Error pages: Load event theme if available (Z#23224853)

Currently translated at 71.3% (4465 of 6257 strings)

Translation: pretix/pretix
Translate-URL: https://translate.pretix.eu/projects/pretix/pretix/nl_BE/

powered by weblate

doc/api/resources/orders.rst

@@ -1719,6 +1719,56 @@ List of all order positions
    :statuscode 401: Authentication failure
    :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
 
+.. http:get:: /api/v1/organizers/(organizer)/orderpositions/
+
+   Returns a list of all order positions within all events of a given organizer (with sufficient access permissions).
+
+   The supported query parameters and output format of this endpoint are almost identical to those of the list endpoint
+   within an event.
+   The only changes are that responses also contain the ``event`` attribute in each result and that the 'pdf_data'
+   parameter is not supported.
+
+   **Example request**:
+
+   .. sourcecode:: http
+
+      GET /api/v1/organizers/bigevents/orderpositions/ HTTP/1.1
+      Host: pretix.eu
+      Accept: application/json, text/javascript
+
+   **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Vary: Accept
+      Content-Type: application/json
+      X-Page-Generated: 2017-12-01T10:00:00Z
+
+      {
+        "count": 1,
+        "next": null,
+        "previous": null,
+        "results": [
+          {
+            "id:": 23442
+            "event": "sampleconf",
+            "order": "ABC12",
+            "positionid": 1,
+            "canceled": false,
+            "item": 1345,
+            ...
+          }
+        ]
+      }
+
+   :param organizer: The ``slug`` field of the organizer to fetch
+   :statuscode 200: no error
+   :statuscode 401: Authentication failure
+   :statuscode 403: The requested organizer/event does not exist **or** you have no permission to view this resource.
+
+
+
 Fetching individual positions
 -----------------------------
 

pyproject.toml

@@ -77,7 +77,7 @@ dependencies = [
   "phonenumberslite==9.0.*",
   "Pillow==12.1.*",
   "pretix-plugin-build",
-  "protobuf==6.33.*",
+  "protobuf==7.34.*",
   "psycopg2-binary",
   "pycountry",
   "pycparser==3.0",
@@ -92,7 +92,7 @@ dependencies = [
   "redis==7.1.*",
   "reportlab==4.4.*",
   "requests==2.32.*",
-  "sentry-sdk==2.53.*",
+  "sentry-sdk==2.54.*",
   "sepaxml==2.7.*",
   "stripe==7.9.*",
   "text-unidecode==1.*",

src/pretix/__init__.py

@@ -19,4 +19,4 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
-__version__ = "2026.2.0.dev0"
+__version__ = "2026.3.0.dev0"

src/pretix/api/serializers/order.py

@@ -19,6 +19,7 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import json
 import logging
 import os
 from collections import Counter, defaultdict
@@ -636,6 +637,14 @@ class OrderPositionSerializer(I18nAwareModelSerializer):
         return entry
 
 
+class OrganizerOrderPositionSerializer(OrderPositionSerializer):
+    event = SlugRelatedField(slug_field='slug', read_only=True)
+
+    class Meta(OrderPositionSerializer.Meta):
+        fields = OrderPositionSerializer.Meta.fields + ('event',)
+        read_only_fields = OrderPositionSerializer.Meta.read_only_fields + ('event',)
+
+
 class RequireAttentionField(serializers.Field):
     def to_representation(self, instance: OrderPosition):
         return instance.require_checkin_attention
@@ -1215,6 +1224,18 @@ class OrderCreateSerializer(I18nAwareModelSerializer):
             raise ValidationError('The given payment provider is not known.')
         return pp
 
+    def validate_payment_info(self, info):
+        if info:
+            try:
+                obj = json.loads(info)
+            except ValueError:
+                raise ValidationError('payment_info must be valid JSON.')
+
+            if not isinstance(obj, dict):
+                # only objects are allowed
+                raise ValidationError('payment_info must be a JSON object.')
+        return info
+
     def validate_expires(self, expires):
         if expires < now():
             raise ValidationError('Expiration date must be in the future.')

src/pretix/api/serializers/organizer.py

@@ -365,9 +365,10 @@ class TeamInviteSerializer(serializers.ModelSerializer):
     def _send_invite(self, instance):
         mail(
             instance.email,
-            _('pretix account invitation'),
+            _('Account invitation'),
             'pretixcontrol/email/invitation.txt',
             {
+                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'organizer': self.context['organizer'].name,
                 'team': instance.team.name,

src/pretix/api/urls.py

@@ -67,6 +67,7 @@ orga_router.register(r'invoices', order.InvoiceViewSet)
 orga_router.register(r'scheduled_exports', exporters.ScheduledOrganizerExportViewSet)
 orga_router.register(r'exporters', exporters.OrganizerExportersViewSet, basename='exporters')
 orga_router.register(r'transactions', order.OrganizerTransactionViewSet)
+orga_router.register(r'orderpositions', order.OrganizerOrderPositionViewSet, basename='orderpositions')
 
 team_router = routers.DefaultRouter()
 team_router.register(r'members', organizer.TeamMemberViewSet)
@@ -83,7 +84,7 @@ event_router.register(r'discounts', discount.DiscountViewSet)
 event_router.register(r'quotas', item.QuotaViewSet)
 event_router.register(r'vouchers', voucher.VoucherViewSet)
 event_router.register(r'orders', order.EventOrderViewSet)
-event_router.register(r'orderpositions', order.OrderPositionViewSet)
+event_router.register(r'orderpositions', order.EventOrderPositionViewSet)
 event_router.register(r'transactions', order.TransactionViewSet)
 event_router.register(r'invoices', order.InvoiceViewSet)
 event_router.register(r'revokedsecrets', order.RevokedSecretViewSet, basename='revokedsecrets')

src/pretix/api/views/order.py

@@ -57,9 +57,10 @@ from pretix.api.serializers.order import (
     BlockedTicketSecretSerializer, InvoiceSerializer, OrderCreateSerializer,
     OrderPaymentCreateSerializer, OrderPaymentSerializer,
     OrderPositionSerializer, OrderRefundCreateSerializer,
-    OrderRefundSerializer, OrderSerializer, OrganizerTransactionSerializer,
-    PriceCalcSerializer, PrintLogSerializer, RevokedTicketSecretSerializer,
-    SimulatedOrderSerializer, TransactionSerializer,
+    OrderRefundSerializer, OrderSerializer, OrganizerOrderPositionSerializer,
+    OrganizerTransactionSerializer, PriceCalcSerializer, PrintLogSerializer,
+    RevokedTicketSecretSerializer, SimulatedOrderSerializer,
+    TransactionSerializer,
 )
 from pretix.api.serializers.orderchange import (
     BlockNameSerializer, OrderChangeOperationSerializer,
@@ -1065,8 +1066,7 @@ with scopes_disabled():
             }
 
 
-class OrderPositionViewSet(viewsets.ModelViewSet):
-    serializer_class = OrderPositionSerializer
+class OrderPositionViewSetMixin:
     queryset = OrderPosition.all.none()
     filter_backends = (DjangoFilterBackend, RichOrderingFilter)
     ordering = ('order__datetime', 'positionid')
@@ -1087,8 +1087,7 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
 
     def get_serializer_context(self):
         ctx = super().get_serializer_context()
-        ctx['event'] = self.request.event
-        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false').lower() == 'true'
+        ctx['pdf_data'] = False
         ctx['check_quotas'] = self.request.query_params.get('check_quotas', 'true').lower() == 'true'
         return ctx
 
@@ -1097,9 +1096,8 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
             qs = OrderPosition.all
         else:
             qs = OrderPosition.objects
-
-        qs = qs.filter(order__event=self.request.event)
-        if self.request.query_params.get('pdf_data', 'false').lower() == 'true':
+        qs = qs.filter(order__event__organizer=self.request.organizer)
+        if self.request.query_params.get('pdf_data', 'false').lower() == 'true' and getattr(self.request, 'event', None):
             prefetch_related_objects([self.request.organizer], 'meta_properties')
             prefetch_related_objects(
                 [self.request.event],
@@ -1154,9 +1152,9 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
             qs = qs.prefetch_related(
                 Prefetch('checkins', queryset=Checkin.objects.select_related("device")),
                 Prefetch('print_logs', queryset=PrintLog.objects.select_related('device')),
-                'answers', 'answers__options', 'answers__question',
+                'answers', 'answers__options', 'answers__question', 'order__event', 'order__event__organizer'
             ).select_related(
-                'item', 'order', 'order__event', 'order__event__organizer', 'seat'
+                'item', 'order', 'seat'
             )
         return qs
 
@@ -1168,6 +1166,45 @@ class OrderPositionViewSet(viewsets.ModelViewSet):
                 return prov
         raise NotFound('Unknown output provider.')
 
+
+class OrganizerOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ReadOnlyModelViewSet):
+    serializer_class = OrganizerOrderPositionSerializer
+
+    def get_queryset(self):
+        qs = super().get_queryset()
+
+        perm = self.permission if self.request.method in SAFE_METHODS else self.write_permission
+
+        if isinstance(self.request.auth, (TeamAPIToken, Device)):
+            auth_obj = self.request.auth
+        elif self.request.user.is_authenticated:
+            auth_obj = self.request.user
+        else:
+            raise PermissionDenied("Unknown authentication scheme")
+
+        qs = qs.filter(
+            order__event__in=auth_obj.get_events_with_permission(perm, request=self.request).filter(
+                organizer=self.request.organizer
+            )
+        )
+
+        return qs
+
+
+class EventOrderPositionViewSet(OrderPositionViewSetMixin, viewsets.ModelViewSet):
+    serializer_class = OrderPositionSerializer
+
+    def get_serializer_context(self):
+        ctx = super().get_serializer_context()
+        ctx['event'] = self.request.event
+        ctx['pdf_data'] = self.request.query_params.get('pdf_data', 'false').lower() == 'true'
+        return ctx
+
+    def get_queryset(self):
+        qs = super().get_queryset()
+        qs = qs.filter(order__event=self.request.event)
+        return qs
+
     @action(detail=True, methods=['POST'], url_name='price_calc')
     def price_calc(self, request, *args, **kwargs):
         """

src/pretix/api/webhooks.py

@@ -183,6 +183,7 @@ class ParametrizedGiftcardWebhookEvent(ParametrizedWebhookEvent):
         return {
             'notification_id': logentry.pk,
             'issuer_id': logentry.organizer_id,
+            'issuer_slug': logentry.organizer.slug,
             'giftcard': giftcard.pk,
             'action': logentry.action_type,
         }
@@ -197,6 +198,7 @@ class ParametrizedGiftcardTransactionWebhookEvent(ParametrizedWebhookEvent):
         return {
             'notification_id': logentry.pk,
             'issuer_id': logentry.organizer_id,
+            'issuer_slug': logentry.organizer.slug,
             'acceptor_id': logentry.parsed_data.get('acceptor_id'),
             'acceptor_slug': logentry.parsed_data.get('acceptor_slug'),
             'giftcard': giftcard.pk,

src/pretix/base/datasync/datasync.py

@@ -216,7 +216,10 @@ class OutboundSyncProvider:
 
             try:
                 mapped_objects = self.sync_order(sq.order)
-                if not all(all(not res or res.sync_info.get("action", "") == "nothing_to_do" for res in res_list) for res_list in mapped_objects.values()):
+                actions_taken = [res and res.sync_info.get("action", "") for res_list in mapped_objects.values() for res in res_list]
+                should_write_logentry = any(action not in (None, "nothing_to_do") for action in actions_taken)
+                logger.info('Synced order %s to %s, actions: %r, log: %r', sq.order.code, sq.sync_provider, actions_taken, should_write_logentry)
+                if should_write_logentry:
                     sq.order.log_action("pretix.event.order.data_sync.success", {
                         "provider": self.identifier,
                         "objects": {
@@ -237,7 +240,7 @@ class OutboundSyncProvider:
                     sq.set_sync_error("exceeded", e.messages, e.full_message)
                 else:
                     logger.info(
-                        f"Could not sync order {sq.order.code} to {type(self).__name__} "
+                        f"Could not sync order {sq.order.code} to {sq.sync_provider} "
                         f"(transient error, attempt #{sq.failed_attempts}, next {sq.not_before})",
                         exc_info=True,
                     )

src/pretix/base/forms/widgets.py

@@ -42,6 +42,8 @@ from django.utils.html import escape
 from django.utils.timezone import get_current_timezone, now
 from django.utils.translation import gettext_lazy as _
 
+from pretix.helpers.format import PlainHtmlAlternativeString
+
 
 def replace_arabic_numbers(inp):
     if not isinstance(inp, str):
@@ -61,11 +63,18 @@ def replace_arabic_numbers(inp):
     return inp.translate(table)
 
 
+def format_placeholder_help_text(placeholder_name, sample_value):
+    if isinstance(sample_value, PlainHtmlAlternativeString):
+        sample_value = sample_value.plain
+    title = (_("Sample: %s") % sample_value) if sample_value else ""
+    return ('<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (escape(title), escape(placeholder_name)))
+
+
 def format_placeholders_help_text(placeholders, event=None):
     placeholders = [(k, v.render_sample(event) if event else v) for k, v in placeholders.items()]
     placeholders.sort(key=lambda x: x[0])
     phs = [
-        '<button type="button" class="content-placeholder" title="%s">{%s}</button>' % (escape(_("Sample: %s") % v) if v else "", escape(k))
+        format_placeholder_help_text(k, v)
         for k, v in placeholders
     ]
     return _('Available placeholders: {list}').format(

src/pretix/base/invoicing/pdf.py

@@ -148,6 +148,10 @@ class NumberedCanvas(Canvas):
         self.restoreState()
 
 
+class InvoiceNotReadyException(Exception):
+    pass
+
+
 class BaseInvoiceRenderer:
     """
     This is the base class for all invoice renderers.

src/pretix/base/models/auth.py

@@ -346,7 +346,8 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
             {
                 'user': self,
                 'messages': msg,
-                'url': build_absolute_uri('control:user.settings')
+                'url': build_absolute_uri('control:user.settings'),
+                'instance': settings.PRETIX_INSTANCE_NAME,
             },
             event=None,
             user=self,
@@ -391,6 +392,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
                 'user': self,
                 'reason': msg,
                 'code': code,
+                'instance': settings.PRETIX_INSTANCE_NAME,
             },
             event=None,
             user=self,
@@ -430,6 +432,7 @@ class User(AbstractBaseUser, PermissionsMixin, LoggingMixin):
         mail(
             self.email, _('Password recovery'), 'pretixcontrol/email/forgot.txt',
             {
+                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'url': (build_absolute_uri('control:auth.forgot.recover')
                         + '?id=%d&token=%s' % (self.id, default_token_generator.make_token(self)))

src/pretix/base/models/datasync.py

@@ -86,7 +86,7 @@ class OrderSyncQueue(models.Model):
 
     def set_sync_error(self, failure_mode, messages, full_message):
         logger.exception(
-            f"Could not sync order {self.order.code} to {type(self).__name__} ({failure_mode})"
+            f"Could not sync order {self.order.code} to {self.sync_provider} ({failure_mode})"
         )
         self.order.log_action(f"pretix.event.order.data_sync.failed.{failure_mode}", {
             "provider": self.sync_provider,

src/pretix/base/models/waitinglist.py

@@ -181,10 +181,11 @@ class WaitingListEntry(LoggedModel):
                 block_quota=True,
                 item_id=self.item_id,
                 subevent_id=self.subevent_id,
-                waitinglistentries__isnull=False
+                waitinglistentries__isnull=False,
+                seat__isnull=True
             ).aggregate(free=Sum(F('max_usages') - F('redeemed')))['free'] or 0
             free_seats = num_free_seats_for_product - num_valid_vouchers_for_product
-            if not free_seats:
+            if free_seats < 1:
                 raise WaitingListException(_('No seat with this product is currently available.'))
 
         if '@' not in self.email:

src/pretix/base/services/invoices.py

@@ -51,6 +51,7 @@ from django_scopes import scope, scopes_disabled
 from i18nfield.strings import LazyI18nString
 
 from pretix.base.i18n import language
+from pretix.base.invoicing.pdf import InvoiceNotReadyException
 from pretix.base.invoicing.transmission import (
     get_transmission_types, transmission_providers,
 )
@@ -504,7 +505,7 @@ def generate_invoice(order: Order, trigger_pdf=True):
     return invoice
 
 
-@app.task(base=TransactionAwareTask)
+@app.task(base=TransactionAwareTask, throws=(InvoiceNotReadyException,))
 def invoice_pdf_task(invoice: int):
     with scopes_disabled():
         i = Invoice.objects.get(pk=invoice)

src/pretix/base/services/mail.py

@@ -409,6 +409,18 @@ def mail_send_task(self, **kwargs) -> bool:
         outgoing_mail.inflight_since = now()
         outgoing_mail.save(update_fields=["status", "inflight_since"])
 
+    # Performance optimization, saves database queries later on if we resolve the known relationships
+    if outgoing_mail.event_id:
+        assert outgoing_mail.event.organizer_id == outgoing_mail.organizer.pk
+        outgoing_mail.event.organizer = outgoing_mail.organizer
+    if outgoing_mail.order_id:
+        assert outgoing_mail.order.event_id == outgoing_mail.event_id
+        outgoing_mail.order.event = outgoing_mail.event
+        outgoing_mail.order.organizer = outgoing_mail.organizer
+    if outgoing_mail.orderposition_id:
+        assert outgoing_mail.orderposition.order_id == outgoing_mail.order_id
+        outgoing_mail.orderposition.order = outgoing_mail.order
+
     headers = dict(outgoing_mail.headers)
     headers.setdefault('X-PX-Correlation', str(outgoing_mail.guid))
     email = CustomEmail(

src/pretix/base/services/placeholders.py

@@ -24,6 +24,7 @@ import logging
 from datetime import timedelta
 from decimal import Decimal
 
+from django.db.models import Prefetch, prefetch_related_objects
 from django.dispatch import receiver
 from django.utils.formats import date_format
 from django.utils.html import escape, mark_safe
@@ -35,6 +36,7 @@ from pretix.base.forms.widgets import format_placeholders_help_text
 from pretix.base.i18n import (
     LazyCurrencyNumber, LazyDate, LazyExpiresDate, LazyNumber,
 )
+from pretix.base.models import EventMetaValue
 from pretix.base.reldate import RelativeDateWrapper
 from pretix.base.settings import PERSON_NAME_SCHEMES, get_name_parts_localized
 from pretix.base.signals import (
@@ -752,6 +754,11 @@ def base_placeholders(sender, **kwargs):
             name_scheme['sample'][f]
         ))
 
+    prefetch_related_objects(
+        [sender],
+        Prefetch('meta_values', queryset=EventMetaValue.objects.select_related("property"), to_attr="meta_values_cached")
+    )
+    prefetch_related_objects([sender.organizer], Prefetch('meta_properties'))
     for k, v in sender.meta_data.items():
         ph.append(MarkdownTextPlaceholder(
             'meta_%s' % k, ['event'], lambda event, k=k: event.meta_data[k],

src/pretix/base/services/shredder.py

@@ -176,6 +176,7 @@ def shred(self, event: Event, fileid: str, confirm_code: str, user: int=None, lo
                 _('Data shredding completed'),
                 'pretixbase/email/shred_completed.txt',
                 {
+                    'instance': settings.PRETIX_INSTANCE_NAME,
                     'user': user,
                     'organizer': event.organizer.name,
                     'event': str(event.name),

src/pretix/base/templates/error.html

@@ -12,6 +12,9 @@
     <meta charset="utf-8">
     <link rel="icon" href="{% static "pretixbase/img/favicon.ico" %}">
     {% block custom_header %}{% endblock %}
+    {% if css_theme %}
+        <link rel="stylesheet" type="text/css" href="{{ css_theme }}" />
+    {% endif %}
 </head>
 <body>
 <div class="container">

src/pretix/base/templates/pretixbase/email/shred_completed.txt

@@ -13,5 +13,5 @@ Start time: {{ start_time }} (new data added after this time might not have been
 
 Best regards,
 
-Your pretix team
+Your {{ instance }} team
 {% endblocktrans %}

src/pretix/base/templatetags/anonymize_email.py

@@ -0,0 +1,34 @@
+#
+# This file is part of pretix (Community Edition).
+#
+# Copyright (C) 2014-2020  Raphael Michel and contributors
+# Copyright (C) 2020-today pretix GmbH and contributors
+#
+# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
+# Public License as published by the Free Software Foundation in version 3 of the License.
+#
+# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
+# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
+# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
+# this file, see <https://pretix.eu/about/en/license>.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
+# <https://www.gnu.org/licenses/>.
+#
+from django import template
+from django.utils.html import mark_safe
+
+register = template.Library()
+
+
+@register.filter("anon_email")
+def anon_email(value):
+    """Replaces @ with [at] and . with [dot] for anonymization."""
+    if not isinstance(value, str):
+        return value
+    value = value.replace("@", "[at]").replace(".", "[dot]")
+    return mark_safe(''.join(['&#{0};'.format(ord(char)) for char in value]))

src/pretix/base/timeframes.py

@@ -423,7 +423,7 @@ def resolve_timeframe_to_dates_inclusive(ref_dt, frame, timezone) -> Tuple[Optio
     raise ValueError(f"Invalid timeframe '{frame}'")
 
 
-def resolve_timeframe_to_datetime_start_inclusive_end_exclusive(ref_dt, frame, timezone) -> Tuple[Optional[date], Optional[date]]:
+def resolve_timeframe_to_datetime_start_inclusive_end_exclusive(ref_dt, frame, timezone) -> Tuple[Optional[datetime], Optional[datetime]]:
     """
     Given a serialized timeframe, evaluate it relative to `ref_dt` and return a tuple of datetimes
     where the first element ist the first possible datetime within the timeframe and the second

src/pretix/control/logdisplay.py

@@ -518,6 +518,7 @@ def pretixcontrol_orderposition_blocked_display(sender: Event, orderposition, bl
         'The order requires approval before it can continue to be processed.'),
     'pretix.event.order.approved': _('The order has been approved.'),
     'pretix.event.order.denied': _('The order has been denied (comment: "{comment}").'),
+    'pretix.event.order.vatid.validated': _('The customer VAT ID has been verified.'),
     'pretix.event.order.contact.changed': _('The email address has been changed from "{old_email}" '
                                             'to "{new_email}".'),
     'pretix.event.order.contact.confirmed': _(

src/pretix/control/templates/pretixcontrol/email/confirmation_code.txt

@@ -9,5 +9,5 @@ Please do never give this code to another person. Our support team will never as
 If this code was not requested by you, please contact us immediately.
 
 Best regards,
-Your pretix team
+Your {{ instance }} team
 {% endblocktrans %}

src/pretix/control/templates/pretixcontrol/email/forgot.txt

@@ -5,5 +5,5 @@ you requested a new password. Please go to the following page to reset your pass
 {{ url }}
 
 Best regards,  
-Your pretix team
-{% endblocktrans %}
+Your {{ instance }} team
+{% endblocktrans %}

src/pretix/control/templates/pretixcontrol/email/invitation.txt

@@ -1,6 +1,6 @@
 {% load i18n %}{% blocktrans with url=url|safe %}Hello,
 
-you have been invited to a team on pretix, a platform to perform event
+you have been invited to a team on {{ instance }}, a platform to perform event
 ticket sales.
 
 Organizer: {{ organizer }}
@@ -13,5 +13,5 @@ If you do not want to join, you can safely ignore or delete this email.
 
 Best regards,  
 
-Your pretix team
+Your {{ instance }} team
 {% endblocktrans %}

src/pretix/control/templates/pretixcontrol/email/security_notice.txt

@@ -1,6 +1,6 @@
 {% load i18n %}{% blocktrans with url=url|safe messages=messages|safe %}Hello,
 
-this is to inform you that the account information of your pretix account has been
+this is to inform you that the account information of your {{ instance }} account has been
 changed. In particular, the following changes have been performed:
 
 {{ messages }}
@@ -12,5 +12,5 @@ You can review and change your account settings here:
 {{ url }}
 
 Best regards,  
-Your pretix team
+Your {{ instance }} team
 {% endblocktrans %}

src/pretix/control/views/event.py

@@ -870,11 +870,15 @@ class MailSettingsPreview(EventPermissionRequiredMixin, View):
                                 )
 
                         except ValueError:
-                            msgs[self.supported_locale[idx]] = '<div class="alert alert-danger">{}</div>'.format(
-                                PlaceholderValidator.error_message)
+                            msgs[self.supported_locale[idx]] = format_html(
+                                '<div class="alert alert-danger">{}</div>',
+                                PlaceholderValidator.error_message
+                            )
                         except KeyError as e:
-                            msgs[self.supported_locale[idx]] = '<div class="alert alert-danger">{}</div>'.format(
-                                _('Invalid placeholder: {%(value)s}') % {'value': e.args[0]})
+                            msgs[self.supported_locale[idx]] = format_html(
+                                '<div class="alert alert-danger">{}</div>',
+                                _('Invalid placeholder: {%(value)s}') % {'value': e.args[0]}
+                            )
 
         return JsonResponse({
             'item': preview_item,

src/pretix/control/views/orders.py

@@ -1641,9 +1641,17 @@ class OrderCheckVATID(OrderView):
 
             try:
                 normalized_id = validate_vat_id(ia.vat_id, str(ia.country))
-                ia.vat_id_validated = True
-                ia.vat_id = normalized_id
-                ia.save()
+                with transaction.atomic():
+                    ia.vat_id_validated = True
+                    ia.vat_id = normalized_id
+                    ia.save()
+                    self.order.log_action(
+                        'pretix.event.order.vatid.validated',
+                        data={
+                            'vat_id': normalized_id,
+                        },
+                        user=self.request.user,
+                    )
             except VATIDFinalError as e:
                 messages.error(self.request, e.message)
             except VATIDTemporaryError:

src/pretix/control/views/organizer.py

@@ -1039,9 +1039,10 @@ class TeamMemberView(OrganizerDetailViewMixin, OrganizerPermissionRequiredMixin,
     def _send_invite(self, instance):
         mail(
             instance.email,
-            _('pretix account invitation'),
+            _('Account invitation'),
             'pretixcontrol/email/invitation.txt',
             {
+                'instance': settings.PRETIX_INSTANCE_NAME,
                 'user': self,
                 'organizer': self.request.organizer.name,
                 'team': instance.team.name,

src/pretix/control/views/waitinglist.py

@@ -280,11 +280,12 @@ class WaitingListView(EventPermissionRequiredMixin, WaitingListQuerySetMixin, Pa
                         block_quota=True,
                         item_id=wle.item_id,
                         subevent=wle.subevent_id,
-                        waitinglistentries__isnull=False
+                        waitinglistentries__isnull=False,
+                        seat__isnull=True
                     ).aggregate(free=Sum(F('max_usages') - F('redeemed')))['free'] or 0
                     free_seats = num_free_seats_for_product - num_valid_vouchers_for_product
                     wle.availability = (
-                        Quota.AVAILABILITY_GONE if free_seats == 0 else wle.availability[0],
+                        Quota.AVAILABILITY_GONE if free_seats < 1 else wle.availability[0],
                         min(free_seats, wle.availability[1]) if wle.availability[1] is not None else free_seats,
                     )
 

src/pretix/locale/djangojs.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-20 13:01+0000\n"
+"POT-Creation-Date: 2026-02-24 11:50+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

src/pretix/locale/gl/LC_MESSAGES/djangojs.po

@@ -8,8 +8,8 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-01-26 09:10+0000\n"
-"PO-Revision-Date: 2025-12-03 23:00+0000\n"
-"Last-Translator: sandra r <sandrarial@gestiontickets.online>\n"
+"PO-Revision-Date: 2026-03-02 21:00+0000\n"
+"Last-Translator: Sandra Rial Pérez <sandrarial@gestiontickets.online>\n"
 "Language-Team: Galician <https://translate.pretix.eu/projects/pretix/pretix-"
 "js/gl/>\n"
 "Language: gl\n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.14.3\n"
+"X-Generator: Weblate 5.16.1\n"
 
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:56
 #: pretix/plugins/banktransfer/static/pretixplugins/banktransfer/ui.js:62
@@ -162,12 +162,12 @@ msgstr "Pedidos pagados"
 #: pretix/plugins/statistics/static/pretixplugins/statistics/statistics.js:27
 #: pretix/plugins/statistics/static/pretixplugins/statistics/statistics.js:39
 msgid "Attendees (ordered)"
-msgstr ""
+msgstr "Asistentes (ordenados)"
 
 #: pretix/plugins/statistics/static/pretixplugins/statistics/statistics.js:27
 #: pretix/plugins/statistics/static/pretixplugins/statistics/statistics.js:39
 msgid "Attendees (paid)"
-msgstr ""
+msgstr "Asistentes (de pago)"
 
 #: pretix/plugins/statistics/static/pretixplugins/statistics/statistics.js:51
 msgid "Total revenue"
@@ -732,8 +732,8 @@ msgid ""
 "The items in your cart are no longer reserved for you. You can still "
 "complete your order as long as they’re available."
 msgstr ""
-"Os artigos da túa cesta xa non están reservados para ti. Aínda podes "
-"completar o teu pedido mentres estean dispoñibles."
+"Os artigos do teu carro xa non están reservados para ti. Podes completar o "
+"teu pedido sempre que estean dispoñibles."
 
 #: pretix/static/pretixpresale/js/ui/cart.js:49
 msgid "Cart expired"

src/pretix/plugins/paypal2/payment.py

@@ -802,31 +802,37 @@ class PaypalMethod(BasePaymentProvider):
                             all_captures_completed = False
                         else:
                             any_captures = True
-            if not (any_captures and all_captures_completed):
+
+            # Payment has at least one capture, but it is not yet completed
+            if any_captures and not all_captures_completed:
                 messages.warning(request, _('PayPal has not yet approved the payment. We will inform you as '
                                             'soon as the payment completed.'))
                 payment.info = json.dumps(pp_captured_order.dict())
                 payment.state = OrderPayment.PAYMENT_STATE_PENDING
                 payment.save()
                 return
+            # Payment has at least one capture and all captures are completed
+            elif any_captures and all_captures_completed:
+                if pp_captured_order.status != 'COMPLETED':
+                    payment.fail(info=pp_captured_order.dict())
+                    logger.error('Invalid state: %s' % repr(pp_captured_order.dict()))
+                    raise PaymentException(
+                        _('We were unable to process your payment. See below for details on how to proceed.')
+                    )
 
-            if pp_captured_order.status != 'COMPLETED':
-                payment.fail(info=pp_captured_order.dict())
-                logger.error('Invalid state: %s' % repr(pp_captured_order.dict()))
-                raise PaymentException(
-                    _('We were unable to process your payment. See below for details on how to proceed.')
-                )
+                if payment.state == OrderPayment.PAYMENT_STATE_CONFIRMED:
+                    logger.warning('PayPal success event even though order is already marked as paid')
+                    return
 
-            if payment.state == OrderPayment.PAYMENT_STATE_CONFIRMED:
-                logger.warning('PayPal success event even though order is already marked as paid')
+                try:
+                    payment.info = json.dumps(pp_captured_order.dict())
+                    payment.save(update_fields=['info'])
+                    payment.confirm()
+                except Quota.QuotaExceededException as e:
+                    raise PaymentException(str(e))
+            # Payment has not any captures yet - so it's probably in created status
+            else:
                 return
-
-            try:
-                payment.info = json.dumps(pp_captured_order.dict())
-                payment.save(update_fields=['info'])
-                payment.confirm()
-            except Quota.QuotaExceededException as e:
-                raise PaymentException(str(e))
         finally:
             if 'payment_paypal_oid' in request.session:
                 del request.session['payment_paypal_oid']
@@ -836,7 +842,7 @@ class PaypalMethod(BasePaymentProvider):
         try:
             if (
                     payment.info
-                    and payment.info_data['purchase_units'][0]['payments']['captures'][0]['status'] == 'pending'
+                    and payment.info_data['purchase_units'][0]['payments']['captures'][0]['status'] == 'PENDING'
             ):
                 retry = False
         except (KeyError, IndexError):

src/pretix/presale/templates/pretixpresale/event/base.html

@@ -6,6 +6,7 @@
 {% load eventurl %}
 {% load safelink %}
 {% load rich_text %}
+{% load anonymize_email %}
 {% block thetitle %}
     {% if messages %}
         {{ messages|join:" " }} :: 
@@ -219,7 +220,7 @@
 {% endblock %}
 {% block footernav %}
     {% if request.event.settings.contact_mail %}
-        <li><a href="mailto:{{ request.event.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="{{ 'mailto:'|add:request.event.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
     {% endif %}
     {% if request.event.settings.privacy_url %}
         <li><a href="{% safelink request.event.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>

src/pretix/presale/templates/pretixpresale/fragment_js.html

@@ -21,4 +21,5 @@
     <script type="text/javascript" src="{% static "pretixpresale/js/ui/cart.js" %}"></script>
     <script type="text/javascript" src="{% static "pretixpresale/js/ui/iframe.js" %}"></script>
     <script type="text/javascript" src="{% static "pretixbase/js/addressform.js" %}"></script>
+    <script type="text/javascript" src="{% static "pretixbase/js/deanonymize_email.js" %}"></script>
 {% endcompress %}

src/pretix/presale/templates/pretixpresale/organizers/base.html

@@ -5,6 +5,7 @@
 {% load thumb %}
 {% load eventurl %}
 {% load safelink %}
+{% load anonymize_email %}
 {% block thetitle %}
     {% block title %}{% endblock %}{% if url_name != "organizer.index" %} :: {% endif %}{{ organizer.name }}
 {% endblock %}
@@ -97,7 +98,7 @@
 {% endblock %}
 {% block footernav %}
     {% if not request.event and request.organizer.settings.contact_mail %}
-        <li><a href="mailto:{{ request.organizer.settings.contact_mail }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
+        <li><a href="{{ 'mailto:'|add:request.organizer.settings.contact_mail|anon_email }}" target="_blank" rel="noopener">{% trans "Contact" %}</a></li>
     {% endif %}
     {% if not request.event and request.organizer.settings.privacy_url %}
         <li><a href="{% safelink request.organizer.settings.privacy_url %}" target="_blank" rel="noopener">{% trans "Privacy policy" %}</a></li>

src/pretix/presale/views/oidc_op.py

@@ -393,7 +393,6 @@ class TokenView(View):
 
             if grant.code_challenge_method == "S256":
                 expected_challenge = base64.urlsafe_b64encode(hashlib.sha256(request.POST["code_verifier"].encode()).digest()).decode().rstrip("=")
-                print(grant.code_challenge, expected_challenge)
                 if expected_challenge != grant.code_challenge:
                     return JsonResponse({
                         "error": "invalid_grant",

src/pretix/settings.py

@@ -211,6 +211,10 @@ USE_X_FORWARDED_HOST = config.getboolean('pretix', 'trust_x_forwarded_host', fal
 
 
 REQUEST_ID_HEADER = config.get('pretix', 'request_id_header', fallback=False)
+if REQUEST_ID_HEADER in config.cp.BOOLEAN_STATES:
+    raise ImproperlyConfigured(
+        "request_id_header should be set to a header name, not a boolean value."
+    )
 
 if config.getboolean('pretix', 'trust_x_forwarded_proto', fallback=False):
     SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

src/pretix/static/npm_dir/package-lock.json

@@ -2776,9 +2776,9 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "optional": true,
       "dependencies": {
         "brace-expansion": "^1.1.7"
@@ -5642,9 +5642,9 @@
       "optional": true
     },
     "minimatch": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
+      "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
       "optional": true,
       "requires": {
         "brace-expansion": "^1.1.7"

src/pretix/static/pretixbase/js/deanonymize_email.js

@@ -0,0 +1,7 @@
+document.addEventListener('DOMContentLoaded', function() {
+    document.querySelectorAll('a[href^="mailto:"]').forEach(function(link) {
+        // Replace [at] with @ and the [dot] with . in both the href and the displayed text (if needed)
+        link.href = link.href.replace('[at]', '@').replace('[dot]', '.');
+        link.textContent = link.textContent.replace('[at]', '@').replace('[dot]', '.');
+    });
+});

src/tests/api/test_order_create.py

@@ -895,6 +895,41 @@ def test_order_create_payment_info_optional(token_client, organizer, event, item
     assert json.loads(p.info) == res['payment_info']
 
 
+@pytest.mark.django_db
+def test_order_create_payment_info_valid_object(token_client, organizer, event, item, quota, question):
+    res = copy.deepcopy(ORDER_CREATE_PAYLOAD)
+    res['positions'][0]['item'] = item.pk
+    res['positions'][0]['answers'][0]['question'] = question.pk
+
+    res["payment_info"] = [{"should": "fail"}]
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/orders/'.format(
+            organizer.slug, event.slug
+        ), format='json', data=res
+    )
+    assert resp.status_code == 400
+
+    res['payment_info'] = {
+        'foo': {
+            'bar': [1, 2],
+            'test': False
+        }
+    }
+    resp = token_client.post(
+        '/api/v1/organizers/{}/events/{}/orders/'.format(
+            organizer.slug, event.slug
+        ), format='json', data=res
+    )
+    assert resp.status_code == 201
+    with scopes_disabled():
+        o = Order.objects.get(code=resp.data['code'])
+
+        p = o.payments.first()
+    assert p.provider == "banktransfer"
+    assert p.amount == o.total
+    assert json.loads(p.info) == res['payment_info']
+
+
 @pytest.mark.django_db
 def test_order_create_position_secret_optional(token_client, organizer, event, item, quota, question):
     res = copy.deepcopy(ORDER_CREATE_PAYLOAD)

src/tests/api/test_orders.py

@@ -34,7 +34,7 @@ from stripe import error
 from tests.plugins.stripe.test_checkout import apple_domain_create
 from tests.plugins.stripe.test_provider import MockedCharge
 
-from pretix.base.models import InvoiceAddress, Order, OrderPosition
+from pretix.base.models import InvoiceAddress, Order, OrderPosition, Team
 from pretix.base.models.orders import OrderFee, OrderPayment, OrderRefund
 
 
@@ -180,6 +180,41 @@ def order2(event2, item2):
         return o
 
 
+@pytest.fixture
+@scopes_disabled()
+def team2(organizer, event2):
+    team2 = Team.objects.create(
+        organizer=organizer,
+        name="Test-Team 2",
+        can_change_teams=True,
+        can_manage_gift_cards=True,
+        can_change_items=True,
+        can_create_events=True,
+        can_change_event_settings=True,
+        can_change_vouchers=True,
+        can_view_vouchers=True,
+        can_change_orders=True,
+        can_manage_customers=True,
+        can_manage_reusable_media=True,
+        can_change_organizer_settings=True,
+
+    )
+    team2.limit_events.add(event2)
+    team2.save()
+    return team2
+
+
+@pytest.fixture
+@scopes_disabled()
+def limited_token_client(client, team2):
+    team2.can_view_orders = True
+    team2.can_view_vouchers = True
+    team2.save()
+    t = team2.tokens.create(name='Foo')
+    client.credentials(HTTP_AUTHORIZATION='Token ' + t.token)
+    return client
+
+
 TEST_ORDERPOSITION_RES = {
     "id": 1,
     "order": "FOO",
@@ -987,8 +1022,64 @@ def test_refund_cancel(token_client, organizer, event, order):
     assert resp.status_code == 400
 
 
+@pytest.mark.parametrize(
+    "endpoint_template, response_code",
+    [('/api/v1/organizers/{}/events/{}/orderpositions/', 403), ('/api/v1/organizers/{}/orderpositions/', 200)]
+)
 @pytest.mark.django_db
-def test_orderposition_list(token_client, organizer, device, event, order, item, subevent, subevent2, question, django_assert_num_queries):
+def test_orderposition_list_limited_read(
+        endpoint_template, response_code, limited_token_client, organizer, device, event, order, item, subevent, subevent2, question
+):
+    endpoint = endpoint_template.format(organizer.slug, event.slug)
+
+    i2 = copy.copy(item)
+    i2.pk = None
+    i2.save()
+    with scopes_disabled():
+        var = item.variations.create(value="Children")
+        res = copy.copy(TEST_ORDERPOSITION_RES)
+        op = order.positions.first()
+        op.variation = var
+        op.save()
+        res["id"] = op.pk
+        res["item"] = item.pk
+        res["variation"] = var.pk
+        res["answers"][0]["question"] = question.pk
+        res["print_logs"][0]["id"] = op.print_logs.first().pk
+        res["print_logs"][0]["device_id"] = device.device_id
+
+    resp = limited_token_client.get(endpoint)
+    assert resp.status_code == response_code
+    if response_code == 200:
+        assert resp.json() == {'count': 0, 'next': None, 'previous': None, 'results': []}
+    else:
+        assert resp.json() == {'detail': 'You do not have permission to perform this action.'}
+
+
+@pytest.mark.parametrize(
+    ("endpoint_template", "endpoint_type"),
+    [
+        ('/api/v1/organizers/{}/events/{}/orderpositions/', "event"),
+        ('/api/v1/organizers/{}/orderpositions/', "organizer")
+    ],
+)
+@pytest.mark.django_db
+def test_orderposition_list(
+        endpoint_template,
+        endpoint_type,
+        token_client,
+        organizer,
+        device,
+        event,
+        order,
+        item,
+        subevent,
+        subevent2,
+        question,
+        django_assert_num_queries
+):
+    endpoint = endpoint_template.format(organizer.slug, event.slug)
+
     i2 = copy.copy(item)
     i2.pk = None
     i2.save()
@@ -1005,88 +1096,64 @@ def test_orderposition_list(token_client, organizer, device, event, order, item,
         res["answers"][0]["question"] = question.pk
         res["print_logs"][0]["id"] = op.print_logs.first().pk
         res["print_logs"][0]["device_id"] = device.device_id
+        if endpoint_type == "organizer":
+            res["event"] = event.slug
 
-    resp = token_client.get('/api/v1/organizers/{}/events/{}/orderpositions/'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint)
     assert resp.status_code == 200
     assert [res] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?order__status=n'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?order__status=n')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?order__status=p'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?order__status=p')
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?item={}'.format(organizer.slug, event.slug, item.pk))
+    resp = token_client.get(endpoint + '?item={}'.format(item.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?item__in={},{}'.format(
-            organizer.slug, event.slug, item.pk, i2.pk
-        ))
+    resp = token_client.get(endpoint + '?item__in={},{}'.format(item.pk, i2.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?item={}'.format(organizer.slug, event.slug, i2.pk))
+    resp = token_client.get(endpoint + '?item={}'.format(i2.pk))
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?variation={}'.format(organizer.slug, event.slug, var.pk))
+    resp = token_client.get(endpoint + '?variation={}'.format(var.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?variation={}'.format(organizer.slug, event.slug, var2.pk))
+    resp = token_client.get(endpoint + '?variation={}'.format(var2.pk))
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?attendee_name=Peter'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?attendee_name=Peter')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?attendee_name=peter'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?attendee_name=peter')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?attendee_name=Mark'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?attendee_name=Mark')
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?secret=z3fsn8jyufm5kpk768q69gkbyr5f4h6w'.format(
-            organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?secret=z3fsn8jyufm5kpk768q69gkbyr5f4h6w')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?secret=abc123'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?secret=abc123')
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?pseudonymization_id=ABCDEFGHKL'.format(
-            organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?pseudonymization_id=ABCDEFGHKL')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?pseudonymization_id=FOO'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?pseudonymization_id=FOO')
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?search=FO'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?search=FO')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?search=z3fsn8j'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?search=z3fsn8j')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?search=Peter'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?search=Peter')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?search=5f4h6w'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?search=5f4h6w')
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?order=FOO'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?order=FOO')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?order=BAR'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?order=BAR')
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?has_checkin=false'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?has_checkin=false')
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?has_checkin=true'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?has_checkin=true')
     assert [] == resp.data['results']
 
     with scopes_disabled():
@@ -1103,33 +1170,28 @@ def test_orderposition_list(token_client, organizer, device, event, order, item,
         'gate': None,
         'type': 'entry'
     }]
-    with django_assert_num_queries(16):
-        resp = token_client.get(
-            '/api/v1/organizers/{}/events/{}/orderpositions/?has_checkin=true'.format(organizer.slug, event.slug)
-        )
+    if '/events/' in endpoint:
+        with django_assert_num_queries(18):
+            resp = token_client.get(endpoint + '?has_checkin=true')
+    else:
+        with django_assert_num_queries(17):
+            resp = token_client.get(endpoint + '?has_checkin=true')
     assert [res] == resp.data['results']
 
     op.subevent = subevent
     op.save()
     res['subevent'] = subevent.pk
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?subevent={}'.format(organizer.slug, event.slug, subevent.pk))
+    resp = token_client.get(endpoint + '?subevent={}'.format(subevent.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?subevent__in={},{}'.format(organizer.slug, event.slug,
-                                                                                    subevent.pk, subevent2.pk))
+    resp = token_client.get(endpoint + '?subevent__in={},{}'.format(subevent.pk, subevent2.pk))
     assert [res] == resp.data['results']
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?subevent={}'.format(organizer.slug, event.slug,
-                                                                             subevent.pk + 1))
+    resp = token_client.get(endpoint + '?subevent={}'.format(subevent.pk + 1))
     assert [] == resp.data['results']
 
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?include_canceled_positions=false'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?include_canceled_positions=false')
     assert len(resp.data['results']) == 1
-    resp = token_client.get(
-        '/api/v1/organizers/{}/events/{}/orderpositions/?include_canceled_positions=true'.format(organizer.slug, event.slug))
+    resp = token_client.get(endpoint + '?include_canceled_positions=true')
     assert len(resp.data['results']) == 2
 
 

src/tests/control/test_waitinglist.py

@@ -29,6 +29,8 @@ from pretix.base.models import (
     Event, Item, ItemVariation, Organizer, Quota, Team, User, Voucher,
     WaitingListEntry,
 )
+from pretix.base.models.seating import Seat, SeatingPlan
+from pretix.base.models.waitinglist import WaitingListException
 from pretix.control.views.dashboards import waitinglist_widgets
 
 
@@ -55,11 +57,11 @@ def env():
     WaitingListEntry.objects.create(
         event=event, item=item1, email='success@example.org', voucher=v
     )
-    v = Voucher.objects.create(item=item1, event=event, block_quota=True, redeemed=0, valid_until=now() - timedelta(days=5))
+    v = Voucher.objects.create(item=item2, event=event, block_quota=True, redeemed=0, valid_until=now() - timedelta(days=5))
     WaitingListEntry.objects.create(
         event=event, item=item2, email='expired@example.org', voucher=v
     )
-    v = Voucher.objects.create(item=item1, event=event, block_quota=True, redeemed=0, valid_until=now() + timedelta(days=5))
+    v = Voucher.objects.create(item=item2, event=event, block_quota=True, redeemed=0, valid_until=now() + timedelta(days=5))
     WaitingListEntry.objects.create(
         event=event, item=item2, email='valid@example.org', voucher=v
     )
@@ -345,5 +347,75 @@ def test_dashboard(client, env):
         quota.items.add(env['item1'])
         w = waitinglist_widgets(env['event'])
 
-    assert '1' in w[0]['content']
+    assert '2' in w[0]['content']
     assert '5' in w[1]['content']
+
+
+@pytest.mark.django_db
+def test_waitinglist_seat_calc(client, env):
+    item = env['item1']
+    event = env['event']
+    wle = env['wle']
+
+    SeatingPlan.objects.create(
+        name="Plan", organizer=event.organizer, layout="{}"
+    )
+    event.seat_category_mappings.create(
+        layout_category='Stalls', product=item
+    )
+    for i in range(2):
+        event.seats.create(seat_number=f"A{i}", product=item, seat_guid=f"A{i}")
+
+    quota = Quota.objects.create(event=event, size=10)
+    quota.items.add(item)
+
+    client.login(email='dummy@dummy.dummy', password='dummy')
+
+    # Calculated availability should not be more than number of available seats
+    response = client.get('/control/event/dummy/dummy/waitinglist/')
+    assert len(response.context['entries']) == 5
+    for entry in response.context['entries']:
+        assert entry.availability == (Quota.AVAILABILITY_OK, 2)
+
+    # Sending out a voucher reduces availability by 1
+    with scopes_disabled():
+        wle.send_voucher()
+
+    voucher = wle.voucher
+    assert voucher
+
+    response = client.get('/control/event/dummy/dummy/waitinglist/')
+    assert len(response.context['entries']) == 4
+    for entry in response.context['entries']:
+        assert entry.availability == (Quota.AVAILABILITY_OK, 1)
+
+    # Assigning a seat to a voucher does not decrease availability further
+    with scopes_disabled():
+        voucher.seat = Seat.objects.get(seat_guid="A0")
+        voucher.save()
+
+    response = client.get('/control/event/dummy/dummy/waitinglist/')
+    assert len(response.context['entries']) == 4
+    for entry in response.context['entries']:
+        assert entry.availability == (Quota.AVAILABILITY_OK, 1)
+
+    with scopes_disabled():
+        wle2 = WaitingListEntry.objects.filter(item=item, voucher__isnull=True).first()
+        wle2.send_voucher()
+
+    # Overbooking is handled correctly
+    # Regression test for calculation that used `not free_seats` instead of `free_seats < 1`
+    with scopes_disabled():
+        # Block seat
+        seat = Seat.objects.get(seat_guid="A1")
+        seat.blocked = True
+        seat.save()
+
+    response = client.get('/control/event/dummy/dummy/waitinglist/')
+    assert len(response.context['entries']) == 3
+    for entry in response.context['entries']:
+        assert entry.availability == (Quota.AVAILABILITY_GONE, -1)
+
+    with scopes_disabled(), pytest.raises(WaitingListException):
+        wle3 = WaitingListEntry.objects.filter(item=item, voucher__isnull=True).first()
+        wle3.send_voucher()