From 3ffa5fab60decf5fbb4a3ca1b60e83d9cc5b21a4 2018-01-14 21:51:38
From: James Polley
Date: 2018-01-14 21:51:38
Subject: [PATCH] Don't require login to view qrcode
* The qrcode contains no information that isn't in the URL you used to access the code, so information is being leaked * Allowing unauthenicated access lets people see the image in their mail client Not ideal. Let's revert this later and think of something better next year - perhaps spending some more time researching best practices on images in email..
---
diff --git a/vendor/regidesk/regidesk/views.py b/vendor/regidesk/regidesk/views.py
index 71ed0ac50fdf4dfaadd8d7f89ca40c41d607d4d3..e6296464497d2d230960abf3c692f05e4621b277 100644
--- a/vendor/regidesk/regidesk/views.py
+++ b/vendor/regidesk/regidesk/views.py
@@ -97,17 +97,12 @@ def boarding_overview(request, boarding_state="pending"):
 return render(request, "regidesk/boardingpass_overview.html", ctx)
-@login_required
 def checkin_png(request, checkin_code):
 checkin = CheckIn.objects.get(checkin_code=checkin_code)
 if not checkin:
 raise Http404()
- if not request.user.has_perm("regidesk.view_checkin_details"):
- if request.user != checkin.user:
- raise Http404()
-
 response = HttpResponse()
 response["Content-Type"] = "image/png"
 response["Content-Disposition"] = 'inline; filename="qrcode.png"'
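Review bot: With `@login_required` and the ownership check removed, `checkin_code` is the only thing guarding this image, and the `if not checkin:` guard that remains after `CheckIn.objects.get(...)` never fires because `.get()` raises `CheckIn.DoesNotExist` rather than returning a falsy value, so an unknown code now yields an unauthenticated 500 instead of the intended 404. Replace the lookup and the dead guard with `checkin = get_object_or_404(CheckIn, checkin_code=checkin_code)` (adding the `django.shortcuts` import if the module does not already have it — the import block is outside this hunk), which also keeps the response uniform for unknown codes. Since the code is now effectively a bearer capability, record that in the view, e.g. `# Unauthenticated by design (see commit message); checkin_code must stay unguessable`, and confirm that `checkin_code` is generated with enough entropy — its construction is not visible here. `checkin_png` continues past the end of the hunk.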