
            <form class="form form-inline" method="post" action="">
                {% csrf_token %}
+                <input type="hidden" name="flow_token" value="{{ flow_token }}">
                <input type="number" name="token" class="form-control" required="required">
                <button class="btn btn-primary" type="submit">
                    {% trans "Continue" %}
                </button><br>
-                <label>
-                    <input type="checkbox" name="activate" checked="checked" value="on">
-                    {% trans "Require second factor for future logins" %}
-                </label>
            </form>
        </li>
    </ol>
@@ -12,13 +12,9 @@
    </p>
    <form class="form form-inline" method="post" action="" id="webauthn-form">
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        <input type="hidden" id="webauthn-response" name="token" class="form-control" required="required">
-        <p>
-            <label>
-                <input type="checkbox" name="activate" checked="checked" value="on">
-                {% trans "Require second factor for future logins" %}
-            </label>
-        </p>
+
        <button class="btn btn-primary sr-only" type="submit"></button>
    </form>

@@ -6,6 +6,7 @@
    <h1>{% trans "Delete a two-factor authentication device" %}</h1>
    <form action="" method="post" class="form-horizontal">
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        <p>{% blocktrans trimmed with device=device.name %}
            Are you sure you want to delete the authentication device "{{ device }}"?
        {% endblocktrans %}</p>
@@ -6,6 +6,7 @@
    <h1>{% trans "Disable two-factor authentication" %}</h1>
    <form action="" method="post" class="form-horizontal">
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        <p>
            {% trans "Do you really want to disable two-factor authentication?" %}
        </p>
@@ -1,23 +1,58 @@
 {% extends "pretixcontrol/base.html" %}
 {% load i18n %}
 {% load bootstrap3 %}
+{% load icon %}
 {% block title %}{% trans "Enable two-factor authentication" %}{% endblock %}
 {% block content %}
    <h1>{% trans "Enable two-factor authentication" %}</h1>
    <form action="" method="post" class="form-horizontal">
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        <p>
            {% trans "Do you really want to enable two-factor authentication?" %}
        </p>
        <p>
            {% trans "You will no longer be able to log in to pretix without one of your configured devices." %}
-            {% trans "Please make sure to print out or copy the emergency tokens and store them in a safe place." %}
        </p>
+        {% if new_emergency_tokens %}
+            <div class="panel panel-default">
+                <div class="panel-heading">
+                    <h3 class="panel-title">{% trans "Your emergency codes" %}</h3>
+                </div>
+                <div class="panel-body">
+                    <p>
+                        {% blocktrans trimmed %}
+                            If you lose access to your devices, you can use one of your emergency tokens to log in.
+                            We recommend to store them in a safe place, e.g. printed out or in a password manager.
+                            Every token can be used at most once.
+                        {% endblocktrans %}
+                    </p>
+                    <ul>
+                        {% for code in new_emergency_tokens %}
+                        <li>{{ code }}</li>
+                        {% endfor %}
+                    </ul>
+                    <p>
+                        <label>
+                            <input type="checkbox" required>
+                            {% trans "I stored my emergency tokens in a safe place." %}
+                        </label>
+                    </p>
+                </div>
+            </div>
+        {% else %}
+            <p>
+                {% icon "info-circle" %}
+                {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
+                    You generated your emergency tokens on {{ generation_date_time }}.
+                {% endblocktrans %}
+            </p>
+        {% endif %}
        <div class="form-group submit-group">
            <a href="{% url "control:user.settings.2fa" %}" class="btn btn-default btn-cancel">
                {% trans "Cancel" %}
            </a>
-            <button type="submit" class="btn btn-danger btn-save">
+            <button type="submit" class="btn btn-primary btn-save">
                {% trans "Enable" %}
            </button>
        </div>
@@ -6,6 +6,7 @@
    <h1>{% trans "Leave teams that require two-factor authentication" %}</h1>
    <form action="" method="post" class="form-horizontal">
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        <p>
            <strong>{% trans "Do you really want to leave the following teams?" %}</strong>
        </p>
@@ -1,5 +1,6 @@
 {% extends "pretixcontrol/base.html" %}
 {% load i18n %}
+{% load icon %}
 {% load bootstrap3 %}
 {% block title %}{% trans "Two-factor authentication" %}{% endblock %}
 {% block content %}
@@ -120,7 +121,7 @@
                        Delete
                    </a>
                    {% if d.devicetype == "totp" %}
-                        <span class="fa fa-mobile"></span>
+                        <span class="fa fa-mobile fa-lg"></span>
                    {% elif d.devicetype == "webauthn" %}
                        <span class="fa fa-usb"></span>
                    {% elif d.devicetype == "u2f" %}
@@ -152,19 +153,30 @@
            </p>
            {% if static_tokens_device %}
                <p>
+                    {% icon "info-circle" %}
                    {% blocktrans trimmed with generation_date_time=static_tokens_device.created_at %}
                        You generated your emergency tokens on {{ generation_date_time }}.
                    {% endblocktrans %}
                </p>
-            {% else %}
+                <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
+                    <span class="fa fa-refresh"></span>
+                    {% trans "Generate new emergency tokens" %}
+                </a>
+            {% elif user.require_2fa %}
                <p>
-                    {% trans "You don't have any emergency tokens yet." %}
+                    {% icon "warning" %}
+                    <strong>{% trans "You don't have any emergency tokens yet." %}</strong>
+                </p>
+                <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
+                    <span class="fa fa-refresh"></span>
+                    {% trans "Generate emergency tokens" %}
+                </a>
+            {% else %}
+                <p class="help-block">
+                    {% icon "info-circle" %}
+                    {% trans "Emergency tokens will be generated when you enable two-factor authentication." %}
                </p>
            {% endif %}
-            <a href="{% url "control:user.settings.2fa.regenemergency" %}" class="btn btn-default">
-                <span class="fa fa-refresh"></span>
-                {% trans "Generate new emergency tokens" %}
-            </a>
        </div>
    </div>
 {% endblock %}
@@ -6,6 +6,7 @@
    <h1>{% trans "Regenerate emergency codes" %}</h1>
    <form action="" method="post" class="form-horizontal">
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        <p>
            {% trans "Do you really want to regenerate your emergency codes?" %}
        </p>
@@ -8,6 +8,7 @@
            {% trans "Change login email address" %}
        </h1>
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        {% bootstrap_form_errors form %}
        <p class="text-muted">
            {% trans "This changes the email address used to login to your account, as well as where we send email notifications." %}
@@ -9,6 +9,7 @@
        </h1>
        <br>
        {% csrf_token %}
+        <input type="hidden" name="flow_token" value="{{ flow_token }}">
        {% bootstrap_form_errors form %}
        {% bootstrap_field form.email %}
        {% bootstrap_field form.old_pw %}
@@ -641,7 +641,7 @@ def user_index(request):

    ctx = {
        'widgets': rearrange(widgets),
-        'can_create_event': request.user.teams.with_organizer_permission("organizer.events:create").exists() or request.user.is_staff,
+        'can_create_event': request.user.teams.with_organizer_permission("organizer.events:create").exists(),
        'upcoming': widgets_for_event_qs(
            request,
            annotated_event_query(request, lazy=True).filter(
@@ -234,21 +234,13 @@ class EventUpdate(DecoupleMixin, EventSettingsViewMixin, EventPermissionRequired
            self.request.event.log_action('pretix.event.footerlinks.changed', user=self.request.user, data={
                'data': self.footer_links_formset.cleaned_data
            })
-
-        change_data = {
-            k: (form.cleaned_data.get(k).name
-                if isinstance(form.cleaned_data.get(k), File)
-                else form.cleaned_data.get(k))
-            for k in form.changed_data
-        }
-        meta_changed = {}
-        for f in self.meta_forms:
-            if f.has_changed():
-                meta_changed[f.property.name] = f.cleaned_data["value"]
-        if meta_changed:
-            change_data['meta_data'] = meta_changed
-        if change_data:
-            self.request.event.log_action('pretix.event.changed', user=self.request.user, data=change_data)
+        if form.has_changed():
+            self.request.event.log_action('pretix.event.changed', user=self.request.user, data={
+                k: (form.cleaned_data.get(k).name
+                    if isinstance(form.cleaned_data.get(k), File)
+                    else form.cleaned_data.get(k))
+                for k in form.changed_data
+            })

        tickets.invalidate_cache.apply_async(kwargs={'event': self.request.event.pk})
        messages.success(self.request, _('Your changes have been saved.'))
@@ -771,7 +763,12 @@ class InvoicePreview(EventPermissionRequiredMixin, View):
    def get(self, request, *args, **kwargs):
        fname, ftype, fcontent = build_preview_invoice_pdf(request.event)
        resp = HttpResponse(fcontent, content_type=ftype)
-        resp['Content-Disposition'] = 'inline; filename="{}"'.format(fname)
+        if settings.DEBUG:
+            # attachment is more secure as we're dealing with user-generated stuff here, but inline is much more convenient during debugging
+            resp['Content-Disposition'] = 'inline; filename="{}"'.format(fname)
+            resp._csp_ignore = True
+        else:
+            resp['Content-Disposition'] = 'attachment; filename="{}"'.format(fname)
        return resp


@@ -300,4 +300,5 @@ class SysReportView(AdministratorPermissionRequiredMixin, TemplateView):
            resp = HttpResponse(data)
            resp['Content-Type'] = mime
            resp['Content-Disposition'] = 'inline; filename="{}"'.format(name)
+            resp._csp_ignore = True
            return resp
@@ -1447,8 +1447,12 @@ class ItemUpdateGeneral(ItemDetailMixin, EventPermissionRequiredMixin, MetaDataE

        meta_changed = {}
        for f in self.meta_forms:
-            if f.has_changed():
-                meta_changed[f.property.name] = f.cleaned_data["value"]
+            meta_changed.update({
+                k: (f.cleaned_data.get(k).name
+                    if isinstance(f.cleaned_data.get(k), File)
+                    else f.cleaned_data.get(k))
+                for k in f.changed_data
+            })
        if meta_changed:
            change_data['meta_data'] = meta_changed

@@ -79,9 +79,9 @@ from pretix.base.email import get_email_context
 from pretix.base.exporter import MultiSheetListExporter
 from pretix.base.i18n import language
 from pretix.base.models import (
-    CachedFile, CachedTicket, Checkin, Invoice, InvoiceAddress, Item,
-    ItemVariation, LogEntry, Order, QuestionAnswer, Quota,
-    ScheduledEventExport, generate_secret,
+    CachedCombinedTicket, CachedFile, CachedTicket, Checkin, Invoice,
+    InvoiceAddress, Item, ItemVariation, LogEntry, Order, QuestionAnswer,
+    Quota, ScheduledEventExport, generate_secret,
 )
 from pretix.base.models.orders import (
    CancellationRequest, OrderFee, OrderPayment, OrderPosition, OrderRefund,
@@ -710,21 +710,34 @@ class OrderDownload(AsyncAction, OrderView):
                resp = HttpResponseRedirect(value.file.file.read())
                return resp
            else:
-                return FileResponse(
-                    value.file.file,
-                    filename='{}-{}-{}-{}{}'.format(
-                        self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
-                        self.output.identifier, value.extension
-                    ),
-                    content_type=value.type
+                resp = FileResponse(value.file.file, content_type=value.type)
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.order_position.positionid,
+                    self.output.identifier, value.extension
                )
+                return resp
+        elif isinstance(value, CachedCombinedTicket):
+            if value.type == 'text/uri-list':
+                resp = HttpResponseRedirect(value.file.file.read())
+                return resp
+            else:
+                resp = FileResponse(value.file.file, content_type=value.type)
+                resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}{}"'.format(
+                    self.request.event.slug.upper(), self.order.code, self.output.identifier, value.extension
+                )
+                return resp
        else:
            return redirect(self.get_self_url())

    def get_last_ct(self):
-        ct = CachedTicket.objects.filter(
-            order_position=self.order_position, provider=self.output.identifier, file__isnull=False
-        ).last()
+        if 'position' in self.kwargs:
+            ct = CachedTicket.objects.filter(
+                order_position=self.order_position, provider=self.output.identifier, file__isnull=False
+            ).last()
+        else:
+            ct = CachedCombinedTicket.objects.filter(
+                order=self.order, provider=self.output.identifier, file__isnull=False
+            ).last()
        if not ct or not ct.file:
            return None
        return ct
@@ -1818,15 +1831,15 @@ class InvoiceDownload(EventPermissionRequiredMixin, View):
            return redirect(self.get_order_url())

        try:
-            return FileResponse(
-                self.invoice.file.file,
-                filename='{}.pdf'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", self.invoice.number)),
-                content_type='application/pdf'
-            )
+            resp = FileResponse(self.invoice.file.file, content_type='application/pdf')
        except FileNotFoundError:
            invoice_pdf_task.apply(args=(self.invoice.pk,))
            return self.get(request, *args, **kwargs)

+        resp['Content-Disposition'] = 'inline; filename="{}.pdf"'.format(re.sub("[^a-zA-Z0-9-_.]+", "_", self.invoice.number))
+        resp._csp_ignore = True  # Some browser's PDF readers do not work with CSP
+        return resp
+

 class OrderExtend(OrderView):
    permission = 'event.orders:write'
@@ -2046,13 +2059,12 @@ class OrderChange(OrderView):
                else:
                    variation = None
                try:
-                    for i in range(f.cleaned_data.get("count", 1)):
-                        ocm.add_position(item, variation,
-                                         f.cleaned_data['price'],
-                                         f.cleaned_data.get('addon_to'),
-                                         f.cleaned_data.get('subevent'),
-                                         f.cleaned_data.get('seat'),
-                                         f.cleaned_data.get('used_membership'))
+                    ocm.add_position(item, variation,
+                                     f.cleaned_data['price'],
+                                     f.cleaned_data.get('addon_to'),
+                                     f.cleaned_data.get('subevent'),
+                                     f.cleaned_data.get('seat'),
+                                     f.cleaned_data.get('used_membership'))
                except OrderError as e:
                    f.custom_error = str(e)
                    return False
@@ -1322,7 +1322,7 @@ class DeviceUpdateView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixi
    def form_valid(self, form):
        if form.has_changed():
            self.object.log_action('pretix.device.changed', user=self.request.user, data={
-                k: form.cleaned_data[k] if k != 'limit_events' else [e.id for e in form.cleaned_data[k]]
+                k: getattr(self.object, k) if k != 'limit_events' else [e.id for e in getattr(self.object, k).all()]
                for k in form.changed_data
            })

@@ -263,7 +263,12 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):

            resp = HttpResponse(data, content_type=mimet)
            ftype = fname.split(".")[-1]
-            resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
+            if settings.DEBUG:
+                # attachment is more secure as we're dealing with user-generated stuff here, but inline is much more convenient during debugging
+                resp['Content-Disposition'] = 'inline; filename="ticket-preview.{}"'.format(ftype)
+                resp._csp_ignore = True
+            else:
+                resp['Content-Disposition'] = 'attachment; filename="ticket-preview.{}"'.format(ftype)
            return resp
        elif "data" in request.POST:
            if cf:
@@ -284,7 +289,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
        ctx['pdf'] = self.get_current_background()
        ctx['variables'] = self.get_variables()
        ctx['images'] = self.get_images()
-        ctx['layout'] = self.get_current_layout()
+        ctx['layout'] = json.dumps(self.get_current_layout())
        ctx['title'] = self.title
        ctx['locales'] = [p for p in settings.LANGUAGES if p[0] in self.request.event.settings.locales]
        ctx['maxfilesize'] = self.maxfilesize
@@ -304,5 +309,6 @@ class FontsCSSView(TemplateView):
 class PdfView(TemplateView):
    def get(self, request, *args, **kwargs):
        cf = get_object_or_404(CachedFile, id=kwargs.get("filename"), filename="background_preview.pdf")
-        resp = FileResponse(cf.file, filename=cf.filename, content_type='application/pdf')
+        resp = FileResponse(cf.file, content_type='application/pdf')
+        resp['Content-Disposition'] = 'attachment; filename="{}"'.format(cf.filename)
        return resp
@@ -540,31 +540,20 @@ class SubEventUpdate(EventPermissionRequiredMixin, SubEventEditorMixin, UpdateVi
            # TODO: LogEntry?

        messages.success(self.request, _('Your changes have been saved.'))
-
-        change_data = {
-            k: (form.cleaned_data.get(k).name
-                if isinstance(form.cleaned_data.get(k), File)
-                else form.cleaned_data.get(k))
-            for k in form.changed_data
-        }
-        meta_changed = {}
-        for f in self.meta_forms:
-            if f.has_changed():
-                meta_changed[f.property.name] = f.cleaned_data["value"]
-        if meta_changed:
-            change_data['meta_data'] = meta_changed
-        for f in self.plugin_forms:
-            change_data.update({
-                k: (f.cleaned_data.get(k).name
-                    if isinstance(f.cleaned_data.get(k), File)
-                    else f.cleaned_data.get(k))
-                for k in f.changed_data
-            })
-        if change_data:
+        if form.has_changed() or any(f.has_changed() for f in self.plugin_forms):
+            data = {
+                k: form.cleaned_data.get(k) for k in form.changed_data
+            }
+            for f in self.plugin_forms:
+                data.update({
+                    k: (f.cleaned_data.get(k).name
+                        if isinstance(f.cleaned_data.get(k), File)
+                        else f.cleaned_data.get(k))
+                    for k in f.changed_data
+                })
            self.object.log_action(
-                'pretix.subevent.changed', user=self.request.user, data=change_data
+                'pretix.subevent.changed', user=self.request.user, data=data
            )
-
        for f in self.plugin_forms:
            f.subevent = self.object
            f.save()
@@ -639,14 +628,6 @@ class SubEventCreate(SubEventEditorMixin, EventPermissionRequiredMixin, CreateVi
                    else f.cleaned_data.get(k))
                for k in f.cleaned_data
            })
-
-        meta_changed = {}
-        for f in self.meta_forms:
-            if f.has_changed():
-                meta_changed[f.property.name] = f.cleaned_data["value"]
-        if meta_changed:
-            data['meta_data'] = meta_changed
-
        form.instance.log_action('pretix.subevent.added', data=dict(data), user=self.request.user)

        self.save_formset(form.instance)
@@ -936,35 +917,6 @@ class SubEventBulkCreate(SubEventEditorMixin, EventPermissionRequiredMixin, Asyn
            if len(subevents) > 100_000:
                raise ValidationError(_('Please do not create more than 100.000 dates at once.'))

-        if form.cleaned_data.get("skip_if_overlap") and subevents:
-            def overlaps(a_from, a_to, b_from, b_to):
-                if a_from == b_from:
-                    return True
-                if a_from > b_from:
-                    # a starts after b
-                    # check if it starts before b ends
-                    return b_to and a_from < b_to
-                # a starts before b
-                # check if it ends before b starts
-                return a_to and a_to > b_from
-
-            date_min = min(se.date_from for se in subevents)
-            date_max = max(se.date_to or se.date_from for se in subevents)
-            dates_existing = list(self.request.event.subevents.annotate(
-                date_fromto=Coalesce('date_to', 'date_from'),
-            ).filter(
-                date_from__lte=date_max,
-                date_fromto__gte=date_min,
-            ).values('date_from', 'date_to'))
-            subevents = [
-                se for se in subevents if not any(
-                    overlaps(se.date_from, se.date_to, other['date_from'], other['date_to'])
-                    for other in dates_existing
-                )
-            ]
-            if not subevents:
-                raise ValidationError(_('All dates would be skipped because they conflict with existing dates.'))
-
        for i, se in enumerate(subevents):
            se.save(clear_cache=False)
            if i % 100 == 0:
@@ -316,7 +316,7 @@ def nav_context_list(request):
        page = 1

    qs_events = request.user.get_events_with_any_permission(request).filter(
-        Q(name__icontains=i18ncomp(query)) | Q(slug__icontains=query) | Q(domain__domainname__iexact=query)
+        Q(name__icontains=i18ncomp(query)) | Q(slug__icontains=query)
    ).annotate(
        min_from=Min('subevents__date_from'),
        max_from=Max('subevents__date_from'),
@@ -331,7 +331,7 @@ def nav_context_list(request):
    else:
        qs_orga = Organizer.objects.filter(pk__in=request.user.teams.values_list('organizer', flat=True))
    if query:
-        qs_orga = qs_orga.filter(Q(name__icontains=query) | Q(slug__icontains=query) | Q(domains__domainname__iexact=query))
+        qs_orga = qs_orga.filter(Q(name__icontains=query) | Q(slug__icontains=query))
    qs_orga = qs_orga.annotate(
        n_events=Count("events")
    ).order_by("-n_events")
@@ -619,7 +619,7 @@ def checkinlist_select2(request, **kwargs):

    qs = request.event.checkin_lists.select_related('subevent').filter(
        qf
-    ).order_by('subevent__date_from', 'name', 'pk')
+    ).order_by('name')

    total = qs.count()
    pagesize = 20
@@ -89,13 +89,31 @@ logger = logging.getLogger(__name__)

 class RecentAuthenticationRequiredMixin:
    max_time = 900
+    max_form_time = 900

    @method_decorator(never_cache)
    def dispatch(self, request, *args, **kwargs):
-        tdelta = time.time() - request.session.get('pretix_auth_login_time', 0)
-        if tdelta > self.max_time:
+        auth_is_recent = time.time() - request.session.get('pretix_auth_login_time', 0) < self.max_time
+        allowed_by_token = (
+            request.session.pop('pretix_reauthed_flow_token', None) == request.POST.get('flow_token', '')
+            and request.session.pop('pretix_reauthed_flow_allowed_url', None) == request.get_full_path()
+            and time.time() - request.session.pop('pretix_reauthed_flow_start_time', 0) < self.max_form_time
+        )
+        if auth_is_recent or allowed_by_token:
+            return super().dispatch(request, *args, **kwargs)
+        else:
            return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
-        return super().dispatch(request, *args, **kwargs)
+
+    def get_flow_token(self):
+        self.request.session['pretix_reauthed_flow_allowed_url'] = self.request.get_full_path()
+        self.request.session['pretix_reauthed_flow_token'] = get_random_string(22)
+        self.request.session['pretix_reauthed_flow_start_time'] = time.time()
+        return self.request.session['pretix_reauthed_flow_token']
+
+    def get_context_data(self, **kwargs):
+        ctx = super().get_context_data()
+        ctx['flow_token'] = self.get_flow_token()
+        return ctx


 class ReauthView(TemplateView):
@@ -283,6 +301,7 @@ class UserHistoryView(ListView):


 class User2FAMainView(RecentAuthenticationRequiredMixin, TemplateView):
+    max_time = 7200
    template_name = 'pretixcontrol/user/2fa_main.html'

    def get_context_data(self, **kwargs):
@@ -465,25 +484,15 @@ class User2FADeviceConfirmWebAuthnView(RecentAuthenticationRequiredMixin, Templa
            notices = [
                _('A new two-factor authentication device has been added to your account.')
            ]
-            activate = request.POST.get('activate', '')
-            if activate == 'on' and not self.request.user.require_2fa:
-                self.request.user.require_2fa = True
-                self.request.user.save()
-                self.request.user.log_action('pretix.user.settings.2fa.enabled', user=self.request.user)
-                notices.append(
-                    _('Two-factor authentication has been enabled.')
-                )
            self.request.user.send_security_notice(notices)
            self.request.user.update_session_token()
            update_session_auth_hash(self.request, self.request.user)

-            note = ''
-            if not self.request.user.require_2fa:
-                note = ' ' + str(_('Please note that you still need to enable two-factor authentication for your '
-                                   'account using the buttons below to make a second factor required for logging '
-                                   'into your account.'))
-            messages.success(request, str(_('The device has been verified and can now be used.')) + note)
-            return redirect(reverse('control:user.settings.2fa'))
+            messages.success(request, str(_('The device has been verified and can now be used.')))
+            if self.request.user.require_2fa:
+                return redirect(reverse('control:user.settings.2fa'))
+            else:
+                return redirect(reverse('control:user.settings.2fa.enable'))
        except Exception:
            messages.error(request, _('The registration could not be completed. Please try again.'))
            logger.exception('WebAuthn registration failed')
@@ -494,6 +503,7 @@ class User2FADeviceConfirmWebAuthnView(RecentAuthenticationRequiredMixin, Templa

 class User2FADeviceConfirmTOTPView(RecentAuthenticationRequiredMixin, TemplateView):
    template_name = 'pretixcontrol/user/2fa_confirm_totp.html'
+    max_form_time = 7200  # this should have effectively no timeout, as the user might need to download the 2fa app first

    @cached_property
    def device(self):
@@ -514,7 +524,6 @@ class User2FADeviceConfirmTOTPView(RecentAuthenticationRequiredMixin, TemplateVi

    def post(self, request, *args, **kwargs):
        token = request.POST.get('token', '')
-        activate = request.POST.get('activate', '')
        if self.device.verify_token(token):
            self.device.confirmed = True
            self.device.save()
@@ -526,24 +535,15 @@ class User2FADeviceConfirmTOTPView(RecentAuthenticationRequiredMixin, TemplateVi
            notices = [
                _('A new two-factor authentication device has been added to your account.')
            ]
-            if activate == 'on' and not self.request.user.require_2fa:
-                self.request.user.require_2fa = True
-                self.request.user.save()
-                self.request.user.log_action('pretix.user.settings.2fa.enabled', user=self.request.user)
-                notices.append(
-                    _('Two-factor authentication has been enabled.')
-                )
            self.request.user.send_security_notice(notices)
            self.request.user.update_session_token()
            update_session_auth_hash(self.request, self.request.user)

-            note = ''
-            if not self.request.user.require_2fa:
-                note = ' ' + str(_('Please note that you still need to enable two-factor authentication for your '
-                                   'account using the buttons below to make a second factor required for logging '
-                                   'into your account.'))
-            messages.success(request, str(_('The device has been verified and can now be used.')) + note)
-            return redirect(reverse('control:user.settings.2fa'))
+            messages.success(request, str(_('The device has been verified and can now be used.')))
+            if self.request.user.require_2fa:
+                return redirect(reverse('control:user.settings.2fa'))
+            else:
+                return redirect(reverse('control:user.settings.2fa.enable'))
        else:
            messages.error(request, _('The code you entered was not valid. If this problem persists, please check '
                                      'that the date and time of your phone are configured correctly.'))
@@ -576,6 +576,7 @@ class User2FALeaveTeamsView(RecentAuthenticationRequiredMixin, TemplateView):

 class User2FAEnableView(RecentAuthenticationRequiredMixin, TemplateView):
    template_name = 'pretixcontrol/user/2fa_enable.html'
+    max_form_time = 7200  # this should have effectively no timeout, as the user might take some time to print out their emergency codes, and they would become invalid in case of a timeout

    def dispatch(self, request, *args, **kwargs):
        if not any(dt.objects.filter(user=self.request.user, confirmed=True) for dt in REAL_DEVICE_TYPES):
@@ -584,14 +585,39 @@ class User2FAEnableView(RecentAuthenticationRequiredMixin, TemplateView):
            return redirect(reverse('control:user.settings.2fa'))
        return super().dispatch(request, *args, **kwargs)

+    def get(self, request, *args, **kwargs):
+        new_tokens = None
+        try:
+            static_tokens_device = StaticDevice.objects.get(user=self.request.user, name='emergency')
+        except StaticDevice.MultipleObjectsReturned:
+            static_tokens_device = StaticDevice.objects.filter(
+                user=self.request.user, name='emergency'
+            ).first()
+        except StaticDevice.DoesNotExist:
+            static_tokens_device = None
+
+            new_tokens = [get_random_string(length=12, allowed_chars='1234567890') for _ in range(10)]
+            request.session['pretix_2fa_new_emergency_tokens'] = new_tokens
+        return super().get(request, *args, new_emergency_tokens=new_tokens, static_tokens_device=static_tokens_device, **kwargs)
+
    def post(self, request, *args, **kwargs):
+        notices = [
+            _('Two-factor authentication has been enabled.')
+        ]
+        if 'pretix_2fa_new_emergency_tokens' in request.session:
+            d = StaticDevice.objects.create(user=self.request.user, name='emergency')
+            for code in request.session['pretix_2fa_new_emergency_tokens']:
+                d.token_set.create(token=code)
+            self.request.user.log_action('pretix.user.settings.2fa.regenemergency', user=self.request.user)
+            notices += [
+                _('Your two-factor emergency codes have been regenerated.')
+            ]
+            del request.session['pretix_2fa_new_emergency_tokens']
        self.request.user.require_2fa = True
        self.request.user.save()
        self.request.user.log_action('pretix.user.settings.2fa.enabled', user=self.request.user)
        messages.success(request, _('Two-factor authentication is now enabled for your account.'))
-        self.request.user.send_security_notice([
-            _('Two-factor authentication has been enabled.')
-        ])
+        self.request.user.send_security_notice(notices)
        self.request.user.update_session_token()
        update_session_auth_hash(self.request, self.request.user)
        return redirect(reverse('control:user.settings.2fa'))
@@ -29,8 +29,3 @@ class PretixHelpersConfig(AppConfig):
    def ready(self):
        from .monkeypatching import monkeypatch_all_at_ready
        monkeypatch_all_at_ready()
-
-        # Ensure reportlab does not make any calls to the internet or the local disk
-        from reportlab import rl_config
-        rl_config.trustedHosts = []
-        rl_config.trustedSchemes = ['data']
@@ -19,31 +19,12 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-import ipaddress
-import socket
-import sys
 import types
 from datetime import datetime
 from http import cookies

-from django.conf import settings
-from django.core.exceptions import SuspiciousFileOperation
 from PIL import Image
 from requests.adapters import HTTPAdapter
-from urllib3.connection import HTTPConnection, HTTPSConnection
-from urllib3.connectionpool import HTTPConnectionPool, HTTPSConnectionPool
-from urllib3.exceptions import (
-    ConnectTimeoutError, HTTPError, LocationParseError, NameResolutionError,
-    NewConnectionError,
-)
-from urllib3.util.connection import (
-    _TYPE_SOCKET_OPTIONS, _set_socket_options, allowed_gai_family,
-)
-from urllib3.util.timeout import _DEFAULT_TIMEOUT
-
-from pretix.helpers.reportlab import ThumbnailingImageReader
-
-_cgnat_net = ipaddress.ip_network('100.64.0.0/10')


 def monkeypatch_vobject_performance():
@@ -108,150 +89,14 @@ def monkeypatch_requests_timeout():
    HTTPAdapter.send = httpadapter_send


-def monkeypatch_urllib3_ssrf_protection():
-    """
-    pretix allows HTTP requests to untrusted URLs, e.g. through webhooks or external API URLs. This is dangerous since
-    it can allow access to private networks that should not be reachable by users ("server-side request forgery", SSRF).
-    Validating URLs at submission is not sufficient, since with DNS rebinding an attacker can make a domain name pass
-    validation and then resolve to a private IP address on actual execution. Unfortunately, there seems no clean solution
-    to this in Python land, so we monkeypatch urllib3's connection management to check the IP address to be external
-    *after* the DNS resolution.
-
-    This does not work when a global http(s) proxy is used, but in that scenario the proxy can perform the validation.
-    """
-    if getattr(settings, "ALLOW_HTTP_TO_PRIVATE_NETWORKS", False):
-        # Settings are not supposed to change during runtime, so we can optimize performance and complexity by skipping
-        # this if not needed.
-        return
-
-    def create_connection(
-        address: tuple[str, int],
-        timeout=_DEFAULT_TIMEOUT,
-        source_address: tuple[str, int] | None = None,
-        socket_options: _TYPE_SOCKET_OPTIONS | None = None,
-    ) -> socket.socket:
-        # This is copied from urllib3.util.connection v2.3.0
-        host, port = address
-        if host.startswith("["):
-            host = host.strip("[]")
-        err = None
-
-        # Using the value from allowed_gai_family() in the context of getaddrinfo lets
-        # us select whether to work with IPv4 DNS records, IPv6 records, or both.
-        # The original create_connection function always returns all records.
-        family = allowed_gai_family()
-
-        try:
-            host.encode("idna")
-        except UnicodeError:
-            raise LocationParseError(f"'{host}', label empty or too long") from None
-
-        for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
-            af, socktype, proto, canonname, sa = res
-
-            if not getattr(settings, "ALLOW_HTTP_TO_PRIVATE_NETWORKS", False):
-                ip_addr = ipaddress.ip_address(sa[0])
-                if ip_addr.is_multicast:
-                    raise HTTPError(f"Request to multicast address {sa[0]} blocked")
-                if ip_addr.is_loopback or ip_addr.is_link_local:
-                    raise HTTPError(f"Request to local address {sa[0]} blocked")
-                if ip_addr.is_private:
-                    raise HTTPError(f"Request to private address {sa[0]} blocked")
-
-            sock = None
-            try:
-                sock = socket.socket(af, socktype, proto)
-
-                # If provided, set socket level options before connecting.
-                _set_socket_options(sock, socket_options)
-
-                if timeout is not _DEFAULT_TIMEOUT:
-                    sock.settimeout(timeout)
-                if source_address:
-                    sock.bind(source_address)
-                sock.connect(sa)
-                # Break explicitly a reference cycle
-                err = None
-                return sock
-
-            except OSError as _:
-                err = _
-                if sock is not None:
-                    sock.close()
-
-        if err is not None:
-            try:
-                raise err
-            finally:
-                # Break explicitly a reference cycle
-                err = None
-        else:
-            raise OSError("getaddrinfo returns an empty list")
-
-    class ProtectionMixin:
-        def _new_conn(self) -> socket.socket:
-            # This is 1:1 the version from urllib3.connection.HTTPConnection._new_conn v2.3.0
-            # just with a call to our own create_connection
-            try:
-                sock = create_connection(
-                    (self._dns_host, self.port),
-                    self.timeout,
-                    source_address=self.source_address,
-                    socket_options=self.socket_options,
-                )
-            except socket.gaierror as e:
-                raise NameResolutionError(self.host, self, e) from e
-            except socket.timeout as e:
-                raise ConnectTimeoutError(
-                    self,
-                    f"Connection to {self.host} timed out. (connect timeout={self.timeout})",
-                ) from e
-
-            except OSError as e:
-                raise NewConnectionError(
-                    self, f"Failed to establish a new connection: {e}"
-                ) from e
-
-            sys.audit("http.client.connect", self, self.host, self.port)
-            return sock
-
-    class ProtectedHTTPConnection(ProtectionMixin, HTTPConnection):
-        pass
-
-    class ProtectedHTTPSConnection(ProtectionMixin, HTTPSConnection):
-        pass
-
-    HTTPConnectionPool.ConnectionCls = ProtectedHTTPConnection
-    HTTPSConnectionPool.ConnectionCls = ProtectedHTTPSConnection
-
-
 def monkeypatch_cookie_morsel():
    # See https://code.djangoproject.com/ticket/34613
    cookies.Morsel._flags.add("partitioned")
    cookies.Morsel._reserved.setdefault("partitioned", "Partitioned")


-def monkeypatch_reportlab_imagereader():
-    from reportlab.lib import utils
-    old_init = utils.ImageReader.__init__
-
-    def new_init(self, fileName, ident=None):  # noqa
-        if not isinstance(fileName, Image.Image) and not hasattr(fileName, 'read') and not hasattr(fileName, 'str'):
-            if not isinstance(self, ThumbnailingImageReader):
-                # ThumbnailingImageReader is only used by us explicitly and not by using <img> in html, so it is safe
-                raise SuspiciousFileOperation("reportlab should not be reading images from disk")
-
-        return types.MethodType(old_init, self)(
-            fileName, ident
-        )
-
-    utils.ImageReader.__init__ = new_init
-
-
 def monkeypatch_all_at_ready():
    monkeypatch_vobject_performance()
    monkeypatch_pillow_safer()
    monkeypatch_requests_timeout()
-    monkeypatch_urllib3_ssrf_protection()
    monkeypatch_cookie_morsel()
-    monkeypatch_reportlab_imagereader()
@@ -20,19 +20,14 @@
 # <https://www.gnu.org/licenses/>.
 #
 import logging
-import re
-import unicodedata

 from arabic_reshaper import ArabicReshaper
-from bidi import get_display
 from django.conf import settings
 from django.utils.functional import SimpleLazyObject
-from django.utils.html import escape
 from PIL import Image
 from reportlab.lib.styles import ParagraphStyle
 from reportlab.lib.utils import ImageReader
 from reportlab.pdfbase import pdfmetrics
-from reportlab.pdfbase.ttfonts import TTFont
 from reportlab.platypus import Paragraph

 from pretix.presale.style import get_fonts
@@ -75,20 +70,6 @@ reshaper = SimpleLazyObject(lambda: ArabicReshaper(configuration={
 }))


-def normalize_text(text: str) -> str:
-    # reportlab does not support unicode combination characters
-    # It's important we do this before we use ArabicReshaper
-    text = unicodedata.normalize("NFKC", text)
-
-    # reportlab does not support RTL, ligature-heavy scripts like Arabic. Therefore, we use ArabicReshaper
-    # to resolve all ligatures and python-bidi to switch RTL texts.
-    try:
-        text = "\n".join(get_display(reshaper.reshape(l)) for l in re.split("\n", text))
-    except:
-        logger.exception('Reshaping/Bidi fixes failed on string {}'.format(repr(text)))
-    return text
-
-
 class FontFallbackParagraph(Paragraph):
    def __init__(self, text, style=None, *args, **kwargs):
        if style is None:
@@ -106,8 +87,6 @@ class FontFallbackParagraph(Paragraph):
        if not text:
            return True
        font = pdfmetrics.getFont(font_name)
-        if not isinstance(font, TTFont):
-            return True
        return all(
            ord(c) in font.face.charToGlyph or not c.isprintable()
            for c in text
@@ -123,24 +102,6 @@ class FontFallbackParagraph(Paragraph):
                return family


-class PlainTextParagraph(FontFallbackParagraph):
-    def __init__(self, text, style=None, linebreaks=True, *args, **kwargs):
-        if not isinstance(text, str):
-            if hasattr(text, '__html__'):
-                raise ValueError("It is contradictory to pass escaped content to PlainTextParagraph")
-            text = str(text)
-
-        # Normalize unicode and apply reshaping
-        text = normalize_text(text)
-
-        # Escape any HTML in the text
-        text = escape(text)
-
-        if linebreaks:
-            text = text.strip().replace("\n", "<br />\n")
-        super().__init__(text, style, *args, **kwargs)
-
-
 def register_ttf_font_if_new(name, path):
    from reportlab.pdfbase import pdfmetrics
    from reportlab.pdfbase.ttfonts import TTFont
@@ -25,7 +25,7 @@ import time

 from django.conf import settings
 from django.contrib.auth import login as auth_login
-from django.contrib.gis import geoip2
+from django.contrib.gis.geoip2 import GeoIP2
 from django.core.cache import cache
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@@ -63,20 +63,14 @@ def get_user_agent_hash(request):
 _geoip = None


-def get_geoip() -> geoip2.GeoIP2:
-    # See https://code.djangoproject.com/ticket/36988#ticket
+def _get_country(request):
    global _geoip

-    geoip2.SUPPORTED_DATABASE_TYPES.add("Geoacumen-Country")
-
    if not _geoip:
-        _geoip = geoip2.GeoIP2()
-    return _geoip
+        _geoip = GeoIP2()

-
-def _get_country(request):
    try:
-        res = get_geoip().country(get_client_ip(request))
+        res = _geoip.country(get_client_ip(request))
    except AddressNotFoundError:
        return None
    return res['country_code']
@@ -1,33 +0,0 @@
-#
-# This file is part of pretix (Community Edition).
-#
-# Copyright (C) 2014-2020  Raphael Michel and contributors
-# Copyright (C) 2020-today pretix GmbH and contributors
-#
-# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
-# Public License as published by the Free Software Foundation in version 3 of the License.
-#
-# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
-# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
-# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
-# this file, see <https://pretix.eu/about/en/license>.
-#
-# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
-# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
-# details.
-#
-# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
-# <https://www.gnu.org/licenses/>.
-#
-import logging
-
-from django import template
-from django.utils.html import format_html
-
-register = template.Library()
-logger = logging.getLogger(__name__)
-
-
-@register.filter
-def wrap_in(content, tag_name):
-    return format_html(f'<{tag_name}>{{}}</{tag_name}>', content)
@@ -173,7 +173,6 @@ def create_thumbnail(source, size, formats=None):
    # filesystem path, this only works because _open() uses safe_join, which accepts absolute paths if they match the
    # expected base dir. For NanoCDN Files, this works because source.name is set to the storage path.
    source_rb = default_storage.open(source_name, mode='rb')
-    source_ext = os.path.splitext(source_name)[1].lower()

    image = Image.open(BytesIO(source_rb.read()), formats=formats or settings.PILLOW_FORMATS_QUESTIONS_IMAGE)
    try:
@@ -184,14 +183,11 @@ def create_thumbnail(source, size, formats=None):
    frames = []
    durations = []
    for f in ImageSequence.Iterator(image):
-        if f.mode in ("P", "PA") and source_ext == '.png':
-            f = f.convert('RGBA')
-        if f.mode not in ("1", "L", "RGB", "RGBA"):
-            f = f.convert('RGB')
        durations.append(f.info.get("duration", 1000))
        frames.append(resize_image(f, size))
    image_out = frames[0]
    save_kwargs = {}
+    source_ext = os.path.splitext(source_name)[1].lower()

    if source_ext == '.jpg' or source_ext == '.jpeg':
        # Yields better file sizes for photos
@@ -215,6 +211,10 @@ def create_thumbnail(source, size, formats=None):
    checksum = hashlib.md5(image.tobytes()).hexdigest()
    name = checksum + '.' + size.replace('^', 'c') + '.' + target_ext
    buffer = BytesIO()
+    if image_out.mode == "P" and source_ext == '.png':
+        image_out = image_out.convert('RGBA')
+    if image_out.mode not in ("1", "L", "RGB", "RGBA"):
+        image_out = image_out.convert('RGB')
    image_out.save(fp=buffer, format=target_ext.upper(), quality=quality, **save_kwargs)
    imgfile = ContentFile(buffer.getvalue())

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-28 09:04+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -632,56 +632,56 @@ msgstr ""
 msgid "Unknown error."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:310
+#: pretix/static/pretixcontrol/js/ui/main.js:309
 msgid "Your color has great contrast and will provide excellent accessibility."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:314
+#: pretix/static/pretixcontrol/js/ui/main.js:313
 msgid ""
 "Your color has decent contrast and is sufficient for minimum accessibility "
 "requirements."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:318
+#: pretix/static/pretixcontrol/js/ui/main.js:317
 msgid ""
 "Your color has insufficient contrast to white. Accessibility of your site "
 "will be impacted."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:446
-#: pretix/static/pretixcontrol/js/ui/main.js:466
+#: pretix/static/pretixcontrol/js/ui/main.js:445
+#: pretix/static/pretixcontrol/js/ui/main.js:465
 msgid "Search query"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:464
+#: pretix/static/pretixcontrol/js/ui/main.js:463
 msgid "All"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:465
+#: pretix/static/pretixcontrol/js/ui/main.js:464
 msgid "None"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:469
+#: pretix/static/pretixcontrol/js/ui/main.js:468
 msgid "Selected only"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:842
+#: pretix/static/pretixcontrol/js/ui/main.js:841
 msgid "Enter page number between 1 and %(max)s."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:845
+#: pretix/static/pretixcontrol/js/ui/main.js:844
 msgid "Invalid page number."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1003
+#: pretix/static/pretixcontrol/js/ui/main.js:1002
 msgid "Use a different name internally"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1043
+#: pretix/static/pretixcontrol/js/ui/main.js:1042
 msgid "Click to close"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1124
+#: pretix/static/pretixcontrol/js/ui/main.js:1123
 msgid "You have unsaved changes!"
 msgstr ""

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-28 09:04+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: 2021-09-15 11:22+0000\n"
 "Last-Translator: Mohamed Tawfiq <mtawfiq@wafyapp.com>\n"
 "Language-Team: Arabic <https://translate.pretix.eu/projects/pretix/pretix-js/"
@@ -666,13 +666,13 @@ msgstr "توليد الرسائل …"
 msgid "Unknown error."
 msgstr "خطأ غير معروف."

-#: pretix/static/pretixcontrol/js/ui/main.js:310
+#: pretix/static/pretixcontrol/js/ui/main.js:309
 #, fuzzy
 #| msgid "Your color has great contrast and is very easy to read!"
 msgid "Your color has great contrast and will provide excellent accessibility."
 msgstr "اللون يتمتع بتباين كبير وتسهل قراءته!"

-#: pretix/static/pretixcontrol/js/ui/main.js:314
+#: pretix/static/pretixcontrol/js/ui/main.js:313
 #, fuzzy
 #| msgid "Your color has decent contrast and is probably good-enough to read!"
 msgid ""
@@ -680,46 +680,46 @@ msgid ""
 "requirements."
 msgstr "اللون يحظى بتباين معقول ويمكن أن يكون مناسب للقراءة!"

-#: pretix/static/pretixcontrol/js/ui/main.js:318
+#: pretix/static/pretixcontrol/js/ui/main.js:317
 msgid ""
 "Your color has insufficient contrast to white. Accessibility of your site "
 "will be impacted."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:446
-#: pretix/static/pretixcontrol/js/ui/main.js:466
+#: pretix/static/pretixcontrol/js/ui/main.js:445
+#: pretix/static/pretixcontrol/js/ui/main.js:465
 msgid "Search query"
 msgstr "البحث في الاستفسارات"

-#: pretix/static/pretixcontrol/js/ui/main.js:464
+#: pretix/static/pretixcontrol/js/ui/main.js:463
 msgid "All"
 msgstr "الكل"

-#: pretix/static/pretixcontrol/js/ui/main.js:465
+#: pretix/static/pretixcontrol/js/ui/main.js:464
 msgid "None"
 msgstr "لا شيء"

-#: pretix/static/pretixcontrol/js/ui/main.js:469
+#: pretix/static/pretixcontrol/js/ui/main.js:468
 msgid "Selected only"
 msgstr "المختارة فقط"

-#: pretix/static/pretixcontrol/js/ui/main.js:842
+#: pretix/static/pretixcontrol/js/ui/main.js:841
 msgid "Enter page number between 1 and %(max)s."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:845
+#: pretix/static/pretixcontrol/js/ui/main.js:844
 msgid "Invalid page number."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1003
+#: pretix/static/pretixcontrol/js/ui/main.js:1002
 msgid "Use a different name internally"
 msgstr "قم باستخدم اسم مختلف داخليا"

-#: pretix/static/pretixcontrol/js/ui/main.js:1043
+#: pretix/static/pretixcontrol/js/ui/main.js:1042
 msgid "Click to close"
 msgstr "اضغط لاغلاق الصفحة"

-#: pretix/static/pretixcontrol/js/ui/main.js:1124
+#: pretix/static/pretixcontrol/js/ui/main.js:1123
 msgid "You have unsaved changes!"
 msgstr "لم تقم بحفظ التعديلات!"

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-28 09:04+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -632,56 +632,56 @@ msgstr ""
 msgid "Unknown error."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:310
+#: pretix/static/pretixcontrol/js/ui/main.js:309
 msgid "Your color has great contrast and will provide excellent accessibility."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:314
+#: pretix/static/pretixcontrol/js/ui/main.js:313
 msgid ""
 "Your color has decent contrast and is sufficient for minimum accessibility "
 "requirements."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:318
+#: pretix/static/pretixcontrol/js/ui/main.js:317
 msgid ""
 "Your color has insufficient contrast to white. Accessibility of your site "
 "will be impacted."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:446
-#: pretix/static/pretixcontrol/js/ui/main.js:466
+#: pretix/static/pretixcontrol/js/ui/main.js:445
+#: pretix/static/pretixcontrol/js/ui/main.js:465
 msgid "Search query"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:464
+#: pretix/static/pretixcontrol/js/ui/main.js:463
 msgid "All"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:465
+#: pretix/static/pretixcontrol/js/ui/main.js:464
 msgid "None"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:469
+#: pretix/static/pretixcontrol/js/ui/main.js:468
 msgid "Selected only"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:842
+#: pretix/static/pretixcontrol/js/ui/main.js:841
 msgid "Enter page number between 1 and %(max)s."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:845
+#: pretix/static/pretixcontrol/js/ui/main.js:844
 msgid "Invalid page number."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1003
+#: pretix/static/pretixcontrol/js/ui/main.js:1002
 msgid "Use a different name internally"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1043
+#: pretix/static/pretixcontrol/js/ui/main.js:1042
 msgid "Click to close"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1124
+#: pretix/static/pretixcontrol/js/ui/main.js:1123
 msgid "You have unsaved changes!"
 msgstr ""

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-28 09:04+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: 2025-10-31 17:00+0000\n"
 "Last-Translator: Núria Masclans <nuriamasclansserrat@gmail.com>\n"
 "Language-Team: Catalan <https://translate.pretix.eu/projects/pretix/pretix-"
@@ -644,11 +644,11 @@ msgstr "Generant missatges…"
 msgid "Unknown error."
 msgstr "Error desconegut."

-#: pretix/static/pretixcontrol/js/ui/main.js:310
+#: pretix/static/pretixcontrol/js/ui/main.js:309
 msgid "Your color has great contrast and will provide excellent accessibility."
 msgstr "El teu color té molt contrast i garanteix bona accessibilitat."

-#: pretix/static/pretixcontrol/js/ui/main.js:314
+#: pretix/static/pretixcontrol/js/ui/main.js:313
 msgid ""
 "Your color has decent contrast and is sufficient for minimum accessibility "
 "requirements."
@@ -656,7 +656,7 @@ msgstr ""
 "El teu color té un contrast acceptable i compleix els requisits mínims "
 "d’accessibilitat."

-#: pretix/static/pretixcontrol/js/ui/main.js:318
+#: pretix/static/pretixcontrol/js/ui/main.js:317
 msgid ""
 "Your color has insufficient contrast to white. Accessibility of your site "
 "will be impacted."
@@ -664,40 +664,40 @@ msgstr ""
 "El color no té prou contrast amb el blanc i pot afectar a l'accessibilitat "
 "del lloc web."

-#: pretix/static/pretixcontrol/js/ui/main.js:446
-#: pretix/static/pretixcontrol/js/ui/main.js:466
+#: pretix/static/pretixcontrol/js/ui/main.js:445
+#: pretix/static/pretixcontrol/js/ui/main.js:465
 msgid "Search query"
 msgstr "Consulta de cerca"

-#: pretix/static/pretixcontrol/js/ui/main.js:464
+#: pretix/static/pretixcontrol/js/ui/main.js:463
 msgid "All"
 msgstr "Tots"

-#: pretix/static/pretixcontrol/js/ui/main.js:465
+#: pretix/static/pretixcontrol/js/ui/main.js:464
 msgid "None"
 msgstr "Cap"

-#: pretix/static/pretixcontrol/js/ui/main.js:469
+#: pretix/static/pretixcontrol/js/ui/main.js:468
 msgid "Selected only"
 msgstr "Només seleccionats"

-#: pretix/static/pretixcontrol/js/ui/main.js:842
+#: pretix/static/pretixcontrol/js/ui/main.js:841
 msgid "Enter page number between 1 and %(max)s."
 msgstr "Introdueix un número de pàgina entre 1 i %(max)s."

-#: pretix/static/pretixcontrol/js/ui/main.js:845
+#: pretix/static/pretixcontrol/js/ui/main.js:844
 msgid "Invalid page number."
 msgstr "Número de pàgina no vàlid."

-#: pretix/static/pretixcontrol/js/ui/main.js:1003
+#: pretix/static/pretixcontrol/js/ui/main.js:1002
 msgid "Use a different name internally"
 msgstr "Utilitza un nom diferent internament"

-#: pretix/static/pretixcontrol/js/ui/main.js:1043
+#: pretix/static/pretixcontrol/js/ui/main.js:1042
 msgid "Click to close"
 msgstr "Prem per tancar"

-#: pretix/static/pretixcontrol/js/ui/main.js:1124
+#: pretix/static/pretixcontrol/js/ui/main.js:1123
 msgid "You have unsaved changes!"
 msgstr "Tens canvis sense desar!"

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-28 09:04+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: 2026-01-08 04:00+0000\n"
 "Last-Translator: Jiří Pastrňák <jiri@pastrnak.email>\n"
 "Language-Team: Czech <https://translate.pretix.eu/projects/pretix/pretix-js/"
@@ -657,57 +657,57 @@ msgstr "Vytváření zpráv…"
 msgid "Unknown error."
 msgstr "Neznámá chyba."

-#: pretix/static/pretixcontrol/js/ui/main.js:310
+#: pretix/static/pretixcontrol/js/ui/main.js:309
 msgid "Your color has great contrast and will provide excellent accessibility."
 msgstr "Tato barva má velmi dobrý kontrast a je velmi dobře čitelná."

-#: pretix/static/pretixcontrol/js/ui/main.js:314
+#: pretix/static/pretixcontrol/js/ui/main.js:313
 msgid ""
 "Your color has decent contrast and is sufficient for minimum accessibility "
 "requirements."
 msgstr ""
 "Tato barva má slušný kontrast a pravděpodobně je dostatečně dobře čitelná."

-#: pretix/static/pretixcontrol/js/ui/main.js:318
+#: pretix/static/pretixcontrol/js/ui/main.js:317
 msgid ""
 "Your color has insufficient contrast to white. Accessibility of your site "
 "will be impacted."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:446
-#: pretix/static/pretixcontrol/js/ui/main.js:466
+#: pretix/static/pretixcontrol/js/ui/main.js:445
+#: pretix/static/pretixcontrol/js/ui/main.js:465
 msgid "Search query"
 msgstr "Hledaný výraz"

-#: pretix/static/pretixcontrol/js/ui/main.js:464
+#: pretix/static/pretixcontrol/js/ui/main.js:463
 msgid "All"
 msgstr "Všechny"

-#: pretix/static/pretixcontrol/js/ui/main.js:465
+#: pretix/static/pretixcontrol/js/ui/main.js:464
 msgid "None"
 msgstr "Žádný"

-#: pretix/static/pretixcontrol/js/ui/main.js:469
+#: pretix/static/pretixcontrol/js/ui/main.js:468
 msgid "Selected only"
 msgstr "Pouze vybrané"

-#: pretix/static/pretixcontrol/js/ui/main.js:842
+#: pretix/static/pretixcontrol/js/ui/main.js:841
 msgid "Enter page number between 1 and %(max)s."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:845
+#: pretix/static/pretixcontrol/js/ui/main.js:844
 msgid "Invalid page number."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1003
+#: pretix/static/pretixcontrol/js/ui/main.js:1002
 msgid "Use a different name internally"
 msgstr "Interně používat jiný název"

-#: pretix/static/pretixcontrol/js/ui/main.js:1043
+#: pretix/static/pretixcontrol/js/ui/main.js:1042
 msgid "Click to close"
 msgstr "Kliknutím zavřete"

-#: pretix/static/pretixcontrol/js/ui/main.js:1124
+#: pretix/static/pretixcontrol/js/ui/main.js:1123
 msgid "You have unsaved changes!"
 msgstr "Máte neuložené změny!"

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-28 09:04+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -633,56 +633,56 @@ msgstr ""
 msgid "Unknown error."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:310
+#: pretix/static/pretixcontrol/js/ui/main.js:309
 msgid "Your color has great contrast and will provide excellent accessibility."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:314
+#: pretix/static/pretixcontrol/js/ui/main.js:313
 msgid ""
 "Your color has decent contrast and is sufficient for minimum accessibility "
 "requirements."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:318
+#: pretix/static/pretixcontrol/js/ui/main.js:317
 msgid ""
 "Your color has insufficient contrast to white. Accessibility of your site "
 "will be impacted."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:446
-#: pretix/static/pretixcontrol/js/ui/main.js:466
+#: pretix/static/pretixcontrol/js/ui/main.js:445
+#: pretix/static/pretixcontrol/js/ui/main.js:465
 msgid "Search query"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:464
+#: pretix/static/pretixcontrol/js/ui/main.js:463
 msgid "All"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:465
+#: pretix/static/pretixcontrol/js/ui/main.js:464
 msgid "None"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:469
+#: pretix/static/pretixcontrol/js/ui/main.js:468
 msgid "Selected only"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:842
+#: pretix/static/pretixcontrol/js/ui/main.js:841
 msgid "Enter page number between 1 and %(max)s."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:845
+#: pretix/static/pretixcontrol/js/ui/main.js:844
 msgid "Invalid page number."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1003
+#: pretix/static/pretixcontrol/js/ui/main.js:1002
 msgid "Use a different name internally"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1043
+#: pretix/static/pretixcontrol/js/ui/main.js:1042
 msgid "Click to close"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1124
+#: pretix/static/pretixcontrol/js/ui/main.js:1123
 msgid "You have unsaved changes!"
 msgstr ""

@@ -6,8 +6,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-28 09:04+0000\n"
-"PO-Revision-Date: 2026-04-22 18:00+0000\n"
+"POT-Creation-Date: 2026-03-17 14:06+0000\n"
+"PO-Revision-Date: 2024-07-10 15:00+0000\n"
 "Last-Translator: Nikolai <nikolai@lengefeldt.de>\n"
 "Language-Team: Danish <https://translate.pretix.eu/projects/pretix/pretix-js/"
 "da/>\n"
@@ -16,7 +16,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.17\n"
+"X-Generator: Weblate 5.6.1\n"

 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:56
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:62
@@ -682,56 +682,56 @@ msgstr "Opretter beskeder …"
 msgid "Unknown error."
 msgstr "Ukendt fejl."

-#: pretix/static/pretixcontrol/js/ui/main.js:310
+#: pretix/static/pretixcontrol/js/ui/main.js:309
 msgid "Your color has great contrast and will provide excellent accessibility."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:314
+#: pretix/static/pretixcontrol/js/ui/main.js:313
 msgid ""
 "Your color has decent contrast and is sufficient for minimum accessibility "
 "requirements."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:318
+#: pretix/static/pretixcontrol/js/ui/main.js:317
 msgid ""
 "Your color has insufficient contrast to white. Accessibility of your site "
 "will be impacted."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:446
-#: pretix/static/pretixcontrol/js/ui/main.js:466
+#: pretix/static/pretixcontrol/js/ui/main.js:445
+#: pretix/static/pretixcontrol/js/ui/main.js:465
 msgid "Search query"
-msgstr "Søgeforespørgsel"
+msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:464
+#: pretix/static/pretixcontrol/js/ui/main.js:463
 msgid "All"
 msgstr "Alle"

-#: pretix/static/pretixcontrol/js/ui/main.js:465
+#: pretix/static/pretixcontrol/js/ui/main.js:464
 msgid "None"
 msgstr "Ingen"

-#: pretix/static/pretixcontrol/js/ui/main.js:469
+#: pretix/static/pretixcontrol/js/ui/main.js:468
 msgid "Selected only"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:842
+#: pretix/static/pretixcontrol/js/ui/main.js:841
 msgid "Enter page number between 1 and %(max)s."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:845
+#: pretix/static/pretixcontrol/js/ui/main.js:844
 msgid "Invalid page number."
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1003
+#: pretix/static/pretixcontrol/js/ui/main.js:1002
 msgid "Use a different name internally"
 msgstr ""

-#: pretix/static/pretixcontrol/js/ui/main.js:1043
+#: pretix/static/pretixcontrol/js/ui/main.js:1042
 msgid "Click to close"
 msgstr "Klik for at lukke"

-#: pretix/static/pretixcontrol/js/ui/main.js:1124
+#: pretix/static/pretixcontrol/js/ui/main.js:1123
 msgid "You have unsaved changes!"
 msgstr "Du har ændringer, der ikke er gemt!"

--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mira Weller	9da8c1f7b2	reauth flow token add a special token to always allow completing a form submission, even if the reauthentication time has expired	2026-03-26 12:41:19 +01:00
Mira Weller	6b340682b2	ui changes	2026-03-20 12:56:57 +01:00
Mira Weller	0dc436067f	always perform 2fa activation as dedicated step	2026-03-20 12:56:38 +01:00
Mira Weller	db66c91108	generate emergency tokens during 2fa activation	2026-03-20 12:55:58 +01:00
Mira Weller	3a1db55e8b	remove broken blackberry link	2026-03-20 12:06:56 +01:00
Mira Weller	57da5cbae2	improve 2fa type selection	2026-03-20 11:44:10 +01:00