Update cache handling

Update checkout.py
Validate email addresses fo valid DNS names
2026-01-10 22:22:26 +00:00 · 2021-01-01 20:13:09 +01:00 · 2021-01-01 20:13:09 +01:00 · 2021-01-01 20:13:09 +01:00
405 changed files with 116602 additions and 186971 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,23 +0,0 @@
---
-name: Bug report
-about: Please only create issues for bug reports. Feature requests or general questions
-  should start as a "Discussion" on GitHub.
-title: ''
-labels: ''
-assignees: ''
-
---
-
-<!-- Please only create issues for bug reports. Feature requests or general questions should start as a "Discussion" on GitHub. -->
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Additional context**
-Add any other context about the problem here.
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -33,7 +33,7 @@ jobs:
      - name: Install system packages
        run: sudo apt update && sudo apt install enchant hunspell aspell-en
      - name: Install Dependencies
-        run: pip3 install -Ur doc/requirements.txt
+        run: pip3 install --no-use-pep517 -Ur doc/requirements.txt
      - name: Spellcheck docs
        run: make spelling
        working-directory: ./doc
--- a/.github/workflows/strings.yml
+++ b/.github/workflows/strings.yml
@@ -31,7 +31,7 @@ jobs:
      - name: Install system packages
        run: sudo apt update && sudo apt install gettext
      - name: Install Dependencies
-        run: pip3 install -Ur src/requirements.txt
+        run: pip3 install --no-use-pep517 -Ur src/requirements.txt
      - name: Compile messages
        run: python manage.py compilemessages
        working-directory: ./src
@@ -56,7 +56,7 @@ jobs:
      - name: Install system packages
        run: sudo apt update && sudo apt install enchant hunspell hunspell-de-de aspell-en aspell-de
      - name: Install Dependencies
-        run: pip3 install -Ur src/requirements/dev.txt
+        run: pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
      - name: Spellcheck translations
        run: potypo
        working-directory: ./src
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -29,7 +29,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install Dependencies
-        run: pip3 install -Ur src/requirements/dev.txt
+        run: pip3 install --no-use-pep517 -Ur src/requirements/dev.txt
      - name: Run isort
        run: isort -c .
        working-directory: ./src
@@ -49,7 +49,7 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-pip-
      - name: Install Dependencies
-        run: pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt
+        run: pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt
      - name: Run flake8
        run: flake8 .
        working-directory: ./src
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -57,13 +57,10 @@ jobs:
      - name: Install system dependencies
        run: sudo apt update && sudo apt install gettext mysql-client
      - name: Install Python dependencies
-        run: pip3 install -r src/requirements.txt -Ur src/requirements/dev.txt mysqlclient psycopg2-binary
+        run: pip3 install -r src/requirements.txt --no-use-pep517 -Ur src/requirements/dev.txt mysqlclient psycopg2-binary
      - name: Run checks
        run: python manage.py check
        working-directory: ./src
-      - name: Install JS dependencies
-        working-directory: ./src
-        run: make npminstall
      - name: Compile
        working-directory: ./src
        run: make all compress
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -24,7 +24,6 @@ pypi:
        - XDG_CACHE_HOME=/cache pip3 install -Ur src/requirements.txt -r src/requirements/dev.txt
        - cd src
        - python setup.py sdist
-        - make npminstall
        - pip install dist/pretix-*.tar.gz
        - python -m pretix migrate
        - python -m pretix check
--- a/6
+++ b/6
@@ -31,11 +31,7 @@ RUN apt-get update && \
    useradd -ms /bin/bash -d /pretix -u 15371 pretixuser && \
    echo 'pretixuser ALL=(ALL) NOPASSWD:SETENV: /usr/bin/supervisord' >> /etc/sudoers && \
    mkdir /static && \
-    mkdir /etc/supervisord && \
-	curl -fsSL https://deb.nodesource.com/setup_15.x | sudo -E bash - && \
-    apt-get install -y nodejs && \
-    curl -qL https://www.npmjs.com/install.sh | sh
-
+    mkdir /etc/supervisord

 ENV LC_ALL=C.UTF-8 \
    DJANGO_SETTINGS_MODULE=production_settings
--- a/deployment/docker/supervisord/base.conf
+++ b/deployment/docker/supervisord/base.conf
@@ -2,8 +2,9 @@
 file=/tmp/supervisor.sock

 [supervisord]
-logfile=/dev/stdout
-logfile_maxbytes=0
+logfile=/tmp/supervisord.log
+logfile_maxbytes=50MB
+logfile_backups=10
 loglevel=info
 pidfile=/tmp/supervisord.pid
 nodaemon=false
--- a/deployment/docker/supervisord/nginx.conf
+++ b/deployment/docker/supervisord/nginx.conf
@@ -3,7 +3,5 @@ command=/usr/sbin/nginx
 autostart=true
 autorestart=true
 priority=10
-stdout_logfile=/dev/fd/1
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/fd/2
-stderr_logfile_maxbytes=0
+stdout_events_enabled=true
+stderr_events_enabled=true
--- a/deployment/docker/supervisord/pretixtask.conf
+++ b/deployment/docker/supervisord/pretixtask.conf
@@ -4,7 +4,3 @@ autostart=true
 autorestart=true
 priority=5
 user=pretixuser
-stdout_logfile=/dev/fd/1
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/fd/2
-stderr_logfile_maxbytes=0
--- a/deployment/docker/supervisord/pretixweb.conf
+++ b/deployment/docker/supervisord/pretixweb.conf
@@ -5,7 +5,3 @@ autorestart=true
 priority=5
 user=pretixuser
 environment=HOME=/pretix
-stdout_logfile=/dev/fd/1
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/fd/2
-stderr_logfile_maxbytes=0
--- a/doc/admin/indexes.rst
+++ b/doc/admin/indexes.rst
@@ -60,10 +60,6 @@ Here is the currently recommended set of commands::
    CREATE INDEX CONCURRENTLY pretix_addidx_ia_company
        ON pretixbase_invoiceaddress
        USING gin (upper("company") gin_trgm_ops);
-    CREATE INDEX CONCURRENTLY pretix_addidx_orderpos_email_upper
-        ON public.pretixbase_orderposition (upper((attendee_email)::text));
-    CREATE INDEX CONCURRENTLY pretix_addidx_voucher_code_upper
-        ON public.pretixbase_voucher (upper((code)::text));


 Also, if you use our ``pretix-shipping`` plugin::
--- a/doc/admin/maintainance.rst
+++ b/doc/admin/maintainance.rst
@@ -95,12 +95,6 @@ pretix_model_instances
    the ``model`` name. Starting with pretix 3.11, these numbers might only be approximate for
    most tables when running on PostgreSQL to mitigate performance impact.

-pretix_celery_tasks_queued_count
-    The number of background tasks in the worker queue, labeled with ``queue``.
-
-pretix_celery_tasks_queued_age_seconds
-    The age of the longest-waiting in the worker queue in seconds, labeled with ``queue``.
-
 .. _metric types: https://prometheus.io/docs/concepts/metric_types/
 .. _Prometheus: https://prometheus.io/
 .. _cProfile: https://docs.python.org/3/library/profile.html
--- a/doc/api/fundamentals.rst
+++ b/doc/api/fundamentals.rst
@@ -183,9 +183,6 @@ Relative date         *either* String in ISO 8601  ``"2017-12-27"``,
                      constructed from a number of
                      days before the base point
                      and the base point.
-File                  URL in responses, ``file:``  ``"https://…"``, ``"file:…"``
-                      specifiers in requests
-                      (see below).
 ===================== ============================ ===================================

 Query parameters
@@ -230,48 +227,4 @@ We store idempotency keys for 24 hours, so you should never retry a request afte
 All ``POST``, ``PUT``, ``PATCH``, or ``DELETE`` api calls support idempotency keys. Adding an idempotency key to a
 ``GET``, ``HEAD``, or ``OPTIONS`` request has no effect.

-
-File upload
-----------
-
-In some places, the API supports working with files, for example when setting the picture of a product. In this case,
-you will first need to make a separate request to our file upload endpoint:
-
-.. sourcecode:: http
-
-   POST /api/v1/upload HTTP/1.1
-   Host: pretix.eu
-   Authorization: Token e1l6gq2ye72thbwkacj7jbri7a7tvxe614ojv8ybureain92ocub46t5gab5966k
-   Content-Type: image/png
-   Content-Disposition: attachment; filename="logo.png"
-   Content-Length: 1234
-
-   <raw file content>
-
-Note that the ``Content-Type`` and ``Content-Disposition`` headers are required. If the upload was successful, you will
-receive a JSON response with the ID of the file:
-
-.. sourcecode:: http
-
-   HTTP/1.1 201 Created
-   Content-Type: application/json
-
-   {
-     "id": "file:1cd99455-1ebd-4cda-b1a2-7a7d2a969ad1"
-   }
-
-You can then use this file ID in the request you want to use it in. File IDs are currently valid for 24 hours and can only
-be used using the same authorization method and user that was used to upload them.
-
-.. sourcecode:: http
-
-   PATCH /api/v1/organizers/test/events/test/items/3/ HTTP/1.1
-   Host: pretix.eu
-   Content-Type: application/json
-
-   {
-     "picture": "file:1cd99455-1ebd-4cda-b1a2-7a7d2a969ad1"
-   }
-
-
 .. _CSRF policies: https://docs.djangoproject.com/en/1.11/ref/csrf/#ajax
--- a/doc/api/guides/index.rst
+++ b/doc/api/guides/index.rst
@@ -8,5 +8,4 @@ This part of the documentation contains how-to guides on some special use cases
 .. toctree::
   :maxdepth: 2

-   order_lifecycle
   custom_checkout
--- a/doc/api/guides/order_lifecycle.rst
+++ b/doc/api/guides/order_lifecycle.rst
@@ -1,56 +0,0 @@
-Understanding the life cycle of orders
-======================================
-
-When integrating pretix with other systems, it is important that you understand how orders and related objects
-such as order positions, fees, payments, refunds, and invoices work together, in order to react to their changes
-properly and map them to processes in your system.
-
-Order states
------------
-
-Generally, an order can be in six states. For compatibility reasons, the ``status`` field only allows four values
-and the two remaining states are modeled through the ``require_approval`` field and the number of positions within
-an order. The states and their allowed changes are shown in the following graph:
-
-.. image:: /images/order_states.png
-
-
-Object types
------------
-
-Order
-    One order represents one purchase. It's the main object you interact with and bundles all the other objects
-    together. Orders can change in many ways during their lifetime, but will never be deleted (unless ``testmode``
-    is set to ``true``).
-
-Order position
-    An order position represents one product contained in the order. Orders can usually have multiple positions.
-    There might be a parent-child relation between order positions if one position is an add-on to another position.
-    Order positions can change in many ways during their lifetime, and can also be removed or added to an order.
-
-Order fees
-    A fee represents a charge that is not related to a product. Examples include shipping fees, service fees, and
-    cancellation fees.
-    Order fees can change in many ways during their lifetime, and can also be removed or added to an order.
-
-Order payment
-    An order payment represents one payment attempt with a specific payment method and amount. An order can have
-    multiple payments attached.
-    Order payments have their own state diagram. Apart from their state and their meta information (e.g. used
-    credit card, …) they usually don't change. They may be added at any time, but will never be deleted.
-
-Order refund
-    An order payment represents one refund attempt with a specific payment method and amount. An order can have
-    multiple refunds attached.
-    Order refunds have their own state diagram. Apart from their state and their meta information (e.g. used
-    credit card, …) they usually don't change. They may be added at any time, but will never be deleted.
-
-Invoice
-    An invoice represents a legal document stating the contents of an order. While the backend technically allows
-    to update an invoice in some situations, invoices are generally considered immutable. Once they are issued,
-    they no longer change. If the order changes substantially (e.g. prices change), an invoice is canceled through
-    creation of a new invoice with the opposite amount, plus the issuance of a new invoice.
-
-Here's an example of how they all play together:
-
-.. image:: /images/order_objects.png
--- a/doc/api/resources/carts.rst
+++ b/doc/api/resources/carts.rst
@@ -42,6 +42,10 @@ seat                                  objects                    The assigned se
 └ seat_guid                           string                     Identifier of the seat within the seating plan
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.17
+
+   This resource has been added.
+
 .. versionchanged:: 3.0

   This ``seat`` attribute has been added.
--- a/doc/api/resources/categories.rst
+++ b/doc/api/resources/categories.rst
@@ -25,6 +25,14 @@ is_addon                              boolean                    If ``true``, it
                                                                 defining add-ons for other products.
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.14
+
+   The operations POST, PATCH, PUT and DELETE have been added.
+
+.. versionchanged:: 1.16
+
+   The field ``internal_name`` has been added.
+

 Endpoints
 ---------
--- a/doc/api/resources/checkinlists.rst
+++ b/doc/api/resources/checkinlists.rst
@@ -36,6 +36,22 @@ rules                                 object                     Custom check-in
 exit_all_at                           datetime                   Automatically check out (i.e. perform an exit scan) at this point in time. After this happened, this property will automatically be set exactly one day into the future. Note that this field is considered "internal configuration" and if you pull the list with ``If-Modified-Since``, the daily change in this field will not trigger a response.
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.10
+
+   This resource has been added.
+
+.. versionchanged:: 1.11
+
+   The ``positions`` endpoints have been added.
+
+.. versionchanged:: 1.13
+
+   The ``include_pending`` field has been added.
+
+.. versionchanged:: 3.2
+
+    The ``auto_checkin_sales_channels`` field has been added.
+
 .. versionchanged:: 3.9

    The ``subevent`` attribute may now be ``null`` inside event series. The ``allow_multiple_entries``,
@@ -49,13 +65,13 @@ exit_all_at                           datetime                   Automatically c

    The ``exit_all_at`` attribute has been added.

-.. versionchanged:: 3.17
-
-    The ``ends_after`` and ``expand`` query parameters have been added.
-
 Endpoints
 ---------

+.. versionchanged:: 1.15
+
+   The ``../status/`` detail endpoint has been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/

   Returns a list of all check-in lists within a given event.
@@ -104,8 +120,6 @@ Endpoints
   :query integer page: The page number in case of a multi-page result set, default is 1
   :query integer subevent: Only return check-in lists of the sub-event with the given ID
   :query integer subevent_match: Only return check-in lists that are valid for the sub-event with the given ID (i.e. also lists valid for all subevents)
-   :query string ends_after: Exclude all check-in lists attached to a sub-event that is already in the past at the given time.
-   :query string expand: Expand a field into a full object. Currently only ``subevent`` is supported. Can be passed multiple times.
   :query string exclude: Exclude a field from the output, e.g. ``checkin_count``. Can be used as a performance optimization. Can be passed multiple times.
   :param organizer: The ``slug`` field of the organizer to fetch
   :param event: The ``slug`` field of the event to fetch
@@ -366,6 +380,29 @@ Endpoints
 Order position endpoints
 ------------------------

+.. versionchanged:: 1.15
+
+   The order positions endpoint has been extended by the filter queries ``item__in``, ``variation__in``,
+   ``order__status__in``, ``subevent__in``, ``addon_to__in``, and ``search``. The search for attendee names and order
+   codes is now case-insensitive.
+
+   The ``.../redeem/`` endpoint has been added.
+
+.. versionchanged:: 2.0
+
+   The order positions endpoint has been extended by the filter queries ``voucher`` and ``voucher__code``.
+
+.. versionchanged:: 2.7
+
+   The resource now contains the new attributes ``require_attention`` and ``order__status`` and accepts the new
+   ``ignore_status`` filter. The ``attendee_name`` field is now "smart" (see below) and the redemption endpoint
+   returns ``400`` instead of ``404`` on tickets which are known but not paid.
+
+.. versionchanged:: 3.2
+
+    The ``checkins`` dict now also contains a ``auto_checked_in`` value to indicate if the check-in has been performed
+    automatically by the system.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/checkinlists/(list)/positions/

   Returns a list of all order positions within a given event. The result is the same as
@@ -453,7 +490,6 @@ Order position endpoints
                           ``attendee_name,positionid``
   :query string order: Only return positions of the order with the given order code
   :query string search: Fuzzy search matching the attendee name, order code, invoice address name as well as to the beginning of the secret.
-   :query string expand: Expand a field into a full object. Currently only ``subevent``, ``item``, and ``variation`` are supported. Can be passed multiple times.
   :query integer item: Only return positions with the purchased item matching the given ID.
   :query integer item__in: Only return positions with the purchased item matching one of the given comma-separated IDs.
   :query integer variation: Only return positions with the purchased item variation matching the given ID.
--- a/doc/api/resources/events.rst
+++ b/doc/api/resources/events.rst
@@ -52,6 +52,31 @@ sales_channels                        list                       A list of sales
 ===================================== ========================== =======================================================


+.. versionchanged:: 1.7
+
+   The ``meta_data`` field has been added.
+
+.. versionchanged:: 1.15
+
+   The ``plugins`` field has been added.
+   The operations POST, PATCH, PUT and DELETE have been added.
+
+.. versionchanged:: 2.1
+
+   Filters have been added to the list of events.
+
+.. versionchanged:: 2.5
+
+   The ``testmode`` attribute has been added.
+
+.. versionchanged:: 2.8
+
+    When cloning events, the ``testmode`` attribute will now be cloned, too.
+
+.. versionchanged:: 3.0
+
+   The attributes ``seating_plan`` and ``seat_category_mapping`` have been added.
+
 .. versionchanged:: 3.3

   The attributes ``geo_lat`` and ``geo_lon`` have been added.
--- a/doc/api/resources/invoices.rst
+++ b/doc/api/resources/invoices.rst
@@ -15,24 +15,8 @@ number                                string                     Invoice number
 order                                 string                     Order code of the order this invoice belongs to
 is_cancellation                       boolean                    ``true``, if this invoice is the cancellation of a
                                                                 different invoice.
-invoice_from_name                     string                     Sender address: Name
-invoice_from                          string                     Sender address: Address lines
-invoice_from_zipcode                  string                     Sender address: ZIP code
-invoice_from_city                     string                     Sender address: City
-invoice_from_country                  string                     Sender address: Country code
-invoice_from_tax_id                   string                     Sender address: Local Tax ID
-invoice_from_vat_id                   string                     Sender address: EU VAT ID
-invoice_to                            string                     Full recipient address
-invoice_to_company                    string                     Recipient address: Company name
-invoice_to_name                       string                     Recipient address: Person name
-invoice_to_street                     string                     Recipient address: Address lines
-invoice_to_zipcode                    string                     Recipient address: ZIP code
-invoice_to_city                       string                     Recipient address: City
-invoice_to_state                      string                     Recipient address: State (only used in some countries)
-invoice_to_country                    string                     Recipient address: Country code
-invoice_to_vat_id                     string                     Recipient address: EU VAT ID
-invoice_to_beneficiary                string                     Invoice beneficiary
-custom_field                          string                     Custom invoice address field
+invoice_from                          string                     Sender address
+invoice_to                            string                     Receiver address
 date                                  date                       Invoice date
 refers                                string                     Invoice number of an invoice this invoice refers to
                                                                 (for example a cancellation refers to the invoice it
@@ -46,31 +30,6 @@ footer_text                           string                     Text to be prin
 lines                                 list of objects            The actual invoice contents
 ├ position                            integer                    Number of the line within an invoice.
 ├ description                         string                     Text representing the invoice line (e.g. product name)
-├ item                                integer                    Product used to create this line. Note that everything
-                                                                 about the product might have changed since the creation
-                                                                 of the invoice. Can be ``null`` for all invoice lines
-                                                                 created before this field was introduced as well as for
-                                                                 all lines not created by a product (e.g. a shipping or
-                                                                 cancellation fee).
-├ variation                           integer                    Product variation used to create this line. Note that everything
-                                                                 about the product might have changed since the creation
-                                                                 of the invoice. Can be ``null`` for all invoice lines
-                                                                 created before this field was introduced as well as for
-                                                                 all lines not created by a product (e.g. a shipping or
-                                                                 cancellation fee).
-├ event_date_from                     datetime                   Start date of the (sub)event this line was created for as it
-                                                                 was set during invoice creation. Can be ``null`` for all invoice
-                                                                 lines created before this was introduced as well as for lines in
-                                                                 an event series not created by a product (e.g. shipping or
-                                                                 cancellation fees).
-├ event_date_to                       datetime                   End date of the (sub)event this line was created for as it
-                                                                 was set during invoice creation. Can be ``null`` for all invoice
-                                                                 lines created before this was introduced as well as for lines in
-                                                                 an event series not created by a product (e.g. shipping or
-                                                                 cancellation fees) as well as whenever the respective (sub)event
-                                                                 has no end date set.
-├ attendee_name                       string                     Attendee name at time of invoice creation. Can be ``null`` if no
-                                                                 name was set or if names are configured to not be added to invoices.
 ├ gross_value                         money (string)             Price including taxes
 ├ tax_value                           money (string)             Tax amount included
 ├ tax_name                            string                     Name of used tax rate (e.g. "VAT")
@@ -87,16 +46,28 @@ internal_reference                    string                     Customer's refe
 ===================================== ========================== =======================================================


+.. versionchanged:: 1.6
+
+   The attribute ``invoice_no`` has been dropped in favor of ``number`` which includes the number including the prefix,
+   since the prefix can now vary. Also, invoices now need to be identified by their ``number`` instead of the raw
+   number.
+
+
+.. versionchanged:: 1.7
+
+   The attributes ``lines.tax_name``, ``foreign_currency_display``, ``foreign_currency_rate``, and
+   ``foreign_currency_rate_date`` have been added.
+
+
+.. versionchanged:: 1.9
+
+   The attribute ``internal_reference`` has been added.
+
+
 .. versionchanged:: 3.4

   The attribute ``lines.number`` has been added.

-.. versionchanged:: 3.17
-
-   The attribute ``invoice_to_*``, ``invoice_from_*``, ``custom_field``, ``lines.item``, ``lines.variation``, ``lines.event_date_from``,
-   ``lines.event_date_to``, and ``lines.attendee_name`` have been added.
-   ``refers`` now returns an invoice number including the prefix.
-

 Endpoints
 ---------
@@ -130,24 +101,8 @@ Endpoints
            "number": "SAMPLECONF-00001",
            "order": "ABC12",
            "is_cancellation": false,
-            "invoice_from_name": "Big Events LLC",
-            "invoice_from": "Demo street 12",
-            "invoice_from_zipcode":"",
-            "invoice_from_city":"Demo town",
-            "invoice_from_country":"US",
-            "invoice_from_tax_id":"",
-            "invoice_from_vat_id":"",
-            "invoice_to": "Sample company\nJohn Doe\nTest street 12\n12345 Testington\nTestikistan\nVAT-ID: EU123456789",
-            "invoice_to_company": "Sample company",
-            "invoice_to_name": "John Doe",
-            "invoice_to_street": "Test street 12",
-            "invoice_to_zipcode": "12345",
-            "invoice_to_city": "Testington",
-            "invoice_to_state": null,
-            "invoice_to_country": "TE",
-            "invoice_to_vat_id": "EU123456789",
-            "invoice_to_beneficiary": "",
-            "custom_field": null,
+            "invoice_from": "Big Events LLC\nDemo street 12\nDemo town",
+            "invoice_to": "Sample company\nJohn Doe\nTest street 12\n12345 Testington\nTestikistan\nVAT ID: EU123456789",
            "date": "2017-12-01",
            "refers": null,
            "locale": "en",
@@ -160,11 +115,6 @@ Endpoints
              {
                "position": 1,
                "description": "Budget Ticket",
-                "item": 1234,
-                "variation": 245,
-                "event_date_from": "2017-12-27T10:00:00Z",
-                "event_date_to": null,
-                "attendee_name": null,
                "gross_value": "23.00",
                "tax_value": "0.00",
                "tax_name": "VAT",
@@ -216,24 +166,8 @@ Endpoints
        "number": "SAMPLECONF-00001",
        "order": "ABC12",
        "is_cancellation": false,
-        "invoice_from_name": "Big Events LLC",
-        "invoice_from": "Demo street 12",
-        "invoice_from_zipcode":"",
-        "invoice_from_city":"Demo town",
-        "invoice_from_country":"US",
-        "invoice_from_tax_id":"",
-        "invoice_from_vat_id":"",
-        "invoice_to": "Sample company\nJohn Doe\nTest street 12\n12345 Testington\nTestikistan\nVAT-ID: EU123456789",
-        "invoice_to_company": "Sample company",
-        "invoice_to_name": "John Doe",
-        "invoice_to_street": "Test street 12",
-        "invoice_to_zipcode": "12345",
-        "invoice_to_city": "Testington",
-        "invoice_to_state": null,
-        "invoice_to_country": "TE",
-        "invoice_to_vat_id": "EU123456789",
-        "invoice_to_beneficiary": "",
-        "custom_field": null,
+        "invoice_from": "Big Events LLC\nDemo street 12\nDemo town",
+        "invoice_to": "Sample company\nJohn Doe\nTest street 12\n12345 Testington\nTestikistan\nVAT ID: EU123456789",
        "date": "2017-12-01",
        "refers": null,
        "locale": "en",
@@ -246,11 +180,6 @@ Endpoints
          {
            "position": 1,
            "description": "Budget Ticket",
-            "item": 1234,
-            "variation": 245,
-            "event_date_from": "2017-12-27T10:00:00Z",
-            "event_date_to": null,
-            "attendee_name": null,
            "gross_value": "23.00",
            "tax_value": "0.00",
            "tax_name": "VAT",
--- a/doc/api/resources/item_add-ons.rst
+++ b/doc/api/resources/item_add-ons.rst
@@ -28,6 +28,10 @@ multi_allowed                         boolean                    Adding the same
 price_included                        boolean                    Adding this add-on to the item is free
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.12
+
+   This resource has been added.
+
 Endpoints
 ---------

--- a/doc/api/resources/item_bundles.rst
+++ b/doc/api/resources/item_bundles.rst
@@ -30,6 +30,10 @@ designated_price                      money (string)             Designated pric
                                                                 taxation. This is not added to the price.
 ===================================== ========================== =======================================================

+.. versionchanged:: 2.6
+
+   This resource has been added.
+
 Endpoints
 ---------

--- a/doc/api/resources/item_variations.rst
+++ b/doc/api/resources/item_variations.rst
@@ -26,6 +26,14 @@ description                           multi-lingual string       A public descri
 position                              integer                    An integer, used for sorting
 ===================================== ========================== =======================================================

+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added.
+
+.. versionchanged:: 1.12
+
+   This resource has been added.
+
 Endpoints
 ---------

--- a/doc/api/resources/items.rst
+++ b/doc/api/resources/items.rst
@@ -36,8 +36,8 @@ admission                             boolean                    ``true`` for it
                                                                 (such as primary tickets) and ``false`` for others
                                                                 (such as add-ons or merchandise).
 position                              integer                    An integer, used for sorting
-picture                               file                       A product picture to be displayed in the shop
-                                                                 (can be ``null``).
+picture                               string                     A product picture to be displayed in the shop
+                                                                 (read-only, can be ``null``).
 sales_channels                        list of strings            Sales channels this product is available on, such as
                                                                 ``"web"`` or ``"resellers"``. Defaults to ``["web"]``.
 available_from                        datetime                   The first date time at which this item can be bought
@@ -118,6 +118,44 @@ bundles                               list of objects            Definition of b
 meta_data                             object                     Values set for event-specific meta data parameters.
 ===================================== ========================== =======================================================

+.. versionchanged:: 2.7
+
+   The attribute ``original_price`` has been added for ``variations``.
+
+.. versionchanged:: 1.7
+
+   The attribute ``tax_rule`` has been added. ``tax_rate`` is kept for compatibility. The attribute
+   ``checkin_attention`` has been added.
+
+.. versionchanged:: 1.12
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+   The attribute ``price_included`` has been added to ``addons``.
+
+.. versionchanged:: 1.16
+
+   The ``internal_name`` and ``original_price`` fields have been added.
+
+.. versionchanged:: 2.0
+
+   The field ``require_approval`` has been added.
+
+.. versionchanged:: 2.3
+
+   The ``sales_channels`` attribute has been added.
+
+.. versionchanged:: 2.4
+
+   The ``generate_tickets`` attribute has been added.
+
+.. versionchanged:: 2.6
+
+   The ``bundles`` and ``require_bundling`` attributes have been added.
+
+.. versionchanged:: 3.0
+
+   The ``show_quota_left``, ``allow_waitinglist``, and ``hidden_if_available`` attributes have been added.
+
 .. versionchanged:: 3.7

   The attribute ``meta_data`` has been added.
--- a/doc/api/resources/orders.rst
+++ b/doc/api/resources/orders.rst
@@ -94,6 +94,60 @@ last_modified                         datetime                   Last modificati
 ===================================== ========================== =======================================================


+.. versionchanged:: 1.6
+
+   The ``invoice_address.country`` attribute contains a two-letter country code for all new orders. For old orders,
+   a custom text might still be returned.
+
+.. versionchanged:: 1.7
+
+   The attributes ``invoice_address.vat_id_validated`` and ``invoice_address.is_business`` have been added.
+   The attributes ``order.payment_fee``, ``order.payment_fee_tax_rate`` and ``order.payment_fee_tax_value`` have been
+   deprecated in favor of the new ``fees`` attribute but will still be served and removed in 1.9.
+
+.. versionchanged:: 1.9
+
+   First write operations (``…/mark_paid/``, ``…/mark_pending/``, ``…/mark_canceled/``, ``…/mark_expired/``) have been added.
+   The attribute ``invoice_address.internal_reference`` has been added.
+
+.. versionchanged:: 1.13
+
+   The field ``checkin_attention`` has been added.
+
+.. versionchanged:: 1.15
+
+   The attributes ``order.payment_fee``, ``order.payment_fee_tax_rate``, ``order.payment_fee_tax_value`` and
+   ``order.payment_fee_tax_rule`` have finally been removed.
+
+.. versionchanged:: 1.16
+
+   The attributes ``order.last_modified`` as well as the corresponding filters to the resource have been added.
+   An endpoint for order creation as well as ``…/mark_refunded/`` has been added.
+
+.. versionchanged:: 2.0
+
+   The ``order.payment_date`` and ``order.payment_provider`` attributes have been deprecated in favor of the new
+   nested ``payments`` and ``refunds`` resources, but will still be served and removed in 2.2. The ``require_approval``
+   attribute has been added, as have been the ``…/approve/`` and ``…/deny/`` endpoints.
+
+.. versionchanged:: 2.3
+
+   The ``sales_channel`` attribute has been added.
+
+.. versionchanged:: 2.4
+
+   ``order.status`` can no longer be ``r``, ``…/mark_canceled/`` now accepts a ``cancellation_fee`` parameter and
+   ``…/mark_refunded/`` has been deprecated.
+
+.. versionchanged:: 2.5
+
+   The ``testmode`` attribute has been added and ``DELETE`` has been implemented for orders.
+
+.. versionchanged:: 3.1
+
+   The ``invoice_address.state`` and ``url`` attributes have been added. When creating orders through the API,
+   vouchers are now supported and many fields are now optional.
+
 .. versionchanged:: 3.5

   The ``order.fees.canceled`` attribute has been added.
@@ -166,7 +220,7 @@ downloads                             list of objects            List of ticket
 └ url                                 string                     Download URL
 answers                               list of objects            Answers to user-defined questions
 ├ question                            integer                    Internal ID of the answered question
-├ answer                              string                     Text representation of the answer (URL if answer is a file)
+├ answer                              string                     Text representation of the answer
 ├ question_identifier                 string                     The question's ``identifier`` field
 ├ options                             list of integers           Internal IDs of selected option(s)s (only for choice types)
 └ option_identifiers                  list of strings            The ``identifier`` fields of the selected option(s)s
@@ -179,6 +233,30 @@ pdf_data                              object                     Data object req
                                                                 ``pdf_data=true`` query parameter to your request.
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.7
+
+   The attribute ``tax_rule`` has been added.
+
+.. versionchanged:: 1.11
+
+   The attribute ``checkins.list`` has been added.
+
+.. versionchanged:: 1.14
+
+  The attributes ``answers.question_identifier`` and ``answers.option_identifiers`` have been added.
+
+.. versionchanged:: 1.16
+
+  The attributes ``pseudonymization_id`` and ``pdf_data`` have been added.
+
+.. versionchanged:: 3.0
+
+  The attribute ``seat`` has been added.
+
+.. versionchanged:: 3.2
+
+  The value ``auto_checked_in`` has been added to the ``checkins``-attribute.
+
 .. versionchanged:: 3.3

  The ``url`` of a ticket ``download`` can now also return a ``text/uri-list`` instead of a file. See
@@ -196,10 +274,6 @@ pdf_data                              object                     Data object req

  The ``checkin.type`` attribute has been added.

-.. versionchanged:: 3.16
-
-   Answers to file questions are now returned as an URL.
-
 .. _order-payment-resource:

 Order payment resource
@@ -228,6 +302,14 @@ details                               object                     Payment-specifi
                                                                 the object is empty.
 ===================================== ========================== =======================================================

+.. versionchanged:: 2.0
+
+  This resource has been added.
+
+.. versionchanged:: 3.1
+
+  The attributes ``payment_url`` and ``details`` have been added.
+
 .. _order-refund-resource:

 Order refund resource
@@ -243,14 +325,21 @@ state                                 string                     Payment state,
 source                                string                     How this refund has been created, one of ``buyer``, ``admin``, or ``external``
 amount                                money (string)             Payment amount
 created                               datetime                   Date and time of creation of this payment
-comment                               string                     Reason for refund (shown to the customer in some cases, can be ``null``).
-execution_date                        datetime                   Date and time of completion of this refund (or ``null``)
+payment_date                          datetime                   Date and time of completion of this payment (or ``null``)
 provider                              string                     Identification string of the payment provider
 ===================================== ========================== =======================================================

+.. versionchanged:: 2.0
+
+  This resource has been added.
+
 List of all orders
 ------------------

+.. versionchanged:: 1.15
+
+   Filtering for emails or order codes is now case-insensitive.
+
 .. versionchanged:: 3.5

   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
@@ -1356,6 +1445,21 @@ Sending e-mails
 List of all order positions
 ---------------------------

+.. versionchanged:: 1.15
+
+   The order positions endpoint has been extended by the filter queries ``item__in``, ``variation__in``,
+   ``order__status__in``, ``subevent__in``, ``addon_to__in`` and ``search``. The search for attendee names and order
+   codes is now case-insensitive.
+
+.. versionchanged:: 2.0
+
+   The order positions endpoint has been extended by the filter queries ``voucher``, ``voucher__code`` and
+   ``pseudonymization_id``.
+
+.. versionchanged:: 3.2
+
+  The value ``auto_checked_in`` has been added to the ``checkins``-attribute.
+
 .. versionchanged:: 3.5

   The ``include_canceled_positions`` and ``include_canceled_fees`` query parameters have been added.
@@ -1602,67 +1706,6 @@ Order position ticket download
 Manipulating individual positions
 ---------------------------------

-.. versionchanged:: 3.15
-
-   The ``PATCH`` method has been added for individual positions.
-
-.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/(id)/
-
-   Updates specific fields on an order position. Currently, only the following fields are supported:
-
-   * ``attendee_email``
-
-   * ``attendee_name_parts`` or ``attendee_name``
-
-   * ``company``
-
-   * ``street``
-
-   * ``zipcode``
-
-   * ``city``
-
-   * ``country``
-
-   * ``state``
-
-   * ``answers``: If specified, you will need to provide **all** answers for this order position.
-     Validation is handled the same way as when creating orders through the API. You are therefore
-     expected to provide ``question``, ``answer``, and possibly ``options``. ``question_identifier``
-     and ``option_identifiers`` will be ignored.
-
-   **Example request**:
-
-   .. sourcecode:: http
-
-      PATCH /api/v1/organizers/bigevents/events/sampleconf/orderpositions/23442/ HTTP/1.1
-      Host: pretix.eu
-      Accept: application/json, text/javascript
-      Content-Type: application/json
-
-      {
-        "attendee_email": "other@example.org"
-      }
-
-   **Example response**:
-
-   .. sourcecode:: http
-
-      HTTP/1.1 200 OK
-      Vary: Accept
-      Content-Type: application/json
-
-      (Full order resource, see above.)
-
-   :param organizer: The ``slug`` field of the organizer of the event
-   :param event: The ``slug`` field of the event
-   :param id: The ``id`` field of the order position to update
-
-   :statuscode 200: no error
-   :statuscode 400: The order could not be updated due to invalid submitted data.
-   :statuscode 401: Authentication failure
-   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to update this order.
-
 .. http:delete:: /api/v1/organizers/(organizer)/events/(event)/orderpositions/(id)/

   Deletes an order position, identified by its internal ID.
@@ -1695,6 +1738,10 @@ Manipulating individual positions
 Order payment endpoints
 -----------------------

+.. versionchanged:: 2.0
+
+  These endpoints have been added.
+
 .. versionchanged:: 3.6

   Payments can now be created through the API.
@@ -1974,6 +2021,10 @@ Order payment endpoints
 Order refund endpoints
 ----------------------

+.. versionchanged:: 2.0
+
+  These endpoints have been added.
+
 .. http:get:: /api/v1/organizers/(organizer)/events/(event)/orders/(code)/refunds/

   Returns a list of all refunds for an order.
@@ -2007,7 +2058,6 @@ Order refund endpoints
            "payment": 1,
            "created": "2017-12-01T10:00:00Z",
            "execution_date": "2017-12-04T12:13:12Z",
-            "comment": "Cancellation",
            "provider": "banktransfer"
          }
        ]
@@ -2050,7 +2100,6 @@ Order refund endpoints
        "payment": 1,
        "created": "2017-12-01T10:00:00Z",
        "execution_date": "2017-12-04T12:13:12Z",
-        "comment": "Cancellation",
        "provider": "banktransfer"
      }

@@ -2085,7 +2134,6 @@ Order refund endpoints
        "amount": "23.00",
        "payment": 1,
        "execution_date": null,
-        "comment": "Cancellation",
        "provider": "manual",
        "mark_canceled": false,
        "mark_pending": true
@@ -2107,7 +2155,6 @@ Order refund endpoints
        "payment": 1,
        "created": "2017-12-01T10:00:00Z",
        "execution_date": null,
-        "comment": "Cancellation",
        "provider": "manual"
      }

--- a/doc/api/resources/question_options.rst
+++ b/doc/api/resources/question_options.rst
@@ -19,6 +19,10 @@ identifier                            string                     An arbitrary st
 answer                                multi-lingual string       The displayed value of this option
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.12
+
+   This resource has been added.
+
 Endpoints
 ---------

--- a/doc/api/resources/questions.rst
+++ b/doc/api/resources/questions.rst
@@ -75,6 +75,28 @@ dependency_value                      string                     An old version
                                                                 for one value. **Deprecated.**
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.12
+
+  The values ``D``, ``H``, and ``W`` for the field ``type`` are now allowed and the ``ask_during_checkin`` field has
+  been added.
+
+.. versionchanged:: 1.14
+
+  Write methods have been added. The attribute ``identifier`` has been added to both the resource itself and the
+  options resource. The ``position`` attribute has been added to the options resource.
+
+.. versionchanged:: 2.7
+
+  The attribute ``hidden`` and the question type ``CC`` have been added.
+
+.. versionchanged:: 3.0
+
+  The attribute ``dependency_values`` has been added.
+
+.. versionchanged:: 3.1
+
+  The attribute ``print_on_invoice`` has been added.
+
 .. versionchanged:: 3.5

  The attribute ``help_text`` has been added.
--- a/doc/api/resources/quotas.rst
+++ b/doc/api/resources/quotas.rst
@@ -30,6 +30,14 @@ release_after_exit                    boolean                    Whether the quo
                                                                 have been scanned at an exit.
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.10
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
+.. versionchanged:: 3.0
+
+   The attributes ``close_when_sold_out`` and ``closed`` have been added.
+
 .. versionchanged:: 3.10

   The attribute ``release_after_exit`` has been added.
--- a/doc/api/resources/seatingplans.rst
+++ b/doc/api/resources/seatingplans.rst
@@ -20,6 +20,10 @@ layout                                object                     JSON representa
                                                                 still evolves. The version in use can be found `here`_.
 ===================================== ========================== =======================================================

+.. versionchanged:: 3.0
+
+   This endpoint has been added.
+
 Endpoints
 ---------

--- a/doc/api/resources/subevents.rst
+++ b/doc/api/resources/subevents.rst
@@ -33,7 +33,6 @@ date_to                               datetime                   The sub-event's
 date_admission                        datetime                   The sub-event's admission date (or ``null``)
 presale_start                         datetime                   The sub-date at which the ticket shop opens (or ``null``)
 presale_end                           datetime                   The sub-date at which the ticket shop closes (or ``null``)
-frontpage_text                        multi-lingual string       The description of the event (or ``null``)
 location                              multi-lingual string       The sub-event location (or ``null``)
 geo_lat                               float                      Latitude of the location (or ``null``)
 geo_lon                               float                      Longitude of the location (or ``null``)
@@ -55,6 +54,25 @@ seat_category_mapping                 object                     An object mappi
 last_modified                         datetime                   Last modification of this object
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.7
+
+   The ``meta_data`` field has been added.
+
+.. versionchanged:: 2.1
+
+   The ``event`` field has been added, together with filters on the list of dates and an organizer-level list.
+
+.. versionchanged:: 2.6
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
+.. versionchanged:: 2.7
+
+   The attribute ``is_public`` has been added.
+
+.. versionchanged:: 3.0
+
+   The attributes ``seating_plan`` and ``seat_category_mapping`` have been added.
+
 .. versionchanged:: 3.3

   The attributes ``geo_lat`` and ``geo_lon`` have been added.
--- a/doc/api/resources/taxrules.rst
+++ b/doc/api/resources/taxrules.rst
@@ -24,6 +24,14 @@ home_country                          string                     Merchant countr
                                                                 ``null`` or empty string
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.7
+
+   This resource has been added.
+
+.. versionchanged:: 1.9
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+

 Endpoints
 ---------
--- a/doc/api/resources/teams.rst
+++ b/doc/api/resources/teams.rst
@@ -1,4 +1,4 @@
-.. spelling:: fullname checkin
+.. spelling:: fullname

 .. _`rest-teams`:

@@ -32,7 +32,6 @@ can_view_orders                       boolean
 can_change_orders                     boolean
 can_view_vouchers                     boolean
 can_change_vouchers                   boolean
-can_checkin_orders                    boolean
 ===================================== ========================== =======================================================

 Team member resource
--- a/doc/api/resources/vouchers.rst
+++ b/doc/api/resources/vouchers.rst
@@ -46,6 +46,14 @@ show_hidden_items                     boolean                    Only if set to
 ===================================== ========================== =======================================================


+.. versionchanged:: 1.9
+
+   The write operations ``POST``, ``PATCH``, ``PUT``, and ``DELETE`` have been added.
+
+.. versionchanged:: 3.0
+
+   The attribute ``show_hidden_items`` has been added.
+
 .. versionchanged:: 3.4

   The attribute ``seat`` has been added.
--- a/doc/api/resources/waitinglist.rst
+++ b/doc/api/resources/waitinglist.rst
@@ -13,10 +13,7 @@ Field                                 Type                       Description
 ===================================== ========================== =======================================================
 id                                    integer                    Internal ID of the waiting list entry
 created                               datetime                   Creation date of the waiting list entry
-name                                  string                     Name of the user on the waiting list (or ``null``)
-name_parts                            object of strings          Decomposition of name of the user (or ``null``)
 email                                 string                     Email address of the user on the waiting list
-phone                                 string                     Phone number of the user on the waiting list (or ``null``)
 voucher                               integer                    Internal ID of the voucher sent to this user. If
                                                                 this field is set, the user has been sent a voucher
                                                                 and is no longer waiting. If it is ``null``, the
--- a/doc/development/api/general.rst
+++ b/doc/development/api/general.rst
@@ -34,7 +34,7 @@ Frontend
 --------

 .. automodule:: pretix.presale.signals
-   :members: html_head, html_footer, footer_link, global_footer_link, front_page_top, front_page_bottom, front_page_bottom_widget, fee_calculation_for_cart, contact_form_fields, question_form_fields, contact_form_fields_overrides, question_form_fields_overrides, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info, position_info_top, item_description, global_html_head, global_html_footer, global_html_page_header
+   :members: html_head, html_footer, footer_link, front_page_top, front_page_bottom, front_page_bottom_widget, fee_calculation_for_cart, contact_form_fields, question_form_fields, contact_form_fields_overrides, question_form_fields_overrides, checkout_confirm_messages, checkout_confirm_page_content, checkout_all_optional, html_page_header, sass_preamble, sass_postamble, render_seating_plan, checkout_flow_steps, position_info, position_info_top, item_description, global_html_head, global_html_footer, global_html_page_header


 .. automodule:: pretix.presale.signals
@@ -79,7 +79,7 @@ Ticket designs
 """"""""""""""

 .. automodule:: pretix.base.signals
-   :members: layout_text_variables, layout_image_variables
+   :members: layout_text_variables

 .. automodule:: pretix.plugins.ticketoutputpdf.signals
   :members: override_layout
--- a/doc/development/api/payment.rst
+++ b/doc/development/api/payment.rst
@@ -106,22 +106,14 @@ The provider class

   .. automethod:: payment_control_render

-   .. automethod:: payment_control_render_short
-
   .. automethod:: payment_refund_supported

   .. automethod:: payment_partial_refund_supported

-   .. automethod:: payment_presale_render
-
   .. automethod:: execute_refund

   .. automethod:: refund_control_render

-   .. automethod:: new_refund_control_form_render
-
-   .. automethod:: new_refund_control_form_process
-
   .. automethod:: api_payment_details

   .. automethod:: matching_id
--- a/doc/development/concepts.rst
+++ b/doc/development/concepts.rst
@@ -82,15 +82,11 @@ Orders
 ^^^^^^

 If a customer completes the checkout process, an **Order** will be created containing all the entered information.
-An order can be in one of currently six states that are listed in the diagram below:
+An order can be in one of currently four states that are listed in the diagram below:

 .. image:: /images/order_states.png

-The dotted lines represent status changes that usually do not happen as part of the regular process, but can be
-performed manually in the admin backend.
-
-For historical reasons, there are only four valid values of the ``status`` field, and the two additional states are
-represented differently:
+There are additional "fake" states that are displayed like states but not represented as states in the system:

 * An order is considered **canceled (with paid fee)** if it is in **paid** status but does not include any non-cancelled positions.

--- a/doc/development/setup.rst
+++ b/doc/development/setup.rst
@@ -67,10 +67,6 @@ Then, create the local database::
 A first user with username ``admin@localhost`` and password ``admin`` will be automatically
 created.

-You will also need to install a few JavaScript dependencies::
-
-    make npminstall
-
 If you want to see pretix in a different language than English, you have to compile our language
 files::

--- a/doc/images/order_objects.png
+++ b/doc/images/order_objects.png
--- a/doc/images/order_objects.puml
+++ b/doc/images/order_objects.puml
@@ -1,34 +0,0 @@
-@startuml
-
-participant User
-collections "OrderPayment\nOrderRefund" as P
-collections "Order\nOrderPosition" as O
-collections "Invoice\nInvoiceLine" as I
-
-User -> O: Order placed (€100)
-rnote over O #6DD96D: Order A1B2C\nstatus = **n**\ntotal = €100
-O -> P: Payment created
-O -> I: Invoice created\n(can also happen later)
-rnote over I #6DD96D: Invoice 00001\n€100
-rnote over P #6DD96D: OrderPayment A1B2C-P-1\nstate = **created**
-P -> User: Payment details (web, email)
-User -> P: Payment performed
-rnote over P #EFF46B: OrderPayment A1B2C-P-1\nstate = **confirmed**
-P -> O: Order marked as paid
-rnote over O #EFF46B: Order A1B2C\nstatus = **p**\ntotal = €100
-User -> O: Data change (e.g. invoice address)
-O -> I: Invoice reissued
-rnote over I #6DD96D: Invoice 00002\n€-100
-rnote over I #6DD96D: Invoice 00003\n€100
-rnote over O #EFF46B: Order A1B2C\nstatus = **p**\ntotal = €100
-User -> O: Order canceled
-rnote over O #EFF46B: Order A1B2C\nstatus = **c**
-O -> I: Invoice canceled
-rnote over I #6DD96D: Invoice 00004\n€-100
-O -> P: Refund started
-rnote over P #6DD96D: OrderRefund\nA1B2C-R-1\nstate = **created**
-P -> User: Money sent
-rnote over P #EFF46B: OrderRefund\nA1B2C-R-1\nstate = **done**
-
-@enduml
-
--- a/doc/images/order_states.png
+++ b/doc/images/order_states.png
--- a/doc/images/order_states.puml
+++ b/doc/images/order_states.puml
@@ -1,39 +1,19 @@
@startuml

-state "Approval Pending" as AP
-state "Canceled (with paid fee)" as CP
-AP: status = "n"
-AP: require_approval = true
-Pending: status = "n"
-Pending: require_approval = false
-Pending: Tickets reserved: yes
-Expired: status = "e"
-Expired: Tickets reserved: no
-Paid: status = "p"
-Paid: count(positions | !canceled) > 0
-Paid: Tickets reserved: yes
-CP: status = "p"
-CP: count(positions | !canceled) = 0
-Canceled: status = "c"
-Canceled: Tickets reserved: no
+Pending: Order is expecting payment\nOrder reduces quotas
+Expired: Payment period is over\nOrder does not affect quotas
+Paid: Order was successful\nOrder reduces quotas
+Canceled: Order has been canceled\nOrder does not affect quotas

-
-[*] -> Pending: order placed\ntotal > 0
-[*] -> Paid: order placed\ntotal = 0
-[*] -> AP: order placed\napproval required
-Pending --> Paid: order paid
-Pending --> Expired: after payment\ndeadline
-Expired --> Paid: order paid\n(only if quota left)
-Expired -[dashed]-> Canceled
-Expired -[dashed]-> Pending: order extended
-Paid --> Canceled: order canceled
-Pending --> Canceled: order canceled
-Paid -[dashed]-> Pending: refund
-AP --> Pending: order approved
-AP --> Canceled: order denied
-Paid --> CP: order canceled\n(with cancellation fee)
-Canceled -[dashed]-> Pending: order reactivated
-Canceled -[dashed]-> Paid: order reactivated
-CP -[dashed]-> Canceled: fee canceled
+[*] --> Pending: customer\nplaces order
+Pending --> Paid: successful payment
+Pending --> Expired: automatically\nor manually\non admin action
+Expired --> Paid: if payment is received\nonly if quota left
+Expired --> Canceled
+Expired --> Pending: manually\non admin action
+Paid --> Canceled: manually on\nadmin action\nor if an external\npayment provider\nnotifies about a\npayment refund
+Pending --> Canceled: on admin or\ncustomer action
+Paid -> Pending: manually on admin action
+[*] --> Paid: customer\nplaces free order

@enduml
--- a/doc/plugins/badges.rst
+++ b/doc/plugins/badges.rst
@@ -22,6 +22,10 @@ item_assignments                      list of objects            Products this l
 └ item                                integer                    Item ID
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.16
+
+   This resource has been added.
+

 Endpoints
 ---------
--- a/doc/plugins/ticketoutputpdf.rst
+++ b/doc/plugins/ticketoutputpdf.rst
@@ -24,6 +24,14 @@ item_assignments                      list of objects            Products this l
 └ item                                integer                    Item ID
 ===================================== ========================== =======================================================

+.. versionchanged:: 1.16
+
+   This resource has been added.
+
+.. versionchanged:: 2.3
+
+   The ``item_assignments.sales_channel`` field has been added.
+

 Endpoints
 ---------
--- a/doc/user/events/email.rst
+++ b/doc/user/events/email.rst
@@ -64,35 +64,20 @@ is valid in every text):
 Placeholder                    Description
 ============================== ===============================================================================
 event                          The event name
-event_slug                     The event's short form
-code                           In case of the waiting list, the voucher code to redeem
-currency                       The currency used for the event (three-letter code)
 total                          The order's total value
 total_with_currency            The order's total value with a localized currency sign
-refund_amount                  (For cancellation emails) The amount of money that will be refunded, including
-                               the currency
+currency                       The currency used for the event (three-letter code)
 payment_info                   Information text specific to the payment method (e.g. banking details)
 url                            An URL pointing to the download/status page of the order
-url_info_change                An URL pointing to the page of the order that can be used to change ticket
-                               information
-url_products_change            An URL pointing to the page of the order that can be used to change the products
-                               in the order
-url_cancel                     An URL pointing to the page of the order that can be used to cancel the order
-name, name_*                   Any name that can be used to address the recipient (e.g. name from invoice address,
-                               name from first ticket, …)
-invoice_name, invoice_name_*   The name field of the invoice address
+invoice_name                   The name field of the invoice address
 invoice_company                The company field of the invoice address
-attendee_name, attendee_name_* The name of the attendee represented by the ticket
 expire_date                    The order's expiration date
-comment                        When rejecting an order, this will contain the reason for the rejection
 date                           The same as ``expire_date``, but in a different e-mail (for backwards
                               compatibility)
 orders                         A list of orders including links to their status pages, specific to the "resend
                               link (requested by user)" e-mail
+code                           In case of the waiting list, the voucher code to redeem
 hours                          In case of the waiting list, the number of hours the voucher code is valid
-product                        In case of the waiting list, the product that has become available
-voucher_list                   When sending out vouchers in bulk, this will be replaced with the list of
-                               vouchers
 ============================== ===============================================================================

 The different e-mails are explained in the following:
--- a/doc/user/events/widget.rst
+++ b/doc/user/events/widget.rst
@@ -88,15 +88,6 @@ website. If you confident to have a good reason for not using SSL, you can overr

   <pretix-widget event="https://pretix.eu/demo/democon/" skip-ssl-check></pretix-widget>

-Always open a new tab
---------------------
-
-If you want the checkout process to always open a new tab regardless of screen size, you can pass the ``disable-iframe``
-attribute::
-
-   <pretix-widget event="https://pretix.eu/demo/democon/" disable-iframe></pretix-widget>
-
-
 Pre-selecting a voucher
 -----------------------

@@ -206,10 +197,7 @@ should be added to the cart. The syntax of this attribute is ``item_ITEMID=1,ite
 where ``ITEMID`` are the internal IDs of items to be added and ``VARID`` are the internal IDs of variations of those
 items, if the items have variations. If you omit the ``items`` attribute, the general start page will be presented.

-In case you are using an event-series, you will need to specify the subevent for which the item(s) should be put in the
-cart. This can be done by specifying the ``subevent``-attribute.
-
-Just as the widget, the button supports the optional attributes ``voucher``, ``disable-iframe``, and ``skip-ssl-check``.
+Just as the widget, the button supports the optional attributes ``voucher`` and ``skip-ssl-check``.

 You can style the button using the ``pretix-button`` CSS class.

@@ -316,92 +304,8 @@ Hosted or pretix Enterprise are active, you can pass the following fields:
 * If you use the campaigns plugin, you can pass a campaign ID as a value to ``data-campaign``. This way, all orders
  made through this widget will be counted towards this campaign.

-* If you use the tracking plugin, you can enable cross-domain tracking. To do so, you need to initialize the 
-  pretix-widget manually. Use the html code to embed the widget and add one the following code snippets. Make sure to
-  replace all occurrences of <MEASUREMENT_ID> with your Google Analytics MEASUREMENT_ID (UA-XXXXXXX-X or G-XXXXXXXX)
-
-  Please also make sure to add the embedding website to your `Referral exclusions
-  <https://support.google.com/analytics/answer/2795830>`_ in your Google Analytics settings.
-
-  If you use Google Analytics 4 (GA4 – G-XXXXXXXX)::
-
-    <script async src="https://www.googletagmanager.com/gtag/js?id=<MEASUREMENT_ID>"></script>
-    <script type="text/javascript">
-        window.dataLayer = window.dataLayer || [];
-        function gtag(){dataLayer.push(arguments);}
-        gtag('js', new Date());
-        gtag('config', '<MEASUREMENT_ID>');
-
-        window.pretixWidgetCallback = function () {
-            window.PretixWidget.build_widgets = false;
-            window.addEventListener('load', function() { // Wait for GA to be loaded
-                if (!window['google_tag_manager']) {
-                    window.PretixWidget.buildWidgets();
-                    return;
-                }
-
-                var clientId;
-                var sessionId;
-                var loadingTimeout;
-                function build() {
-                    // use loadingTimeout to make sure build() is only called once
-                    if (!loadingTimeout) return;
-                    window.clearTimeout(loadingTimeout);
-                    loadingTimeout = null;
-                    if (clientId) window.PretixWidget.widget_data["tracking-ga-id"] = clientId;
-                    if (sessionId) window.PretixWidget.widget_data["tracking-ga-sessid"] = sessionId;
-                    window.PretixWidget.buildWidgets();
-                };
-                // make sure to build pretix-widgets if gtag fails to load either client_id or session_id
-                loadingTimeout = window.setTimeout(build, 2000);
-
-                gtag('get', '<MEASUREMENT_ID>', 'client_id', function(id) {
-                    clientId = id;
-                    if (sessionId !== undefined) build();
-                });
-                gtag('get', '<MEASUREMENT_ID>', 'session_id', function(id) {
-                    sessionId = id;
-                    if (clientId !== undefined) build();
-                });
-            });
-        };
-    </script>
-
-  If you use Universal Analytics with ``gtag.js`` (UA-XXXXXXX-X)::
-
-    <script async src="https://www.googletagmanager.com/gtag/js?id=<MEASUREMENT_ID>"></script>
-    <script type="text/javascript">
-        window.dataLayer = window.dataLayer || [];
-        function gtag(){dataLayer.push(arguments);}
-        gtag('js', new Date());
-        gtag('config', '<MEASUREMENT_ID>');
-
-        window.pretixWidgetCallback = function () {
-            window.PretixWidget.build_widgets = false;
-            window.addEventListener('load', function() { // Wait for GA to be loaded
-                if (!window['google_tag_manager']) {
-                    window.PretixWidget.buildWidgets();
-                    return;
-                }
-
-                // make sure to build pretix-widgets if gtag fails to load client_id
-                var loadingTimeout = window.setTimeout(function() {
-                    loadingTimeout = null;
-                    window.PretixWidget.buildWidgets();
-                }, 1000);
-
-                gtag('get', '<MEASUREMENT_ID>', 'client_id', function(id) {
-                    if (loadingTimeout) {
-                        window.clearTimeout(loadingTimeout);
-                        window.PretixWidget.widget_data["tracking-ga-id"] = id;
-                        window.PretixWidget.buildWidgets();
-                    }
-                });
-            });
-        };
-    </script>
-
-  If you use ```analytics.js` (Universal Analytics)::
+* If you use the tracking plugin, you can pass a Google Analytics User ID to enable cross-domain tracking. This will
+  require you to dynamically load the widget, like this::

    <script>
        (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
@@ -409,33 +313,32 @@ Hosted or pretix Enterprise are active, you can pass the following fields:
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

-        ga('create', '<MEASUREMENT_ID>', 'auto');
+        ga('create', 'UA-XXXXXX-1', 'auto');
        ga('send', 'pageview');

        window.pretixWidgetCallback = function () {
            window.PretixWidget.build_widgets = false;
            window.addEventListener('load', function() { // Wait for GA to be loaded
-                if (!window['ga'] || !ga.create) {
-                    // Tracking is probably blocked
-                    window.PretixWidget.buildWidgets()
-                    return;
-                }
-
-                var loadingTimeout = window.setTimeout(function() {
-                    loadingTimeout = null;
-                    window.PretixWidget.buildWidgets();
-                }, 1000);
-                ga(function(tracker) {
-                    if (loadingTimeout) {
-                        window.clearTimeout(loadingTimeout);
+                if(window.ga && ga.create) {
+                    ga(function(tracker) {
                        window.PretixWidget.widget_data["tracking-ga-id"] = tracker.get('clientId');
-                        window.PretixWidget.buildWidgets();
-                    }
-                });
+                        window.PretixWidget.buildWidgets()
+                    });
+                } else { // Tracking is probably blocked
+                       window.PretixWidget.buildWidgets()
+                }
            });
        };
    </script>

+  In some combinations with Google Tag Manager, the widget does not load this way. In this case, try replacing
+  ``tracker.get('clientId')`` with ``ga.getAll()[0].get('clientId')``.
+
+
+.. versionchanged:: 2.3
+
+   Data passing options have been added in pretix 2.3. If you use a self-hosted version of pretix, they only work
+   fully if you configured a redis server.

 .. versionchanged:: 3.6

--- a/doc/user/organizers/teams.rst
+++ b/doc/user/organizers/teams.rst
@@ -59,8 +59,6 @@ Permissions separate into two areas:
   * Can view vouchers – This permission allows viewing the list of vouchers including the voucher codes themselves and
     their redemption status.

-   * Can perform check-ins – This permission allows using web-based features to perform ticket search and check-in.
-
   * Can change vouchers – This permission allows to create and modify vouchers in all their details. It only works
     properly if the same users also have the "Can view vouchers" permission.

--- a/src/.gitignore
+++ b/src/.gitignore
@@ -8,5 +8,3 @@ dist/
 *.egg-info/
 *.bak
 pretix/static/jsi18n/
-node_modules/
-
--- a/src/Makefile
+++ b/src/Makefile
@@ -6,13 +6,13 @@ localecompile:
 	./manage.py compilemessages

 localegen:
-	./manage.py makemessages --keep-pot --ignore "pretix/helpers/*" --ignore "pretix/static/npm_dir/*" $(LNGS)
-	./manage.py makemessages --keep-pot -d djangojs --ignore "pretix/static/npm_dir/*" --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "pretix/static/rrule/*" --ignore "build/*" $(LNGS)
+	./manage.py makemessages --keep-pot --ignore "pretix/helpers/*" $(LNGS)
+	./manage.py makemessages --keep-pot -d djangojs --ignore "pretix/helpers/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static/jsi18n/*" --ignore "pretix/static.dist/*" --ignore "data/*" --ignore "pretix/static/rrule/*" --ignore "build/*" $(LNGS)

 staticfiles: jsi18n
 	./manage.py collectstatic --noinput

-compress: npminstall
+compress:
 	./manage.py compress

 jsi18n: localecompile
@@ -23,10 +23,3 @@ test:

 coverage:
 	coverage run -m py.test
-
-npminstall:
-	# keep this in sync with setup.py!
-	mkdir -p pretix/static.dist/node_prefix/
-	cp -r pretix/static/npm_dir/* pretix/static.dist/node_prefix/
-	npm install --prefix=pretix/static.dist/node_prefix
-
--- a/src/pretix/init.py
+++ b/src/pretix/init.py
@@ -1 +1 @@
-__version__ = "3.17.0"
+__version__ = "3.15.0.dev0"
--- a/src/pretix/api/auth/devicesecurity.py
+++ b/src/pretix/api/auth/devicesecurity.py
@@ -10,7 +10,7 @@ class FullAccessSecurityProfile:


 class AllowListSecurityProfile:
-    allowlist = ()
+    allowlist = tuple()

    def is_allowed(self, request):
        key = (request.method, f"{request.resolver_match.namespace}:{request.resolver_match.url_name}")
@@ -41,9 +41,7 @@ class PretixScanSecurityProfile(AllowListSecurityProfile):
        ('POST', 'api-v1:checkinlistpos-redeem'),
        ('GET', 'api-v1:revokedsecrets-list'),
        ('GET', 'api-v1:order-list'),
-        ('GET', 'api-v1:orderposition-pdf_image'),
        ('GET', 'api-v1:event.settings'),
-        ('POST', 'api-v1:upload'),
    )


@@ -69,9 +67,7 @@ class PretixScanNoSyncSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:checkinlist-status'),
        ('POST', 'api-v1:checkinlistpos-redeem'),
        ('GET', 'api-v1:revokedsecrets-list'),
-        ('GET', 'api-v1:orderposition-pdf_image'),
        ('GET', 'api-v1:event.settings'),
-        ('POST', 'api-v1:upload'),
    )


@@ -95,15 +91,11 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
        ('GET', 'api-v1:taxrule-list'),
        ('GET', 'api-v1:ticketlayout-list'),
        ('GET', 'api-v1:ticketlayoutitem-list'),
-        ('GET', 'api-v1:badgelayout-list'),
-        ('GET', 'api-v1:badgeitem-list'),
        ('GET', 'api-v1:order-list'),
        ('POST', 'api-v1:order-list'),
        ('GET', 'api-v1:order-detail'),
        ('DELETE', 'api-v1:orderposition-detail'),
-        ('GET', 'api-v1:orderposition-pdf_image'),
        ('POST', 'api-v1:order-mark_canceled'),
-        ('POST', 'api-v1:orderpayment-list'),
        ('POST', 'api-v1:orderrefund-list'),
        ('POST', 'api-v1:orderrefund-done'),
        ('POST', 'api-v1:cartposition-list'),
@@ -114,7 +106,6 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
        ('POST', 'plugins:pretix_posbackend:posreceipt-list'),
        ('POST', 'plugins:pretix_posbackend:posclosing-list'),
        ('POST', 'plugins:pretix_posbackend:posdebugdump-list'),
-        ('GET', 'plugins:pretix_posbackend:poscashier-list'),
        ('POST', 'plugins:pretix_posbackend:stripeterminal.token'),
        ('GET', 'api-v1:revokedsecrets-list'),
        ('GET', 'api-v1:event.settings'),
@@ -122,7 +113,6 @@ class PretixPosSecurityProfile(AllowListSecurityProfile):
        ('GET', 'plugins:pretix_seating:event.event.subevent'),
        ('GET', 'plugins:pretix_seating:event.plan'),
        ('GET', 'plugins:pretix_seating:selection.simple'),
-        ('POST', 'api-v1:upload'),
    )


--- a/src/pretix/api/auth/permission.py
+++ b/src/pretix/api/auth/permission.py
@@ -46,12 +46,8 @@ class EventPermission(BasePermission):
            else:
                request.eventpermset = perm_holder.get_event_permission_set(request.organizer, request.event)

-            if isinstance(required_permission, (list, tuple)):
-                if not any(p in request.eventpermset for p in required_permission):
-                    return False
-            else:
-                if required_permission and required_permission not in request.eventpermset:
-                    return False
+            if required_permission and required_permission not in request.eventpermset:
+                return False

        elif 'organizer' in request.resolver_match.kwargs:
            if not request.organizer or not perm_holder.has_organizer_permission(request.organizer, request=request):
@@ -61,12 +57,8 @@ class EventPermission(BasePermission):
            else:
                request.orgapermset = perm_holder.get_organizer_permission_set(request.organizer)

-            if isinstance(required_permission, (list, tuple)):
-                if not any(p in request.eventpermset for p in required_permission):
-                    return False
-            else:
-                if required_permission and required_permission not in request.orgapermset:
-                    return False
+            if required_permission and required_permission not in request.orgapermset:
+                return False

        if isinstance(request.auth, OAuthAccessToken):
            if not request.auth.allow_scopes(['write']) and request.method not in SAFE_METHODS:
@@ -97,38 +89,10 @@ class EventCRUDPermission(EventPermission):
 class ProfilePermission(BasePermission):

    def has_permission(self, request, view):
-        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
+        if not request.user.is_authenticated:
            return False

-        if request.user.is_authenticated:
-            try:
-                # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
-                assert_session_valid(request)
-            except SessionInvalid:
-                return False
-            except SessionReauthRequired:
-                return False
-
        if isinstance(request.auth, OAuthAccessToken):
            if not (request.auth.allow_scopes(['read']) or request.auth.allow_scopes(['profile'])) and request.method in SAFE_METHODS:
                return False
-
-        return True
-
-
-class AnyAuthenticatedClientPermission(BasePermission):
-
-    def has_permission(self, request, view):
-        if not request.user.is_authenticated and not isinstance(request.auth, (Device, TeamAPIToken)):
-            return False
-
-        if request.user.is_authenticated:
-            try:
-                # If this logic is updated, make sure to also update the logic in pretix/control/middleware.py
-                assert_session_valid(request)
-            except SessionInvalid:
-                return False
-            except SessionReauthRequired:
-                return False
-
        return True
--- a/src/pretix/api/serializers/cart.py
+++ b/src/pretix/api/serializers/cart.py
@@ -1,6 +1,5 @@
 from datetime import timedelta

-from django.core.files import File
 from django.utils.crypto import get_random_string
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy
@@ -101,15 +100,8 @@ class CartPositionCreateSerializer(I18nAwareModelSerializer):

        for answ_data in answers_data:
            options = answ_data.pop('options')
-            if isinstance(answ_data['answer'], File):
-                an = answ_data.pop('answer')
-                answ = cp.answers.create(**answ_data, answer='')
-                answ.file.save(an.name, an, save=False)
-                answ.answer = 'file://' + answ.file.name
-                answ.save()
-            else:
-                answ = cp.answers.create(**answ_data)
-                answ.options.add(*options)
+            answ = cp.answers.create(**answ_data)
+            answ.options.add(*options)
        return cp

    def validate_cart_id(self, cid):
--- a/src/pretix/api/serializers/checkin.py
+++ b/src/pretix/api/serializers/checkin.py
@@ -2,7 +2,6 @@ from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError

-from pretix.api.serializers.event import SubEventSerializer
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.channels import get_all_sales_channels
 from pretix.base.models import CheckinList
@@ -21,9 +20,6 @@ class CheckinListSerializer(I18nAwareModelSerializer):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

-        if 'subevent' in self.context['request'].query_params.getlist('expand'):
-            self.fields['subevent'] = SubEventSerializer(read_only=True)
-
        for exclude_field in self.context['request'].query_params.getlist('exclude'):
            p = exclude_field.split('.')
            if p[0] in self.fields:
@@ -54,6 +50,4 @@ class CheckinListSerializer(I18nAwareModelSerializer):
            if channel not in get_all_sales_channels():
                raise ValidationError(_('Unknown sales channel.'))

-        CheckinList.validate_rules(data.get('rules'))
-
        return data
--- a/src/pretix/api/serializers/event.py
+++ b/src/pretix/api/serializers/event.py
@@ -1,29 +1,25 @@
-import logging
-
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import transaction
-from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
 from django.utils.translation import gettext as _
 from django_countries.serializers import CountryFieldMixin
+from hierarkey.proxy import HierarkeyProxy
 from pytz import common_timezones
+from rest_framework import serializers
 from rest_framework.fields import ChoiceField, Field
 from rest_framework.relations import SlugRelatedField

 from pretix.api.serializers.i18n import I18nAwareModelSerializer
-from pretix.api.serializers.settings import SettingsSerializer
-from pretix.base.models import Device, Event, TaxRule, TeamAPIToken
+from pretix.base.models import Event, TaxRule
 from pretix.base.models.event import SubEvent
 from pretix.base.models.items import SubEventItem, SubEventItemVariation
 from pretix.base.services.seating import (
    SeatProtected, generate_seats, validate_plan_change,
 )
-from pretix.base.settings import validate_event_settings
+from pretix.base.settings import DEFAULTS, validate_event_settings
 from pretix.base.signals import api_event_settings_fields

-logger = logging.getLogger(__name__)
-

 class MetaDataField(Field):

@@ -174,12 +170,9 @@ class EventSerializer(I18nAwareModelSerializer):
        }

    def validate_meta_data(self, value):
-        for key, v in value['meta_data'].items():
+        for key in value['meta_data'].keys():
            if key not in self.meta_properties:
                raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
-            if self.meta_properties[key].allowed_values:
-                if v not in [_v.strip() for _v in self.meta_properties[key].allowed_values.splitlines()]:
-                    raise ValidationError(_('Meta data property \'{name}\' does not allow value \'{value}\'.').format(name=key, value=v))
        return value

    @cached_property
@@ -226,14 +219,6 @@ class EventSerializer(I18nAwareModelSerializer):

        return value

-    @cached_property
-    def ignored_meta_properties(self):
-        perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
-                       else self.context['request'].user)
-        if perm_holder.has_organizer_permission('can_change_organizer_settings', request=self.context['request']):
-            return []
-        return [k for k, p in self.meta_properties.items() if p.protected]
-
    @transaction.atomic
    def create(self, validated_data):
        meta_data = validated_data.pop('meta_data', None)
@@ -249,11 +234,10 @@ class EventSerializer(I18nAwareModelSerializer):
        # Meta data
        if meta_data is not None:
            for key, value in meta_data.items():
-                if key not in self.ignored_meta_properties:
-                    event.meta_values.create(
-                        property=self.meta_properties.get(key),
-                        value=value
-                    )
+                event.meta_values.create(
+                    property=self.meta_properties.get(key),
+                    value=value
+                )

        # Item Meta properties
        if item_meta_properties is not None:
@@ -291,25 +275,23 @@ class EventSerializer(I18nAwareModelSerializer):
        if meta_data is not None:
            current = {mv.property: mv for mv in event.meta_values.select_related('property')}
            for key, value in meta_data.items():
-                if key not in self.ignored_meta_properties:
-                    prop = self.meta_properties.get(key)
-                    if prop in current:
-                        current[prop].value = value
-                        current[prop].save()
-                    else:
-                        event.meta_values.create(
-                            property=self.meta_properties.get(key),
-                            value=value
-                        )
+                prop = self.meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    event.meta_values.create(
+                        property=self.meta_properties.get(key),
+                        value=value
+                    )

            for prop, current_object in current.items():
-                if prop.name not in self.ignored_meta_properties:
-                    if prop.name not in meta_data:
-                        current_object.delete()
+                if prop.name not in meta_data:
+                    current_object.delete()

        # Item Meta properties
        if item_meta_properties is not None:
-            current = list(event.item_meta_properties.all())
+            current = [imp for imp in event.item_meta_properties.all()]
            for key, value in item_meta_properties.items():
                prop = self.item_meta_props.get(key)
                if prop in current:
@@ -409,8 +391,8 @@ class SubEventSerializer(I18nAwareModelSerializer):
        model = SubEvent
        fields = ('id', 'name', 'date_from', 'date_to', 'active', 'date_admission',
                  'presale_start', 'presale_end', 'location', 'geo_lat', 'geo_lon', 'event', 'is_public',
-                  'frontpage_text', 'seating_plan', 'item_price_overrides', 'variation_price_overrides',
-                  'meta_data', 'seat_category_mapping', 'last_modified')
+                  'seating_plan', 'item_price_overrides', 'variation_price_overrides', 'meta_data',
+                  'seat_category_mapping', 'last_modified')

    def validate(self, data):
        data = super().validate(data)
@@ -458,22 +440,11 @@ class SubEventSerializer(I18nAwareModelSerializer):
        }

    def validate_meta_data(self, value):
-        for key, v in value['meta_data'].items():
+        for key in value['meta_data'].keys():
            if key not in self.meta_properties:
                raise ValidationError(_('Meta data property \'{name}\' does not exist.').format(name=key))
-            if self.meta_properties[key].allowed_values:
-                if v not in [_v.strip() for _v in self.meta_properties[key].allowed_values.splitlines()]:
-                    raise ValidationError(_('Meta data property \'{name}\' does not allow value \'{value}\'.').format(name=key, value=v))
        return value

-    @cached_property
-    def ignored_meta_properties(self):
-        perm_holder = (self.context['request'].auth if isinstance(self.context['request'].auth, (Device, TeamAPIToken))
-                       else self.context['request'].user)
-        if perm_holder.has_organizer_permission('can_change_organizer_settings', request=self.context['request']):
-            return []
-        return [k for k, p in self.meta_properties.items() if p.protected]
-
    @transaction.atomic
    def create(self, validated_data):
        item_price_overrides_data = validated_data.pop('subeventitem_set') if 'subeventitem_set' in validated_data else {}
@@ -490,11 +461,10 @@ class SubEventSerializer(I18nAwareModelSerializer):
        # Meta data
        if meta_data is not None:
            for key, value in meta_data.items():
-                if key not in self.ignored_meta_properties:
-                    subevent.meta_values.create(
-                        property=self.meta_properties.get(key),
-                        value=value
-                    )
+                subevent.meta_values.create(
+                    property=self.meta_properties.get(key),
+                    value=value
+                )

        # Seats
        if subevent.seating_plan:
@@ -540,21 +510,19 @@ class SubEventSerializer(I18nAwareModelSerializer):
        if meta_data is not None:
            current = {mv.property: mv for mv in subevent.meta_values.select_related('property')}
            for key, value in meta_data.items():
-                if key not in self.ignored_meta_properties:
-                    prop = self.meta_properties.get(key)
-                    if prop in current:
-                        current[prop].value = value
-                        current[prop].save()
-                    else:
-                        subevent.meta_values.create(
-                            property=self.meta_properties.get(key),
-                            value=value
-                        )
+                prop = self.meta_properties.get(key)
+                if prop in current:
+                    current[prop].value = value
+                    current[prop].save()
+                else:
+                    subevent.meta_values.create(
+                        property=self.meta_properties.get(key),
+                        value=value
+                    )

            for prop, current_object in current.items():
-                if prop.name not in self.ignored_meta_properties:
-                    if prop.name not in meta_data:
-                        current_object.delete()
+                if prop.name not in meta_data:
+                    current_object.delete()

        # Seats
        if seat_category_mapping is not None or ('seating_plan' in validated_data and validated_data['seating_plan'] is None):
@@ -590,13 +558,12 @@ class TaxRuleSerializer(CountryFieldMixin, I18nAwareModelSerializer):
        fields = ('id', 'name', 'rate', 'price_includes_tax', 'eu_reverse_charge', 'home_country')


-class EventSettingsSerializer(SettingsSerializer):
+class EventSettingsSerializer(serializers.Serializer):
    default_fields = [
        'imprint_url',
        'checkout_email_helptext',
        'presale_has_ended_text',
        'voucher_explanation_text',
-        'checkout_success_text',
        'banner_text',
        'banner_text_bottom',
        'show_dates_on_frontpage',
@@ -609,16 +576,10 @@ class EventSettingsSerializer(SettingsSerializer):
        'locale',
        'region',
        'last_order_modification_date',
-        'allow_modifications_after_checkin',
        'show_quota_left',
        'waiting_list_enabled',
        'waiting_list_hours',
        'waiting_list_auto',
-        'waiting_list_names_asked',
-        'waiting_list_names_required',
-        'waiting_list_phones_asked',
-        'waiting_list_phones_required',
-        'waiting_list_phones_explanation_text',
        'max_items_per_order',
        'reservation_time',
        'contact_mail',
@@ -628,9 +589,7 @@ class EventSettingsSerializer(SettingsSerializer):
        'redirect_to_checkout_directly',
        'frontpage_subevent_ordering',
        'event_list_type',
-        'event_list_available_only',
        'frontpage_text',
-        'event_info_text',
        'attendee_names_asked',
        'attendee_names_required',
        'attendee_emails_asked',
@@ -664,7 +623,6 @@ class EventSettingsSerializer(SettingsSerializer):
        'mail_from',
        'mail_from_name',
        'mail_attach_ical',
-        'mail_attach_tickets',
        'invoice_address_asked',
        'invoice_address_required',
        'invoice_address_vatid',
@@ -696,7 +654,6 @@ class EventSettingsSerializer(SettingsSerializer):
        'invoice_additional_text',
        'invoice_footer_text',
        'invoice_eu_currencies',
-        'invoice_logo_image',
        'cancel_allow_user',
        'cancel_allow_user_until',
        'cancel_allow_user_paid',
@@ -706,7 +663,6 @@ class EventSettingsSerializer(SettingsSerializer):
        'cancel_allow_user_paid_keep_percentage',
        'cancel_allow_user_paid_adjust_fees',
        'cancel_allow_user_paid_adjust_fees_explanation',
-        'cancel_allow_user_paid_adjust_fees_step',
        'cancel_allow_user_paid_refund_as_giftcard',
        'cancel_allow_user_paid_require_approval',
        'change_allow_user_variation',
@@ -718,21 +674,45 @@ class EventSettingsSerializer(SettingsSerializer):
        'theme_color_background',
        'theme_round_borders',
        'primary_font',
-        'logo_image',
-        'logo_image_large',
-        'logo_show_title',
-        'og_image',
    ]

    def __init__(self, *args, **kwargs):
        self.event = kwargs.pop('event')
+        self.changed_data = []
        super().__init__(*args, **kwargs)
+        for fname in self.default_fields:
+            kwargs = DEFAULTS[fname].get('serializer_kwargs', {})
+            if callable(kwargs):
+                kwargs = kwargs()
+            kwargs.setdefault('required', False)
+            kwargs.setdefault('allow_null', True)
+            form_kwargs = DEFAULTS[fname].get('form_kwargs', {})
+            if callable(form_kwargs):
+                form_kwargs = form_kwargs()
+            if 'serializer_class' not in DEFAULTS[fname]:
+                raise ValidationError('{} has no serializer class'.format(fname))
+            f = DEFAULTS[fname]['serializer_class'](
+                **kwargs
+            )
+            f._label = form_kwargs.get('label', fname)
+            f._help_text = form_kwargs.get('help_text')
+            self.fields[fname] = f

        for recv, resp in api_event_settings_fields.send(sender=self.event):
            for fname, field in resp.items():
                field.required = False
                self.fields[fname] = field

+    def update(self, instance: HierarkeyProxy, validated_data):
+        for attr, value in validated_data.items():
+            if value is None:
+                instance.delete(attr)
+                self.changed_data.append(attr)
+            elif instance.get(attr, as_type=type(value)) != value:
+                instance.set(attr, value)
+                self.changed_data.append(attr)
+        return instance
+
    def validate(self, data):
        data = super().validate(data)
        settings_dict = self.instance.freeze()
@@ -740,14 +720,6 @@ class EventSettingsSerializer(SettingsSerializer):
        validate_event_settings(self.event, settings_dict)
        return data

-    def get_new_filename(self, name: str) -> str:
-        nonce = get_random_string(length=8)
-        fname = '%s/%s/%s.%s.%s' % (
-            self.event.organizer.slug, self.event.slug, name.split('/')[-1], nonce, name.split('.')[-1]
-        )
-        # TODO: make sure pub is always correct
-        return 'pub/' + fname
-

 class DeviceEventSettingsSerializer(EventSettingsSerializer):
    default_fields = [
--- a/src/pretix/api/serializers/exporters.py
+++ b/src/pretix/api/serializers/exporters.py
@@ -18,18 +18,18 @@ class FormFieldWrapperField(serializers.Field):


 simple_mappings = (
-    (forms.DateField, serializers.DateField, ()),
-    (forms.TimeField, serializers.TimeField, ()),
-    (forms.SplitDateTimeField, serializers.DateTimeField, ()),
-    (forms.DateTimeField, serializers.DateTimeField, ()),
+    (forms.DateField, serializers.DateField, tuple()),
+    (forms.TimeField, serializers.TimeField, tuple()),
+    (forms.SplitDateTimeField, serializers.DateTimeField, tuple()),
+    (forms.DateTimeField, serializers.DateTimeField, tuple()),
    (forms.DecimalField, serializers.DecimalField, ('max_digits', 'decimal_places', 'min_value', 'max_value')),
-    (forms.FloatField, serializers.FloatField, ()),
-    (forms.IntegerField, serializers.IntegerField, ()),
-    (forms.EmailField, serializers.EmailField, ()),
-    (forms.UUIDField, serializers.UUIDField, ()),
-    (forms.URLField, serializers.URLField, ()),
-    (forms.NullBooleanField, serializers.NullBooleanField, ()),
-    (forms.BooleanField, serializers.BooleanField, ()),
+    (forms.FloatField, serializers.FloatField, tuple()),
+    (forms.IntegerField, serializers.IntegerField, tuple()),
+    (forms.EmailField, serializers.EmailField, tuple()),
+    (forms.UUIDField, serializers.UUIDField, tuple()),
+    (forms.URLField, serializers.URLField, tuple()),
+    (forms.NullBooleanField, serializers.NullBooleanField, tuple()),
+    (forms.BooleanField, serializers.BooleanField, tuple()),
 )


--- a/src/pretix/api/serializers/fields.py
+++ b/src/pretix/api/serializers/fields.py
@@ -1,6 +1,5 @@
 from collections import OrderedDict

-from django.core.exceptions import ValidationError
 from rest_framework import serializers


@@ -28,50 +27,3 @@ class ListMultipleChoiceField(serializers.MultipleChoiceField):
        ]

        return remove_duplicates_from_list(representation_data)
-
-
-class UploadedFileField(serializers.Field):
-    default_error_messages = {
-        'required': 'No file was submitted.',
-        'not_found': 'The submitted file ID was not found.',
-        'invalid_type': 'The submitted file has a file type that is not allowed in this field.',
-        'size': 'The submitted file is too large to be used in this field.',
-    }
-
-    def __init__(self, *args, **kwargs):
-        self.allowed_types = kwargs.pop('allowed_types', None)
-        self.max_size = kwargs.pop('max_size', None)
-        super().__init__(*args, **kwargs)
-
-    def to_internal_value(self, data):
-        from pretix.base.models import CachedFile
-
-        request = self.context.get('request', None)
-        try:
-            cf = CachedFile.objects.get(
-                session_key=f'api-upload-{str(type(request.user or request.auth))}-{(request.user or request.auth).pk}',
-                file__isnull=False,
-                pk=data[len("file:"):],
-            )
-        except (ValidationError, IndexError):  # invalid uuid
-            self.fail('not_found')
-        except CachedFile.DoesNotExist:
-            self.fail('not_found')
-
-        if self.allowed_types and cf.type not in self.allowed_types:
-            self.fail('invalid_type')
-        if self.max_size and cf.file.size > self.max_size:
-            self.fail('size')
-
-        return cf.file
-
-    def to_representation(self, value):
-        if not value:
-            return None
-
-        try:
-            url = value.url
-        except AttributeError:
-            return None
-        request = self.context['request']
-        return request.build_absolute_uri(url)
--- a/src/pretix/api/serializers/item.py
+++ b/src/pretix/api/serializers/item.py
@@ -7,7 +7,6 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers

 from pretix.api.serializers.event import MetaDataField
-from pretix.api.serializers.fields import UploadedFileField
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.base.models import (
    Item, ItemAddOn, ItemBundle, ItemCategory, ItemMetaValue, ItemVariation,
@@ -114,9 +113,6 @@ class ItemSerializer(I18nAwareModelSerializer):
    variations = InlineItemVariationSerializer(many=True, required=False)
    tax_rate = ItemTaxRateField(source='*', read_only=True)
    meta_data = MetaDataField(required=False, source='*')
-    picture = UploadedFileField(required=False, allow_null=True, allowed_types=(
-        'image/png', 'image/jpeg', 'image/gif'
-    ), max_size=10 * 1024 * 1024)

    class Meta:
        model = Item
@@ -127,7 +123,7 @@ class ItemSerializer(I18nAwareModelSerializer):
                  'min_per_order', 'max_per_order', 'checkin_attention', 'has_variations', 'variations',
                  'addons', 'bundles', 'original_price', 'require_approval', 'generate_tickets',
                  'show_quota_left', 'hidden_if_available', 'allow_waitinglist', 'issue_giftcard', 'meta_data')
-        read_only_fields = ('has_variations',)
+        read_only_fields = ('has_variations', 'picture')

    def validate(self, data):
        data = super().validate(data)
--- a/src/pretix/api/serializers/order.py
+++ b/src/pretix/api/serializers/order.py
@@ -3,7 +3,6 @@ from collections import Counter, defaultdict
 from decimal import Decimal

 import pycountry
-from django.core.files import File
 from django.db.models import F, Q
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy
@@ -13,23 +12,18 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.relations import SlugRelatedField
 from rest_framework.reverse import reverse

-from pretix.api.serializers.event import SubEventSerializer
 from pretix.api.serializers.i18n import I18nAwareModelSerializer
-from pretix.api.serializers.item import (
-    InlineItemVariationSerializer, ItemSerializer,
-)
 from pretix.base.channels import get_all_sales_channels
 from pretix.base.decimal import round_decimal
 from pretix.base.i18n import language
 from pretix.base.models import (
-    CachedFile, Checkin, Invoice, InvoiceAddress, InvoiceLine, Item,
-    ItemVariation, Order, OrderPosition, Question, QuestionAnswer, Seat,
-    SubEvent, TaxRule, Voucher,
+    Checkin, Invoice, InvoiceAddress, InvoiceLine, Item, ItemVariation, Order,
+    OrderPosition, Question, QuestionAnswer, Seat, SubEvent, TaxRule, Voucher,
 )
 from pretix.base.models.orders import (
    CartPosition, OrderFee, OrderPayment, OrderRefund, RevokedTicketSecret,
 )
-from pretix.base.pdf import get_images, get_variables
+from pretix.base.pdf import get_variables
 from pretix.base.services.cart import error_messages
 from pretix.base.services.locking import NoLockManager
 from pretix.base.services.pricing import get_price
@@ -49,14 +43,6 @@ class CompatibleCountryField(serializers.Field):
            return instance.country_old


-class CountryField(serializers.Field):
-    def to_internal_value(self, data):
-        return {self.field_name: Country(data)}
-
-    def to_representation(self, src):
-        return str(src) if src else None
-
-
 class InvoiceAddressSerializer(I18nAwareModelSerializer):
    country = CompatibleCountryField(source='*')
    name = serializers.CharField(required=False)
@@ -108,9 +94,12 @@ class AnswerQuestionIdentifierField(serializers.Field):

 class AnswerQuestionOptionsIdentifierField(serializers.Field):
    def to_representation(self, instance: QuestionAnswer):
-        if isinstance(instance, WrappedModel) or instance.pk:
-            return [o.identifier for o in instance.options.all()]
-        return []
+        return [o.identifier for o in instance.options.all()]
+
+
+class AnswerQuestionOptionsField(serializers.Field):
+    def to_representation(self, instance: QuestionAnswer):
+        return [o.pk for o in instance.options.all()]


 class InlineSeatSerializer(I18nAwareModelSerializer):
@@ -123,102 +112,12 @@ class InlineSeatSerializer(I18nAwareModelSerializer):
 class AnswerSerializer(I18nAwareModelSerializer):
    question_identifier = AnswerQuestionIdentifierField(source='*', read_only=True)
    option_identifiers = AnswerQuestionOptionsIdentifierField(source='*', read_only=True)
-
-    def to_representation(self, instance):
-        r = super().to_representation(instance)
-        if r['answer'].startswith('file://') and instance.orderposition:
-            r['answer'] = reverse('api-v1:orderposition-answer', kwargs={
-                'organizer': instance.orderposition.order.event.organizer.slug,
-                'event': instance.orderposition.order.event.slug,
-                'pk': instance.orderposition.pk,
-                'question': instance.question_id,
-            }, request=self.context['request'])
-        return r
+    options = AnswerQuestionOptionsField(source='*', read_only=True)

    class Meta:
        model = QuestionAnswer
        fields = ('question', 'answer', 'question_identifier', 'options', 'option_identifiers')

-    def validate_question(self, q):
-        if q.event != self.context['event']:
-            raise ValidationError(
-                'The specified question does not belong to this event.'
-            )
-        return q
-
-    def _handle_file_upload(self, data):
-        try:
-            ao = self.context["request"].user or self.context["request"].auth
-            cf = CachedFile.objects.get(
-                session_key=f'api-upload-{str(type(ao))}-{ao.pk}',
-                file__isnull=False,
-                pk=data['answer'][len("file:"):],
-            )
-        except (ValidationError, IndexError):  # invalid uuid
-            raise ValidationError('The submitted file ID "{fid}" was not found.'.format(fid=data))
-        except CachedFile.DoesNotExist:
-            raise ValidationError('The submitted file ID "{fid}" was not found.'.format(fid=data))
-
-        allowed_types = (
-            'image/png', 'image/jpeg', 'image/gif', 'application/pdf'
-        )
-        if cf.type not in allowed_types:
-            raise ValidationError('The submitted file "{fid}" has a file type that is not allowed in this field.'.format(fid=data))
-        if cf.file.size > 10 * 1024 * 1024:
-            raise ValidationError('The submitted file "{fid}" is too large to be used in this field.'.format(fid=data))
-
-        data['options'] = []
-        data['answer'] = cf.file
-        return data
-
-    def validate(self, data):
-        if data.get('question').type == Question.TYPE_FILE:
-            return self._handle_file_upload(data)
-        elif data.get('question').type in (Question.TYPE_CHOICE, Question.TYPE_CHOICE_MULTIPLE):
-            if not data.get('options'):
-                raise ValidationError(
-                    'You need to specify options if the question is of a choice type.'
-                )
-            if data.get('question').type == Question.TYPE_CHOICE and len(data.get('options')) > 1:
-                raise ValidationError(
-                    'You can specify at most one option for this question.'
-                )
-            for o in data.get('options'):
-                if o.question_id != data.get('question').pk:
-                    raise ValidationError(
-                        'The specified option does not belong to this question.'
-                    )
-
-            data['answer'] = ", ".join([str(o) for o in data.get('options')])
-
-        else:
-            if data.get('options'):
-                raise ValidationError(
-                    'You should not specify options if the question is not of a choice type.'
-                )
-
-            if data.get('question').type == Question.TYPE_BOOLEAN:
-                if data.get('answer') in ['true', 'True', '1', 'TRUE']:
-                    data['answer'] = 'True'
-                elif data.get('answer') in ['false', 'False', '0', 'FALSE']:
-                    data['answer'] = 'False'
-                else:
-                    raise ValidationError(
-                        'Please specify "true" or "false" for boolean questions.'
-                    )
-            elif data.get('question').type == Question.TYPE_NUMBER:
-                serializers.DecimalField(
-                    max_digits=50,
-                    decimal_places=25
-                ).to_internal_value(data.get('answer'))
-            elif data.get('question').type == Question.TYPE_DATE:
-                data['answer'] = serializers.DateField().to_internal_value(data.get('answer'))
-            elif data.get('question').type == Question.TYPE_TIME:
-                data['answer'] = serializers.TimeField().to_internal_value(data.get('answer'))
-            elif data.get('question').type == Question.TYPE_DATETIME:
-                data['answer'] = serializers.DateTimeField().to_internal_value(data.get('answer'))
-        return data
-

 class CheckinSerializer(I18nAwareModelSerializer):
    class Meta:
@@ -288,9 +187,6 @@ class PdfDataSerializer(serializers.Field):
            if 'vars' not in self.context:
                self.context['vars'] = get_variables(self.context['request'].event)

-            if 'vars_images' not in self.context:
-                self.context['vars_images'] = get_images(self.context['request'].event)
-
            for k, f in self.context['vars'].items():
                res[k] = f['evaluate'](instance, instance.order, ev)

@@ -305,39 +201,17 @@ class PdfDataSerializer(serializers.Field):
            for k, v in instance.item._cached_meta_data.items():
                res['itemmeta:' + k] = v

-            res['images'] = {}
-
-            for k, f in self.context['vars_images'].items():
-                if 'etag' in f:
-                    has_image = etag = f['etag'](instance, instance.order, ev)
-                else:
-                    has_image = f['etag'](instance, instance.order, ev)
-                    etag = None
-                if has_image:
-                    url = reverse('api-v1:orderposition-pdf_image', kwargs={
-                        'organizer': instance.order.event.organizer.slug,
-                        'event': instance.order.event.slug,
-                        'pk': instance.pk,
-                        'key': k,
-                    }, request=self.context['request'])
-                    if etag:
-                        url += f'#etag={etag}'
-                    res['images'][k] = url
-                else:
-                    res['images'][k] = None
-
-            return res
+        return res


 class OrderPositionSerializer(I18nAwareModelSerializer):
-    checkins = CheckinSerializer(many=True, read_only=True)
+    checkins = CheckinSerializer(many=True)
    answers = AnswerSerializer(many=True)
-    downloads = PositionDownloadsField(source='*', read_only=True)
+    downloads = PositionDownloadsField(source='*')
    order = serializers.SlugRelatedField(slug_field='code', read_only=True)
-    pdf_data = PdfDataSerializer(source='*', read_only=True)
+    pdf_data = PdfDataSerializer(source='*')
    seat = InlineSeatSerializer(read_only=True)
    country = CompatibleCountryField(source='*')
-    attendee_name = serializers.CharField(required=False)

    class Meta:
        model = OrderPosition
@@ -345,99 +219,11 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
                  'company', 'street', 'zipcode', 'city', 'country', 'state',
                  'attendee_email', 'voucher', 'tax_rate', 'tax_value', 'secret', 'addon_to', 'subevent', 'checkins',
                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat', 'canceled')
-        read_only_fields = (
-            'id', 'order', 'positionid', 'item', 'variation', 'price', 'voucher', 'tax_rate', 'tax_value', 'secret',
-            'addon_to', 'subevent', 'checkins', 'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data',
-            'seat', 'canceled'
-        )

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
-        request = self.context.get('request')
-        if not request or not self.context['request'].query_params.get('pdf_data', 'false') == 'true' or 'can_view_orders' not in request.eventpermset:
-            self.fields.pop('pdf_data', None)
-
-    def validate(self, data):
-        if data.get('attendee_name') and data.get('attendee_name_parts'):
-            raise ValidationError(
-                {'attendee_name': ['Do not specify attendee_name if you specified attendee_name_parts.']}
-            )
-        if data.get('attendee_name_parts') and '_scheme' not in data.get('attendee_name_parts'):
-            data['attendee_name_parts']['_scheme'] = self.context['request'].event.settings.name_scheme
-
-        if data.get('country'):
-            if not pycountry.countries.get(alpha_2=data.get('country').code):
-                raise ValidationError(
-                    {'country': ['Invalid country code.']}
-                )
-
-        if data.get('state'):
-            cc = str(data.get('country') or self.instance.country or '')
-            if cc not in COUNTRIES_WITH_STATE_IN_ADDRESS:
-                raise ValidationError(
-                    {'state': ['States are not supported in country "{}".'.format(cc)]}
-                )
-            if not pycountry.subdivisions.get(code=cc + '-' + data.get('state')):
-                raise ValidationError(
-                    {'state': ['"{}" is not a known subdivision of the country "{}".'.format(data.get('state'), cc)]}
-                )
-        return data
-
-    def update(self, instance, validated_data):
-        # Even though all fields that shouldn't be edited are marked as read_only in the serializer
-        # (hopefully), we'll be extra careful here and be explicit about the model fields we update.
-        update_fields = [
-            'attendee_name_parts', 'company', 'street', 'zipcode', 'city', 'country',
-            'state', 'attendee_email',
-        ]
-        answers_data = validated_data.pop('answers', None)
-
-        name = validated_data.pop('attendee_name', '')
-        if name and not validated_data.get('attendee_name_parts'):
-            validated_data['attendee_name_parts'] = {
-                '_legacy': name
-            }
-
-        for attr, value in validated_data.items():
-            if attr in update_fields:
-                setattr(instance, attr, value)
-
-        instance.save(update_fields=update_fields)
-
-        if answers_data is not None:
-            qs_seen = set()
-            answercache = {
-                a.question_id: a for a in instance.answers.all()
-            }
-            for answ_data in answers_data:
-                options = answ_data.pop('options', [])
-                if answ_data['question'].pk in qs_seen:
-                    raise ValidationError(f'Question {answ_data["question"]} was sent twice.')
-                if answ_data['question'].pk in answercache:
-                    a = answercache[answ_data['question'].pk]
-                    if isinstance(answ_data['answer'], File):
-                        a.file.save(answ_data['answer'].name, answ_data['answer'], save=False)
-                        a.answer = 'file://' + a.file.name
-                    else:
-                        for attr, value in answ_data.items():
-                            setattr(a, attr, value)
-                    a.save()
-                else:
-                    if isinstance(answ_data['answer'], File):
-                        an = answ_data.pop('answer')
-                        a = instance.answers.create(**answ_data, answer='')
-                        a.file.save(an.name, an, save=False)
-                        a.answer = 'file://' + a.file.name
-                        a.save()
-                    else:
-                        a = instance.answers.create(**answ_data)
-                a.options.set(options)
-                qs_seen.add(a.question_id)
-            for qid, a in answercache.items():
-                if qid not in qs_seen:
-                    a.delete()
-
-        return instance
+        if 'request' in self.context and not self.context['request'].query_params.get('pdf_data', 'false') == 'true':
+            self.fields.pop('pdf_data')


 class RequireAttentionField(serializers.Field):
@@ -489,18 +275,6 @@ class CheckinListOrderPositionSerializer(OrderPositionSerializer):
                  'downloads', 'answers', 'tax_rule', 'pseudonymization_id', 'pdf_data', 'seat', 'require_attention',
                  'order__status')

-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-
-        if 'subevent' in self.context['request'].query_params.getlist('expand'):
-            self.fields['subevent'] = SubEventSerializer(read_only=True)
-
-        if 'item' in self.context['request'].query_params.getlist('expand'):
-            self.fields['item'] = ItemSerializer(read_only=True)
-
-        if 'variation' in self.context['request'].query_params.getlist('expand'):
-            self.fields['variation'] = InlineItemVariationSerializer(read_only=True)
-

 class OrderPaymentTypeField(serializers.Field):
    # TODO: Remove after pretix 2.2
@@ -562,7 +336,7 @@ class OrderRefundSerializer(I18nAwareModelSerializer):

    class Meta:
        model = OrderRefund
-        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'comment', 'provider')
+        fields = ('local_id', 'state', 'source', 'amount', 'payment', 'created', 'execution_date', 'provider')


 class OrderURLField(serializers.URLField):
@@ -601,7 +375,7 @@ class OrderSerializer(I18nAwareModelSerializer):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if not self.context['request'].query_params.get('pdf_data', 'false') == 'true':
-            self.fields['positions'].child.fields.pop('pdf_data', None)
+            self.fields['positions'].child.fields.pop('pdf_data')

        for exclude_field in self.context['request'].query_params.getlist('exclude'):
            p = exclude_field.split('.')
@@ -651,17 +425,7 @@ class OrderSerializer(I18nAwareModelSerializer):
        return instance


-class AnswerQuestionOptionsField(serializers.Field):
-    def to_representation(self, instance: QuestionAnswer):
-        return [o.pk for o in instance.options.all()]
-
-
-class SimulatedAnswerSerializer(AnswerSerializer):
-    options = AnswerQuestionOptionsField(read_only=True, source='*')
-
-
 class SimulatedOrderPositionSerializer(OrderPositionSerializer):
-    answers = SimulatedAnswerSerializer(many=True)
    addon_to = serializers.SlugRelatedField(read_only=True, slug_field='positionid')


@@ -688,8 +452,62 @@ class PriceCalcSerializer(serializers.Serializer):
            del self.fields['subevent']


-class AnswerCreateSerializer(AnswerSerializer):
-    pass
+class AnswerCreateSerializer(I18nAwareModelSerializer):
+
+    class Meta:
+        model = QuestionAnswer
+        fields = ('question', 'answer', 'options')
+
+    def validate_question(self, q):
+        if q.event != self.context['event']:
+            raise ValidationError(
+                'The specified question does not belong to this event.'
+            )
+        return q
+
+    def validate(self, data):
+        if data.get('question').type == Question.TYPE_FILE:
+            raise ValidationError(
+                'File uploads are currently not supported via the API.'
+            )
+        elif data.get('question').type in (Question.TYPE_CHOICE, Question.TYPE_CHOICE_MULTIPLE):
+            if not data.get('options'):
+                raise ValidationError(
+                    'You need to specify options if the question is of a choice type.'
+                )
+            if data.get('question').type == Question.TYPE_CHOICE and len(data.get('options')) > 1:
+                raise ValidationError(
+                    'You can specify at most one option for this question.'
+                )
+            data['answer'] = ", ".join([str(o) for o in data.get('options')])
+
+        else:
+            if data.get('options'):
+                raise ValidationError(
+                    'You should not specify options if the question is not of a choice type.'
+                )
+
+            if data.get('question').type == Question.TYPE_BOOLEAN:
+                if data.get('answer') in ['true', 'True', '1', 'TRUE']:
+                    data['answer'] = 'True'
+                elif data.get('answer') in ['false', 'False', '0', 'FALSE']:
+                    data['answer'] = 'False'
+                else:
+                    raise ValidationError(
+                        'Please specify "true" or "false" for boolean questions.'
+                    )
+            elif data.get('question').type == Question.TYPE_NUMBER:
+                serializers.DecimalField(
+                    max_digits=50,
+                    decimal_places=25
+                ).to_internal_value(data.get('answer'))
+            elif data.get('question').type == Question.TYPE_DATE:
+                data['answer'] = serializers.DateField().to_internal_value(data.get('answer'))
+            elif data.get('question').type == Question.TYPE_TIME:
+                data['answer'] = serializers.TimeField().to_internal_value(data.get('answer'))
+            elif data.get('question').type == Question.TYPE_DATETIME:
+                data['answer'] = serializers.DateTimeField().to_internal_value(data.get('answer'))
+        return data


 class OrderFeeCreateSerializer(I18nAwareModelSerializer):
@@ -1226,16 +1044,8 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
                    pos.save()
                    for answ_data in answers_data:
                        options = answ_data.pop('options', [])
-
-                        if isinstance(answ_data['answer'], File):
-                            an = answ_data.pop('answer')
-                            answ = pos.answers.create(**answ_data, answer='')
-                            answ.file.save(an.name, an, save=False)
-                            answ.answer = 'file://' + answ.file.name
-                            answ.save()
-                        else:
-                            answ = pos.answers.create(**answ_data)
-                            answ.options.add(*options)
+                        answ = pos.answers.create(**answ_data)
+                        answ.options.add(*options)
                pos_map[pos.positionid] = pos

            if not simulate:
@@ -1347,24 +1157,17 @@ class InlineInvoiceLineSerializer(I18nAwareModelSerializer):

    class Meta:
        model = InvoiceLine
-        fields = ('position', 'description', 'item', 'variation', 'attendee_name', 'event_date_from',
-                  'event_date_to', 'gross_value', 'tax_value', 'tax_rate', 'tax_name')
+        fields = ('position', 'description', 'gross_value', 'tax_value', 'tax_rate', 'tax_name')


 class InvoiceSerializer(I18nAwareModelSerializer):
    order = serializers.SlugRelatedField(slug_field='code', read_only=True)
-    refers = serializers.SlugRelatedField(slug_field='full_invoice_no', read_only=True)
+    refers = serializers.SlugRelatedField(slug_field='invoice_no', read_only=True)
    lines = InlineInvoiceLineSerializer(many=True)
-    invoice_to_country = CountryField()
-    invoice_from_country = CountryField()

    class Meta:
        model = Invoice
-        fields = ('order', 'number', 'is_cancellation', 'invoice_from', 'invoice_from_name', 'invoice_from_zipcode',
-                  'invoice_from_city', 'invoice_from_country', 'invoice_from_tax_id', 'invoice_from_vat_id',
-                  'invoice_to', 'invoice_to_company', 'invoice_to_name', 'invoice_to_street', 'invoice_to_zipcode',
-                  'invoice_to_city', 'invoice_to_state', 'invoice_to_country', 'invoice_to_vat_id', 'invoice_to_beneficiary',
-                  'custom_field', 'date', 'refers', 'locale',
+        fields = ('order', 'number', 'is_cancellation', 'invoice_from', 'invoice_to', 'date', 'refers', 'locale',
                  'introductory_text', 'additional_text', 'payment_provider_text', 'footer_text', 'lines',
                  'foreign_currency_display', 'foreign_currency_rate', 'foreign_currency_rate_date',
                  'internal_reference')
@@ -1391,7 +1194,7 @@ class OrderRefundCreateSerializer(I18nAwareModelSerializer):

    class Meta:
        model = OrderRefund
-        fields = ('state', 'source', 'amount', 'payment', 'execution_date', 'provider', 'info', 'comment')
+        fields = ('state', 'source', 'amount', 'payment', 'execution_date', 'provider', 'info')

    def create(self, validated_data):
        pid = validated_data.pop('payment', None)
--- a/src/pretix/api/serializers/organizer.py
+++ b/src/pretix/api/serializers/organizer.py
@@ -1,15 +1,13 @@
-import logging
 from decimal import Decimal

 from django.db.models import Q
-from django.utils.crypto import get_random_string
 from django.utils.translation import gettext_lazy as _
+from hierarkey.proxy import HierarkeyProxy
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError

 from pretix.api.serializers.i18n import I18nAwareModelSerializer
 from pretix.api.serializers.order import CompatibleJSONField
-from pretix.api.serializers.settings import SettingsSerializer
 from pretix.base.auth import get_auth_backends
 from pretix.base.i18n import get_language_without_region
 from pretix.base.models import (
@@ -18,11 +16,9 @@ from pretix.base.models import (
 )
 from pretix.base.models.seating import SeatingPlanLayoutValidator
 from pretix.base.services.mail import SendMailException, mail
-from pretix.base.settings import validate_organizer_settings
+from pretix.base.settings import DEFAULTS, validate_organizer_settings
 from pretix.helpers.urls import build_absolute_uri

-logger = logging.getLogger(__name__)
-

 class OrganizerSerializer(I18nAwareModelSerializer):
    class Meta:
@@ -95,7 +91,7 @@ class TeamSerializer(serializers.ModelSerializer):
            'id', 'name', 'all_events', 'limit_events', 'can_create_events', 'can_change_teams',
            'can_change_organizer_settings', 'can_manage_gift_cards', 'can_change_event_settings',
            'can_change_items', 'can_view_orders', 'can_change_orders', 'can_view_vouchers',
-            'can_change_vouchers', 'can_checkin_orders'
+            'can_change_vouchers'
        )

    def validate(self, data):
@@ -211,10 +207,8 @@ class TeamMemberSerializer(serializers.ModelSerializer):
        )


-class OrganizerSettingsSerializer(SettingsSerializer):
+class OrganizerSettingsSerializer(serializers.Serializer):
    default_fields = [
-        'contact_mail',
-        'imprint_url',
        'organizer_info_text',
        'event_list_type',
        'event_list_availability',
@@ -231,13 +225,40 @@ class OrganizerSettingsSerializer(SettingsSerializer):
        'theme_color_danger',
        'theme_color_background',
        'theme_round_borders',
-        'primary_font',
-        'organizer_logo_image'
+        'primary_font'
    ]

    def __init__(self, *args, **kwargs):
        self.organizer = kwargs.pop('organizer')
+        self.changed_data = []
        super().__init__(*args, **kwargs)
+        for fname in self.default_fields:
+            kwargs = DEFAULTS[fname].get('serializer_kwargs', {})
+            if callable(kwargs):
+                kwargs = kwargs()
+            kwargs.setdefault('required', False)
+            kwargs.setdefault('allow_null', True)
+            form_kwargs = DEFAULTS[fname].get('form_kwargs', {})
+            if callable(form_kwargs):
+                form_kwargs = form_kwargs()
+            if 'serializer_class' not in DEFAULTS[fname]:
+                raise ValidationError('{} has no serializer class'.format(fname))
+            f = DEFAULTS[fname]['serializer_class'](
+                **kwargs
+            )
+            f._label = form_kwargs.get('label', fname)
+            f._help_text = form_kwargs.get('help_text')
+            self.fields[fname] = f
+
+    def update(self, instance: HierarkeyProxy, validated_data):
+        for attr, value in validated_data.items():
+            if value is None:
+                instance.delete(attr)
+                self.changed_data.append(attr)
+            elif instance.get(attr, as_type=type(value)) != value:
+                instance.set(attr, value)
+                self.changed_data.append(attr)
+        return instance

    def validate(self, data):
        data = super().validate(data)
@@ -245,11 +266,3 @@ class OrganizerSettingsSerializer(SettingsSerializer):
        settings_dict.update(data)
        validate_organizer_settings(self.organizer, settings_dict)
        return data
-
-    def get_new_filename(self, name: str) -> str:
-        nonce = get_random_string(length=8)
-        fname = '%s/%s.%s.%s' % (
-            self.organizer.slug, name.split('/')[-1], nonce, name.split('.')[-1]
-        )
-        # TODO: make sure pub is always correct
-        return 'pub/' + fname
--- a/src/pretix/api/serializers/settings.py
+++ b/src/pretix/api/serializers/settings.py
@@ -1,77 +0,0 @@
-import logging
-
-from django.core.files import File
-from django.core.files.storage import default_storage
-from django.db.models.fields.files import FieldFile
-from hierarkey.proxy import HierarkeyProxy
-from rest_framework import serializers
-from rest_framework.exceptions import ValidationError
-
-from pretix.api.serializers.fields import UploadedFileField
-from pretix.base.settings import DEFAULTS
-
-logger = logging.getLogger(__name__)
-
-
-class SettingsSerializer(serializers.Serializer):
-    default_fields = []
-
-    def __init__(self, *args, **kwargs):
-        self.changed_data = []
-        super().__init__(*args, **kwargs)
-        for fname in self.default_fields:
-            kwargs = DEFAULTS[fname].get('serializer_kwargs', {})
-            if callable(kwargs):
-                kwargs = kwargs()
-            kwargs.setdefault('required', False)
-            kwargs.setdefault('allow_null', True)
-            form_kwargs = DEFAULTS[fname].get('form_kwargs', {})
-            if callable(form_kwargs):
-                form_kwargs = form_kwargs()
-            if 'serializer_class' not in DEFAULTS[fname]:
-                raise ValidationError('{} has no serializer class'.format(fname))
-            f = DEFAULTS[fname]['serializer_class'](
-                **kwargs
-            )
-            f._label = form_kwargs.get('label', fname)
-            f._help_text = form_kwargs.get('help_text')
-            f.parent = self
-            self.fields[fname] = f
-
-    def update(self, instance: HierarkeyProxy, validated_data):
-        for attr, value in validated_data.items():
-            if isinstance(value, FieldFile):
-                # Delete old file
-                fname = instance.get(attr, as_type=File)
-                if fname:
-                    try:
-                        default_storage.delete(fname.name)
-                    except OSError:  # pragma: no cover
-                        logger.error('Deleting file %s failed.' % fname.name)
-
-                # Create new file
-                newname = default_storage.save(self.get_new_filename(value.name), value)
-                instance.set(attr, File(file=value, name=newname))
-                self.changed_data.append(attr)
-            elif isinstance(self.fields[attr], UploadedFileField):
-                if value is None:
-                    fname = instance.get(attr, as_type=File)
-                    if fname:
-                        try:
-                            default_storage.delete(fname.name)
-                        except OSError:  # pragma: no cover
-                            logger.error('Deleting file %s failed.' % fname.name)
-                    instance.delete(attr)
-                else:
-                    # file is unchanged
-                    continue
-            elif value is None:
-                instance.delete(attr)
-                self.changed_data.append(attr)
-            elif instance.get(attr, as_type=type(value)) != value:
-                instance.set(attr, value)
-                self.changed_data.append(attr)
-        return instance
-
-    def get_new_filename(self, name: str) -> str:
-        raise NotImplementedError()
--- a/src/pretix/api/serializers/waitinglist.py
+++ b/src/pretix/api/serializers/waitinglist.py
@@ -8,7 +8,7 @@ class WaitingListSerializer(I18nAwareModelSerializer):

    class Meta:
        model = WaitingListEntry
-        fields = ('id', 'created', 'name', 'name_parts', 'email', 'phone', 'voucher', 'item', 'variation', 'locale', 'subevent', 'priority')
+        fields = ('id', 'created', 'email', 'voucher', 'item', 'variation', 'locale', 'subevent', 'priority')
        read_only_fields = ('id', 'created', 'voucher')

    def validate(self, data):
@@ -32,11 +32,4 @@ class WaitingListSerializer(I18nAwareModelSerializer):
            if availability[0] == 100:
                raise ValidationError("This product is currently available.")

-        if data.get('name') and data.get('name_parts'):
-            raise ValidationError(
-                {'name': ['Do not specify name if you specified name_parts.']}
-            )
-        if data.get('name_parts') and '_scheme' not in data.get('name_parts'):
-            data['name_parts']['_scheme'] = event.settings.name_scheme
-
        return data
--- a/src/pretix/api/urls.py
+++ b/src/pretix/api/urls.py
@@ -7,8 +7,8 @@ from rest_framework import routers
 from pretix.api.views import cart

 from .views import (
-    checkin, device, event, exporters, item, oauth, order, organizer, upload,
-    user, version, voucher, waitinglist, webhooks,
+    checkin, device, event, exporters, item, oauth, order, organizer, user,
+    version, voucher, waitinglist, webhooks,
 )

 router = routers.DefaultRouter()
@@ -95,7 +95,6 @@ urlpatterns = [
    url(r"^device/roll$", device.RollKeyView.as_view(), name="device.roll"),
    url(r"^device/revoke$", device.RevokeKeyView.as_view(), name="device.revoke"),
    url(r"^device/eventselection$", device.EventSelectionView.as_view(), name="device.eventselection"),
-    url(r"^upload$", upload.UploadView.as_view(), name="upload"),
    url(r"^me$", user.MeView.as_view(), name="user.me"),
    url(r"^version$", version.VersionView.as_view(), name="version"),
 ]
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -22,17 +22,16 @@ from pretix.api.views import RichOrderingFilter
 from pretix.api.views.order import OrderPositionFilter
 from pretix.base.i18n import language
 from pretix.base.models import (
-    CachedFile, Checkin, CheckinList, Event, Order, OrderPosition, Question,
+    Checkin, CheckinList, Event, Order, OrderPosition,
 )
 from pretix.base.services.checkin import (
-    CheckInError, RequiredQuestionsError, SQLLogic, perform_checkin,
+    CheckInError, RequiredQuestionsError, perform_checkin,
 )
 from pretix.helpers.database import FixedOrderBy

 with scopes_disabled():
    class CheckinListFilter(FilterSet):
        subevent_match = django_filters.NumberFilter(method='subevent_match_qs')
-        ends_after = django_filters.rest_framework.IsoDateTimeFilter(method='ends_after_qs')

        class Meta:
            model = CheckinList
@@ -43,35 +42,19 @@ with scopes_disabled():
                Q(subevent_id=value) | Q(subevent_id__isnull=True)
            )

-        def ends_after_qs(self, queryset, name, value):
-            expr = (
-                Q(subevent__isnull=True) |
-                Q(
-                    Q(Q(subevent__date_to__isnull=True) & Q(subevent__date_from__gte=value))
-                    | Q(Q(subevent__date_to__isnull=False) & Q(subevent__date_to__gte=value))
-                )
-            )
-            return queryset.filter(expr)
-

 class CheckinListViewSet(viewsets.ModelViewSet):
    serializer_class = CheckinListSerializer
    queryset = CheckinList.objects.none()
    filter_backends = (DjangoFilterBackend,)
    filterset_class = CheckinListFilter
-    permission = ('can_view_orders', 'can_checkin_orders',)
+    permission = 'can_view_orders'
    write_permission = 'can_change_event_settings'

    def get_queryset(self):
        qs = self.request.event.checkin_lists.prefetch_related(
            'limit_products',
        )
-
-        if 'subevent' in self.request.query_params.getlist('expand'):
-            qs = qs.prefetch_related(
-                'subevent', 'subevent__event', 'subevent__subeventitem_set', 'subevent__subeventitemvariation_set',
-                'subevent__seat_category_mappings', 'subevent__meta_values'
-            )
        return qs

    def perform_create(self, serializer):
@@ -172,37 +155,15 @@ class CheckinListViewSet(viewsets.ModelViewSet):

 with scopes_disabled():
    class CheckinOrderPositionFilter(OrderPositionFilter):
-        check_rules = django_filters.rest_framework.BooleanFilter(method='check_rules_qs')
-        # check_rules is currently undocumented on purpose, let's get a feel for the performance impact first
-
-        def __init__(self, *args, **kwargs):
-            self.checkinlist = kwargs.pop('checkinlist')
-            super().__init__(*args, **kwargs)

        def has_checkin_qs(self, queryset, name, value):
            return queryset.filter(last_checked_in__isnull=not value)

-        def check_rules_qs(self, queryset, name, value):
-            if not self.checkinlist.rules:
-                return queryset
-            return queryset.filter(SQLLogic(self.checkinlist).apply(self.checkinlist.rules))
-
-
-class ExtendedBackend(DjangoFilterBackend):
-    def get_filterset_kwargs(self, request, queryset, view):
-        kwargs = super().get_filterset_kwargs(request, queryset, view)
-
-        # merge filterset kwargs provided by view class
-        if hasattr(view, 'get_filterset_kwargs'):
-            kwargs.update(view.get_filterset_kwargs())
-
-        return kwargs
-

 class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
    serializer_class = CheckinListOrderPositionSerializer
    queryset = OrderPosition.all.none()
-    filter_backends = (ExtendedBackend, RichOrderingFilter)
+    filter_backends = (DjangoFilterBackend, RichOrderingFilter)
    ordering = ('attendee_name_cached', 'positionid')
    ordering_fields = (
        'order__code', 'order__datetime', 'positionid', 'attendee_name',
@@ -226,13 +187,8 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
    }

    filterset_class = CheckinOrderPositionFilter
-    permission = ('can_view_orders', 'can_checkin_orders')
-    write_permission = ('can_change_orders', 'can_checkin_orders')
-
-    def get_filterset_kwargs(self):
-        return {
-            'checkinlist': self.checkinlist,
-        }
+    permission = 'can_view_orders'
+    write_permission = 'can_change_orders'

    @cached_property
    def checkinlist(self):
@@ -253,7 +209,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
            order__event=self.request.event,
        ).annotate(
            last_checked_in=Subquery(cqs)
-        ).prefetch_related('order__event', 'order__event__organizer')
+        )
        if self.checkinlist.subevent:
            qs = qs.filter(
                subevent=self.checkinlist.subevent
@@ -299,22 +255,6 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
        if not self.checkinlist.all_products and not ignore_products:
            qs = qs.filter(item__in=self.checkinlist.limit_products.values_list('id', flat=True))

-        if 'subevent' in self.request.query_params.getlist('expand'):
-            qs = qs.prefetch_related(
-                'subevent', 'subevent__event', 'subevent__subeventitem_set', 'subevent__subeventitemvariation_set',
-                'subevent__seat_category_mappings', 'subevent__meta_values'
-            )
-
-        if 'item' in self.request.query_params.getlist('expand'):
-            qs = qs.prefetch_related('item', 'item__addons', 'item__bundles', 'item__meta_values', 'item__variations').select_related('item__tax_rule')
-
-        if 'variation' in self.request.query_params.getlist('expand'):
-            qs = qs.prefetch_related('variation')
-
-        if 'pk' not in self.request.resolver_match.kwargs and 'can_view_orders' not in self.request.eventpermset \
-                and len(self.request.query_params.get('search', '')) < 3:
-            qs = qs.none()
-
        return qs

    @action(detail=False, methods=['POST'], url_name='redeem', url_path='(?P<pk>.*)/redeem')
@@ -362,10 +302,7 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
            for q in op.item.questions.filter(ask_during_checkin=True):
                if str(q.pk) in aws:
                    try:
-                        if q.type == Question.TYPE_FILE:
-                            given_answers[q] = self._handle_file_upload(aws[str(q.pk)])
-                        else:
-                            given_answers[q] = q.clean_answer(aws[str(q.pk)])
+                        given_answers[q] = q.clean_answer(aws[str(q.pk)])
                    except ValidationError:
                        pass

@@ -415,25 +352,3 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
                'require_attention': op.item.checkin_attention or op.order.checkin_attention,
                'position': CheckinListOrderPositionSerializer(op, context=self.get_serializer_context()).data
            }, status=201)
-
-    def _handle_file_upload(self, data):
-        try:
-            cf = CachedFile.objects.get(
-                session_key=f'api-upload-{str(type(self.request.user or self.request.auth))}-{(self.request.user or self.request.auth).pk}',
-                file__isnull=False,
-                pk=data[len("file:"):],
-            )
-        except (ValidationError, IndexError):  # invalid uuid
-            raise ValidationError('The submitted file ID "{fid}" was not found.'.format(fid=data))
-        except CachedFile.DoesNotExist:
-            raise ValidationError('The submitted file ID "{fid}" was not found.'.format(fid=data))
-
-        allowed_types = (
-            'image/png', 'image/jpeg', 'image/gif', 'application/pdf'
-        )
-        if cf.type not in allowed_types:
-            raise ValidationError('The submitted file "{fid}" has a file type that is not allowed in this field.'.format(fid=data))
-        if cf.file.size > 10 * 1024 * 1024:
-            raise ValidationError('The submitted file "{fid}" is too large to be used in this field.'.format(fid=data))
-
-        return cf.file
--- a/src/pretix/api/views/device.py
+++ b/src/pretix/api/views/device.py
@@ -53,8 +53,8 @@ class DeviceSerializer(serializers.ModelSerializer):


 class InitializeView(APIView):
-    authentication_classes = ()
-    permission_classes = ()
+    authentication_classes = tuple()
+    permission_classes = tuple()

    def post(self, request, format=None):
        serializer = InitializationRequestSerializer(data=request.data)
--- a/src/pretix/api/views/event.py
+++ b/src/pretix/api/views/event.py
@@ -259,7 +259,7 @@ class SubEventViewSet(ConditionalListView, viewsets.ModelViewSet):
        qs = filter_qs_by_attr(qs, self.request)

        return qs.prefetch_related(
-            'subeventitem_set', 'subeventitemvariation_set', 'seat_category_mappings', 'meta_values'
+            'subeventitem_set', 'subeventitemvariation_set', 'seat_category_mappings'
        )

    def list(self, request, **kwargs):
@@ -365,13 +365,9 @@ class EventSettingsView(views.APIView):

    def get(self, request, *args, **kwargs):
        if isinstance(request.auth, Device):
-            s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
-            })
+            s = DeviceEventSettingsSerializer(instance=request.event.settings, event=request.event)
        elif 'can_change_event_settings' in request.eventpermset:
-            s = EventSettingsSerializer(instance=request.event.settings, event=request.event, context={
-                'request': request
-            })
+            s = EventSettingsSerializer(instance=request.event.settings, event=request.event)
        else:
            raise PermissionDenied()
        if 'explain' in request.GET:
@@ -386,7 +382,7 @@ class EventSettingsView(views.APIView):

    def patch(self, request, *wargs, **kwargs):
        s = EventSettingsSerializer(instance=request.event.settings, data=request.data, partial=True,
-                                    event=request.event, context={'request': request})
+                                    event=request.event)
        s.is_valid(raise_exception=True)
        with transaction.atomic():
            s.save()
@@ -396,9 +392,6 @@ class EventSettingsView(views.APIView):
                }
            )
        if any(p in s.changed_data for p in SETTINGS_AFFECTING_CSS):
-            regenerate_css.apply_async(args=(request.event.pk,))
-        s = EventSettingsSerializer(
-            instance=request.event.settings, event=request.event, context={
-                'request': request
-            })
+            regenerate_css.apply_async(args=(request.organizer.pk,))
+        s = EventSettingsSerializer(instance=request.event.settings, event=request.event)
        return Response(s.data)
--- a/src/pretix/api/views/item.py
+++ b/src/pretix/api/views/item.py
@@ -49,9 +49,7 @@ class ItemViewSet(ConditionalListView, viewsets.ModelViewSet):
    write_permission = 'can_change_items'

    def get_queryset(self):
-        return self.request.event.items.select_related('tax_rule').prefetch_related(
-            'variations', 'addons', 'bundles', 'meta_values'
-        ).all()
+        return self.request.event.items.select_related('tax_rule').prefetch_related('variations', 'addons', 'bundles').all()

    def perform_create(self, serializer):
        serializer.save(event=self.request.event)
--- a/src/pretix/api/views/order.py
+++ b/src/pretix/api/views/order.py
@@ -1,6 +1,4 @@
 import datetime
-import mimetypes
-import os
 from decimal import Decimal

 import django_filters
@@ -14,7 +12,6 @@ from django.utils.timezone import make_aware, now
 from django.utils.translation import gettext as _
 from django_filters.rest_framework import DjangoFilterBackend, FilterSet
 from django_scopes import scopes_disabled
-from PIL import Image
 from rest_framework import mixins, serializers, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.exceptions import (
@@ -38,9 +35,8 @@ from pretix.base.models import (
    Order, OrderFee, OrderPayment, OrderPosition, OrderRefund, Quota, SubEvent,
    TaxRule, TeamAPIToken, generate_secret,
 )
-from pretix.base.models.orders import QuestionAnswer, RevokedTicketSecret
+from pretix.base.models.orders import RevokedTicketSecret
 from pretix.base.payment import PaymentException
-from pretix.base.pdf import get_images
 from pretix.base.secrets import assign_ticket_secret
 from pretix.base.services import tickets
 from pretix.base.services.invoices import (
@@ -767,7 +763,7 @@ with scopes_disabled():
            }


-class OrderPositionViewSet(mixins.DestroyModelMixin, mixins.UpdateModelMixin, viewsets.ReadOnlyModelViewSet):
+class OrderPositionViewSet(mixins.DestroyModelMixin, viewsets.ReadOnlyModelViewSet):
    serializer_class = OrderPositionSerializer
    queryset = OrderPosition.all.none()
    filter_backends = (DjangoFilterBackend, OrderingFilter)
@@ -787,11 +783,6 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, mixins.UpdateModelMixin, vi
        },
    }

-    def get_serializer_context(self):
-        ctx = super().get_serializer_context()
-        ctx['event'] = self.request.event
-        return ctx
-
    def get_queryset(self):
        if self.request.query_params.get('include_canceled_positions', 'false') == 'true':
            qs = OrderPosition.all
@@ -917,62 +908,6 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, mixins.UpdateModelMixin, vi
                'tax_rule': tr.pk if tr else None,
            })

-    @action(detail=True, url_name='answer', url_path=r'answer/(?P<question>\d+)')
-    def answer(self, request, **kwargs):
-        pos = self.get_object()
-        answer = get_object_or_404(
-            QuestionAnswer,
-            orderposition=self.get_object(),
-            question_id=kwargs.get('question')
-        )
-        if not answer.file:
-            raise NotFound()
-
-        ftype, ignored = mimetypes.guess_type(answer.file.name)
-        resp = FileResponse(answer.file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            os.path.basename(answer.file.name).split('.', 1)[1]
-        )
-        return resp
-
-    @action(detail=True, url_name='pdf_image', url_path=r'pdf_image/(?P<key>[^/]+)')
-    def pdf_image(self, request, key, **kwargs):
-        pos = self.get_object()
-
-        image_vars = get_images(request.event)
-        if key not in image_vars:
-            raise NotFound('Unknown key')
-
-        image_file = image_vars[key]['evaluate'](pos, pos.order, pos.subevent or self.request.event)
-        if image_file is None:
-            raise NotFound('No image available')
-
-        if getattr(image_file, 'name', ''):
-            ftype, ignored = mimetypes.guess_type(image_file.name)
-            extension = os.path.basename(image_file.name).split('.')[-1]
-        else:
-            img = Image.open(image_file)
-            ftype = Image.MIME[img.format]
-            extensions = {
-                'GIF': 'gif', 'TIFF': 'tif', 'BMP': 'bmp', 'JPEG': 'jpg', 'PNG': 'png'
-            }
-            extension = extensions.get(img.format, 'bin')
-            if hasattr(image_file, 'seek'):
-                image_file.seek(0)
-
-        resp = FileResponse(image_file, content_type=ftype or 'application/binary')
-        resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}-{}.{}"'.format(
-            self.request.event.slug.upper(),
-            pos.order.code,
-            pos.positionid,
-            key,
-            extension,
-        )
-        return resp
-
    @action(detail=True, url_name='download', url_path='download/(?P<output>[^/]+)')
    def download(self, request, output, **kwargs):
        provider = self._get_output_provider(output)
@@ -1016,44 +951,6 @@ class OrderPositionViewSet(mixins.DestroyModelMixin, mixins.UpdateModelMixin, vi
        except Quota.QuotaExceededException as e:
            raise ValidationError(str(e))

-    def update(self, request, *args, **kwargs):
-        partial = kwargs.get('partial', False)
-        if not partial:
-            return Response(
-                {"detail": "Method \"PUT\" not allowed."},
-                status=status.HTTP_405_METHOD_NOT_ALLOWED,
-            )
-        return super().update(request, *args, **kwargs)
-
-    def perform_update(self, serializer):
-        with transaction.atomic():
-            old_data = self.get_serializer_class()(instance=serializer.instance, context=self.get_serializer_context()).data
-            serializer.save()
-            new_data = serializer.data
-
-            if old_data != new_data:
-                log_data = self.request.data
-                if 'answers' in log_data:
-                    for a in new_data['answers']:
-                        log_data[f'question_{a["question"]}'] = a["answer"]
-                    log_data.pop('answers', None)
-                serializer.instance.order.log_action(
-                    'pretix.event.order.modified',
-                    user=self.request.user,
-                    auth=self.request.auth,
-                    data={
-                        'data': [
-                            dict(
-                                position=serializer.instance.pk,
-                                **log_data
-                            )
-                        ]
-                    }
-                )
-
-        tickets.invalidate_cache.apply_async(kwargs={'event': serializer.instance.order.event.pk, 'order': serializer.instance.order.pk})
-        order_modified.send(sender=serializer.instance.order.event, order=serializer.instance.order)
-

 class PaymentViewSet(CreateModelMixin, viewsets.ReadOnlyModelViewSet):
    serializer_class = OrderPaymentSerializer
--- a/src/pretix/api/views/organizer.py
+++ b/src/pretix/api/views/organizer.py
@@ -425,9 +425,7 @@ class OrganizerSettingsView(views.APIView):
    permission = 'can_change_organizer_settings'

    def get(self, request, *args, **kwargs):
-        s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
-        })
+        s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer)
        if 'explain' in request.GET:
            return Response({
                fname: {
@@ -441,9 +439,7 @@ class OrganizerSettingsView(views.APIView):
    def patch(self, request, *wargs, **kwargs):
        s = OrganizerSettingsSerializer(
            instance=request.organizer.settings, data=request.data, partial=True,
-            organizer=request.organizer, context={
-                'request': request
-            }
+            organizer=request.organizer
        )
        s.is_valid(raise_exception=True)
        with transaction.atomic():
@@ -455,7 +451,5 @@ class OrganizerSettingsView(views.APIView):
            )
        if any(p in s.changed_data for p in SETTINGS_AFFECTING_CSS):
            regenerate_organizer_css.apply_async(args=(request.organizer.pk,))
-        s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer, context={
-            'request': request
-        })
+        s = OrganizerSettingsSerializer(instance=request.organizer.settings, organizer=request.organizer)
        return Response(s.data)
--- a/src/pretix/api/views/upload.py
+++ b/src/pretix/api/views/upload.py
@@ -1,55 +0,0 @@
-import datetime
-
-from django.utils.timezone import now
-from oauth2_provider.contrib.rest_framework import OAuth2Authentication
-from rest_framework.authentication import SessionAuthentication
-from rest_framework.exceptions import ValidationError
-from rest_framework.parsers import FileUploadParser
-from rest_framework.response import Response
-from rest_framework.views import APIView
-
-from pretix.api.auth.device import DeviceTokenAuthentication
-from pretix.api.auth.permission import AnyAuthenticatedClientPermission
-from pretix.api.auth.token import TeamTokenAuthentication
-from pretix.base.models import CachedFile
-
-ALLOWED_TYPES = {
-    'image/gif': {'.gif'},
-    'image/jpeg': {'.jpg', '.jpeg'},
-    'image/png': {'.png'},
-    'application/pdf': {'.pdf'},
-}
-
-
-class UploadView(APIView):
-    authentication_classes = (
-        SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
-    )
-    parser_classes = [FileUploadParser]
-    permission_classes = [AnyAuthenticatedClientPermission]
-
-    def post(self, request):
-        if 'file' not in request.data:
-            raise ValidationError('No file has been submitted.')
-        file_obj = request.data['file']
-        content_type = file_obj.content_type.split(";")[0]  # ignore e.g. "; charset=…"
-        if content_type not in ALLOWED_TYPES:
-            raise ValidationError('Content type "{type}" is not allowed'.format(type=content_type))
-        if not any(file_obj.name.endswith(ext) for ext in ALLOWED_TYPES[content_type]):
-            raise ValidationError('File name "{name}" has an invalid extension for type "{type}"'.format(
-                name=file_obj.name,
-                type=content_type
-            ))
-        cf = CachedFile.objects.create(
-            expires=now() + datetime.timedelta(days=1),
-            date=now(),
-            web_download=False,
-            filename=file_obj.name,
-            type=content_type,
-            session_key=f'api-upload-{str(type(request.user or request.auth))}-{(request.user or request.auth).pk}'
-        )
-        cf.file.save(file_obj.name, file_obj)
-        cf.save()
-        return Response({
-            'id': f'file:{cf.pk}'
-        }, status=201)
--- a/src/pretix/api/views/version.py
+++ b/src/pretix/api/views/version.py
@@ -6,7 +6,6 @@ from rest_framework.views import APIView

 from pretix import __version__
 from pretix.api.auth.device import DeviceTokenAuthentication
-from pretix.api.auth.permission import AnyAuthenticatedClientPermission
 from pretix.api.auth.token import TeamTokenAuthentication


@@ -49,7 +48,6 @@ class VersionView(APIView):
    authentication_classes = (
        SessionAuthentication, OAuth2Authentication, DeviceTokenAuthentication, TeamTokenAuthentication
    )
-    permission_classes = [AnyAuthenticatedClientPermission]

    def get(self, request, format=None):
        return Response({
--- a/src/pretix/api/webhooks.py
+++ b/src/pretix/api/webhooks.py
@@ -257,7 +257,7 @@ def register_default_webhook_events(sender, **kwargs):
    )


-@app.task(base=TransactionAwareTask, max_retries=9, default_retry_delay=900, acks_late=True)
+@app.task(base=TransactionAwareTask, acks_late=True)
 def notify_webhooks(logentry_ids: list):
    if not isinstance(logentry_ids, list):
        logentry_ids = [logentry_ids]
--- a/src/pretix/base/email.py
+++ b/src/pretix/base/email.py
@@ -2,12 +2,10 @@ import inspect
 import logging
 from datetime import timedelta
 from decimal import Decimal
-from itertools import groupby
 from smtplib import SMTPResponseException

 from django.conf import settings
 from django.core.mail.backends.smtp import EmailBackend
-from django.db.models import Count
 from django.dispatch import receiver
 from django.template.loader import get_template
 from django.utils.timezone import now
@@ -130,21 +128,9 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):

        if order:
            htmlctx['order'] = order
-            positions = list(order.positions.select_related(
-                'item', 'variation', 'subevent', 'addon_to'
-            ).annotate(
-                has_addons=Count('addons')
-            ))
-            htmlctx['cart'] = [(k, list(v)) for k, v in groupby(
-                positions, key=lambda op: (
-                    op.item, op.variation, op.subevent, op.attendee_name,
-                    (op.pk if op.addon_to_id else None), (op.pk if op.has_addons else None)
-                )
-            )]

        if position:
            htmlctx['position'] = position
-            htmlctx['ev'] = position.subevent or self.event

        tpl = get_template(self.template_name)
        body_html = inline_css(tpl.render(htmlctx))
@@ -251,8 +237,6 @@ def get_email_context(**kwargs):
    from pretix.base.models import InvoiceAddress

    event = kwargs['event']
-    if 'position' in kwargs:
-        kwargs.setdefault("position_or_address", kwargs['position'])
    if 'order' in kwargs:
        try:
            kwargs['invoice_address'] = kwargs['order'].invoice_address
@@ -443,30 +427,28 @@ def base_placeholders(sender, **kwargs):
            'orders', ['event', 'orders'], lambda event, orders: '\n' + '\n\n'.join(
                '* {} - {}'.format(
                    order.full_code,
-                    build_absolute_uri(event, 'presale:event.order.open', kwargs={
+                    build_absolute_uri(event, 'presale:event.order', kwargs={
                        'event': event.slug,
                        'organizer': event.organizer.slug,
                        'order': order.code,
-                        'secret': order.secret,
-                        'hash': order.email_confirm_hash(),
+                        'secret': order.secret
                    }),
                )
                for order in orders
            ), lambda event: '\n' + '\n\n'.join(
                '* {} - {}'.format(
                    '{}-{}'.format(event.slug.upper(), order['code']),
-                    build_absolute_uri(event, 'presale:event.order.open', kwargs={
+                    build_absolute_uri(event, 'presale:event.order', kwargs={
                        'event': event.slug,
                        'organizer': event.organizer.slug,
                        'order': order['code'],
-                        'secret': order['secret'],
-                        'hash': order['hash'],
+                        'secret': order['secret']
                    }),
                )
                for order in [
-                    {'code': 'F8VVL', 'secret': '6zzjnumtsx136ddy', 'hash': 'abcdefghi'},
-                    {'code': 'HIDHK', 'secret': '98kusd8ofsj8dnkd', 'hash': 'jklmnopqr'},
-                    {'code': 'OPKSB', 'secret': '09pjdksflosk3njd', 'hash': 'stuvwxy2z'}
+                    {'code': 'F8VVL', 'secret': '6zzjnumtsx136ddy'},
+                    {'code': 'HIDHK', 'secret': '98kusd8ofsj8dnkd'},
+                    {'code': 'OPKSB', 'secret': '09pjdksflosk3njd'}
                ]
            ),
        ),
@@ -484,8 +466,7 @@ def base_placeholders(sender, **kwargs):
            '68CYU2H6ZTP3WLK5'
        ),
        SimpleFunctionalMailTextPlaceholder(
-            # join vouchers with two spaces at end of line so markdown-parser inserts a <br>
-            'voucher_list', ['voucher_list'], lambda voucher_list: '  \n'.join(voucher_list),
+            'voucher_list', ['voucher_list'], lambda voucher_list: '\n'.join(voucher_list),
            '    68CYU2H6ZTP3WLK5\n    7MB94KKPVEPSMVF2'
        ),
        SimpleFunctionalMailTextPlaceholder(
--- a/src/pretix/base/exporter.py
+++ b/src/pretix/base/exporter.py
@@ -1,5 +1,4 @@
 import io
-import re
 import tempfile
 from collections import OrderedDict, namedtuple
 from decimal import Decimal
@@ -11,21 +10,11 @@ from django.db.models import QuerySet
 from django.utils.formats import localize
 from django.utils.translation import gettext, gettext_lazy as _
 from openpyxl import Workbook
-from openpyxl.cell.cell import ILLEGAL_CHARACTERS_RE, KNOWN_TYPES
+from openpyxl.cell.cell import KNOWN_TYPES

 from pretix.base.models import Event


-def excel_safe(val):
-    if not isinstance(val, KNOWN_TYPES):
-        val = str(val)
-
-    if isinstance(val, str):
-        val = re.sub(ILLEGAL_CHARACTERS_RE, '', val)
-
-    return val
-
-
 class BaseExporter:
    """
    This is the base class for all data exporters
@@ -192,7 +181,7 @@ class ListExporter(BaseExporter):
                total = line.total
                continue
            ws.append([
-                excel_safe(val) if not isinstance(val, KNOWN_TYPES) else val
+                str(val) if not isinstance(val, KNOWN_TYPES) else val
                for val in line
            ])
            if total:
@@ -253,10 +242,7 @@ class MultiSheetListExporter(ListExporter):
        pass

    def iterate_sheet(self, form_data, sheet):
-        if hasattr(self, 'iterate_' + sheet):
-            yield from getattr(self, 'iterate_' + sheet)(form_data)
-        else:
-            raise NotImplementedError()  # noqa
+        raise NotImplementedError()  # noqa

    def _render_sheet_csv(self, form_data, sheet, output_file=None, **kwargs):
        total = 0
@@ -302,9 +288,6 @@ class MultiSheetListExporter(ListExporter):
        n_sheets = len(self.sheets)
        for i_sheet, (s, l) in enumerate(self.sheets):
            ws = wb.create_sheet(str(l))
-            if hasattr(self, 'prepare_xlsx_sheet_' + s):
-                getattr(self, 'prepare_xlsx_sheet_' + s)(ws)
-
            total = 0
            counter = 0
            for i, line in enumerate(self.iterate_sheet(form_data, sheet=s)):
@@ -312,7 +295,7 @@ class MultiSheetListExporter(ListExporter):
                    total = line.total
                    continue
                ws.append([
-                    excel_safe(val)
+                    str(val) if not isinstance(val, KNOWN_TYPES) else val
                    for val in line
                ])
                if total:
--- a/src/pretix/base/exporters/invoices.py
+++ b/src/pretix/base/exporters/invoices.py
@@ -18,7 +18,6 @@ from ...control.forms.filter import get_all_payment_providers
 from ...helpers import GroupConcat
 from ...helpers.iter import chunked_iterable
 from ..exporter import BaseExporter, MultiSheetListExporter
-from ..services.export import ExportError
 from ..services.invoices import invoice_pdf_task
 from ..signals import (
    register_data_exporters, register_multievent_data_exporters,
@@ -67,7 +66,7 @@ class InvoiceExporterMixin:
        )

    def invoices_queryset(self, form_data: dict):
-        qs = Invoice.objects.filter(event__in=self.events).select_related('order')
+        qs = Invoice.objects.filter(event__in=self.events)

        if form_data.get('payment_provider'):
            qs = qs.annotate(
@@ -112,16 +111,14 @@ class InvoiceExporter(InvoiceExporterMixin, BaseExporter):
                        if not i.file:
                            invoice_pdf_task.apply(args=(i.pk,))
                            i.refresh_from_db()
-                        if not i.file:
-                            raise ExportError('Could not generate PDF for invoice {nr}'.format(nr=i.full_invoice_no))
                        i.file.open('rb')
-                        zipf.writestr('{}-{}.pdf'.format(i.number, i.order.code), i.file.read())
+                        zipf.writestr('{}.pdf'.format(i.number), i.file.read())
                        i.file.close()
                    except FileNotFoundError:
                        invoice_pdf_task.apply(args=(i.pk,))
                        i.refresh_from_db()
                        i.file.open('rb')
-                        zipf.writestr('{}-{}.pdf'.format(i.number, i.order.code), i.file.read())
+                        zipf.writestr('{}.pdf'.format(i.number), i.file.read())
                        i.file.close()
                    counter += 1
                    if total and counter % max(10, total // 100) == 0:
--- a/src/pretix/base/exporters/orderlist.py
+++ b/src/pretix/base/exporters/orderlist.py
@@ -1,22 +1,18 @@
 from collections import OrderedDict
 from decimal import Decimal

-import dateutil
 import pytz
 from django import forms
 from django.db.models import (
-    Case, CharField, Count, DateTimeField, F, IntegerField, Max, Min, OuterRef,
-    Q, Subquery, Sum, When,
+    CharField, Count, DateTimeField, IntegerField, Max, OuterRef, Subquery,
+    Sum,
 )
-from django.db.models.functions import Coalesce, TruncDate
 from django.dispatch import receiver
 from django.utils.functional import cached_property
-from django.utils.timezone import get_current_timezone, now
 from django.utils.translation import gettext as _, gettext_lazy, pgettext

 from pretix.base.models import (
-    GiftCard, GiftCardTransaction, Invoice, InvoiceAddress, Order,
-    OrderPosition, Question,
+    GiftCard, Invoice, InvoiceAddress, Order, OrderPosition, Question,
 )
 from pretix.base.models.orders import OrderFee, OrderPayment, OrderRefund
 from pretix.base.services.quotas import QuotaAvailability
@@ -49,61 +45,22 @@ class OrderListExporter(MultiSheetListExporter):

    @property
    def additional_form_fields(self):
-        d = [
-            ('paid_only',
-             forms.BooleanField(
-                 label=_('Only paid orders'),
-                 initial=True,
-                 required=False
-             )),
-            ('include_payment_amounts',
-             forms.BooleanField(
-                 label=_('Include payment amounts'),
-                 initial=False,
-                 required=False
-             )),
-            ('group_multiple_choice',
-             forms.BooleanField(
-                 label=_('Show multiple choice answers grouped in one column'),
-                 initial=False,
-                 required=False
-             )),
-            ('date_from',
-             forms.DateField(
-                 label=_('Start date'),
-                 widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
-                 required=False,
-                 help_text=_('Only include orders created on or after this date.')
-             )),
-            ('date_to',
-             forms.DateField(
-                 label=_('End date'),
-                 widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
-                 required=False,
-                 help_text=_('Only include orders issued on or before this date.')
-             )),
-            ('event_date_from',
-             forms.DateField(
-                 label=_('Start event date'),
-                 widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
-                 required=False,
-                 help_text=_('Only include orders including at least one ticket for a date on or after this date. '
-                             'Will also include other dates in case of mixed orders!')
-             )),
-            ('event_date_to',
-             forms.DateField(
-                 label=_('End event date'),
-                 widget=forms.DateInput(attrs={'class': 'datepickerfield'}),
-                 required=False,
-                 help_text=_('Only include orders including at least one ticket for a date on or after this date. '
-                             'Will also include other dates in case of mixed orders!')
-             )),
-        ]
-        d = OrderedDict(d)
-        if not self.is_multievent and not self.event.has_subevents:
-            del d['event_date_from']
-            del d['event_date_to']
-        return d
+        return OrderedDict(
+            [
+                ('paid_only',
+                 forms.BooleanField(
+                     label=_('Only paid orders'),
+                     initial=True,
+                     required=False
+                 )),
+                ('include_payment_amounts',
+                 forms.BooleanField(
+                     label=_('Include payment amounts'),
+                     initial=False,
+                     required=False
+                 )),
+            ]
+        )

    def _get_all_payment_methods(self, qs):
        pps = dict(get_all_payment_providers())
@@ -141,52 +98,6 @@ class OrderListExporter(MultiSheetListExporter):
    def event_object_cache(self):
        return {e.pk: e for e in self.events}

-    def _date_filter(self, qs, form_data, rel):
-        annotations = {}
-        filters = {}
-
-        if form_data.get('date_from'):
-            date_value = form_data.get('date_from')
-            if isinstance(date_value, str):
-                date_value = dateutil.parser.parse(date_value).date()
-
-            annotations['date'] = TruncDate(f'{rel}datetime')
-            filters['date__gte'] = date_value
-
-        if form_data.get('date_to'):
-            date_value = form_data.get('date_to')
-            if isinstance(date_value, str):
-                date_value = dateutil.parser.parse(date_value).date()
-
-            annotations['date'] = TruncDate(f'{rel}datetime')
-            filters['date__lte'] = date_value
-
-        if form_data.get('event_date_from'):
-            date_value = form_data.get('event_date_from')
-            if isinstance(date_value, str):
-                date_value = dateutil.parser.parse(date_value).date()
-
-            annotations['event_date_max'] = Case(
-                When(**{f'{rel}event__has_subevents': True}, then=Max(f'{rel}all_positions__subevent__date_from')),
-                default=F(f'{rel}event__date_from'),
-            )
-            filters['event_date_max__gte'] = date_value
-
-        if form_data.get('event_date_to'):
-            date_value = form_data.get('event_date_to')
-            if isinstance(date_value, str):
-                date_value = dateutil.parser.parse(date_value).date()
-
-            annotations['event_date_min'] = Case(
-                When(**{f'{rel}event__has_subevents': True}, then=Min(f'{rel}all_positions__subevent__date_from')),
-                default=F(f'{rel}event__date_from'),
-            )
-            filters['event_date_min__lte'] = date_value
-
-        if filters:
-            return qs.annotate(**annotations).filter(**filters)
-        return qs
-
    def iterate_orders(self, form_data: dict):
        p_date = OrderPayment.objects.filter(
            order=OuterRef('pk'),
@@ -223,9 +134,6 @@ class OrderListExporter(MultiSheetListExporter):
            invoice_numbers=Subquery(i_numbers, output_field=CharField()),
            pcnt=Subquery(s, output_field=IntegerField())
        ).select_related('invoice_address')
-
-        qs = self._date_filter(qs, form_data, rel='')
-
        if form_data['paid_only']:
            qs = qs.filter(status=Order.STATUS_PAID)
        tax_rates = self._get_all_tax_rates(qs)
@@ -391,8 +299,6 @@ class OrderListExporter(MultiSheetListExporter):
        if form_data['paid_only']:
            qs = qs.filter(order__status=Order.STATUS_PAID)

-        qs = self._date_filter(qs, form_data, rel='order__')
-
        headers = [
            _('Event slug'),
            _('Order code'),
@@ -491,8 +397,6 @@ class OrderListExporter(MultiSheetListExporter):
        if form_data['paid_only']:
            qs = qs.filter(order__status=Order.STATUS_PAID)

-        qs = self._date_filter(qs, form_data, rel='order__')
-
        has_subevents = self.events.filter(has_subevents=True).exists()

        headers = [
@@ -545,14 +449,9 @@ class OrderListExporter(MultiSheetListExporter):
        for q in questions:
            if q.type == Question.TYPE_CHOICE_MULTIPLE:
                options[q.pk] = []
-                if form_data['group_multiple_choice']:
-                    for o in q.options.all():
-                        options[q.pk].append(o)
-                    headers.append(str(q.question))
-                else:
-                    for o in q.options.all():
-                        headers.append(str(q.question) + ' – ' + str(o.answer))
-                        options[q.pk].append(o)
+                for o in q.options.all():
+                    headers.append(str(q.question) + ' – ' + str(o.answer))
+                    options[q.pk].append(o)
            else:
                headers.append(str(q.question))
        headers += [
@@ -652,11 +551,8 @@ class OrderListExporter(MultiSheetListExporter):
                        acache[a.question_id] = str(a)
                for q in questions:
                    if q.type == Question.TYPE_CHOICE_MULTIPLE:
-                        if form_data['group_multiple_choice']:
-                            row.append(", ".join(str(o.answer) for o in options[q.pk] if o.pk in acache.get(q.pk, set())))
-                        else:
-                            for o in options[q.pk]:
-                                row.append(_('Yes') if o.pk in acache.get(q.pk, set()) else _('No'))
+                        for o in options[q.pk]:
+                            row.append(_('Yes') if o.pk in acache.get(q.pk, set()) else _('No'))
                    else:
                        row.append(acache.get(q.pk, ''))

@@ -742,7 +638,7 @@ class PaymentListExporter(ListExporter):

        headers = [
            _('Event slug'), _('Order'), _('Payment ID'), _('Creation date'), _('Completion date'), _('Status'),
-            _('Status code'), _('Amount'), _('Payment method'), _('Comment')
+            _('Status code'), _('Amount'), _('Payment method')
        ]
        yield headers

@@ -764,8 +660,7 @@ class PaymentListExporter(ListExporter):
                obj.get_state_display(),
                obj.state,
                obj.amount * (-1 if isinstance(obj, OrderRefund) else 1),
-                provider_names.get(obj.provider, obj.provider),
-                obj.comment if isinstance(obj, OrderRefund) else "",
+                provider_names.get(obj.provider, obj.provider)
            ]
            yield row

@@ -781,18 +676,13 @@ class QuotaListExporter(ListExporter):
    verbose_name = gettext_lazy('Quota availabilities')

    def iterate_list(self, form_data):
-        has_subevents = self.event.has_subevents
        headers = [
            _('Quota name'), _('Total quota'), _('Paid orders'), _('Pending orders'), _('Blocking vouchers'),
            _('Current user\'s carts'), _('Waiting list'), _('Exited orders'), _('Current availability')
        ]
-        if has_subevents:
-            headers.append(pgettext('subevent', 'Date'))
-            headers.append(_('Start date'))
-            headers.append(_('End date'))
        yield headers

-        quotas = list(self.event.quotas.select_related('subevent'))
+        quotas = list(self.event.quotas.all())
        qa = QuotaAvailability(full_results=True)
        qa.queue(*quotas)
        qa.compute()
@@ -810,18 +700,6 @@ class QuotaListExporter(ListExporter):
                qa.count_exited_orders[quota],
                _('Infinite') if avail[1] is None else avail[1]
            ]
-            if has_subevents:
-                if quota.subevent:
-                    row.append(quota.subevent.name)
-                    row.append(quota.subevent.date_from.astimezone(self.event.timezone).strftime('%Y-%m-%d %H:%M:%S'))
-                    if quota.subevent.date_to:
-                        row.append(quota.subevent.date_to.astimezone(self.event.timezone).strftime('%Y-%m-%d %H:%M:%S'))
-                    else:
-                        row.append('')
-                else:
-                    row.append('')
-                    row.append('')
-                    row.append('')
            yield row

    def get_filename(self):
@@ -872,116 +750,6 @@ class GiftcardRedemptionListExporter(ListExporter):
            return '{}_giftcardredemptions'.format(self.event.slug)


-def generate_GiftCardListExporter(organizer):  # hackhack
-    class GiftcardListExporter(ListExporter):
-        identifier = 'giftcardlist'
-        verbose_name = gettext_lazy('Gift cards')
-
-        @property
-        def additional_form_fields(self):
-            return OrderedDict(
-                [
-                    ('date', forms.DateTimeField(
-                        label=_('Show value at'),
-                        initial=now(),
-                    )),
-                    ('testmode', forms.ChoiceField(
-                        label=_('Test mode'),
-                        choices=(
-                            ('', _('All')),
-                            ('yes', _('Test mode')),
-                            ('no', _('Live')),
-                        ),
-                        initial='no',
-                        required=False
-                    )),
-                    ('state', forms.ChoiceField(
-                        label=_('Status'),
-                        choices=(
-                            ('', _('All')),
-                            ('empty', _('Empty')),
-                            ('valid_value', _('Valid and with value')),
-                            ('expired_value', _('Expired and with value')),
-                            ('expired', _('Expired')),
-                        ),
-                        initial='valid_value',
-                        required=False
-                    ))
-                ]
-            )
-
-        def iterate_list(self, form_data):
-            s = GiftCardTransaction.objects.filter(
-                card=OuterRef('pk'),
-                datetime__lte=form_data['date']
-            ).order_by().values('card').annotate(s=Sum('value')).values('s')
-            qs = organizer.issued_gift_cards.filter(
-                issuance__lte=form_data['date']
-            ).annotate(
-                cached_value=Coalesce(Subquery(s), Decimal('0.00')),
-            ).order_by('issuance').prefetch_related(
-                'transactions', 'transactions__order', 'transactions__order__event', 'transactions__order__invoices'
-            )
-
-            if form_data.get('testmode') == 'yes':
-                qs = qs.filter(testmode=True)
-            elif form_data.get('testmode') == 'no':
-                qs = qs.filter(testmode=False)
-
-            if form_data.get('state') == 'empty':
-                qs = qs.filter(cached_value=0)
-            elif form_data.get('state') == 'valid_value':
-                qs = qs.exclude(cached_value=0).filter(Q(expires__isnull=True) | Q(expires__gte=form_data['date']))
-            elif form_data.get('state') == 'expired_value':
-                qs = qs.exclude(cached_value=0).filter(expires__lt=form_data['date'])
-            elif form_data.get('state') == 'expired':
-                qs = qs.filter(expires__lt=form_data['date'])
-
-            headers = [
-                _('Gift card code'),
-                _('Test mode card'),
-                _('Creation date'),
-                _('Expiry date'),
-                _('Special terms and conditions'),
-                _('Currency'),
-                _('Current value'),
-                _('Created in order'),
-                _('Last invoice number of order'),
-                _('Last invoice date of order'),
-            ]
-            yield headers
-
-            tz = get_current_timezone()
-            for obj in qs:
-                o = None
-                i = None
-                trans = list(obj.transactions.all())
-                if trans:
-                    o = trans[0].order
-                if o:
-                    invs = list(o.invoices.all())
-                    if invs:
-                        i = invs[-1]
-                row = [
-                    obj.secret,
-                    _('Yes') if obj.testmode else _('No'),
-                    obj.issuance.astimezone(tz).date().strftime('%Y-%m-%d'),
-                    obj.expires.astimezone(tz).date().strftime('%Y-%m-%d') if obj.expires else '',
-                    obj.conditions or '',
-                    obj.currency,
-                    obj.cached_value,
-                    o.full_code if o else '',
-                    i.number if i else '',
-                    i.date.strftime('%Y-%m-%d') if i else '',
-                ]
-                yield row
-
-        def get_filename(self):
-            return '{}_giftcards'.format(organizer.slug)
-
-    return GiftcardListExporter
-
-
@receiver(register_data_exporters, dispatch_uid="exporter_orderlist")
 def register_orderlist_exporter(sender, **kwargs):
    return OrderListExporter
@@ -1015,8 +783,3 @@ def register_giftcardredemptionlist_exporter(sender, **kwargs):
@receiver(register_multievent_data_exporters, dispatch_uid="multiexporter_giftcardredemptionlist")
 def register_multievent_i_giftcardredemptionlist_exporter(sender, **kwargs):
    return GiftcardRedemptionListExporter
-
-
-@receiver(register_multievent_data_exporters, dispatch_uid="multiexporter_giftcardlist")
-def register_multievent_i_giftcardlist_exporter(sender, **kwargs):
-    return generate_GiftCardListExporter(sender)
--- a/src/pretix/base/exporters/waitinglist.py
+++ b/src/pretix/base/exporters/waitinglist.py
@@ -82,9 +82,7 @@ class WaitingListExporter(ListExporter):

        headers = [
            _('Date'),
-            _('Name'),
            _('Email'),
-            _('Phone number'),
            _('Product name'),
            _('Variation'),
            _('Event slug'),
@@ -119,9 +117,7 @@ class WaitingListExporter(ListExporter):

            row = [
                entry.created.astimezone(tz).strftime(datetime_format),  # alternative: .isoformat(),
-                entry.name,
                entry.email,
-                entry.phone,
                str(entry.item) if entry.item else "",
                str(entry.variation) if entry.variation else "",
                entry.event.slug,
--- a/src/pretix/base/forms/questions.py
+++ b/src/pretix/base/forms/questions.py
@@ -9,14 +9,12 @@ import pycountry
 import pytz
 import vat_moss.errors
 import vat_moss.id
-from babel import Locale
 from django import forms
 from django.contrib import messages
 from django.core.exceptions import ValidationError
 from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db.models import QuerySet
 from django.forms import Select
-from django.utils import translation
 from django.utils.formats import date_format
 from django.utils.html import escape
 from django.utils.safestring import mark_safe
@@ -26,7 +24,9 @@ from django_countries import countries
 from django_countries.fields import Country, CountryField
 from phonenumber_field.formfields import PhoneNumberField
 from phonenumber_field.phonenumber import PhoneNumber
-from phonenumber_field.widgets import PhoneNumberPrefixWidget
+from phonenumber_field.widgets import (
+    PhoneNumberPrefixWidget, PhonePrefixSelect,
+)
 from phonenumbers import NumberParseException, national_significant_number
 from phonenumbers.data import _COUNTRY_CODE_TO_REGION_CODE

@@ -100,7 +100,7 @@ class NamePartsWidget(forms.MultiWidget):
        if not isinstance(value, list):
            value = self.decompress(value)
        output = []
-        final_attrs = self.build_attrs(attrs or {})
+        final_attrs = self.build_attrs(attrs or dict())
        if 'required' in final_attrs:
            del final_attrs['required']
        id_ = final_attrs.get('id', None)
@@ -122,8 +122,6 @@ class NamePartsWidget(forms.MultiWidget):
                    these_attrs.pop('data-no-required-attr', None)
                these_attrs['autocomplete'] = (self.attrs.get('autocomplete', '') + ' ' + self.autofill_map.get(self.scheme['fields'][i][0], 'off')).strip()
                these_attrs['data-size'] = self.scheme['fields'][i][2]
-                if len(self.widgets) > 1:
-                    these_attrs['aria-label'] = self.scheme['fields'][i][1]
            else:
                these_attrs = final_attrs
            output.append(widget.render(name + '_%s' % i, widget_value, these_attrs, renderer=renderer))
@@ -207,48 +205,16 @@ class NamePartsFormField(forms.MultiValueField):
        return value


-class WrappedPhonePrefixSelect(Select):
-    initial = None
-
-    def __init__(self, initial=None):
-        choices = [("", "---------")]
-        language = get_babel_locale()  # changed from default implementation that used the django locale
-        locale = Locale(translation.to_locale(language))
-        for prefix, values in _COUNTRY_CODE_TO_REGION_CODE.items():
-            prefix = "+%d" % prefix
-            if initial and initial in values:
-                self.initial = prefix
-            for country_code in values:
-                country_name = locale.territories.get(country_code)
-                if country_name:
-                    choices.append((prefix, "{} {}".format(country_name, prefix)))
-        super().__init__(choices=sorted(choices, key=lambda item: item[1]), attrs={'aria-label': pgettext_lazy('phonenumber', 'International area code')})
-
-    def render(self, name, value, *args, **kwargs):
-        return super().render(name, value or self.initial, *args, **kwargs)
-
-    def get_context(self, name, value, attrs):
-        if value and self.choices[1][0] != value:
-            matching_choices = len([1 for p, c in self.choices if p == value])
-            if matching_choices > 1:
-                # Some countries share a phone prefix, for example +1 is used all over the Americas.
-                # This causes a UX problem: If the default value or the existing data is +12125552368,
-                # the widget will just show the first <option> entry with value="+1" as selected,
-                # which alphabetically is America Samoa, although most numbers statistically are from
-                # the US. As a workaround, we detect this case and add an aditional choice value with
-                # just <option value="+1">+1</option> without an explicit country.
-                self.choices.insert(1, (value, value))
-        context = super().get_context(name, value, attrs)
-        return context
+class WrappedPhonePrefixSelect(PhonePrefixSelect):
+    def __init__(self, *args, **kwargs):
+        with language(get_babel_locale()):
+            super().__init__(*args, **kwargs)


 class WrappedPhoneNumberPrefixWidget(PhoneNumberPrefixWidget):

    def __init__(self, attrs=None, initial=None):
-        attrs = {
-            'aria-label': pgettext_lazy('phonenumber', 'Phone number (without international area code)')
-        }
-        widgets = (WrappedPhonePrefixSelect(initial), forms.TextInput(attrs=attrs))
+        widgets = (WrappedPhonePrefixSelect(initial), forms.TextInput())
        super(PhoneNumberPrefixWidget, self).__init__(widgets, attrs)

    def render(self, name, value, attrs=None, renderer=None):
@@ -449,7 +415,6 @@ class BaseQuestionsForm(forms.Form):
            c = [('', pgettext_lazy('address', 'Select state'))]
            fprefix = str(self.prefix) + '-' if self.prefix is not None and self.prefix != '-' else ''
            cc = None
-            state = None
            if fprefix + 'country' in self.data:
                cc = str(self.data[fprefix + 'country'])
            elif country:
@@ -458,7 +423,6 @@ class BaseQuestionsForm(forms.Form):
                types, form = COUNTRIES_WITH_STATE_IN_ADDRESS[cc]
                statelist = [s for s in pycountry.subdivisions.get(country_code=cc) if s.type in types]
                c += sorted([(s.code[3:], s.name) for s in statelist], key=lambda s: s[1])
-                state = (cartpos.state if cartpos else orderpos.state)
            elif fprefix + 'state' in self.data:
                self.data = self.data.copy()
                del self.data[fprefix + 'state']
@@ -467,7 +431,6 @@ class BaseQuestionsForm(forms.Form):
                label=pgettext_lazy('address', 'State'),
                required=False,
                choices=c,
-                initial=state,
                widget=forms.Select(attrs={
                    'autocomplete': 'address-level1',
                }),
@@ -698,9 +661,8 @@ class BaseQuestionsForm(forms.Form):
        if not self.all_optional:
            for q in question_cache.values():
                answer = d.get('question_%d' % q.pk)
-                field = self['question_%d' % q.pk]
-                if question_is_required(q) and not answer and answer != 0 and not field.errors:
-                    raise ValidationError({'question_%d' % q.pk: [_('This field is required.')]})
+                if question_is_required(q) and not answer and answer != 0:
+                    raise ValidationError({'question_%d' % q.pk: [_('This field is required')]})

        return d

@@ -856,13 +818,11 @@ class BaseInvoiceAddressForm(forms.ModelForm):
        ) and len(data.get('name_parts', {})) == 1:
            # Do not save the country if it is the only field set -- we don't know the user even checked it!
            self.cleaned_data['country'] = ''
-
-        if data.get('vat_id') and is_eu_country(data.get('country')) and data.get('vat_id')[:2] != cc_to_vat_prefix(str(data.get('country'))):
-            raise ValidationError(_('Your VAT ID does not match the selected country.'))
-
        if self.validate_vat_id and self.instance.vat_id_validated and 'vat_id' not in self.changed_data:
            pass
        elif self.validate_vat_id and data.get('is_business') and is_eu_country(data.get('country')) and data.get('vat_id'):
+            if data.get('vat_id')[:2] != cc_to_vat_prefix(str(data.get('country'))):
+                raise ValidationError(_('Your VAT ID does not match the selected country.'))
            try:
                result = vat_moss.id.validate(data.get('vat_id'))
                if result:
--- a/src/pretix/base/forms/widgets.py
+++ b/src/pretix/base/forms/widgets.py
@@ -16,15 +16,12 @@ class DatePickerWidget(forms.DateInput):
        date_attrs = dict(attrs)
        date_attrs.setdefault('class', 'form-control')
        date_attrs['class'] += ' datepickerfield'
-        date_attrs['autocomplete'] = 'off'
+        date_attrs['autocomplete'] = 'date-picker-do-not-autofill'

-        def placeholder():
-            df = date_format or get_format('DATE_INPUT_FORMATS')[0]
-            return now().replace(
-                year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
-            ).strftime(df)
-
-        date_attrs['placeholder'] = lazy(placeholder, str)
+        df = date_format or get_format('DATE_INPUT_FORMATS')[0]
+        date_attrs['placeholder'] = now().replace(
+            year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
+        ).strftime(df)

        forms.DateInput.__init__(self, date_attrs, date_format)

@@ -37,15 +34,12 @@ class TimePickerWidget(forms.TimeInput):
        time_attrs = dict(attrs)
        time_attrs.setdefault('class', 'form-control')
        time_attrs['class'] += ' timepickerfield'
-        time_attrs['autocomplete'] = 'off'
+        time_attrs['autocomplete'] = 'time-picker-do-not-autofill'

-        def placeholder():
-            tf = time_format or get_format('TIME_INPUT_FORMATS')[0]
-            return now().replace(
-                year=2000, month=1, day=1, hour=0, minute=0, second=0, microsecond=0
-            ).strftime(tf)
-
-        time_attrs['placeholder'] = lazy(placeholder, str)
+        tf = time_format or get_format('TIME_INPUT_FORMATS')[0]
+        time_attrs['placeholder'] = now().replace(
+            year=2000, month=12, day=31, hour=18, minute=0, second=0, microsecond=0
+        ).strftime(tf)

        forms.TimeInput.__init__(self, time_attrs, time_format)

@@ -111,8 +105,8 @@ class SplitDateTimePickerWidget(forms.SplitDateTimeWidget):
        time_attrs.setdefault('autocomplete', 'off')
        date_attrs['class'] += ' datepickerfield'
        time_attrs['class'] += ' timepickerfield'
-        date_attrs['autocomplete'] = 'off'
-        time_attrs['autocomplete'] = 'off'
+        date_attrs['autocomplete'] = 'date-picker-do-not-autofill'
+        time_attrs['autocomplete'] = 'time-picker-do-not-autofill'
        if min_date:
            date_attrs['data-min'] = (
                min_date if isinstance(min_date, date) else min_date.astimezone(get_current_timezone()).date()
--- a/src/pretix/base/invoice.py
+++ b/src/pretix/base/invoice.py
@@ -12,10 +12,12 @@ from django.utils.formats import date_format, localize
 from django.utils.translation import (
    get_language, gettext, gettext_lazy, pgettext,
 )
+from PIL.Image import BICUBIC
 from reportlab.lib import pagesizes
 from reportlab.lib.enums import TA_LEFT, TA_RIGHT
 from reportlab.lib.styles import ParagraphStyle, StyleSheet1
 from reportlab.lib.units import mm
+from reportlab.lib.utils import ImageReader
 from reportlab.pdfbase import pdfmetrics
 from reportlab.pdfbase.pdfmetrics import stringWidth
 from reportlab.pdfbase.ttfonts import TTFont
@@ -29,7 +31,6 @@ from pretix.base.decimal import round_decimal
 from pretix.base.models import Event, Invoice, Order
 from pretix.base.signals import register_invoice_renderers
 from pretix.base.templatetags.money import money_filter
-from pretix.helpers.reportlab import ThumbnailingImageReader

 logger = logging.getLogger(__name__)

@@ -220,6 +221,26 @@ class BaseReportlabInvoiceRenderer(BaseInvoiceRenderer):
        return 'invoice.pdf', 'application/pdf', buffer.read()


+class ThumbnailingImageReader(ImageReader):
+    def resize(self, width, height, dpi):
+        if width is None:
+            width = height * self._image.size[0] / self._image.size[1]
+        if height is None:
+            height = width * self._image.size[1] / self._image.size[0]
+        self._image.thumbnail(
+            size=(int(width * dpi / 72), int(height * dpi / 72)),
+            resample=BICUBIC
+        )
+        self._data = None
+        return width, height
+
+    def _jpeg_fh(self):
+        # Bypass a reportlab-internal optimization that falls back to the original
+        # file handle if the file is a JPEG, and therefore does not respect the
+        # (smaller) size of the modified image.
+        return None
+
+
 class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    identifier = 'classic'
    verbose_name = pgettext('invoice', 'Classic renderer (pretix 1.0)')
@@ -255,10 +276,8 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    invoice_from_top = 17 * mm

    def _draw_invoice_from(self, canvas):
-        p = Paragraph(
-            bleach.clean(self.invoice.full_invoice_from, tags=[]).strip().replace('\n', '<br />\n'),
-            style=self.stylesheet['InvoiceFrom']
-        )
+        p = Paragraph(self.invoice.full_invoice_from.strip().replace('\n', '<br />\n'), style=self.stylesheet[
+            'InvoiceFrom'])
        p.wrapOn(canvas, self.invoice_from_width, self.invoice_from_height)
        p_size = p.wrap(self.invoice_from_width, self.invoice_from_height)
        p.drawOn(canvas, self.invoice_from_left, self.pagesize[1] - p_size[1] - self.invoice_from_top)
@@ -363,7 +382,6 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
    def _draw_event(self, canvas):
        def shorten(txt):
            txt = str(txt)
-            txt = bleach.clean(txt, tags=[]).strip()
            p = Paragraph(txt.strip().replace('\n', '<br />\n'), style=self.stylesheet['Normal'])
            p_size = p.wrap(self.event_width, self.event_height)

@@ -444,18 +462,13 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        story = []
        if self.invoice.custom_field:
            story.append(Paragraph(
-                '{}: {}'.format(
-                    bleach.clean(str(self.invoice.event.settings.invoice_address_custom_field), tags=[]).strip().replace('\n', '<br />\n'),
-                    bleach.clean(self.invoice.custom_field, tags=[]).strip().replace('\n', '<br />\n'),
-                ),
+                '{}: {}'.format(self.invoice.event.settings.invoice_address_custom_field, self.invoice.custom_field),
                self.stylesheet['Normal']
            ))

        if self.invoice.internal_reference:
            story.append(Paragraph(
-                pgettext('invoice', 'Customer reference: {reference}').format(
-                    reference=bleach.clean(self.invoice.internal_reference, tags=[]).strip().replace('\n', '<br />\n'),
-                ),
+                pgettext('invoice', 'Customer reference: {reference}').format(reference=self.invoice.internal_reference),
                self.stylesheet['Normal']
            ))

@@ -474,10 +487,7 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
            ))

        if self.invoice.introductory_text:
-            story.append(Paragraph(
-                self.invoice.introductory_text,
-                self.stylesheet['Normal']
-            ))
+            story.append(Paragraph(self.invoice.introductory_text, self.stylesheet['Normal']))
            story.append(Spacer(1, 10 * mm))

        return story
@@ -577,16 +587,10 @@ class ClassicInvoiceRenderer(BaseReportlabInvoiceRenderer):
        story.append(Spacer(1, 15 * mm))

        if self.invoice.payment_provider_text:
-            story.append(Paragraph(
-                self.invoice.payment_provider_text,
-                self.stylesheet['Normal']
-            ))
+            story.append(Paragraph(self.invoice.payment_provider_text, self.stylesheet['Normal']))

        if self.invoice.additional_text:
-            story.append(Paragraph(
-                self.invoice.additional_text,
-                self.stylesheet['Normal']
-            ))
+            story.append(Paragraph(self.invoice.additional_text, self.stylesheet['Normal']))
            story.append(Spacer(1, 15 * mm))

        tstyledata = [
@@ -718,10 +722,7 @@ class Modern1Renderer(ClassicInvoiceRenderer):
    def _draw_invoice_from(self, canvas):
        if not self.invoice.invoice_from:
            return
-        c = [
-            bleach.clean(l, tags=[]).strip().replace('\n', '<br />\n')
-            for l in self.invoice.address_invoice_from.strip().split('\n')
-        ]
+        c = self.invoice.address_invoice_from.strip().split('\n')
        p = Paragraph(' · '.join(c), style=self.stylesheet['Sender'])
        p.wrapOn(canvas, self.invoice_to_width, 15.7 * mm)
        p.drawOn(canvas, self.invoice_to_left, self.pagesize[1] - self.invoice_to_top + 2 * mm)
--- a/src/pretix/base/management/commands/runperiodic.py
+++ b/src/pretix/base/management/commands/runperiodic.py
@@ -16,8 +16,6 @@ class Command(BaseCommand):
    def add_arguments(self, parser):
        parser.add_argument('--tasks', action='store', type=str, help='Only execute the tasks with this name '
                                                                      '(dotted path, comma separation)')
-        parser.add_argument('--exclude', action='store', type=str, help='Exclude the tasks with this name '
-                                                                        '(dotted path, comma separation)')

    def handle(self, *args, **options):
        verbosity = int(options['verbosity'])
@@ -30,12 +28,9 @@ class Command(BaseCommand):
            if options.get('tasks'):
                if name not in options.get('tasks').split(','):
                    continue
-            if options.get('exclude'):
-                if name in options.get('exclude').split(','):
-                    continue

            if verbosity > 1:
-                self.stdout.write(f'INFO Running {name}…')
+                self.stdout.write(f'Running {name}…')
            t0 = time.time()
            try:
                r = receiver(signal=periodic_task, sender=self)
@@ -45,13 +40,13 @@ class Command(BaseCommand):
                if settings.SENTRY_ENABLED:
                    from sentry_sdk import capture_exception
                    capture_exception(err)
-                    self.stdout.write(self.style.ERROR(f'ERROR runperiodic {str(err)}\n'))
+                    self.stdout.write(self.style.ERROR(f'FAIL: {str(err)}\n'))
                else:
-                    self.stdout.write(self.style.ERROR(f'ERROR runperiodic {str(err)}\n'))
+                    self.stdout.write(self.style.ERROR(f'FAIL: {str(err)}\n'))
                    traceback.print_exc()
            else:
                if options.get('verbosity') > 1:
                    if r is SKIPPED:
-                        self.stdout.write(self.style.SUCCESS(f'INFO Skipped {name}'))
+                        self.stdout.write(self.style.SUCCESS(f'Skipped {name}'))
                    else:
-                        self.stdout.write(self.style.SUCCESS(f'INFO Completed {name} in {round(time.time() - t0, 3)}s'))
+                        self.stdout.write(self.style.SUCCESS(f'Completed {name} in {round(time.time() - t0, 3)}s'))
--- a/src/pretix/base/metrics.py
+++ b/src/pretix/base/metrics.py
@@ -1,6 +1,4 @@
-import json
 import math
-import time
 from collections import defaultdict

 from django.apps import apps
@@ -8,7 +6,6 @@ from django.conf import settings
 from django.db import connection

 from pretix.base.models import Event, Invoice, Order, OrderPosition, Organizer
-from pretix.celery_app import app

 if settings.HAS_REDIS:
    import django_redis
@@ -251,19 +248,6 @@ def metric_values():
        else:
            metrics['pretix_model_instances']['{model="%s"}' % m._meta] = estimate_count_fast(m)

-    if settings.HAS_CELERY:
-        client = app.broker_connection().channel().client
-        for q in settings.CELERY_TASK_QUEUES:
-            llen = client.llen(q.name)
-            lfirst = client.lindex(q.name, -1)
-            metrics['pretix_celery_tasks_queued_count']['{queue="%s"}' % q.name] = llen
-            if lfirst:
-                ldata = json.loads(lfirst)
-                dt = time.time() - ldata.get('created', 0)
-                metrics['pretix_celery_tasks_queued_age_seconds']['{queue="%s"}' % q.name] = dt
-            else:
-                metrics['pretix_celery_tasks_queued_age_seconds']['{queue="%s"}' % q.name] = 0
-
    return metrics


--- a/src/pretix/base/migrations/0175_orderrefund_comment.py
+++ b/src/pretix/base/migrations/0175_orderrefund_comment.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.0.11 on 2021-01-15 09:21
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('pretixbase', '0174_merge_20201222_1031'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='orderrefund',
-            name='comment',
-            field=models.TextField(null=True),
-        ),
-    ]
--- a/src/pretix/base/migrations/0176_auto_20210205_1512.py
+++ b/src/pretix/base/migrations/0176_auto_20210205_1512.py
@@ -1,28 +0,0 @@
-# Generated by Django 3.0.11 on 2021-02-05 15:12
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('pretixbase', '0175_orderrefund_comment'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='eventmetaproperty',
-            name='allowed_values',
-            field=models.TextField(null=True),
-        ),
-        migrations.AddField(
-            model_name='eventmetaproperty',
-            name='protected',
-            field=models.BooleanField(default=False),
-        ),
-        migrations.AddField(
-            model_name='eventmetaproperty',
-            name='required',
-            field=models.BooleanField(default=False),
-        ),
-    ]
--- a/src/pretix/base/migrations/0177_auto_20210301_1510.py
+++ b/src/pretix/base/migrations/0177_auto_20210301_1510.py
@@ -1,30 +0,0 @@
-# Generated by Django 3.0.10 on 2021-03-01 15:10
-
-import jsonfallback.fields
-import phonenumber_field.modelfields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('pretixbase', '0176_auto_20210205_1512'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='waitinglistentry',
-            name='name_cached',
-            field=models.CharField(max_length=255, null=True),
-        ),
-        migrations.AddField(
-            model_name='waitinglistentry',
-            name='name_parts',
-            field=jsonfallback.fields.FallbackJSONField(default=dict),
-        ),
-        migrations.AddField(
-            model_name='waitinglistentry',
-            name='phone',
-            field=phonenumber_field.modelfields.PhoneNumberField(max_length=128, null=True, region=None),
-        ),
-    ]
--- a/src/pretix/base/migrations/0178_auto_20210308_1326.py
+++ b/src/pretix/base/migrations/0178_auto_20210308_1326.py
@@ -1,34 +0,0 @@
-# Generated by Django 3.0.12 on 2021-03-08 13:26
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('pretixbase', '0177_auto_20210301_1510'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='invoiceline',
-            name='attendee_name',
-            field=models.TextField(null=True),
-        ),
-        migrations.AddField(
-            model_name='invoiceline',
-            name='event_date_to',
-            field=models.DateTimeField(null=True),
-        ),
-        migrations.AddField(
-            model_name='invoiceline',
-            name='item',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.Item'),
-        ),
-        migrations.AddField(
-            model_name='invoiceline',
-            name='variation',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, to='pretixbase.ItemVariation'),
-        ),
-    ]
--- a/src/pretix/base/migrations/0179_auto_20210311_1653.py
+++ b/src/pretix/base/migrations/0179_auto_20210311_1653.py
@@ -1,54 +0,0 @@
-# Generated by Django 3.0.10 on 2021-03-11 16:53
-
-from django.db import migrations
-
-
-def clean_duplicates(apps, schema_editor):
-    while True:
-        # Double subquery to avoid MySQL error 1093
-        delete_options = """
-            DELETE
-            FROM pretixbase_questionanswer_options
-            WHERE questionanswer_id IN (
-                SELECT minid FROM (
-                    SELECT MIN(qa.id) minid
-                    FROM pretixbase_questionanswer qa
-                    GROUP BY qa.cartposition_id, qa.orderposition_id, qa.question_id
-                    HAVING COUNT(*) > 1
-                ) AS tmptable
-            );
-        """
-        delete_answers = """
-            DELETE
-            FROM pretixbase_questionanswer
-            WHERE pretixbase_questionanswer.id IN (
-                SELECT minid FROM (
-                    SELECT MIN(qa.id) minid
-                    FROM pretixbase_questionanswer qa
-                    GROUP BY qa.cartposition_id, qa.orderposition_id, qa.question_id
-                    HAVING COUNT(*) > 1
-                ) AS tmptable
-            );
-        """
-        with schema_editor.connection.cursor() as cursor:
-            cursor.execute(delete_options)
-            cursor.execute(delete_answers)
-            if cursor.rowcount == 0:
-                return
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('pretixbase', '0178_auto_20210308_1326'),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            clean_duplicates,
-            migrations.RunPython.noop,
-        ),
-        migrations.AlterUniqueTogether(
-            name='questionanswer',
-            unique_together={('orderposition', 'question'), ('cartposition', 'question')},
-        ),
-    ]
--- a/src/pretix/base/migrations/0180_auto_20210324_1309.py
+++ b/src/pretix/base/migrations/0180_auto_20210324_1309.py
@@ -1,29 +0,0 @@
-# Generated by Django 3.0.12 on 2021-03-24 13:09
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('pretixbase', '0179_auto_20210311_1653'),
-    ]
-
-    operations = [
-        migrations.RemoveField(
-            model_name='quota',
-            name='cached_availability_number',
-        ),
-        migrations.RemoveField(
-            model_name='quota',
-            name='cached_availability_paid_orders',
-        ),
-        migrations.RemoveField(
-            model_name='quota',
-            name='cached_availability_state',
-        ),
-        migrations.RemoveField(
-            model_name='quota',
-            name='cached_availability_time',
-        ),
-    ]
--- a/src/pretix/base/migrations/0181_team_can_checkin_orders.py
+++ b/src/pretix/base/migrations/0181_team_can_checkin_orders.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.0.12 on 2021-03-29 08:12
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('pretixbase', '0180_auto_20210324_1309'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='team',
-            name='can_checkin_orders',
-            field=models.BooleanField(default=False),
-        ),
-    ]
--- a/src/pretix/base/models/checkin.py
+++ b/src/pretix/base/models/checkin.py
@@ -1,5 +1,4 @@
 from django.conf import settings
-from django.core.exceptions import ValidationError
 from django.db import models
 from django.db.models import Exists, F, Max, OuterRef, Q, Subquery
 from django.utils.timezone import now
@@ -143,54 +142,6 @@ class CheckinList(LoggedModel):
    def __str__(self):
        return self.name

-    @classmethod
-    def validate_rules(cls, rules, seen_nonbool=False, depth=0):
-        # While we implement a full jsonlogic machine on Python-level, we also use the logic rules to generate
-        # SQL queries, which is not a full implementation of JSON logic right now, but makes some assumptions,
-        # e.g. it does not support something like (a AND b) == (c OR D)
-        # Every change to our supported JSON logic must be done
-        # * in pretix.base.services.checkin
-        # * in pretix.base.models.checkin
-        # * in checkinrules.js
-        # * in libpretixsync
-        top_level_operators = {
-            '<', '<=', '>', '>=', '==', '!=', 'inList', 'isBefore', 'isAfter', 'or', 'and'
-        }
-        allowed_operators = top_level_operators | {
-            'buildTime', 'objectList', 'lookup', 'var',
-        }
-        allowed_vars = {
-            'product', 'variation', 'now', 'entries_number', 'entries_today', 'entries_days'
-        }
-        if not rules or not isinstance(rules, dict):
-            return
-
-        if len(rules) > 1:
-            raise ValidationError(f'Rules should not include dictionaries with more than one key, found: "{rules}".')
-
-        operator = list(rules.keys())[0]
-
-        if operator not in allowed_operators:
-            raise ValidationError(f'Logic operator "{operator}" is currently not allowed.')
-
-        if depth == 0 and operator not in top_level_operators:
-            raise ValidationError(f'Logic operator "{operator}" is currently not allowed on the first level.')
-
-        values = rules[operator]
-        if not isinstance(values, list) and not isinstance(values, tuple):
-            values = [values]
-
-        if operator == 'var':
-            if values[0] not in allowed_vars:
-                raise ValidationError(f'Logic variable "{values[0]}" is currently not allowed.')
-            return
-
-        if operator in ('or', 'and') and seen_nonbool:
-            raise ValidationError(f'You cannot use OR/AND logic on a level below a comparison operator.')
-
-        for v in values:
-            cls.validate_rules(v, seen_nonbool=seen_nonbool or operator not in ('or', 'and'), depth=depth + 1)
-

 class Checkin(models.Model):
    """
--- a/src/pretix/base/models/event.py
+++ b/src/pretix/base/models/event.py
@@ -10,18 +10,15 @@ from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.core.files.storage import default_storage
 from django.core.mail import get_connection
-from django.core.validators import (
-    MaxValueValidator, MinLengthValidator, MinValueValidator, RegexValidator,
-)
+from django.core.validators import RegexValidator
 from django.db import models
 from django.db.models import Exists, OuterRef, Prefetch, Q, Subquery, Value
 from django.template.defaultfilters import date as _date
-from django.urls import reverse
 from django.utils.crypto import get_random_string
 from django.utils.formats import date_format
 from django.utils.functional import cached_property
 from django.utils.timezone import make_aware, now
-from django.utils.translation import gettext, gettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from django_scopes import ScopedManager, scopes_disabled
 from i18nfield.fields import I18nCharField, I18nTextField

@@ -212,8 +209,7 @@ class EventMixin:
            & Q(Q(item__available_until__isnull=True) | Q(item__available_until__gte=now()))
            & Q(Q(item__category__isnull=True) | Q(item__category__is_addon=False))
            & Q(item__sales_channels__contains=channel)
-            & Q(item__hide_without_voucher=False)
-            & Q(item__require_bundling=False)
+            & Q(item__hide_without_voucher=False)  # TODO: does this make sense?
            & Q(quotas__pk=OuterRef('pk'))
        ).order_by().values_list('quotas__pk').annotate(
            items=GroupConcat('pk', delimiter=',')
@@ -357,11 +353,8 @@ class Event(EventMixin, LoggedModel):
            "remembered, but you can also choose to use a random value. "
            "This will be used in URLs, order codes, invoice numbers, and bank transfer references."),
        validators=[
-            MinLengthValidator(
-                limit_value=2,
-            ),
            RegexValidator(
-                regex="^[a-zA-Z0-9][a-zA-Z0-9.-]*[a-zA-Z0-9]$",
+                regex="^[a-zA-Z0-9][a-zA-Z0-9.-]*$",
                message=_("The slug may only contain letters, numbers, dots and dashes."),
            ),
            EventSlugBanlistValidator()
@@ -400,18 +393,10 @@ class Event(EventMixin, LoggedModel):
    geo_lat = models.FloatField(
        verbose_name=_("Latitude"),
        null=True, blank=True,
-        validators=[
-            MinValueValidator(-90),
-            MaxValueValidator(90),
-        ]
    )
    geo_lon = models.FloatField(
        verbose_name=_("Longitude"),
        null=True, blank=True,
-        validators=[
-            MinValueValidator(-180),
-            MaxValueValidator(180),
-        ]
    )
    plugins = models.TextField(
        null=False, blank=True,
@@ -658,6 +643,10 @@ class Event(EventMixin, LoggedModel):
            oldid = q.pk
            q.pk = None
            q.event = self
+            q.cached_availability_state = None
+            q.cached_availability_number = None
+            q.cached_availability_paid_orders = None
+            q.cached_availability_time = None
            q.closed = False
            q.save()
            q.log_action('pretix.object.cloned')
@@ -694,9 +683,9 @@ class Event(EventMixin, LoggedModel):
                for k, v in rules.items():
                    if k == 'lookup':
                        if v[0] == 'product':
-                            v[1] = str(item_map.get(int(v[1]), 0).pk) if int(v[1]) in item_map else "0"
+                            v[1] = str(item_map.get(int(v[1]), 0).pk)
                        elif v[0] == 'variation':
-                            v[1] = str(variation_map.get(int(v[1]), 0).pk) if int(v[1]) in variation_map else "0"
+                            v[1] = str(variation_map.get(int(v[1]), 0).pk)
                    else:
                        _walk_rules(v)
            elif isinstance(rules, list):
@@ -859,7 +848,7 @@ class Event(EventMixin, LoggedModel):
        Returns the currently configured ticket secret generator.
        """
        tsgs = self.ticket_secret_generators
-        return tsgs.get(self.settings.ticket_secret_generator, tsgs.get('random'))
+        return tsgs[self.settings.ticket_secret_generator]

    def get_data_shredders(self) -> dict:
        """
@@ -951,18 +940,6 @@ class Event(EventMixin, LoggedModel):
        if not self.quotas.exists():
            issues.append(_('You need to configure at least one quota to sell anything.'))

-        for mp in self.organizer.meta_properties.all():
-            if mp.required and not self.meta_data.get(mp.name):
-                issues.append(
-                    ('<a {a_attr}>' + gettext('You need to fill the meta parameter "{property}".') + '</a>').format(
-                        property=mp.name,
-                        a_attr='href="%s#id_prop-%d-value"' % (
-                            reverse('control:event.settings', kwargs={'organizer': self.organizer.slug, 'event': self.slug}),
-                            mp.pk
-                        )
-                    )
-                )
-
        responses = event_live_issues.send(self)
        for receiver, response in sorted(responses, key=lambda r: str(r[0])):
            if response:
@@ -1144,18 +1121,10 @@ class SubEvent(EventMixin, LoggedModel):
    geo_lat = models.FloatField(
        verbose_name=_("Latitude"),
        null=True, blank=True,
-        validators=[
-            MinValueValidator(-90),
-            MaxValueValidator(90),
-        ]
    )
    geo_lon = models.FloatField(
        verbose_name=_("Longitude"),
-        null=True, blank=True,
-        validators=[
-            MinValueValidator(-180),
-            MaxValueValidator(180),
-        ]
+        null=True, blank=True
    )
    frontpage_text = I18nTextField(
        null=True, blank=True,
@@ -1373,26 +1342,7 @@ class EventMetaProperty(LoggedModel):
        ],
        verbose_name=_("Name"),
    )
-    default = models.TextField(blank=True, verbose_name=_("Default value"))
-    protected = models.BooleanField(default=False,
-                                    verbose_name=_("Can only be changed by organizer-level administrators"))
-    required = models.BooleanField(
-        default=False, verbose_name=_("Required for events"),
-        help_text=_("If checked, an event can only be taken live if the property is set. In event series, its always "
-                    "optional to set a value for individual dates")
-    )
-    allowed_values = models.TextField(
-        null=True, blank=True,
-        verbose_name=_("Valid values"),
-        help_text=_("If you keep this empty, any value is allowed. Otherwise, enter one possible value per line.")
-    )
-
-    def full_clean(self, exclude=None, validate_unique=True):
-        super().full_clean(exclude, validate_unique)
-        if self.default and self.required:
-            raise ValidationError(_("A property can either be required or have a default value, not both."))
-        if self.default and self.allowed_values and self.default not in self.allowed_values.splitlines():
-            raise ValidationError(_("You cannot set a default value that is not a valid value."))
+    default = models.TextField(blank=True)


 class EventMetaValue(LoggedModel):
--- a/src/pretix/base/models/invoices.py
+++ b/src/pretix/base/models/invoices.py
@@ -273,14 +273,6 @@ class InvoiceLine(models.Model):
    :type subevent: SubEvent
    :param event_date_from: Event date of the (sub)event at the time the invoice was created
    :type event_date_from: datetime
-    :param event_date_to: Event end date of the (sub)event at the time the invoice was created
-    :type event_date_to: datetime
-    :param item: The item this line refers to
-    :type item: Item
-    :param variation: The variation this line refers to
-    :type variation: ItemVariation
-    :param attendee_name: The attendee name at the time the invoice was created
-    :type attendee_name: str
    """
    invoice = models.ForeignKey('Invoice', related_name='lines', on_delete=models.CASCADE)
    position = models.PositiveIntegerField(default=0)
@@ -291,10 +283,6 @@ class InvoiceLine(models.Model):
    tax_name = models.CharField(max_length=190)
    subevent = models.ForeignKey('SubEvent', null=True, blank=True, on_delete=models.PROTECT)
    event_date_from = models.DateTimeField(null=True)
-    event_date_to = models.DateTimeField(null=True)
-    item = models.ForeignKey('Item', null=True, blank=True, on_delete=models.PROTECT)
-    variation = models.ForeignKey('ItemVariation', null=True, blank=True, on_delete=models.PROTECT)
-    attendee_name = models.TextField(null=True, blank=True)

    @property
    def net_value(self):
--- a/src/pretix/base/models/items.py
+++ b/src/pretix/base/models/items.py
@@ -7,7 +7,6 @@ from typing import Tuple

 import dateutil.parser
 import pytz
-from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.core.validators import RegexValidator
 from django.db import models
@@ -18,7 +17,6 @@ from django.utils.functional import cached_property
 from django.utils.timezone import is_naive, make_aware, now
 from django.utils.translation import gettext_lazy as _, pgettext_lazy
 from django_countries.fields import Country
-from django_redis import get_redis_connection
 from django_scopes import ScopedManager
 from i18nfield.fields import I18nCharField, I18nTextField

@@ -1028,7 +1026,7 @@ class Question(LoggedModel):
        (TYPE_PHONENUMBER, _("Phone number")),
    )
    UNLOCALIZED_TYPES = [TYPE_DATE, TYPE_TIME, TYPE_DATETIME]
-    ASK_DURING_CHECKIN_UNSUPPORTED = [TYPE_PHONENUMBER]
+    ASK_DURING_CHECKIN_UNSUPPORTED = [TYPE_FILE, TYPE_PHONENUMBER]

    event = models.ForeignKey(
        Event,
@@ -1071,7 +1069,6 @@ class Question(LoggedModel):
    )
    ask_during_checkin = models.BooleanField(
        verbose_name=_('Ask during check-in instead of in the ticket buying process'),
-        help_text=_('Not supported by all check-in apps for all question types.'),
        default=False
    )
    hidden = models.BooleanField(
@@ -1088,23 +1085,17 @@ class Question(LoggedModel):
    )
    dependency_values = MultiStringField(default=[])
    valid_number_min = models.DecimalField(decimal_places=6, max_digits=16, null=True, blank=True,
-                                           verbose_name=_('Minimum value'),
-                                           help_text=_('Currently not supported in our apps and during check-in'))
+                                           verbose_name=_('Minimum value'), help_text=_('Currently not supported in our apps'))
    valid_number_max = models.DecimalField(decimal_places=6, max_digits=16, null=True, blank=True,
-                                           verbose_name=_('Maximum value'),
-                                           help_text=_('Currently not supported in our apps and during check-in'))
+                                           verbose_name=_('Maximum value'), help_text=_('Currently not supported in our apps'))
    valid_date_min = models.DateField(null=True, blank=True,
-                                      verbose_name=_('Minimum value'),
-                                      help_text=_('Currently not supported in our apps and during check-in'))
+                                      verbose_name=_('Minimum value'), help_text=_('Currently not supported in our apps'))
    valid_date_max = models.DateField(null=True, blank=True,
-                                      verbose_name=_('Maximum value'),
-                                      help_text=_('Currently not supported in our apps and during check-in'))
+                                      verbose_name=_('Maximum value'), help_text=_('Currently not supported in our apps'))
    valid_datetime_min = models.DateTimeField(null=True, blank=True,
-                                              verbose_name=_('Minimum value'),
-                                              help_text=_('Currently not supported in our apps and during check-in'))
+                                              verbose_name=_('Minimum value'), help_text=_('Currently not supported in our apps'))
    valid_datetime_max = models.DateTimeField(null=True, blank=True,
-                                              verbose_name=_('Maximum value'),
-                                              help_text=_('Currently not supported in our apps and during check-in'))
+                                              verbose_name=_('Maximum value'), help_text=_('Currently not supported in our apps'))

    objects = ScopedManager(organizer='event__organizer')

@@ -1382,6 +1373,10 @@ class Quota(LoggedModel):
        blank=True,
        verbose_name=_("Variations")
    )
+    cached_availability_state = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_number = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_paid_orders = models.PositiveIntegerField(null=True, blank=True)
+    cached_availability_time = models.DateTimeField(null=True, blank=True)

    close_when_sold_out = models.BooleanField(
        verbose_name=_('Close this quota permanently once it is sold out'),
@@ -1426,10 +1421,14 @@ class Quota(LoggedModel):
            self.event.cache.clear()

    def rebuild_cache(self, now_dt=None):
-        if settings.HAS_REDIS:
-            rc = get_redis_connection("redis")
-            rc.hdel(f'quotas:{self.event_id}:availabilitycache', str(self.pk))
-            self.availability(now_dt=now_dt)
+        self.cached_availability_time = None
+        self.cached_availability_number = None
+        self.cached_availability_state = None
+        self.availability(now_dt=now_dt)
+
+    def cache_is_hot(self, now_dt=None):
+        now_dt = now_dt or now()
+        return self.cached_availability_time and (now_dt - self.cached_availability_time).total_seconds() < 120

    def availability(
            self, now_dt: datetime=None, count_waitinglist=True, _cache=None, allow_cache=False
@@ -1452,6 +1451,9 @@ class Quota(LoggedModel):
        """
        from ..services.quotas import QuotaAvailability

+        if allow_cache and self.cache_is_hot() and count_waitinglist:
+            return self.cached_availability_state, self.cached_availability_number
+
        if _cache and count_waitinglist is not _cache.get('_count_waitinglist', True):
            _cache.clear()

@@ -1459,7 +1461,7 @@ class Quota(LoggedModel):
            return _cache[self.pk]
        qa = QuotaAvailability(count_waitinglist=count_waitinglist, early_out=False)
        qa.queue(self)
-        qa.compute(now_dt=now_dt, allow_cache=allow_cache)
+        qa.compute(now_dt=now_dt)
        res = qa.results[self]

        if _cache is not None:
--- a/src/pretix/base/models/orders.py
+++ b/src/pretix/base/models/orders.py
@@ -2,6 +2,7 @@ import copy
 import hashlib
 import json
 import logging
+import os
 import string
 from collections import Counter
 from datetime import datetime, time, timedelta
@@ -614,26 +615,21 @@ class Order(LockModel, LoggedModel):
        return proposals

    @staticmethod
-    def normalize_code(code, is_fallback=False):
-        d = {
+    def normalize_code(code):
+        tr = str.maketrans({
            '2': 'Z',
            '4': 'A',
            '5': 'S',
            '6': 'G',
-        }
-        if is_fallback:
-            d['8'] = 'B'
-            # 8 has been removed from the character set only in 2021, which means there are a lot of order codes
-            # with an 8 in it around. We only want to replace this when this is used in a fallback.
-        tr = str.maketrans(d)
+        })
        return code.upper().translate(tr)

    def assign_code(self):
        # This omits some character pairs completely because they are hard to read even on screens (1/I and O/0)
        # and includes only one of two characters for some pairs because they are sometimes hard to distinguish in
-        # handwriting (2/Z, 4/A, 5/S, 6/G, 8/B). This allows for better detection e.g. in incoming wire transfers that
+        # handwriting (2/Z, 4/A, 5/S, 6/G). This allows for better detection e.g. in incoming wire transfers that
        # might include OCR'd handwritten text
-        charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ379')
+        charset = list('ABCDEFGHJKLMNPQRSTUVWXYZ3789')
        iteration = 0
        length = settings.ENTROPY['order_code']
        while True:
@@ -665,8 +661,6 @@ class Order(LockModel, LoggedModel):
        related to the order. This checks order status and modification deadlines. It also
        returns ``False`` if there are no questions that can be answered.
        """
-        from .checkin import Checkin
-
        if self.status not in (Order.STATUS_PENDING, Order.STATUS_PAID, Order.STATUS_EXPIRED):
            return False

@@ -682,21 +676,10 @@ class Order(LockModel, LoggedModel):

        if modify_deadline is not None and now() > modify_deadline:
            return False
-
-        positions = list(
-            self.positions.all().annotate(
-                has_checkin=Exists(Checkin.objects.filter(position_id=OuterRef('pk')))
-            ).select_related('item').prefetch_related('item__questions')
-        )
-        if not self.event.settings.allow_modifications_after_checkin:
-            for cp in positions:
-                if cp.has_checkin:
-                    return False
-
        if self.event.settings.get('invoice_address_asked', as_type=bool):
            return True
        ask_names = self.event.settings.get('attendee_names_asked', as_type=bool)
-        for cp in positions:
+        for cp in self.positions.all().prefetch_related('item__questions'):
            if (cp.item.admission and ask_names) or cp.item.questions.all():
                return True

@@ -983,9 +966,6 @@ class QuestionAnswer(models.Model):

    objects = ScopedManager(organizer='question__event__organizer')

-    class Meta:
-        unique_together = [['orderposition', 'question'], ['cartposition', 'question']]
-
    @property
    def backend_file_url(self):
        if self.file:
@@ -1239,9 +1219,6 @@ class AbstractPosition(models.Model):
                else self.variation.quotas.filter(subevent=self.subevent))

    def save(self, *args, **kwargs):
-        update_fields = kwargs.get('update_fields', [])
-        if 'attendee_name_parts' in update_fields:
-            update_fields.append('attendee_name_cached')
        self.attendee_name_cached = self.attendee_name
        if self.attendee_name_parts is None:
            self.attendee_name_parts = {}
@@ -1507,7 +1484,7 @@ class OrderPayment(models.Model):
                       OrderRefund.REFUND_STATE_CREATED)
        ).aggregate(s=Sum('amount'))['s'] or Decimal('0.00')
        if payment_sum - refund_sum < self.order.total:
-            logger.info('Confirmed payment {} but payment sum is {} and refund sum is {}.'.format(
+            logger.info('Confirmed payment {} but payment sum is {} and refund sum is.'.format(
                self.full_id, payment_sum, refund_sum
            ))
            return
@@ -1731,11 +1708,6 @@ class OrderRefund(models.Model):
        max_length=255,
        verbose_name=_("Payment provider")
    )
-    comment = models.TextField(
-        verbose_name=_("Refund reason"),
-        help_text=_('May be shown to the end user or used e.g. as part of a payment reference.'),
-        null=True, blank=True
-    )
    info = models.TextField(
        verbose_name=_("Payment information"),
        null=True, blank=True
@@ -1774,7 +1746,7 @@ class OrderRefund(models.Model):
        Marks the refund as complete. This does not modify the state of the order.

        :param user: The user who performed the change
-        :param auth: The API auth token that performed the change
+        :param user: The API auth token that performed the change
        """
        self.state = self.REFUND_STATE_DONE
        self.execution_date = self.execution_date or now()
@@ -2335,6 +2307,7 @@ def cachedticket_name(instance, filename: str) -> str:
        no=instance.order_position.positionid,
        code=instance.order_position.order.code,
        secret=secret,
+        ext=os.path.splitext(filename)[1]
    )


--- a/src/pretix/base/models/organizer.py
+++ b/src/pretix/base/models/organizer.py
@@ -1,10 +1,9 @@
 import string
 from datetime import date, datetime, time

-from django.core.validators import MinLengthValidator, RegexValidator
+from django.core.validators import RegexValidator
 from django.db import models
 from django.db.models import Exists, OuterRef, Q
-from django.urls import reverse
 from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
 from django.utils.timezone import get_current_timezone, make_aware, now
@@ -39,11 +38,8 @@ class Organizer(LoggedModel):
            "Should be short, only contain lowercase letters, numbers, dots, and dashes. Every slug can only be used "
            "once. This is being used in URLs to refer to your organizer accounts and your events."),
        validators=[
-            MinLengthValidator(
-                limit_value=2,
-            ),
            RegexValidator(
-                regex="^[a-zA-Z0-9][a-zA-Z0-9.-]*[a-zA-Z0-9]$",
+                regex="^[a-zA-Z0-9][a-zA-Z0-9.-]+$",
                message=_("The slug may only contain letters, numbers, dots and dashes.")
            ),
            OrganizerSlugBanlistValidator()
@@ -89,15 +85,6 @@ class Organizer(LoggedModel):

        return ObjectRelatedCache(self)

-    @cached_property
-    def all_logentries_link(self):
-        return reverse(
-            'control:organizer.log',
-            kwargs={
-                'organizer': self.slug,
-            }
-        )
-
    @property
    def has_gift_cards(self):
        return self.cache.get_or_set(
@@ -174,8 +161,6 @@ class Team(LoggedModel):
    :type can_view_orders: bool
    :param can_change_orders: If ``True``, the members can change details of orders of the associated events.
    :type can_change_orders: bool
-    :param can_checkin_orders: If ``True``, the members can perform check-in related actions.
-    :type can_checkin_orders: bool
    :param can_view_vouchers: If ``True``, the members can inspect details of all vouchers of the associated events.
    :type can_view_vouchers: bool
    :param can_change_vouchers: If ``True``, the members can change and create vouchers for the associated events.
@@ -222,12 +207,6 @@ class Team(LoggedModel):
        default=False,
        verbose_name=_("Can change orders")
    )
-    can_checkin_orders = models.BooleanField(
-        default=False,
-        verbose_name=_("Can perform check-ins"),
-        help_text=_('This includes searching for attendees, which can be used to obtain personal information about '
-                    'attendees. Users with "can change orders" can also perform check-ins.')
-    )
    can_view_vouchers = models.BooleanField(
        default=False,
        verbose_name=_("Can view vouchers")
--- a/src/pretix/base/models/waitinglist.py
+++ b/src/pretix/base/models/waitinglist.py
@@ -5,14 +5,11 @@ from django.db import models, transaction
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _, pgettext_lazy
 from django_scopes import ScopedManager
-from jsonfallback.fields import FallbackJSONField
-from phonenumber_field.modelfields import PhoneNumberField

 from pretix.base.email import get_email_context
 from pretix.base.i18n import language
 from pretix.base.models import Voucher
 from pretix.base.services.mail import mail
-from pretix.base.settings import PERSON_NAME_SCHEMES

 from .base import LoggedModel
 from .event import Event, SubEvent
@@ -40,21 +37,9 @@ class WaitingListEntry(LoggedModel):
        verbose_name=_("On waiting list since"),
        auto_now_add=True
    )
-    name_cached = models.CharField(
-        max_length=255,
-        verbose_name=_("Name"),
-        blank=True, null=True,
-    )
-    name_parts = FallbackJSONField(
-        blank=True, default=dict
-    )
    email = models.EmailField(
        verbose_name=_("E-mail address")
    )
-    phone = PhoneNumberField(
-        null=True, blank=True,
-        verbose_name=_("Phone number")
-    )
    voucher = models.ForeignKey(
        'Voucher',
        verbose_name=_("Assigned voucher"),
@@ -98,27 +83,6 @@ class WaitingListEntry(LoggedModel):
        WaitingListEntry.clean_itemvar(self.event, self.item, self.variation)
        WaitingListEntry.clean_subevent(self.event, self.subevent)

-    def save(self, *args, **kwargs):
-        update_fields = kwargs.get('update_fields', [])
-        if 'name_parts' in update_fields:
-            update_fields.append('name_cached')
-        self.name_cached = self.name
-        if self.name_parts is None:
-            self.name_parts = {}
-        super().save(*args, **kwargs)
-
-    @property
-    def name(self):
-        if not self.name_parts:
-            return None
-        if '_legacy' in self.name_parts:
-            return self.name_parts['_legacy']
-        if '_scheme' in self.name_parts:
-            scheme = PERSON_NAME_SCHEMES[self.name_parts['_scheme']]
-        else:
-            scheme = PERSON_NAME_SCHEMES[self.event.settings.name_scheme]
-        return scheme['concatenation'](self.name_parts).strip()
-
    def send_voucher(self, quota_cache=None, user=None, auth=None):
        availability = (
            self.variation.check_quotas(count_waitinglist=False, subevent=self.subevent, _cache=quota_cache)
--- a/src/pretix/base/notifications.py
+++ b/src/pretix/base/notifications.py
@@ -1,6 +1,5 @@
 import logging
 from collections import OrderedDict, namedtuple
-from itertools import groupby

 from django.dispatch import receiver
 from django.utils.formats import date_format
@@ -183,33 +182,15 @@ class ParametrizedOrderNotificationType(NotificationType):
            n.add_attribute(pgettext_lazy('subevent', 'Dates'), '\n'.join(ses))
        else:
            n.add_attribute(_('Event date'), order.event.get_date_range_display())
-
-        positions = list(order.positions.select_related('item', 'variation', 'subevent'))
-        fees = list(order.fees.all())
-
        n.add_attribute(_('Order code'), order.code)
-        n.add_attribute(_('Net total'), money_filter(sum([p.net_price for p in positions] + [f.net_value for f in fees]), logentry.event.currency))
        n.add_attribute(_('Order total'), money_filter(order.total, logentry.event.currency))
        n.add_attribute(_('Pending amount'), money_filter(order.pending_sum, logentry.event.currency))
-        n.add_attribute(_('Order date'), date_format(order.datetime.astimezone(logentry.event.timezone), 'SHORT_DATETIME_FORMAT'))
+        n.add_attribute(_('Order date'), date_format(order.datetime, 'SHORT_DATETIME_FORMAT'))
        n.add_attribute(_('Order status'), order.get_status_display())
        n.add_attribute(_('Order positions'), str(order.positions.count()))
-
-        def sortkey(op):
-            return op.item_id, op.variation_id, op.subevent_id
-
-        def groupkey(op):
-            return op.item, op.variation, op.subevent
-
-        cart = [(k, list(v)) for k, v in groupby(sorted(positions, key=sortkey), key=groupkey)]
        items = []
-        for (item, variation, subevent), pos in cart:
-            ele = [str(len(pos)) + 'x ' + str(item)]
-            if variation:
-                ele.append(str(variation.value))
-            if subevent:
-                ele.append(str(subevent))
-            items.append(' – '.join(ele))
+        for it in self.event.items.filter(id__in=order.positions.values_list('item', flat=True)):
+            items.append(str(it.name))
        n.add_attribute(_('Purchased products'), '\n'.join(items))
        n.add_action(_('View order details'), order_url)
        return n
--- a/src/pretix/base/payment.py
+++ b/src/pretix/base/payment.py
@@ -9,7 +9,7 @@ import pytz
 from django import forms
 from django.conf import settings
 from django.contrib import messages
-from django.core.exceptions import ImproperlyConfigured, ValidationError
+from django.core.exceptions import ImproperlyConfigured
 from django.db import transaction
 from django.dispatch import receiver
 from django.forms import Form
@@ -706,24 +706,12 @@ class BasePaymentProvider:
        It should return HTML code containing information regarding the current payment
        status and, if applicable, next steps.

-        The default implementation returns an empty string.
+        The default implementation returns the verbose name of the payment provider.

        :param order: The order object
        """
        return ''

-    def payment_control_render_short(self, payment: OrderPayment) -> str:
-        """
-        Will be called if the *event administrator* performs an action on the payment. Should
-        return a very short version of the payment method. Usually, this should return e.g.
-        a transaction ID or account identifier, but no information on status, dates, etc.
-
-        The default implementation falls back to ``payment_presale_render``.
-
-        :param order: The order object
-        """
-        return self.payment_presale_render(payment)
-
    def refund_control_render(self, request: HttpRequest, refund: OrderRefund) -> str:
        """
        Will be called if the *event administrator* views the details of a refund.
@@ -737,19 +725,6 @@ class BasePaymentProvider:
        """
        return ''

-    def payment_presale_render(self, payment: OrderPayment) -> str:
-        """
-        Will be called if the *ticket customer* views the details of a payment. This is
-        currently used e.g. when the customer requests a refund to show which payment
-        method is used for the refund. This should only include very basic information
-        about the payment, such as "VISA card ****9999", and never raw payment information.
-
-        The default implementation returns the public name of the payment provider.
-
-        :param order: The order object
-        """
-        return self.public_name
-
    def payment_refund_supported(self, payment: OrderPayment) -> bool:
        """
        Will be called to check if the provider supports automatic refunding for this
@@ -785,32 +760,6 @@ class BasePaymentProvider:
        """
        raise PaymentException(_('Automatic refunds are not supported by this payment provider.'))

-    def new_refund_control_form_render(self, request: HttpRequest, order: Order) -> str:
-        """
-        Render a form that will be shown to backend users when trying to create a new refund.
-
-        Usually, refunds are created from an existing payment object, e.g. if there is a credit card
-        payment and the credit card provider returns ``True`` from ``payment_refund_supported``, the system
-        will automatically create an ``OrderRefund`` and call ``execute_refund`` on that payment. This method
-        can and should not be used in that situation! Instead, by implementing this method you can add a refund
-        flow for this payment provider that starts without an existing payment. For example, even though an order
-        was paid by credit card, it could easily be refunded by SEPA bank transfer. In that case, the SEPA bank
-        transfer provider would implement this method and return a form that asks for the IBAN.
-
-        This method should return HTML or ``None``. All form fields should have a globally unique name.
-        """
-        return
-
-    def new_refund_control_form_process(self, request: HttpRequest, amount: Decimal, order: Order) -> OrderRefund:
-        """
-        Process a backend user's request to initiate a new refund with an amount of ``amount`` for ``order``.
-
-        This method should parse the input provided to the form created and either raise ``ValidationError``
-        or return an ``OrderRefund`` object in ``created`` state that has not yet been saved to the database.
-        The system will then call ``execute_refund`` on that object.
-        """
-        raise ValidationError('Not implemented')
-
    def shred_payment_info(self, obj: Union[OrderPayment, OrderRefund]):
        """
        When personal data is removed from an event, this method is called to scrub payment-related data
@@ -950,7 +899,7 @@ class ManualPayment(BasePaymentProvider):

    @property
    def public_name(self):
-        return str(self.settings.get('public_name', as_type=LazyI18nString) or _('Manual payment'))
+        return str(self.settings.get('public_name', as_type=LazyI18nString))

    @property
    def settings_form_fields(self):
@@ -970,17 +919,17 @@ class ManualPayment(BasePaymentProvider):
                    label=_('Payment process description in order confirmation emails'),
                    help_text=_('This text will be included for the {payment_info} placeholder in order confirmation '
                                'mails. It should instruct the user on how to proceed with the payment. You can use '
-                                'the placeholders {order}, {amount}, {currency} and {amount_with_currency}.'),
+                                'the placeholders {order}, {total}, {currency} and {total_with_currency}.'),
                    widget=I18nTextarea,
-                    validators=[PlaceholderValidator(['{order}', '{amount}', '{currency}', '{amount_with_currency}'])],
+                    validators=[PlaceholderValidator(['{order}', '{total}', '{currency}', '{total_with_currency}'])],
                )),
                ('pending_description', I18nFormField(
                    label=_('Payment process description for pending orders'),
                    help_text=_('This text will be shown on the order confirmation page for pending orders. '
                                'It should instruct the user on how to proceed with the payment. You can use '
-                                'the placeholders {order}, {amount}, {currency} and {amount_with_currency}.'),
+                                'the placeholders {order}, {total}, {currency} and {total_with_currency}.'),
                    widget=I18nTextarea,
-                    validators=[PlaceholderValidator(['{order}', '{amount}', '{currency}', '{amount_with_currency}'])],
+                    validators=[PlaceholderValidator(['{order}', '{total}', '{currency}', '{total_with_currency}'])],
                )),
            ] + list(super().settings_form_fields.items())
        )
@@ -1001,24 +950,21 @@ class ManualPayment(BasePaymentProvider):
    def checkout_confirm_render(self, request):
        return self.payment_form_render(request)

-    def format_map(self, order, payment):
+    def format_map(self, order):
        return {
            'order': order.code,
-            'amount': payment.amount,
-            'currency': self.event.currency,
-            'amount_with_currency': money_filter(payment.amount, self.event.currency),
-            # {total} and {total_with_currency} are deprecated
            'total': order.total,
-            'total_with_currency': money_filter(order.total, self.event.currency),
+            'currency': self.event.currency,
+            'total_with_currency': money_filter(order.total, self.event.currency)
        }

-    def order_pending_mail_render(self, order, payment) -> str:
-        msg = str(self.settings.get('email_instructions', as_type=LazyI18nString)).format_map(self.format_map(order, payment))
+    def order_pending_mail_render(self, order) -> str:
+        msg = str(self.settings.get('email_instructions', as_type=LazyI18nString)).format_map(self.format_map(order))
        return msg

    def payment_pending_render(self, request, payment) -> str:
        return rich_text(
-            str(self.settings.get('pending_description', as_type=LazyI18nString)).format_map(self.format_map(payment.order, payment))
+            str(self.settings.get('pending_description', as_type=LazyI18nString)).format_map(self.format_map(payment.order))
        )


--- a/src/pretix/base/pdf.py
+++ b/src/pretix/base/pdf.py
@@ -1,5 +1,4 @@
 import copy
-import hashlib
 import itertools
 import logging
 import os
@@ -36,9 +35,9 @@ from reportlab.platypus import Paragraph

 from pretix.base.i18n import language
 from pretix.base.invoice import ThumbnailingImageReader
-from pretix.base.models import Order, OrderPosition, Question
+from pretix.base.models import Order, OrderPosition
 from pretix.base.settings import PERSON_NAME_SCHEMES
-from pretix.base.signals import layout_image_variables, layout_text_variables
+from pretix.base.signals import layout_text_variables
 from pretix.base.templatetags.money import money_filter
 from pretix.base.templatetags.phone_format import phone_format
 from pretix.presale.style import get_fonts
@@ -155,11 +154,6 @@ DEFAULT_VARIABLES = OrderedDict((
        "editor_sample": _("Sample event name"),
        "evaluate": lambda op, order, ev: str(ev.name)
    }),
-    ("event_series_name", {
-        "label": _("Event series"),
-        "editor_sample": _("Sample event name"),
-        "evaluate": lambda op, order, ev: str(order.event.name)
-    }),
    ("event_date", {
        "label": _("Event date"),
        "editor_sample": _("May 31st, 2017"),
@@ -298,11 +292,6 @@ DEFAULT_VARIABLES = OrderedDict((
        "editor_sample": _("Event organizer info text"),
        "evaluate": lambda op, order, ev: str(order.event.settings.organizer_info_text)
    }),
-    ("event_info_text", {
-        "label": _("Event info text"),
-        "editor_sample": _("Event info text"),
-        "evaluate": lambda op, order, ev: str(order.event.settings.event_info_text)
-    }),
    ("now_date", {
        "label": _("Printing date"),
        "editor_sample": _("2017-05-31"),
@@ -350,47 +339,6 @@ DEFAULT_VARIABLES = OrderedDict((
        "evaluate": lambda op, order, ev: str(op.seat.seat_number if op.seat else "")
    }),
 ))
-DEFAULT_IMAGES = OrderedDict([])
-
-
-@receiver(layout_image_variables, dispatch_uid="pretix_base_layout_image_variables_questions")
-def images_from_questions(sender, *args, **kwargs):
-    def get_answer(op, order, event, question_id, etag):
-        a = None
-        if op.addon_to:
-            if 'answers' in getattr(op.addon_to, '_prefetched_objects_cache', {}):
-                try:
-                    a = [a for a in op.addon_to.answers.all() if a.question_id == question_id][0]
-                except IndexError:
-                    pass
-            else:
-                a = op.addon_to.answers.filter(question_id=question_id).first()
-
-        if 'answers' in getattr(op, '_prefetched_objects_cache', {}):
-            try:
-                a = [a for a in op.answers.all() if a.question_id == question_id][0]
-            except IndexError:
-                pass
-        else:
-            a = op.answers.filter(question_id=question_id).first()
-
-        if not a or not a.file or not any(a.file.name.lower().endswith(e) for e in (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff")):
-            return None
-        else:
-            if etag:
-                return hashlib.sha1(a.file.name.encode()).hexdigest()
-            return a.file
-
-    d = {}
-    for q in sender.questions.all():
-        if q.type != Question.TYPE_FILE:
-            continue
-        d['question_{}'.format(q.identifier)] = {
-            'label': _('Question: {question}').format(question=q.question),
-            'evaluate': partial(get_answer, question_id=q.pk, etag=False),
-            'etag': partial(get_answer, question_id=q.pk, etag=True),
-        }
-    return d


@receiver(layout_text_variables, dispatch_uid="pretix_base_layout_text_variables_questions")
@@ -421,8 +369,6 @@ def variables_from_questions(sender, *args, **kwargs):

    d = {}
    for q in sender.questions.all():
-        if q.type == Question.TYPE_FILE:
-            continue
        d['question_{}'.format(q.pk)] = {
            'label': _('Question: {question}').format(question=q.question),
            'editor_sample': _('<Answer: {question}>').format(question=q.question),
@@ -441,15 +387,6 @@ def _get_ia_name_part(key, op, order, ev):
    return order.invoice_address.name_parts.get(key, '') if getattr(order, 'invoice_address', None) else ''


-def get_images(event):
-    v = copy.copy(DEFAULT_IMAGES)
-
-    for recv, res in layout_image_variables.send(sender=event):
-        v.update(res)
-
-    return v
-
-
 def get_variables(event):
    v = copy.copy(DEFAULT_VARIABLES)

@@ -490,7 +427,6 @@ class Renderer:
        self.layout = layout
        self.background_file = background_file
        self.variables = get_variables(event)
-        self.images = get_images(event)
        self.event = event
        if self.background_file:
            self.bg_bytes = self.background_file.read()
@@ -578,47 +514,6 @@ class Renderer:
                return '(error)'
        return ''

-    def _draw_imagearea(self, canvas: Canvas, op: OrderPosition, order: Order, o: dict):
-        ev = self._get_ev(op, order)
-        if not o['content'] or o['content'] not in self.images:
-            image_file = None
-        else:
-            try:
-                image_file = self.images[o['content']]['evaluate'](op, order, ev)
-            except:
-                logger.exception('Failed to process variable.')
-                image_file = None
-
-        if image_file:
-            ir = ThumbnailingImageReader(image_file)
-            try:
-                ir.resize(float(o['width']) * mm, float(o['height']) * mm, 300)
-            except:
-                logger.exception("Can not resize image")
-                pass
-            canvas.drawImage(
-                image=ir,
-                x=float(o['left']) * mm,
-                y=float(o['bottom']) * mm,
-                width=float(o['width']) * mm,
-                height=float(o['height']) * mm,
-                preserveAspectRatio=True,
-                anchor='c',  # centered in frame
-                mask='auto'
-            )
-        else:
-            canvas.saveState()
-            canvas.setFillColorRGB(.8, .8, .8, alpha=1)
-            canvas.rect(
-                x=float(o['left']) * mm,
-                y=float(o['bottom']) * mm,
-                width=float(o['width']) * mm,
-                height=float(o['height']) * mm,
-                stroke=0,
-                fill=1,
-            )
-            canvas.restoreState()
-
    def _draw_textarea(self, canvas: Canvas, op: OrderPosition, order: Order, o: dict):
        font = o['fontfamily']
        if o['bold']:
@@ -677,8 +572,6 @@ class Renderer:
        for o in self.layout:
            if o['type'] == "barcodearea":
                self._draw_barcodearea(canvas, op, o)
-            elif o['type'] == "imagearea":
-                self._draw_imagearea(canvas, op, order, o)
            elif o['type'] == "textarea":
                self._draw_textarea(canvas, op, order, o)
            elif o['type'] == "poweredby":
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Raphael Michel	fe5a2286a4	Update cache handling	2021-01-01 20:13:09 +01:00
Raphael Michel	3d66bfee7f	Update checkout.py	2021-01-01 20:13:09 +01:00
Raphael Michel	0b495a4070	Validate email addresses fo valid DNS names	2021-01-01 20:13:09 +01:00