Explicitly set SQL connection timezone

Co-authored-by: Martin Gross <gross@rami.io>

doc/admin/installation/docker_smallscale.rst

@@ -36,9 +36,6 @@ Linux and firewalls, we recommend that you start with `ufw`_.
           SSL certificates can be obtained for free these days. We also *do not* provide support for HTTP-only
           installations except for evaluation purposes.
 
-.. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
-             **MariaDB 10.2.7 or newer**.
-
 .. warning:: By default, using `ufw` in conjunction will not have any effect. Please make sure to either bind the exposed
              ports of your docker container explicitly to 127.0.0.1 or configure docker to respect any set up firewall
              rules.
@@ -61,6 +58,9 @@ directory writable to the user that runs pretix inside the docker container::
 Database
 --------
 
+.. warning:: **Please use PostgreSQL for all new installations**. If you need to go for MySQL, make sure you run
+             **MySQL 5.7 or newer** or **MariaDB 10.2.7 or newer**.
+
 Next, we need a database and a database user. We can create these with any kind of database managing tool or directly on
 our database's shell. Please make sure that UTF8 is used as encoding for the best compatibility. You can check this with
 the following command::
@@ -91,6 +91,8 @@ When using MySQL, make sure you set the character set of the database to ``utf8m
 
     mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
+You will also need to make sure that ``sql_mode`` in your ``my.cnf`` file does **not** include ``ONLY_FULL_GROUP_BY``.
+
 Redis
 -----
 

doc/admin/installation/manual_smallscale.rst

@@ -34,9 +34,6 @@ Linux and firewalls, we recommend that you start with `ufw`_.
           SSL certificates can be obtained for free these days. We also *do not* provide support for HTTP-only
           installations except for evaluation purposes.
 
-.. warning:: We recommend **PostgreSQL**. If you go for MySQL, make sure you run **MySQL 5.7 or newer** or
-             **MariaDB 10.2.7 or newer**.
-
 Unix user
 ---------
 
@@ -50,6 +47,9 @@ In this guide, all code lines prepended with a ``#`` symbol are commands that yo
 Database
 --------
 
+.. warning:: **Please use PostgreSQL for all new installations**. If you need to go for MySQL, make sure you run
+             **MySQL 5.7 or newer** or **MariaDB 10.2.7 or newer**.
+
 Having the database server installed, we still need a database and a database user. We can create these with any kind
 of database managing tool or directly on our database's shell. Please make sure that UTF8 is used as encoding for the
 best compatibility. You can check this with the following command::
@@ -65,6 +65,8 @@ When using MySQL, make sure you set the character set of the database to ``utf8m
 
     mysql > CREATE DATABASE pretix DEFAULT CHARACTER SET utf8mb4 DEFAULT COLLATE utf8mb4_unicode_ci;
 
+You will also need to make sure that ``sql_mode`` in your ``my.cnf`` file does **not** include ``ONLY_FULL_GROUP_BY``.
+
 Package dependencies
 --------------------
 

doc/plugins/imported_secrets.rst

@@ -0,0 +1,301 @@
+Secrets Import
+==============
+
+Usually, pretix generates ticket secrets (i.e. the QR code used for scanning) itself. You can read more about this
+process at :ref:`secret_generators`.
+
+With the "Secrets Import" plugin, you can upload your own list of secrets to be used instead. This is useful for
+integrating with third-party check-in systems.
+
+
+API Resource description
+-------------------------
+
+The secrets import plugin provides a HTTP API that allows you to create new secrets.
+
+The imported secret resource contains the following public fields:
+
+.. rst-class:: rest-resource-table
+
+===================================== ========================== =======================================================
+Field                                 Type                       Description
+===================================== ========================== =======================================================
+id                                    integer                    Internal ID of the secret
+secret                                string                     Actual string content of the secret (QR code content)
+used                                  boolean                    Whether the secret was already used for a ticket. If ``true``,
+                                                                 the secret can no longer be deleted. Secrets are never used
+                                                                 twice, even if an order is canceled or deleted.
+item                                  integer                    Internal ID of a product, or ``null``. If set, the secret
+                                                                 will only be used for tickets of this product.
+variation                             integer                    Internal ID of a product variation, or ``null``. If set, the secret
+                                                                 will only be used for tickets of this product variation.
+subevent                              integer                    Internal ID of an event series date, or ``null``. If set, the secret
+                                                                 will only be used for tickets of this event series date.
+===================================== ========================== =======================================================
+
+API Endpoints
+-------------
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/imported_secrets/
+
+   Returns a list of all secrets imported for an event.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/imported_secrets/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id": 1,
+            "secret": "foobar",
+            "used": false,
+            "item": null,
+            "variation": null,
+            "subevent": null
+          }
+        ]
+      }
+
+   :query page: The page number in case of a multi-page result set, default is 1
+   :param organizer: The ``slug`` field of a valid organizer
+   :param event: The ``slug`` field of the event to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer or event does not exist **or** you have no permission to view it.
+
+.. http:get:: /api/v1/organizers/(organizer)/events/(event)/imported_secrets/(id)/
+
+   Returns information on one secret, identified by its ID.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/events/sampleconf/imported_secrets/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "secret": "foobar",
+        "used": false,
+        "item": null,
+        "variation": null,
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :param event: The ``slug`` field of the event to fetch
+   :param id: The ``id`` field of the secret to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/secret does not exist **or** you have no permission to view it.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/imported_secrets/
+
+   Create a new secret.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/imported_secrets/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      {
+        "secret": "foobar",
+        "used": false,
+        "item": null,
+        "variation": null,
+        "subevent": null
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 201 Created
+      Vary: Accept
+      Content-Type: application/json
+
+      {
+        "id": 1,
+        "secret": "foobar",
+        "used": false,
+        "item": null,
+        "variation": null,
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to a create new secret for
+   :param event: The ``slug`` field of the event to create a new secret for
+   :statuscode 201: no error
+   :statuscode 400: The secret could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create secrets.
+
+.. http:post:: /api/v1/organizers/(organizer)/events/(event)/imported_secrets/bulk_create/
+
+   Create new secrets in bulk (up to 500 per request). The request either succeeds or fails entirely.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      POST /api/v1/organizers/bigevents/events/sampleconf/imported_secrets/bulk_create/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 166
+
+      [
+        {
+          "secret": "foobar",
+          "used": false,
+          "item": null,
+          "variation": null,
+          "subevent": null
+        },
+        {
+          "secret": "baz",
+          "used": false,
+          "item": null,
+          "variation": null,
+          "subevent": null
+        }
+      ]
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+
+      [
+        {
+          "id": 1,
+          "secret": "foobar",
+          "used": false,
+          "item": null,
+          "variation": null,
+          "subevent": null
+        },
+        {
+          "id": 2,
+          "secret": "baz",
+          "used": false,
+          "item": null,
+          "variation": null,
+          "subevent": null
+        }
+      ]
+
+   :param organizer: The ``slug`` field of the organizer to create new secrets for
+   :param event: The ``slug`` field of the event to create new secrets for
+   :statuscode 201: no error
+   :statuscode 400: The secrets could not be created due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to create secrets.
+
+
+.. http:patch:: /api/v1/organizers/(organizer)/events/(event)/imported_secrets/(id)/
+
+   Update a secret. You can also use ``PUT`` instead of ``PATCH``. With ``PUT``, you have to provide all fields of
+   the resource, other fields will be reset to default. With ``PATCH``, you only need to provide the fields that you
+   want to change.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      PATCH /api/v1/organizers/bigevents/events/sampleconf/imported_secrets/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+      Content-Type: application/json
+      Content-Length: 34
+
+      {
+        "item": 2
+      }
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: text/javascript
+
+      {
+        "id": 1,
+        "secret": "foobar",
+        "used": false,
+        "item": 2,
+        "variation": null,
+        "subevent": null
+      }
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the secret to modify
+   :statuscode 200: no error
+   :statuscode 400: The secret could not be modified due to invalid submitted data.
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/secret does not exist **or** you have no permission to change it.
+
+
+.. http:delete:: /api/v1/organizers/(organizer)/events/(event)/imported_secrets/(id)/
+
+   Delete a secret. You can only delete secrets that have not yet been used.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      DELETE /api/v1/organizers/bigevents/events/sampleconf/imported_secrets/1/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 204 No Content
+      Vary: Accept
+
+   :param organizer: The ``slug`` field of the organizer to modify
+   :param event: The ``slug`` field of the event to modify
+   :param id: The ``id`` field of the secret to delete
+   :statuscode 204: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event/secret does not exist **or** you have no permission to change it **or** the secret has already been used
+

doc/plugins/index.rst

@@ -17,4 +17,5 @@ If you want to **create** a plugin, please go to the
    campaigns
    certificates
    digital
+   imported_secrets
    webinar

doc/user/events/ticket_secrets.rst

@@ -1,3 +1,5 @@
+.. _secret_generators:
+
 Ticket secret generators
 ========================
 

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "4.6.0"
+__version__ = "4.7.0.dev0"

src/pretix/api/views/order.py

@@ -659,12 +659,13 @@ class OrderViewSet(viewsets.ModelViewSet):
 
                 _order_placed_email(
                     request.event, order, payment.payment_provider if payment else None, email_template,
-                    log_entry, invoice, payment
+                    log_entry, invoice, payment, is_free=free_flow
                 )
                 if email_attendees:
                     for p in order.positions.all():
                         if p.addon_to_id is None and p.attendee_email and p.attendee_email != order.email:
-                            _order_placed_email_attendee(request.event, order, p, email_attendees_template, log_entry)
+                            _order_placed_email_attendee(request.event, order, p, email_attendees_template, log_entry,
+                                                         is_free=free_flow)
 
                 if not free_flow and order.status == Order.STATUS_PAID and payment:
                     payment._send_paid_mail(invoice, None, '')

src/pretix/base/email.py

@@ -33,6 +33,7 @@ from django.core.mail.backends.smtp import EmailBackend
 from django.db.models import Count
 from django.dispatch import receiver
 from django.template.loader import get_template
+from django.utils.formats import date_format
 from django.utils.timezone import now
 from django.utils.translation import (
     get_language, gettext_lazy as _, pgettext_lazy,
@@ -164,9 +165,20 @@ class TemplateBasedMailRenderer(BaseHTMLMailRenderer):
                 has_addons=Count('addons')
             ))
             htmlctx['cart'] = [(k, list(v)) for k, v in groupby(
-                positions, key=lambda op: (
-                    op.item, op.variation, op.subevent, op.attendee_name,
-                    (op.pk if op.addon_to_id else None), (op.pk if op.has_addons else None)
+                sorted(
+                    positions,
+                    key=lambda op: (
+                        (op.addon_to.positionid if op.addon_to_id else op.positionid),
+                        op.positionid
+                    )
+                ),
+                key=lambda op: (
+                    op.item,
+                    op.variation,
+                    op.subevent,
+                    op.attendee_name,
+                    (op.pk if op.addon_to_id else None),
+                    (op.pk if op.has_addons else None)
                 )
             )]
 
@@ -453,6 +465,15 @@ def base_placeholders(sender, **kwargs):
                 }
             ),
         ),
+        SimpleFunctionalMailTextPlaceholder(
+            'event_location', ['event_or_subevent'], lambda event_or_subevent: str(event_or_subevent.location or ''),
+            lambda event: str(event.location or ''),
+        ),
+        SimpleFunctionalMailTextPlaceholder(
+            'event_admission_time', ['event_or_subevent'],
+            lambda event_or_subevent: date_format(event_or_subevent.date_admission, 'TIME_FORMAT') if event_or_subevent.date_admission else '',
+            lambda event: date_format(event.date_admission, 'TIME_FORMAT') if event.date_admission else '',
+        ),
         SimpleFunctionalMailTextPlaceholder(
             'subevent', ['waiting_list_entry', 'event'],
             lambda waiting_list_entry, event: str(waiting_list_entry.subevent or event),
@@ -622,6 +643,10 @@ def base_placeholders(sender, **kwargs):
             'meta_%s' % k, ['event'], lambda event, k=k: event.meta_data[k],
             v
         ))
+        ph.append(SimpleFunctionalMailTextPlaceholder(
+            'meta_%s' % k, ['event_or_subevent'], lambda event_or_subevent, k=k: event_or_subevent.meta_data[k],
+            v
+        ))
 
     return ph
 

src/pretix/base/services/mail.py

@@ -77,7 +77,7 @@ from pretix.base.signals import email_filter, global_email_filter
 from pretix.celery_app import app
 from pretix.helpers.hierarkey import clean_filename
 from pretix.multidomain.urlreverse import build_absolute_uri
-from pretix.presale.ical import get_ical
+from pretix.presale.ical import get_private_icals
 
 logger = logging.getLogger('pretix.base.mail')
 INVALID_ADDRESS = 'invalid-pretix-mail-address'
@@ -430,18 +430,7 @@ def mail_send_task(self, *args, to: List[str], subject: str, body: str, html: st
                                     }
                                 )
                         if attach_ical:
-                            ical_events = set()
-                            if event.has_subevents:
-                                if position:
-                                    ical_events.add(position.subevent)
-                                else:
-                                    for p in order.positions.all():
-                                        ical_events.add(p.subevent)
-                            else:
-                                ical_events.add(order.event)
-
-                            for i, e in enumerate(ical_events):
-                                cal = get_ical([e])
+                            for i, cal in enumerate(get_private_icals(event, [position] if position else order.positions.all())):
                                 email.attach('event-{}.ics'.format(i), cal.serialize(), 'text/calendar')
 
             email = email_filter.send_chained(event, 'message', message=email, order=order, user=user)

src/pretix/base/services/orders.py

@@ -932,7 +932,7 @@ def _create_order(event: Event, email: str, positions: List[CartPosition], now_d
 
 
 def _order_placed_email(event: Event, order: Order, pprov: BasePaymentProvider, email_template, log_entry: str,
-                        invoice, payment: OrderPayment):
+                        invoice, payment: OrderPayment, is_free=False):
     email_context = get_email_context(event=event, order=order, payment=payment if pprov else None)
     email_subject = _('Your order: %(code)s') % {'code': order.code}
     try:
@@ -941,7 +941,7 @@ def _order_placed_email(event: Event, order: Order, pprov: BasePaymentProvider,
             log_entry,
             invoices=[invoice] if invoice and event.settings.invoice_email_attachment else [],
             attach_tickets=True,
-            attach_ical=event.settings.mail_attach_ical,
+            attach_ical=event.settings.mail_attach_ical and (not event.settings.mail_attach_ical_paid_only or is_free),
             attach_other_files=[a for a in [
                 event.settings.get('mail_attachment_new_order', as_type=str, default='')[len('file://'):]
             ] if a],
@@ -950,7 +950,7 @@ def _order_placed_email(event: Event, order: Order, pprov: BasePaymentProvider,
         logger.exception('Order received email could not be sent')
 
 
-def _order_placed_email_attendee(event: Event, order: Order, position: OrderPosition, email_template, log_entry: str):
+def _order_placed_email_attendee(event: Event, order: Order, position: OrderPosition, email_template, log_entry: str, is_free=False):
     email_context = get_email_context(event=event, order=order, position=position)
     email_subject = _('Your event registration: %(code)s') % {'code': order.code}
 
@@ -961,7 +961,7 @@ def _order_placed_email_attendee(event: Event, order: Order, position: OrderPosi
             invoices=[],
             attach_tickets=True,
             position=position,
-            attach_ical=event.settings.mail_attach_ical,
+            attach_ical=event.settings.mail_attach_ical and (not event.settings.mail_attach_ical_paid_only or is_free),
             attach_other_files=[a for a in [
                 event.settings.get('mail_attachment_new_order', as_type=str, default='')[len('file://'):]
             ] if a],
@@ -1070,11 +1070,13 @@ def _perform_order(event: Event, payment_provider: str, position_ids: List[str],
             email_attendees_template = event.settings.mail_text_order_placed_attendee
 
         if sales_channel in event.settings.mail_sales_channel_placed_paid:
-            _order_placed_email(event, order, pprov, email_template, log_entry, invoice, payment)
+            _order_placed_email(event, order, pprov, email_template, log_entry, invoice, payment,
+                                is_free=free_order_flow)
             if email_attendees:
                 for p in order.positions.all():
                     if p.addon_to_id is None and p.attendee_email and p.attendee_email != order.email:
-                        _order_placed_email_attendee(event, order, p, email_attendees_template, log_entry)
+                        _order_placed_email_attendee(event, order, p, email_attendees_template, log_entry,
+                                                     is_free=free_order_flow)
 
     return order.id
 

src/pretix/base/settings.py

@@ -1573,6 +1573,32 @@ DEFAULTS = {
             help_text=_("If enabled, we will attach an .ics calendar file to order confirmation emails."),
         )
     },
+    'mail_attach_ical_paid_only': {
+        'default': 'False',
+        'type': bool,
+        'form_class': forms.BooleanField,
+        'serializer_class': serializers.BooleanField,
+        'form_kwargs': dict(
+            label=_("Attach calendar files only after order has been paid"),
+            help_text=_("Use this if you e.g. put a private access link into the calendar file to make sure people only "
+                        "receive it after their payment was confirmed."),
+        )
+    },
+    'mail_attach_ical_description': {
+        'default': '',
+        'type': LazyI18nString,
+        'form_class': I18nFormField,
+        'form_kwargs': dict(
+            label=_("Event description"),
+            widget=I18nTextarea,
+            help_text=_(
+                "You can use this to share information with your attendees, such as travel information or the link to a digital event. "
+                "If you keep it empty, we will put a link to the event shop, the admission time, and your organizer name in there. "
+                "We do not allow using placeholders with sensitive person-specific data as calendar entries are often shared with an "
+                "unspecified number of people."
+            ),
+        )
+    },
     'mail_prefix': {
         'default': None,
         'type': str,

src/pretix/base/views/redirect.py

@@ -23,8 +23,8 @@ import urllib.parse
 
 from django.core import signing
 from django.http import HttpResponseBadRequest, HttpResponseRedirect
-from django.urls import reverse
 from django.shortcuts import render
+from django.urls import reverse
 
 
 def _is_samesite_referer(request):

src/pretix/control/forms/event.py

@@ -872,6 +872,8 @@ class MailSettingsForm(SettingsForm):
         'mail_attach_ical',
         'mail_attach_tickets',
         'mail_attachment_new_order',
+        'mail_attach_ical_paid_only',
+        'mail_attach_ical_description',
     ]
 
     mail_sales_channel_placed_paid = forms.MultipleChoiceField(
@@ -1079,7 +1081,8 @@ class MailSettingsForm(SettingsForm):
         'mail_text_download_reminder_attendee': ['event', 'order', 'position'],
         'mail_text_resend_link': ['event', 'order'],
         'mail_text_waiting_list': ['event', 'waiting_list_entry'],
-        'mail_text_resend_all_links': ['event', 'orders']
+        'mail_text_resend_all_links': ['event', 'orders'],
+        'mail_attach_ical_description': ['event', 'event_or_subevent'],
     }
 
     def _set_field_placeholders(self, fn, base_parameters):

src/pretix/control/templates/pretixcontrol/event/mail.html

@@ -14,7 +14,6 @@
                 <legend>{% trans "General" %}</legend>
                 {% bootstrap_field form.mail_prefix layout="control" %}
                 {% bootstrap_field form.mail_attach_tickets layout="control" %}
-                {% bootstrap_field form.mail_attach_ical layout="control" %}
                 {% url "control:organizer.settings.mail" organizer=request.organizer.slug as org_url %}
                 {% propagated request.event org_url "mail_from" "smtp_use_custom" "smtp_host" "smtp_port" "smtp_username" "smtp_password" "smtp_use_tls" "smtp_use_ssl" %}
                     <div class="form-group">
@@ -57,6 +56,12 @@
                 {% endpropagated %}
                 {% bootstrap_field form.mail_sales_channel_placed_paid layout="control" %}
             </fieldset>
+            <fieldset>
+                <legend>{% trans "Calendar invites" %}</legend>
+                {% bootstrap_field form.mail_attach_ical layout="control" %}
+                {% bootstrap_field form.mail_attach_ical_paid_only layout="control" %}
+                {% bootstrap_field form.mail_attach_ical_description layout="control" %}
+            </fieldset>
             <fieldset>
                 <legend>{% trans "E-mail design" %}</legend>
                 <div class="row">

src/pretix/control/templates/pretixcontrol/items/index.html

@@ -46,7 +46,7 @@
                 {% for c in cat_list %}
                     <tbody data-dnd-url="{% url "control:event.items.reorder" organizer=request.event.organizer.slug event=request.event.slug %}">
                     {% for i in c.list %}
-                        {% if forloop.counter0 == 0 and i.category %}<tr class="sortable-disabled"><th colspan="8" scope="colgroup" class="text-muted">{{ i.category.name }}</th></tr>{% endif %}
+                        {% if forloop.counter0 == 0 and i.category %}<tr class="sortable-disabled"><th colspan="8" scope="colgroup" class="text-muted">{{ i.category }}</th></tr>{% endif %}
                         <tr data-dnd-id="{{ i.id }}" {% if not i.active %}class="row-muted"{% endif %}>
                             <td><strong>
                                 {% if not i.active %}<strike>{% endif %}

src/pretix/control/templates/pretixcontrol/items/quota_delete.html

@@ -13,7 +13,7 @@
                 <ul>
                     {% for item in dependent %}
                         <li>
-                            <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=item.pk %}">{{ item.name }}</a>
+                            <a href="{% url "control:event.item" organizer=request.event.organizer.slug event=request.event.slug item=item.pk %}">{{ item }}</a>
                         </li>
                     {% endfor %}
                 </ul>

src/pretix/presale/ical.py

@@ -28,11 +28,16 @@ from django.conf import settings
 from django.utils.formats import date_format
 from django.utils.translation import gettext as _
 
+from pretix.base.email import get_email_context
 from pretix.base.models import Event
 from pretix.multidomain.urlreverse import build_absolute_uri
 
 
-def get_ical(events):
+def get_public_ical(events):
+    """
+    Return an ical feed for a sequence of events or subevents. The calendar files will only include public
+    information.
+    """
     cal = vobject.iCalendar()
     cal.add('prodid').value = '-//pretix//{}//'.format(settings.PRETIX_INSTANCE_NAME.replace(" ", "_"))
     creation_time = datetime.datetime.now(pytz.utc)
@@ -83,3 +88,91 @@ def get_ical(events):
 
         vevent.add('description').value = '\n'.join(descr)
     return cal
+
+
+def get_private_icals(event, positions):
+    """
+    Return a list of ical objects based on a sequence of positions.
+
+    Unlike get_public_ical, this will
+
+    - Generate multiple ical files instead of one (but with deduplication applied)
+    - Respect the mail_attach_ical_description setting
+
+    It is private in the sense that mail_attach_ical_description may contain content not suited for
+    public display.
+
+    We however intentionally do not allow using placeholders based on the order and position
+    specifically. This is for two reasons:
+
+    - In reality, many people will add their invite to their calendar which is shared with a larger
+      team. People are probably not aware that they're sharing sensitive information such as their
+      secret ticket link with everyone they share their calendar with.
+
+    - It would be pretty hard to implement it in a way that doesn't require us to use distinct
+      settings fields for emails to customers and to attendees, which feels like an overcomplication.
+    """
+
+    from pretix.base.services.mail import TolerantDict
+
+    tz = pytz.timezone(event.settings.timezone)
+
+    creation_time = datetime.datetime.now(pytz.utc)
+    calobjects = []
+
+    evs = set(p.subevent or event for p in positions)
+    for ev in evs:
+        if isinstance(ev, Event):
+            url = build_absolute_uri(event, 'presale:event.index')
+        else:
+            url = build_absolute_uri(event, 'presale:event.index', {
+                'subevent': ev.pk
+            })
+
+        if event.settings.mail_attach_ical_description:
+            ctx = get_email_context(event=event, event_or_subevent=ev)
+            description = str(event.settings.mail_attach_ical_description).format_map(TolerantDict(ctx))
+        else:
+            # Default description
+            descr = []
+            descr.append(_('Tickets: {url}').format(url=url))
+            if ev.date_admission:
+                descr.append(str(_('Admission: {datetime}')).format(
+                    datetime=date_format(ev.date_admission.astimezone(tz), 'SHORT_DATETIME_FORMAT')
+                ))
+
+            descr.append(_('Organizer: {organizer}').format(organizer=event.organizer.name))
+            description = '\n'.join(descr)
+
+        cal = vobject.iCalendar()
+        cal.add('prodid').value = '-//pretix//{}//'.format(settings.PRETIX_INSTANCE_NAME.replace(" ", "_"))
+
+        vevent = cal.add('vevent')
+        vevent.add('summary').value = str(ev.name)
+        vevent.add('description').value = description
+        vevent.add('dtstamp').value = creation_time
+        if ev.location:
+            vevent.add('location').value = str(ev.location)
+
+        vevent.add('uid').value = 'pretix-{}-{}-{}@{}'.format(
+            event.organizer.slug,
+            event.organizer.slug, event.slug,
+            ev.pk if not isinstance(ev, Event) else '0',
+            urlparse(url).netloc
+        )
+
+        if event.settings.show_times:
+            vevent.add('dtstart').value = ev.date_from.astimezone(tz)
+        else:
+            vevent.add('dtstart').value = ev.date_from.astimezone(tz).date()
+
+        if event.settings.show_date_to and ev.date_to:
+            if event.settings.show_times:
+                vevent.add('dtend').value = ev.date_to.astimezone(tz)
+            else:
+                # with full-day events date_to in pretix is included (e.g. last day)
+                # whereas dtend in vcalendar is non-inclusive => add one day for export
+                vevent.add('dtend').value = ev.date_to.astimezone(tz).date() + datetime.timedelta(days=1)
+
+        calobjects.append(cal)
+    return calobjects

src/pretix/presale/views/event.py

@@ -70,7 +70,7 @@ from pretix.base.models.items import (
 from pretix.base.services.quotas import QuotaAvailability
 from pretix.helpers.compat import date_fromisocalendar
 from pretix.multidomain.urlreverse import eventreverse
-from pretix.presale.ical import get_ical
+from pretix.presale.ical import get_public_ical
 from pretix.presale.signals import item_description
 from pretix.presale.views.organizer import (
     EventListMixin, add_subevents_for_days, days_for_template,
@@ -719,7 +719,7 @@ class EventIcalDownload(EventViewMixin, View):
                 raise Http404(pgettext_lazy('subevent', 'Unknown date selected.'))
 
         event = self.request.event
-        cal = get_ical([subevent or event])
+        cal = get_public_ical([subevent or event])
 
         resp = HttpResponse(cal.serialize(), content_type='text/calendar')
         resp['Content-Disposition'] = 'attachment; filename="{}-{}-{}.ics"'.format(

src/pretix/presale/views/organizer.py

@@ -67,7 +67,7 @@ from pretix.helpers.formats.en.formats import (
     SHORT_MONTH_DAY_FORMAT, WEEK_FORMAT,
 )
 from pretix.multidomain.urlreverse import eventreverse
-from pretix.presale.ical import get_ical
+from pretix.presale.ical import get_public_ical
 from pretix.presale.views import OrganizerViewMixin
 
 
@@ -1159,9 +1159,9 @@ class OrganizerIcalDownload(OrganizerViewMixin, View):
 
         if 'locale' in request.GET and request.GET.get('locale') in dict(settings.LANGUAGES):
             with language(request.GET.get('locale'), self.request.organizer.settings.region):
-                cal = get_ical(events)
+                cal = get_public_ical(events)
         else:
-            cal = get_ical(events)
+            cal = get_public_ical(events)
 
         resp = HttpResponse(cal.serialize(), content_type='text/calendar')
         resp['Content-Disposition'] = 'attachment; filename="{}.ics"'.format(

src/pretix/settings.py

@@ -97,6 +97,8 @@ else:
             f.write(SECRET_KEY)
 
 # Adjustable settings
+LANGUAGE_CODE = config.get('locale', 'default', fallback='en')
+TIME_ZONE = config.get('locale', 'timezone', fallback='UTC')
 
 debug_fallback = "runserver" in sys.argv
 DEBUG = config.getboolean('django', 'debug', fallback=debug_fallback)
@@ -130,6 +132,7 @@ DATABASES = {
         'HOST': config.get('database', 'host', fallback=''),
         'PORT': config.get('database', 'port', fallback=''),
         'CONN_MAX_AGE': 0 if db_backend == 'sqlite3' else 120,
+        'TIME_ZONE': TIME_ZONE,
         'OPTIONS': db_options,
         'TEST': {
             'CHARSET': 'utf8mb4',
@@ -148,6 +151,7 @@ if config.has_section('replica'):
         'HOST': config.get('replica', 'host', fallback=DATABASES['default']['HOST']),
         'PORT': config.get('replica', 'port', fallback=DATABASES['default']['PORT']),
         'CONN_MAX_AGE': 0 if db_backend == 'sqlite3' else 120,
+        'TIME_ZONE': TIME_ZONE,
         'OPTIONS': db_options,
         'TEST': {
             'CHARSET': 'utf8mb4',
@@ -210,9 +214,6 @@ CURRENCY_PLACES = {
 
 ALLOWED_HOSTS = ['*']
 
-LANGUAGE_CODE = config.get('locale', 'default', fallback='en')
-TIME_ZONE = config.get('locale', 'timezone', fallback='UTC')
-
 MAIL_FROM = SERVER_EMAIL = DEFAULT_FROM_EMAIL = config.get('mail', 'from', fallback='pretix@localhost')
 MAIL_FROM_NOTIFICATIONS = config.get('mail', 'from_notifications', fallback=MAIL_FROM)
 MAIL_FROM_ORGANIZERS = config.get('mail', 'from_organizers', fallback=MAIL_FROM)