Merge branch 'master' into feature/microsoft-auth

# Conflicts: # app/app.py # app/create_database.py # app/models/user.py # requirements.in # requirements.txt
2023-04-19 20:55:35 +02:00 · 2023-04-19 20:55:35 +02:00 · aab522eef9
parent 841c3d5fb8 02afba70a9
commit aab522eef9
33 changed files with 653 additions and 208 deletions
--- a/README.md
+++ b/README.md
@ -26,7 +26,7 @@ Afterwards upgrade the database to the latest version using
 	cd app
 	python3 app.py db upgrade
-You can now still seed the database by running, note that you might want to put your name in the `HALDIS_ADMIN_USERS` in `app/config.py`
+You can now still seed the database by running, note that you might want to put your name in the `HALDIS_ADMINS` in `app/config.py`
 	./populate-db.sh
--- a/app/add_admins.py
+++ b/app/add_admins.py
@ -10,5 +10,5 @@ def add() -> None:
    """Add users as admin."""
    for username in Configuration.HALDIS_ADMINS:
        user = User()
-        user.configure(username, True, 0)
+        user.configure(username, True, 0, associations=["zeus"])
        db.session.add(user)
--- a/app/admin.py
+++ b/app/admin.py
@ -28,11 +28,12 @@ class OrderAdminModel(ModelBaseView):
    "Class for the model of a OrderAdmin"
    # pylint: disable=too-few-public-methods
    column_default_sort = ("starttime", True)
-    column_list = ["starttime", "stoptime", "location_name", "location_id", "courier"]
+    column_list = ["starttime", "stoptime", "location_name", "location_id", "courier", "association"]
    column_labels = {
        "starttime": "Start Time",
        "stoptime": "Closing Time",
        "location_id": "HLDS Location ID",
        "association": "Association",
    }
    form_excluded_columns = ["items", "courier_id"]
    can_delete = False
@ -44,6 +45,7 @@ class OrderItemAdminModel(ModelBaseView):
    column_default_sort = ("order_id", True)
    column_list = [
        "order_id",
        "slug",
        "order.location_name",
        "user_name",
        "user",
--- a/app/app.py
+++ b/app/app.py
@ -3,6 +3,7 @@
 """Main Haldis script"""
 import logging
 import sentry_sdk
 import typing
 from datetime import datetime
 from logging.handlers import TimedRotatingFileHandler
@ -20,7 +21,8 @@ from markupsafe import Markup
 from config import Configuration
 from models import db
 from models.anonymous_user import AnonymouseUser
-from utils import euro_string, price_range_string
+from sentry_sdk.integrations.flask import FlaskIntegration
 from utils import euro_string, price_range_string, ignore_none
 from auth.zeus import init_oauth
@ -156,6 +158,7 @@ def add_template_filters(app: Flask) -> None:
    app.template_filter("price_range")(price_range_string)
    app.template_filter("any")(any)
    app.template_filter("all")(all)
    app.template_filter("ignore_none")(ignore_none)
 def create_app():
@ -174,10 +177,16 @@ def create_app():
    def inject_config():
        return dict(configuration=Configuration)
-    return app_manager
+    return app, app_manager
 # For usage when you directly call the script with python
 if __name__ == "__main__":
-    app_mgr = create_app()
+    if Configuration.SENTRY_DSN:
        sentry_sdk.init(
            dsn=Configuration.SENTRY_DSN,
            integrations=[FlaskIntegration()]
        )
    app, app_mgr = create_app()
    app_mgr.run()
--- a/app/auth/zeus.py
+++ b/app/auth/zeus.py
@ -83,7 +83,7 @@ def login_and_redirect_user(user) -> Response:
 def create_user(username) -> User:
    """Create a temporary user if it is needed"""
    user = User()
-    user.configure(username, False, 1)
+    user.configure(username, False, 1, associations=["zeus"])
    db.session.add(user)
    db.session.commit()
    return user
--- a/app/config.example.py
+++ b/app/config.example.py
@ -8,10 +8,11 @@ class Configuration:
    SQLALCHEMY_DATABASE_URI = "sqlite:///haldis.db"
    SQLALCHEMY_TRACK_MODIFICATIONS = False
    DEBUG = True
-    HALDIS_ADMIN_USERS = []
+    HALDIS_ADMINS = []
    SECRET_KEY = "<change>"
    SLACK_WEBHOOK = None
    LOGFILE = "haldis.log"
    SENTRY_DSN = None
    ZEUS_KEY = "tomtest"
    ZEUS_SECRET = "blargh"
--- a/app/create_database.py
+++ b/app/create_database.py
@ -4,7 +4,7 @@ import add_admins
 from app import create_app, db
-app_manager = create_app()
+app, app_manager = create_app()
 entry_sets = {
    "admins": add_admins.add,
--- a/app/database/muhscheme.txt
+++ b/app/database/muhscheme.txt
@ -9,6 +9,7 @@ user
 order
 	id
 	slug                secret used in URL
 	courier_id
 	location_id         HLDS identifier
 	location_name       this allows historical orders to keep the same location name
--- a/app/forms.py
+++ b/app/forms.py
@ -24,13 +24,17 @@ class OrderForm(Form):
        "Starttime", default=datetime.now, format="%d-%m-%Y %H:%M"
    )
    stoptime = DateTimeField("Stoptime", format="%d-%m-%Y %H:%M")
    association = SelectField("Association", coerce=str, validators=[validators.required()])
    submit_button = SubmitField("Submit")
    def populate(self) -> None:
        "Fill in the options for courier for an Order"
        if current_user.is_admin():
-            self.courier_id.choices = [(0, None)] + [
+            self.courier_id.choices = [
-                (u.id, u.username) for u in User.query.order_by("username")
+                (0, None),
                (current_user.id, current_user.username),
            ] + [
                (u.id, u.username) for u in User.query.order_by("username") if u.id != current_user.id
            ]
        else:
            self.courier_id.choices = [
@ -38,6 +42,7 @@ class OrderForm(Form):
                (current_user.id, current_user.username),
            ]
        self.location_id.choices = [(l.id, l.name) for l in location_definitions]
        self.association.choices = current_user.association_list()
        if self.stoptime.data is None:
            self.stoptime.data = datetime.now() + timedelta(hours=1)
--- a/app/migrations/versions/29ccbe077c57_add_slug.py
+++ b/app/migrations/versions/29ccbe077c57_add_slug.py
@ -0,0 +1,30 @@
 """add slug
 Revision ID: 29ccbe077c57
 Revises: 55013fe95bea
 Create Date: 2022-05-20 19:46:11.924218
 """
 # revision identifiers, used by Alembic.
 revision = '29ccbe077c57'
 down_revision = '55013fe95bea'
 from alembic import op
 import sqlalchemy as sa
 from sqlalchemy.sql import text
 def upgrade():
    op.add_column('order', sa.Column(
        'slug',
        sa.String(length=8),
        nullable=False,
        # Default: random alphanumerical string
        server_default=text('SUBSTRING(MD5(RAND()) FROM 1 FOR 7)')
    ))
    op.create_unique_constraint('order_slug_unique', 'order', ['slug'])
 def downgrade():
    op.drop_constraint('order_slug_unique', 'order', type_='unique')
    op.drop_column('order', 'slug')
--- a/app/migrations/versions/55013fe95bea_create_price_modified_column.py
+++ b/app/migrations/versions/55013fe95bea_create_price_modified_column.py
@ -0,0 +1,21 @@
 """Create price_modified column
 Revision ID: 55013fe95bea
 Revises: 9159a6fed021
 Create Date: 2022-04-22 01:00:03.729596
 """
 # revision identifiers, used by Alembic.
 revision = '55013fe95bea'
 down_revision = '9159a6fed021'
 from alembic import op
 import sqlalchemy as sa
 def upgrade():
    op.add_column('order_item', sa.Column('price_modified', sa.DateTime(), nullable=True))
 def downgrade():
    op.drop_column('order_item', 'price_modified')
--- a/app/migrations/versions/9eac0f3d7b1e_.py
+++ b/app/migrations/versions/9eac0f3d7b1e_.py
@ -0,0 +1,22 @@
 """empty message
 Revision ID: 9eac0f3d7b1e
 Revises: ('f6a6004bf4b9', '29ccbe077c57')
 Create Date: 2022-05-30 18:35:43.918797
 """
 # revision identifiers, used by Alembic.
 revision = '9eac0f3d7b1e'
 down_revision = ('f6a6004bf4b9', '29ccbe077c57')
 from alembic import op
 import sqlalchemy as sa
 def upgrade():
    pass
 def downgrade():
    pass
--- a/app/migrations/versions/f6a6004bf4b9_add_user_associations.py
+++ b/app/migrations/versions/f6a6004bf4b9_add_user_associations.py
@ -0,0 +1,28 @@
 """Add user associations
 Revision ID: f6a6004bf4b9
 Revises: 55013fe95bea
 Create Date: 2022-05-24 21:23:27.770365
 """
 # revision identifiers, used by Alembic.
 revision = 'f6a6004bf4b9'
 down_revision = '55013fe95bea'
 from alembic import op
 import sqlalchemy as sa
 def upgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.add_column('order', sa.Column('association', sa.String(length=120), server_default='', nullable=False))
    op.add_column('user', sa.Column('associations', sa.String(length=255), server_default='', nullable=False))
    # ### end Alembic commands ###
 def downgrade():
    # ### commands auto generated by Alembic - please adjust! ###
    op.drop_column('user', 'associations')
    op.drop_column('order', 'association')
    # ### end Alembic commands ###
--- a/app/models/anonymous_user.py
+++ b/app/models/anonymous_user.py
@ -1,10 +1,14 @@
 "AnonymouseUser for people who are not logged in the normal way"
 from typing import List
 # pylint: disable=R0201,C0111
 class AnonymouseUser:
    id = None
    def association_list(self) -> List[str]:
        return []
    def is_active(self) -> bool:
        return False
--- a/app/models/order.py
+++ b/app/models/order.py
@ -1,7 +1,9 @@
-"Script for everything Order related in the database"
+"""Script for everything Order related in the database"""
 import typing
 from collections import defaultdict
 from datetime import datetime
 import secrets
 import string
 from hlds.definitions import location_definitions
 from utils import first
@ -9,9 +11,16 @@ from utils import first
 from .database import db
 from .user import User
 BASE31_ALPHABET = '23456789abcdefghjkmnpqrstuvwxyz'
 def generate_slug():
    secret = ''.join(secrets.choice(BASE31_ALPHABET) for i in range(8))
    while Order.query.filter(Order.slug == secret).first() is not None:
        secret = ''.join(secrets.choice(BASE31_ALPHABET) for i in range(8))
    return secret
 class Order(db.Model):
-    "Class used for configuring the Order model in the database"
+    """Class used for configuring the Order model in the database"""
    id = db.Column(db.Integer, primary_key=True)
    courier_id = db.Column(db.Integer, nullable=True)
    location_id = db.Column(db.String(64))
@ -19,6 +28,8 @@ class Order(db.Model):
    starttime = db.Column(db.DateTime)
    stoptime = db.Column(db.DateTime)
    public = db.Column(db.Boolean, default=True)
    slug = db.Column(db.String(8), default=generate_slug, unique=True)
    association = db.Column(db.String(120), nullable=False, server_default="")
    items = db.relationship("OrderItem", backref="order", lazy="dynamic")
@ -47,7 +58,7 @@ class Order(db.Model):
        self.location_name = self.location.name
    def for_user(self, anon=None, user=None) -> typing.List:
-        "Get the items for a certain user"
+        """Get the items for a certain user"""
        return list(
            filter(
                (lambda i: i.user == user)
@ -58,7 +69,7 @@ class Order(db.Model):
        )
    def group_by_user(self) -> typing.List[typing.Tuple[str, typing.List]]:
-        "Group items of an Order by user"
+        """Group items of an Order by user"""
        group: typing.Dict[str, typing.List] = {}
        # pylint: disable=E1133
@ -78,7 +89,7 @@ class Order(db.Model):
    ) -> typing.List[
        typing.Tuple[str, int, typing.List[typing.Tuple[str, typing.List]]]
    ]:
-        "Group items of an Order by dish"
+        """Group items of an Order by dish"""
        group: typing.Dict[str, typing.Dict[str, typing.List]] = defaultdict(
            lambda: defaultdict(list)
        )
@ -101,11 +112,11 @@ class Order(db.Model):
        )
    def is_closed(self) -> bool:
-        "Return whether or not the order is closed"
+        """Return whether the order is closed"""
        return self.stoptime and datetime.now() > self.stoptime
    def can_close(self, user_id: int) -> bool:
-        "Check if a user can close the Order"
+        """Check if a user can close the Order"""
        if self.stoptime and self.stoptime < datetime.now():
            return False
        user = None
@ -114,3 +125,13 @@ class Order(db.Model):
        if self.courier_id == user_id or (user and user.is_admin()):
            return True
        return False
    def can_modify_prices(self, user_id: int) -> bool:
        if not self.is_closed():
            return False
        user = User.query.filter_by(id=user_id).first()
        return user and (user.is_admin() or user == self.courier)
    def can_modify_payment(self, user_id: int) -> bool:
        user = User.query.filter_by(id=user_id).first()
        return user and (user.is_admin() or user == self.courier)
--- a/app/models/orderitem.py
+++ b/app/models/orderitem.py
@ -10,7 +10,7 @@ from .user import User
 class OrderItem(db.Model):
-    "Class used for configuring the OrderItem model in the database"
+    """Class used for configuring the OrderItem model in the database"""
    id = db.Column(db.Integer, primary_key=True)
    order_id = db.Column(db.Integer, db.ForeignKey("order.id"), nullable=False)
    user_id = db.Column(db.Integer, db.ForeignKey("user.id"))
@ -18,6 +18,7 @@ class OrderItem(db.Model):
    dish_id = db.Column(db.String(64), nullable=True)
    dish_name = db.Column(db.String(120), nullable=True)
    price = db.Column(db.Integer, nullable=True)
    price_modified = db.Column(db.DateTime, nullable=True)
    paid = db.Column(db.Boolean, default=False, nullable=True)
    comment = db.Column(db.Text(), nullable=True)
    hlds_data_version = db.Column(db.String(40), nullable=True)
@ -60,7 +61,7 @@ class OrderItem(db.Model):
    # pylint: disable=W0613
    def can_delete(self, order_id: int, user_id: int, name: str) -> bool:
-        "Check if a user can delete an item"
+        """Check if a user can delete an item"""
        if int(self.order_id) != int(order_id):
            return False
        if self.order.is_closed():
@ -73,3 +74,12 @@ class OrderItem(db.Model):
        if user and (user.is_admin() or user == self.order.courier):
            return True
        return False
    # pylint: disable=W0613
    def can_modify_payment(self, order_id: int, user_id: int) -> bool:
        if int(self.order_id) != int(order_id):
            return False
        user = User.query.filter(User.id == user_id).first()
        if user and (user.is_admin() or user == self.order.courier):
            return True
        return False
--- a/app/models/user.py
+++ b/app/models/user.py
@ -1,4 +1,6 @@
 "Script for everything User related in the database"
 from typing import List, Optional
 from models import db
@ -11,6 +13,9 @@ class User(db.Model):
    # Microsoft OAUTH info
    microsoft_uuid = db.Column(db.String(120), unique=True)
    ugent_username = db.Column(db.String(80), unique=True)
    # Association logic
    associations = db.Column(db.String(255), nullable=False, server_default="")
    # Relations
    runs = db.relation(
        "Order",
@ -20,12 +25,18 @@ class User(db.Model):
    )
    orderItems = db.relationship("OrderItem", backref="user", lazy="dynamic")
-    def configure(self, username: str, admin: bool, bias: int, microsoft_uuid: str = None) -> None:
+    def association_list(self) -> List[str]:
        return self.associations.split(",")
    def configure(self, username: str, admin: bool, bias: int, microsoft_uuid: str = None, associations: Optional[List[str]] = None) -> None:
        """Configure the User"""
        if associations is None:
            associations = []
        self.username = username
        self.admin = admin
        self.bias = bias
        self.microsoft_uuid = microsoft_uuid
        self.associations = ",".join(associations)
    # pylint: disable=C0111, R0201
    def is_authenticated(self) -> bool:
--- a/app/notification.py
+++ b/app/notification.py
@ -11,29 +11,29 @@ from models.order import Order
 def webhook_text(order: Order) -> typing.Optional[str]:
-    "Function that makes the text for the notification"
+    """Function that makes the text for the notification"""
    if order.location_id == "test":
        return None
    if order.courier is not None:
        # pylint: disable=C0301, C0209
        return "<!channel|@channel> {3} is going to {1}, order <{0}|here>! Deadline in {2} minutes!".format(
-            url_for("order_bp.order_from_id", order_id=order.id, _external=True),
+            url_for("order_bp.order_from_slug", order_slug=order.slug, _external=True),
            order.location_name,
            remaining_minutes(order.stoptime),
-            order.courier.username.title(),
+            order.courier.username,
        )
    # pylint: disable=C0209
    return "<!channel|@channel> New order for {}. Deadline in {} minutes. <{}|Open here.>".format(
        order.location_name,
        remaining_minutes(order.stoptime),
-        url_for("order_bp.order_from_id", order_id=order.id, _external=True),
+        url_for("order_bp.order_from_slug", order_slug=order.slug, _external=True),
    )
 def post_order_to_webhook(order: Order) -> None:
-    "Function that sends the notification for the order"
+    """Function that sends the notification for the order"""
    message = webhook_text(order)
    if message:
        webhookthread = WebhookSenderThread(message, app.config["SLACK_WEBHOOK"])
@ -41,7 +41,7 @@ def post_order_to_webhook(order: Order) -> None:
 class WebhookSenderThread(Thread):
-    "Extension of the Thread class, which sends a webhook for the notification"
+    """Extension of the Thread class, which sends a webhook for the notification"""
    def __init__(self, message: str, url: str) -> None:
        super().__init__()
@ -52,7 +52,7 @@ class WebhookSenderThread(Thread):
        self.slack_webhook()
    def slack_webhook(self) -> None:
-        "The webhook for the specified chat platform"
+        """The webhook for the specified chat platform"""
        if self.url:
            requests.post(self.url, json={"text": self.message})
        else:
@ -60,9 +60,9 @@ class WebhookSenderThread(Thread):
 def remaining_minutes(value) -> str:
-    "Return the remaining minutes until the deadline of and order"
+    """Return the remaining minutes until the deadline of and order"""
    delta = value - datetime.now()
    if delta.total_seconds() < 0:
        return "0"
-    minutes = delta.total_seconds() // 60
+    minutes = int(delta.total_seconds() // 60)
    return f"{minutes:02}"
--- a/app/passenger_wsgi.py
+++ b/app/passenger_wsgi.py
@ -18,7 +18,9 @@ sys.path.append(os.getcwd())
 # Phusion Passenger expects this file to be called `passenger_wsgi.py`
 # and the WSGI object to be called `application`
-from app import app as application
+from app import create_app
 application, appmgr = create_app()
 # For running on the server with passenger etc
 if __name__ == "__main__":
--- a/app/static/css/main.css
+++ b/app/static/css/main.css
@ -243,9 +243,9 @@ details summary {
 }
 details summary:before {
 	font-style: normal;
-	content: "⯈";
+	content: "▸";
 	padding-right: 0.4em;
 }
 details[open] summary:before {
-	content: "⯆";
+	content: "▾";
 }
--- a/app/static/js/jquery.min.js
+++ b/app/static/js/jquery.min.js
--- a/app/static/js/qrcode.min.js
+++ b/app/static/js/qrcode.min.js
--- a/app/templates/order.html
+++ b/app/templates/order.html
@ -12,18 +12,39 @@
 {% block metas %}
 	{{ super() }}
 	<meta name="robots" content="noindex, nofollow">
 	<script type="text/javascript" src="{{ url_for('static', filename='js/jquery.min.js') }}"></script>
 	<script type="text/javascript" src="{{ url_for('static', filename='js/qrcode.min.js') }}"></script>
 {% endblock %}
 {% block container %}
-<header>
+<header class="row">
-	<h2 id="order-title">Order {{ order.id }}</h2>
+	<div class="col-md-2" style="padding-top: 2em">
 		<div id="qrcode"></div>
 		<script type="text/javascript">
 			var qrcode = new QRCode(document.getElementById("qrcode"), {
 					text: "{{ url_for("order_bp.order_from_slug", order_slug=order.slug, _external=True) }}",
 					width: 128,
 					height: 128,
 					colorDark : "#000000",
 					colorLight : "#ffffff",
 					correctLevel : QRCode.CorrectLevel.H
 			});
 		</script>
 	</div>
 	<div class="col-md-10">
 		<h2 id="order-title">Order {{ order.id }}</h2>
-	<div class="location">
+		<div class="location">
-		{% if order.location %}
+			{% if order.location %}
-			<a href="{{ url_for('general_bp.location', location_id=order.location_id) }}">{{ order.location_name }}</a>
+				<a href="{{ url_for('general_bp.location', location_id=order.location_id) }}">{{ order.location_name }}</a>
-		{% else %}
+			{% else %}
-			{{ order.location_name }}
+				{{ order.location_name }}
-		{% endif %}
+			{% endif %}
 		</div>
 		<div>
 			Unique order link: <code>{{ url_for("order_bp.order_from_slug", order_slug=order.slug, _external=True) }}</code>
 		</div>
 	</div>
 </header>
@ -36,7 +57,7 @@
 					{% for item in my_items %}
 					<li class="spacecake">
 						{% if item.can_delete(order.id, current_user.id, session.get('anon_name', '')) -%}
-							<form action="{{ url_for('order_bp.delete_item', order_id=order.id, item_id=item.id) }}" method="post" style="display:inline">
+							<form action="{{ url_for('order_bp.delete_item', order_slug=order.slug, item_id=item.id) }}" method="post" style="display:inline">
 								<button class="btn btn-link btn-sm" type="submit" style="padding: 0 0.5em;"><span class="glyphicon glyphicon-remove"></span></button>
 							</form>
 						{%- endif %}
@ -65,7 +86,7 @@
 			<h3>Add item to order</h3>
 			{% for dish in order.location.dishes %}
-				<form method="post" action="{{ url_for('order_bp.order_item_create', order_id=order.id) }}" id="dish_{{ dish.id }}">
+				<form method="post" action="{{ url_for('order_bp.order_item_create', order_slug=order.slug) }}" id="dish_{{ dish.id }}">
 					{{ form.csrf_token }}
 					<input type="hidden" name="dish_id" value="{{ dish.id }}" />
@ -134,60 +155,66 @@
 		<div class="box" id="order_info">
 			<h3>Order information</h3>
-			<dl>
+			<div class="row">
-				<div>
+				<dl class="col-md-10 col-lg-8">
-					<dt>Order opens</dt>
+					<div>
-					<dd>{{ order.starttime.strftime("%Y-%m-%d, %H:%M") }}</dd>
+						<dt>Order opens</dt>
 						<dd>{{ order.starttime.strftime("%Y-%m-%d, %H:%M") }}</dd>
-					<dt>Order closes</dt>
+						<dt>Order closes</dt>
-					<dd>
+						<dd>
-						{% if order.stoptime %}
+							{% if order.stoptime %}
-							{% set stoptimefmt = (
+								{% set stoptimefmt = (
-								"%H:%M" if order.stoptime.date() == order.starttime.date()
+									"%H:%M" if order.stoptime.date() == order.starttime.date()
-								else "%Y-%m-%d, %H:%M"
+									else "%Y-%m-%d, %H:%M"
-							) %}
+								) %}
-							{{ order.stoptime.strftime(stoptimefmt) }} ({{  order.stoptime|countdown }})
+								{{ order.stoptime.strftime(stoptimefmt) }} ({{  order.stoptime|countdown }})
-						{% else %}
+							{% else %}
-							Never
+								Never
-						{% endif %}
+							{% endif %}
-					</dd>
+						</dd>
 					</div>
 					<div>
 						<dt>Location</dt>
 						<dd>
 							{% if order.location %}
 								<a href="{{ url_for('general_bp.location', location_id=order.location_id) }}">{{ order.location_name }}</a>
 							{% else %}
 								{{ order.location_name }}
 							{% endif %}
 						</dd>
 						<dt>Courier</dt>
 						<dd>
 							{% if order.courier == None %}
 								{% if not current_user.is_anonymous() %}
 								<form action="{{ url_for('order_bp.volunteer', order_slug=order.slug) }}" method="post" style="display:inline">
 									<input type="submit" class="btn btn-primary btn-sm" value="Volunteer"></input>
 								</form>
 								{% else %}No-one yet{% endif %}
 							{% else %}
 								{{ order.courier.username }}
 							{% endif %}
 						</dd>
 					</div>
 				</dl>
 				<div class="col-md-2 col-lg-4">
 					<img src="https://dsa.ugent.be/api/verenigingen/{{ order.association }}/logo" class="img-responsive align-top" style="max-width:200px;width:100%">
 				</div>
 				<div>
 					<dt>Location</dt>
 					<dd>
 						{% if order.location %}
 							<a href="{{ url_for('general_bp.location', location_id=order.location_id) }}">{{ order.location_name }}</a>
 						{% else %}
 							{{ order.location_name }}
 						{% endif %}
 					</dd>
 					<dt>Courier</dt>
 					<dd>
 						{% if order.courier == None %}
 							{% if not current_user.is_anonymous() %}
 							<form action="{{ url_for('order_bp.volunteer', order_id=order.id) }}" method="post" style="display:inline">
 								<input type="submit" class="btn btn-primary btn-sm" value="Volunteer"></input>
 							</form>
 							{% else %}No-one yet{% endif %}
 						{% else %}
 							{{ order.courier.username }}
 						{% endif %}
 					</dd>
 				</div>
 			</dl>
 			<div>
 				{% if order.can_close(current_user.id) -%}
 					<form action="{{ url_for('order_bp.close_order', order_id=order.id) }}" method="post" style="display:inline">
 						<input type="submit" class="btn btn-danger" value="Close"></input>
 					</form>
 				{% endif %}
 				{% if courier_or_admin %}
 					<a class="btn" href="{{ url_for('order_bp.order_edit', order_id=order.id) }}">Edit</a>
 				{%- endif %}
 			</div>
 			{% if order.can_close(current_user.id) -%}
 				<form action="{{ url_for('order_bp.close_order', order_slug=order.slug) }}" method="post" style="display:inline">
 					<input type="submit" class="btn btn-danger" value="Close"></input>
 				</form>
 			{% endif %}
 			{% if courier_or_admin %}
 				<a class="btn" href="{{ url_for('order_bp.order_edit', order_slug=order.slug) }}">Edit</a>
 			{%- endif %}
 		</div>
 		<div class="box" id="how_to_order">
@ -258,7 +285,7 @@
 			<div class="footer">
 				Total {{ order.items.count() }} items — {{ total_price|euro }}
 				&nbsp;
-				<a class="btn btn-sm" href="{{ url_for('order_bp.items_shop_view', order_id=order.id) }}">Shop view</a>
+				<a class="btn btn-sm" href="{{ url_for('order_bp.items_shop_view', order_slug=order.slug) }}">Shop view</a>
 			</div>
 		</div>
 	</div>
@ -267,6 +294,7 @@
 <section class="single_column">
 	<div class="box" id="per_person">
 		<h3>Items per person</h3>
 		<form action="{{ url_for('order_bp.modify_items', order_slug=order.slug) }}" method="post">
 		<table class="table table-condensed">
 			<thead>
 				<tr><th>Total</th><th>Name</th><th>Items</th></tr>
@ -276,35 +304,37 @@
 				<tr>
 					<td>
 						{% set paid = order_items | map(attribute="paid") | all %}
-						<input type="checkbox" name="{{ user_name }}"
+						<input type="checkbox" name="user_names" value="{{ user_name }}"
-									  {{ "disabled" if paid }} style="{{ 'opacity: 0.5' if paid }}">
+								{{ "disabled" if not order.can_modify_payment(current_user.id) }}>
-						<span class="price">{{ order_items | map(attribute="price") | sum | euro }}</span>
+						<span class="price" style="{{ 'opacity: 0.5' if paid }}">
 							{{ order_items | map(attribute="price") | ignore_none | sum | euro }}
 						</span>
-						{% if paid %}paid{% endif %}
+						{% if paid %}<span class="glyphicon glyphicon-ok" style="opacity: 0.5"></span>{% endif %}
 					</td>
-					<td>{{ user_name }}</td>
+					<td style="{{ 'opacity: 0.5' if paid }}">{{ user_name }}</td>
 					<td class="items">
 						<ul>
 						{% for item in order_items %}
 							<li class="{{ 'paid' if item.paid }}">
 								<div class="actions">
 								{% if item.can_delete(order.id, current_user.id, session.get('anon_name', '')) -%}
-									<form action="{{ url_for('order_bp.delete_item', order_id=order.id, item_id=item.id) }}" method="post" style="display:inline">
+									<button class="btn btn-link btn-sm" type="submit" name="delete_item" value="{{ item.id }}" style="padding: 0 0.5em;"><span class="glyphicon glyphicon-remove"></span></button>
 										<button class="btn btn-link btn-sm" type="submit" style="padding: 0 0.5em;"><span class="glyphicon glyphicon-remove"></span></button>
 									</form>
 								{% else %}
-									<span class="glyphicon glyphicon-remove" style="color: var(--gray3); padding: 0 0.5em"></span>
+									<span class="glyphicon glyphicon-remove" style="color: var(--gray3); padding: 0 0.5em; cursor: not-allowed"></span>
 								{%- endif %}
 								</div>
-								<div class="price_aligned">{{ item.price|euro }}</div>
+								<div class="price_aligned">
 									{{ item.price|euro }}
 									{% if item.price_modified %}
 										<span class="glyphicon glyphicon-pencil" style="opacity: 0.5" title="Edited"></span>
 									{% endif %}
 								</div>
 								<div class="item_description">{{ item.dish_name }}{{ "; " + item.comment if item.comment }}</div>
 							</li>
 						{% endfor %}
 							<li>
 								<button class="btn btn-link btn-sm" onclick="alert('TODO')" style="color: green; padding: 0 0.5em;"><span class="glyphicon glyphicon-plus"></span></button>
 							</li>
 						</ul>
 					</td>
@ -314,11 +344,21 @@
 		</table>
 		<div class="footer">
 			{% if order.can_modify_payment(current_user.id) %}
 			On selected:
-			<button class="btn btn-sm"><span class="glyphicon glyphicon-ok"></span> Mark paid (TODO)</button>
+			<button name="action" value="mark_paid" class="btn btn-sm"><span class="glyphicon glyphicon-ok"></span> Mark paid</button>
-			<button class="btn btn-sm"><span class="glyphicon glyphicon-piggy-bank"></span> Tab (TODO)</button>
+			<button name="action" value="mark_unpaid" class="btn btn-sm">Mark unpaid</button>
-			<button class="btn btn-sm"><span class="glyphicon glyphicon-qrcode"></span> QR code (TODO)</button>
+			{% endif %}
 			{% if order.can_modify_prices(current_user.id) %}
 				&nbsp; <span style="border-left: 1px solid var(--gray0); display: inline-block;">&nbsp;</span>&nbsp;
 				<a href="{{ url_for('order_bp.prices', order_slug=order.slug) }}" class="btn btn-sm">
 					<span class="glyphicon glyphicon-pencil"></span>  Edit prices
 				</a>
 			{% endif %}
 		</div>
 		</form>
 	</div>
 </section>
 {% endblock %}
--- a/app/templates/order_edit.html
+++ b/app/templates/order_edit.html
@ -11,7 +11,7 @@
 				<h3>Edit order</h3>
 				<div class="row darker">
 					<div class="col-sm-12">
-						<form method="post" action="{{ url_for('.order_edit', order_id=order_id) }}">
+						<form method="post" action="{{ url_for('.order_edit', order_slug=order_slug) }}">
 							{{ form.csrf_token }}
 							<div class="form-group select2 {{ 'has-errors' if form.courier_id.errors else ''}}">
 								{{ form.courier_id.label(class='control-label') }}<br>
--- a/app/templates/order_prices.html
+++ b/app/templates/order_prices.html
@ -0,0 +1,132 @@
 {% extends "layout.html" %}
 {% set active_page = "orders" -%}
 {% import "utils.html" as util %}
 {% block metas %}
 	{{ super() }}
 	<meta name="robots" content="noindex, nofollow">
 {% endblock %}
 {% block container %}
 <header>
 	<h2 id="order-title">Edit prices</h2>
 	<div>Only applied to <a href="{{ url_for('order_bp.order_from_slug', order_slug=order.slug) }}">order {{ order.id }}</a>. To permanently change prices for {{ order.location_name }}, edit the <a href="https://git.zeus.gent/haldis/menus/-/blob/master/{{order.location_id}}.hlds">HLDS location definition</a>.</div>
 </header>
 <form action="{{ url_for('order_bp.prices', order_slug=order.slug) }}" method="post">
 	<div class="col-md-6" id="per_dish">
 		<h3>Per dish</h3>
 		<div class="noscript">This functionality requires JavaScript.</div>
 		<div class="script">
 			<table class="table table-condensed">
 				<thead>
 					<tr><th colspan="2">Dish</th><th>Price</th></tr>
 				</thead>
 				<tbody>
 				{% for dish_name, dish_quantity, dish_comment_groups in order.group_by_dish() -%}
 					{% set has_comments = dish_comment_groups | length > 1 or (dish_comment_groups | map("first") | any) -%}
 					{% for comment, items in dish_comment_groups -%}
 						<tr>
 							{% if loop.first %}
 							<td rowspan="{{dish_comment_groups | length }}">
 								<span class="quantity">{{ dish_quantity }}</span> ×
 								{{ dish_name }}
 							</td>
 							{% endif %}
 							<td>
 								<span class="quantity">{{ items | length }}</span> ×
 								{% if comment %}{{ comment }}
 								{% else %}<i>No comment</i>
 								{% endif %}
 							</td>
 							<td>
 								{% set price = items[0].price | euro("") %}
 								{% set item_ids = items | map(attribute="id") %}
 								€ <input type="text" data-for-items="{{ item_ids | join(",") }}" value="{{ price }}">
 							</td>
 						</tr>
 					{% endfor %}
 				{%- endfor %}
 				</tbody>
 			</table>
 		</div>
 	</div>
 	<div class="col-md-6" id="per_person">
 		<h3>Per person</h3>
 		<table class="table table-condensed">
 			<thead>
 				<tr><th>Name</th><th>Items</th></tr>
 			</thead>
 			<tbody>
 			{% for user_name, order_items in order.group_by_user() -%}
 				<tr>
 					<td>{{ user_name }}</td>
 					<td class="items">
 						<ul>
 						{% for item in order_items %}
 							<li class="{{ 'paid' if item.paid }}">
 								€ <input type="text" value="{{ item.price|euro("") }}" name="item_{{ item.id }}" id="item_{{ item.id }}">
 								<span class="item_description">{{ item.dish_name }}{{ "; " + item.comment if item.comment }}</span>
 							</li>
 						{% endfor %}
 						</ul>
 					</td>
 				</tr>
 			{%- endfor %}
 			</tbody>
 		</table>
 	</div>
 	<div>
 		<a href="{{ url_for('order_bp.order_from_slug', order_slug=order.slug) }}" class="btn btn-sm">Cancel</a>
 		<button class="btn btn-sm btn-primary">Apply</button>
 	</div>
 </form>
 {% endblock %}
 {% block styles %}
 	{{ super() }}
 	<style>
 .script {
 	display: none;
 }
 #per_dish ul, #per_person ul {
 	list-style-type: none;
 	padding: 0;
 }
 #per_dish input, #per_person input {
 	width: 3em;
 }
 	</style>
 {% endblock %}
 {% block scripts %}
 	{{ super() }}
 	<script type="text/javascript">
 		"use strict";
 		$(window).on("load", () => {
 			$(".noscript").css("display", "none");
 			$(".script").css("display", "unset");
 			function updatePerPersonPrices(e) {
 				console.log(e.target);
 				for (let item_id of e.target.dataset.forItems.split(",")) {
 					$("#item_" + item_id).val(e.target.value);
 				}
 			};
 			$("#per_dish input").on("change", updatePerPersonPrices);
 			$("#per_dish input").on("keyup", updatePerPersonPrices);
 		});
 	</script>
 {% endblock %}
--- a/app/templates/orders.html
+++ b/app/templates/orders.html
@ -38,6 +38,11 @@
 								{{ form.location_id(class='form-control select') }}
 								{{ util.render_form_field_errors(form.location_id) }}
 							</div>
 							<div class="form-group select2 {{ 'has-errors' if form.association.errors else ''}}{{ ' required' if form.association.flags.required }}">
 								{{ form.association.label(class='control-label') }}
 								{{ form.association(class='form-control select') }}
 								{{ util.render_form_field_errors(form.association) }}
 							</div>
 							{% if current_user.is_admin() %}
 								<div class="form-group{{ ' has-error' if form.starttime.errors }}{{ ' required' if form.starttime.flags.required }}{{ ' hidden' if not current_user.is_admin() }}">
 									{{ form.starttime.label(class='control-label') }}
--- a/app/templates/utils.html
+++ b/app/templates/utils.html
@ -1,15 +1,18 @@
 {% macro render_order(order) -%}
 <div class="row order_row">
-	<div class="col-md-8 col-lg-9 order_data">
+	<div class="col-md-6 order_data">
 		<h5>{{ order.location_name }}</h5>
-		<b class="amount_of_orders">{{ order.items.count() }} orders</b></p>
+		<b class="amount_of_orders">{{ order.items.count() }} items ordered for {{ order.association }}</b></p>
 		<p class="time_data">
 		{% if order.stoptime %}
 			<span><b>Closes </b>{{ order.stoptime.strftime("%H:%M") }}</span>{{ order.stoptime|countdown }}
 		{% else %}open{% endif %}<br/>
 	</div>
-	<div class="col-md-4 col-lg-3 expand_button_wrapper">
+	<div class="col-md-3">
-		<a class="btn btn-primary btn-block align-bottom expand_button" href="{{ url_for('order_bp.order_from_id', order_id=order.id) }}">Expand</a>
+		<img src="https://dsa.ugent.be/api/verenigingen/{{ order.association }}/logo" class="img-responsive align-bottom" style="max-width:200px;width:100%">
 	</div>
 	<div class="col-md-3 expand_button_wrapper">
 		<a class="btn btn-primary btn-block align-bottom expand_button" href="{{ url_for('order_bp.order_from_slug', order_slug=order.slug) }}">Expand</a>
 	</div>
 </div>
 {%- endmacro %}
--- a/app/utils.py
+++ b/app/utils.py
@ -1,16 +1,27 @@
 "Script which contains several utils for Haldis"
-from typing import Iterable
+import re
 from typing import Iterable, Optional
-def euro_string(value: int) -> str:
+def euro_string(value: Optional[int], unit="€ ") -> str:
    """
    Convert cents to string formatted euro
    """
    if value is None:
        return "✗"
    euro, cents = divmod(value, 100)
    if cents:
-        return f"€ {euro}.{cents:02}"
+        return f"{unit}{euro}.{cents:02}"
-    return f"€ {euro}"
+    return f"{unit}{euro}"
 def parse_euro_string(value: str) -> Optional[int]:
    m = re.fullmatch("(?:€ ?)?([0-9]+)(?:[.,]([0-9]+))?", value)
    if not m:
        return None
    cents_02 = "{:0<2.2}".format(m.group(2)) if m.group(2) else "00"
    return int(m.group(1)) * 100 + int(cents_02)
 def price_range_string(price_range, include_upper=False):
--- a/app/views/general.py
+++ b/app/views/general.py
@ -9,7 +9,7 @@ from flask import Blueprint, Flask, abort
 from flask import current_app as app
 from flask import (jsonify, make_response, render_template, request,
                   send_from_directory, url_for)
-from flask_login import login_required
+from flask_login import current_user, login_required
 from hlds.definitions import location_definitions
 from hlds.models import Location
 from models import Order
@ -34,7 +34,9 @@ def home() -> str:
        (Order.stoptime > prev_day) & (Order.stoptime < datetime.now())
    )
    return render_template(
-        "home.html", orders=get_orders(), recently_closed=recently_closed
+        "home.html", orders=get_orders(
            ((datetime.now() > Order.starttime) & (Order.stoptime > datetime.now()) | (Order.stoptime == None))
        ), recently_closed=recently_closed
    )
--- a/app/views/order.py
+++ b/app/views/order.py
@ -1,5 +1,6 @@
-"Script to generate the order related views of Haldis"
+"""Script to generate the order related views of Haldis"""
 import random
 import re
 import typing
 from datetime import datetime
@ -11,7 +12,7 @@ from forms import AnonOrderItemForm, OrderForm, OrderItemForm
 from hlds.definitions import location_definition_version, location_definitions
 from models import Order, OrderItem, User, db
 from notification import post_order_to_webhook
-from utils import ignore_none
+from utils import ignore_none, parse_euro_string
 from werkzeug.wrappers import Response
 order_bp = Blueprint("order_bp", "order")
@ -19,8 +20,8 @@ order_bp = Blueprint("order_bp", "order")
@order_bp.route("/")
 def orders(form: OrderForm = None) -> str:
-    "Generate general order view"
+    """Generate general order view"""
-    if form is None and not current_user.is_anonymous():
+    if form is None and current_user.association_list():
        form = OrderForm()
        location_id = request.args.get("location_id")
        form.location_id.default = location_id
@ -32,7 +33,10 @@ def orders(form: OrderForm = None) -> str:
@order_bp.route("/create", methods=["POST"])
@login_required
 def order_create() -> typing.Union[str, Response]:
-    "Generate order create view"
+    """Generate order create view"""
    if not current_user.association_list():
        flash("Not allowed to create an order.", "info")
        abort(401)
    orderForm = OrderForm()
    orderForm.populate()
    if orderForm.validate_on_submit():
@ -42,14 +46,14 @@ def order_create() -> typing.Union[str, Response]:
        db.session.add(order)
        db.session.commit()
        post_order_to_webhook(order)
-        return redirect(url_for("order_bp.order_from_id", order_id=order.id))
+        return redirect(url_for("order_bp.order_from_slug", order_slug=order.slug))
    return orders(form=orderForm)
-@order_bp.route("/<order_id>")
+@order_bp.route("/<order_slug>")
-def order_from_id(order_id: int, form: OrderForm = None, dish_id=None) -> str:
+def order_from_slug(order_slug: str, form: OrderForm = None, dish_id=None) -> str:
-    "Generate order view from id"
+    """Generate order view from id"""
-    order = Order.query.filter(Order.id == order_id).first()
+    order = Order.query.filter(Order.slug == order_slug).first()
    if order is None:
        abort(404)
    if current_user.is_anonymous() and not order.public:
@ -61,8 +65,8 @@ def order_from_id(order_id: int, form: OrderForm = None, dish_id=None) -> str:
            form.populate(order.location)
    if order.is_closed():
        form = None
-    total_price = sum(o.price for o in order.items)
+    total_price = sum(o.price or 0 for o in order.items)
-    debts = sum(o.price for o in order.items if not o.paid)
+    debts = sum(o.price or 0 for o in order.items if not o.paid)
    dish = order.location.dish_by_id(dish_id) if order.location else None
@ -76,44 +80,44 @@ def order_from_id(order_id: int, form: OrderForm = None, dish_id=None) -> str:
    )
-@order_bp.route("/<order_id>/items")
+@order_bp.route("/<order_slug>/items")
-def items_shop_view(order_id: int) -> str:
+def items_shop_view(order_slug: int) -> str:
-    "Generate order items view from id"
+    """Generate order items view from id"""
-    order = Order.query.filter(Order.id == order_id).first()
+    order = Order.query.filter(Order.slug == order_slug).first()
    if order is None:
        abort(404)
    if current_user.is_anonymous() and not order.public:
        flash("Please login to see this order.", "info")
        abort(401)
-    total_price = sum(o.price for o in order.items)
+    total_price = sum(o.price or 0 for o in order.items)
    return render_template("order_items.html", order=order, total_price=total_price)
-@order_bp.route("/<order_id>/edit", methods=["GET", "POST"])
+@order_bp.route("/<order_slug>/edit", methods=["GET", "POST"])
@login_required
-def order_edit(order_id: int) -> typing.Union[str, Response]:
+def order_edit(order_slug: str) -> typing.Union[str, Response]:
-    "Generate order edit view from id"
+    """Generate order edit view from id"""
-    order = Order.query.filter(Order.id == order_id).first()
+    order = Order.query.filter(Order.slug == order_slug).first()
    if current_user.id is not order.courier_id and not current_user.is_admin():
        abort(401)
    if order is None:
        abort(404)
-    orderForm = OrderForm(obj=order)
+    order_form = OrderForm(obj=order)
-    orderForm.populate()
+    order_form.populate()
-    if orderForm.validate_on_submit():
+    if order_form.validate_on_submit():
-        orderForm.populate_obj(order)
+        order_form.populate_obj(order)
        order.update_from_hlds()
        db.session.commit()
-        return redirect(url_for("order_bp.order_from_id", order_id=order.id))
+        return redirect(url_for("order_bp.order_from_slug", order_slug=order.slug))
-    return render_template("order_edit.html", form=orderForm, order_id=order_id)
+    return render_template("order_edit.html", form=order_form, order_slug=order.slug)
-@order_bp.route("/<order_id>/create", methods=["GET", "POST"])
+@order_bp.route("/<order_slug>/create", methods=["GET", "POST"])
-def order_item_create(order_id: int) -> typing.Any:
+def order_item_create(order_slug: str) -> typing.Any:
    # type is 'typing.Union[str, Response]', but this errors due to
    #   https://github.com/python/mypy/issues/7187
-    "Add item to order from id"
+    """Add item to order from slug"""
-    current_order = Order.query.filter(Order.id == order_id).first()
+    current_order = Order.query.filter(Order.slug == order_slug).first()
    if current_order is None:
        abort(404)
    if current_order.is_closed():
@ -122,7 +126,7 @@ def order_item_create(order_id: int) -> typing.Any:
        flash("Please login to see this order.", "info")
        abort(401)
    location = current_order.location
-    # If location doesn't exist any more, adding items is nonsensical
+    # If location doesn't exist anymore, adding items is nonsensical
    if not location:
        abort(404)
    form = AnonOrderItemForm() if current_user.is_anonymous() else OrderItemForm()
@ -170,7 +174,7 @@ def order_item_create(order_id: int) -> typing.Any:
            return redirect(
                url_for(
                    "order_bp.order_item_create",
-                    order_id=order_id,
+                    order_slug=current_order.slug,
                    dish=form.dish_id.data,
                    user_name=user_name,
                    comment=comment,
@ -179,14 +183,13 @@ def order_item_create(order_id: int) -> typing.Any:
    # If the form was not submitted (GET request) or the form had errors: show form again
    if not form.validate_on_submit():
-        return order_from_id(order_id, form=form, dish_id=dish_id)
+        return order_from_slug(current_order.slug, form=form, dish_id=dish_id)
    # Form was submitted and is valid
    item = OrderItem()
    form.populate_obj(item)
    item.hlds_data_version = location_definition_version
-    item.order_id = order_id
+    item.order_id = current_order.id
    if not current_user.is_anonymous():
        item.user_id = current_user.id
    else:
@ -221,59 +224,82 @@ def order_item_create(order_id: int) -> typing.Any:
    db.session.add(item)
    db.session.commit()
-    flash("Ordered %s" % (item.dish_name), "success")
+    flash("Ordered %s" % item.dish_name, "success")
-    return redirect(url_for("order_bp.order_from_id", order_id=order_id))
+    return redirect(url_for("order_bp.order_from_slug", order_slug=order_slug))
-@order_bp.route("/<order_id>/<user_name>/user_paid", methods=["POST"])
+@order_bp.route("/<order_slug>/modify_items", methods=["POST"])
@login_required
 # pylint: disable=R1710
-def items_user_paid(order_id: int, user_name: str) -> typing.Optional[Response]:
+def modify_items(order_slug: str) -> typing.Optional[Response]:
-    "Indicate payment status for a user in an order"
+    if "delete_item" in request.form:
-    user = User.query.filter(User.username == user_name).first()
+        return delete_item(order_slug, int(request.form["delete_item"]))
-    items: typing.List[OrderItem] = []
+    user_names = request.form.getlist("user_names")
-    if user:
+    if request.form.get("action") == "mark_paid":
-        items = OrderItem.query.filter(
+        return set_items_paid(order_slug, user_names, True)
-            (OrderItem.user_id == user.id) & (OrderItem.order_id == order_id)
+    elif request.form.get("action") == "mark_unpaid":
-        ).all()
+        return set_items_paid(order_slug, user_names, False)
    else:
-        items = OrderItem.query.filter(
+        abort(404)
-            (OrderItem.user_name == user_name) & (OrderItem.order_id == order_id)
+        return None
-        ).all()
+
-    current_order = Order.query.filter(Order.id == order_id).first()
+def set_items_paid(order_slug: str, user_names: typing.Iterable[str], paid: bool):
-    if current_order.courier_id == current_user.id or current_user.admin:
+    order = Order.query.filter(Order.slug == order_slug).first()
    total_paid_items = 0
    total_failed_items = 0
    for user_name in user_names:
        user = User.query.filter(User.username == user_name).first()
        items: typing.List[OrderItem] = []
        if user:
            items = OrderItem.query.filter(
                (OrderItem.user_id == user.id) & (OrderItem.order_id == order.id)
            ).all()
        else:
            items = OrderItem.query.filter(
                (OrderItem.user_name == user_name) & (OrderItem.order_id == order.id)
            ).all()
        for item in items:
-            item.paid = True
+            if item.can_modify_payment(order.id, current_user.id):
-        db.session.commit()
+                if item.paid != paid:
-        flash("Paid %d items for %s" % (len(items), item.for_name), "success")
+                    item.paid = paid
-        return redirect(url_for("order_bp.order_from_id", order_id=order_id))
+                    total_paid_items += 1
-    abort(404)
+            else:
                total_failed_items += 1
    db.session.commit()
    if total_failed_items == 0:
        flash("Marked %d items as paid" % (total_paid_items,), "success")
    else:
        flash("Failed to mark %d items as paid (succeeded in marking %d items as paid)" % (total_failed_items, total_paid_items), "error")
    return redirect(url_for("order_bp.order_from_slug", order_slug=order_slug))
-@order_bp.route("/<order_id>/<item_id>/delete", methods=["POST"])
+@order_bp.route("/<order_slug>/<item_id>/delete", methods=["POST"])
 # pylint: disable=R1710
-def delete_item(order_id: int, item_id: int) -> typing.Any:
+def delete_item(order_slug: str, item_id: int) -> typing.Any:
    # type is 'typing.Optional[Response]', but this errors due to
    #   https://github.com/python/mypy/issues/7187
-    "Delete an item from an order"
+    """Delete an item from an order"""
-    item = OrderItem.query.filter(OrderItem.id == item_id).first()
+    item: OrderItem = OrderItem.query.filter(OrderItem.id == item_id).first()
    order: Order = Order.query.filter(Order.slug == order_slug).first()
    user_id = None
    if not current_user.is_anonymous():
        user_id = current_user.id
-    if item.can_delete(order_id, user_id, session.get("anon_name", "")):
+    if item.can_delete(order.id, user_id, session.get("anon_name", "")):
        dish_name = item.dish_name
        db.session.delete(item)
        db.session.commit()
-        flash("Deleted %s" % (dish_name), "success")
+        flash("Deleted %s" % dish_name, "success")
-        return redirect(url_for("order_bp.order_from_id", order_id=order_id))
+        return redirect(url_for("order_bp.order_from_slug", order_slug=order_slug))
    abort(404)
-@order_bp.route("/<order_id>/volunteer", methods=["POST"])
+@order_bp.route("/<order_slug>/volunteer", methods=["POST"])
@login_required
-def volunteer(order_id: int) -> Response:
+def volunteer(order_slug: str) -> Response:
-    "Add a volunteer to an order"
+    """Add a volunteer to an order"""
-    order = Order.query.filter(Order.id == order_id).first()
+    order = Order.query.filter(Order.slug == order_slug).first()
    if order is None:
        abort(404)
    if order.courier_id is None or order.courier_id == 0:
@ -282,14 +308,14 @@ def volunteer(order_id: int) -> Response:
        flash("Thank you for volunteering!")
    else:
        flash("Volunteering not possible!")
-    return redirect(url_for("order_bp.order_from_id", order_id=order_id))
+    return redirect(url_for("order_bp.order_from_slug", order_slug=order.slug))
-@order_bp.route("/<order_id>/close", methods=["POST"])
+@order_bp.route("/<order_slug>/close", methods=["POST"])
@login_required
-def close_order(order_id: int) -> typing.Optional[Response]:
+def close_order(order_slug: str) -> typing.Optional[Response]:
-    "Close an order"
+    """Close an order"""
-    order = Order.query.filter(Order.id == order_id).first()
+    order = Order.query.filter(Order.slug == order_slug).first()
    if order is None:
        abort(404)
    if (
@ -301,12 +327,54 @@ def close_order(order_id: int) -> typing.Optional[Response]:
            if courier is not None:
                order.courier_id = courier.id
        db.session.commit()
-        return redirect(url_for("order_bp.order_from_id", order_id=order_id))
+        return redirect(url_for("order_bp.order_from_slug", order_slug=order_slug))
    return None
@order_bp.route("/<order_slug>/prices", methods=["GET", "POST"])
@login_required
 def prices(order_slug: str) -> typing.Optional[Response]:
    order = Order.query.filter(Order.slug == order_slug).first()
    if order is None:
        abort(404)
    if not order.can_modify_prices(current_user.id):
        flash("You cannot modify the prices at this time.", "error")
        return redirect(url_for("order_bp.order_from_slug", order_slug=order.slug))
    if request.method == "GET":
        return render_template(
            "order_prices.html",
            order=order,
        )
    else:
        new_prices = {}
        for key, value in request.form.items():
            m = re.fullmatch("item_([0-9]+)", key)
            if not m:
                continue
            item_id = int(m.group(1))
            price = parse_euro_string(value)
            if not price:
                flash(f"Could not recognize '{value}' as a price")
                continue
            new_prices[item_id] = price
        for item in order.items:
            new_price = new_prices.get(item.id)
            if new_price is not None and new_price != item.price:
                item.price = new_price
                item.price_modified = datetime.now()
        db.session.commit()
    return redirect(url_for("order_bp.order_from_slug", order_slug=order.slug))
 def select_user(items) -> typing.Optional[User]:
-    "Select a random user from those who are signed up for the order"
+    """Select a random user from those who are signed up for the order"""
    user = None
    # remove non users
    items = [i for i in items if i.user_id]
@ -325,19 +393,20 @@ def select_user(items) -> typing.Optional[User]:
 def get_orders(expression=None) -> typing.List[Order]:
-    "Give the list of all currently open and public Orders"
+    """Give the list of all currently open and public Orders"""
    order_list: typing.List[OrderForm] = []
    if expression is None:
-        expression = (datetime.now() > Order.starttime) & (
+        expression = ((datetime.now() > Order.starttime) & (
-            Order.stoptime
+                Order.stoptime
-            > datetime.now()
+                > datetime.now()
-            # pylint: disable=C0121
+                # pylint: disable=C0121
-        ) | (Order.stoptime == None)
+            ) | (Order.stoptime == None)
        ) & (Order.association.in_(current_user.association_list()))
    if not current_user.is_anonymous():
        order_list = Order.query.filter(expression).all()
    else:
        order_list = Order.query.filter(
            # pylint: disable=C0121
-            expression & (Order.public == True)
+            expression & (Order.public == True) & (Order.association.in_(current_user.association_list()))
        ).all()
    return order_list
--- a/populate-db.sh
+++ b/populate-db.sh
@ -4,3 +4,6 @@ set -euo pipefail
 cd "$(dirname "$0")/app"
 env python create_database.py setup_database
 latest_revision=$(env python app.py db heads | sed "s/ (head)$//")
 echo Stamping db at $latest_revision
 env python app.py db stamp $latest_revision
--- a/requirements.in
+++ b/requirements.in
@ -13,3 +13,4 @@ pymysql
 pyyaml
 tatsu<5.6 # >=5.6 needs Python >=3.8
 microsoftgraph-python
 sentry-sdk[flask]
--- a/requirements.txt
+++ b/requirements.txt
@ -11,11 +11,15 @@ appdirs==1.4.4
 black==21.6b0
    # via -r requirements.in
 blinker==1.4
-    # via flask-debugtoolbar
+    # via
    #   flask-debugtoolbar
    #   sentry-sdk
 cachelib==0.1.1
    # via flask-oauthlib
 certifi==2021.5.30
-    # via requests
+    # via
    #   requests
    #   sentry-sdk
 chardet==4.0.0
    # via requests
 click==7.1.2
@ -36,6 +40,7 @@ flask==1.1.4
    #   flask-script
    #   flask-sqlalchemy
    #   flask-wtf
    #   sentry-sdk
 flask-admin==1.5.8
    # via -r requirements.in
 flask-bootstrap==3.3.7.1
@ -100,6 +105,8 @@ requests==2.25.1
    #   requests-oauthlib
 requests-oauthlib==1.1.0
    # via flask-oauthlib
 sentry-sdk[flask]==1.10.1
    # via -r requirements.in
 six==1.16.0
    # via python-dateutil
 sqlalchemy==1.4.18
@ -110,8 +117,10 @@ tatsu==4.4.0
    # via -r requirements.in
 toml==0.10.2
    # via black
-urllib3==1.26.5
+urllib3==1.26.12
-    # via requests
+    # via
    #   requests
    #   sentry-sdk
 visitor==0.1.3
    # via flask-bootstrap
 werkzeug==1.0.1