Changeset - 3ffa5fab60de
James Polley - 6 years ago 2018-01-14 21:51:38
jp@jamezpolley.com
Don't require login to view qrcode

* The qrcode contains no information that isn't in the URL you used to
access the code, so information is being leaked
* Allowing unauthenticated access lets people see the image in their
mail client

Not ideal. Let's revert this later and think of something better next
year - perhaps spending some more time researching best practices on
images in email..
1 file changed with 0 insertions and 5 deletions:
0 comments (0 inline, 0 general)
vendor/regidesk/regidesk/views.py
...
 
@@ -99,3 +99,2 @@ def boarding_overview(request, boarding_state="pending"):
 

	
 
@login_required
 
def checkin_png(request, checkin_code):
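Review bot: removing `@login_required` directly above `def checkin_png(request, checkin_code):` leaves `checkin_code` in the URL as the only thing protecting this image, so the view now behaves as a bearer-token endpoint. The visible lines do not show how `checkin_code` is generated; please confirm it is long and random enough that it cannot be guessed or enumerated. Also add a short comment or docstring at the `def` stating that anonymous access is intentional and temporary, because the commit message plans a revert and nothing in the code records that.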
...
 
@@ -106,6 +105,2 @@ def checkin_png(request, checkin_code):
 

	
 
    if not request.user.has_perm("regidesk.view_checkin_details"):
 
        if request.user != checkin.user:
 
            raise Http404()
 

	
 
    response = HttpResponse()
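Review bot: dropping the `has_perm("regidesk.view_checkin_details")` and `request.user != checkin.user` check removes the only object-level authorization visible in this view, so every requester who holds a code now reaches `response = HttpResponse()`. That follows from the decorator removal (an anonymous user could never pass the owner comparison), but it also means the staff permission no longer gates anything here. Suggest leaving a TODO at this spot naming the removed check, so the later revert restores the decorator and the `raise Http404()` branch together. The lookup that produces `checkin` is outside the hunk; it is worth checking that an unknown code still ends in a 404 now that this branch is gone.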