Changeset - 3ffa5fab60de
James Polley - 6 years ago 2018-01-14 21:51:38
jp@jamezpolley.com
Don't require login to view qrcode

* The qrcode contains no information that isn't in the URL you used to
access the code, so information is being leaked
* Allowing unauthenticated access lets people see the image in their
mail client

Not ideal. Let's revert this later and think of something better next
year - perhaps spending some more time researching best practices on
images in email..
1 file changed with 0 insertions and 5 deletions:
vendor/regidesk/regidesk/views.py
...
 
@@ -98,5 +98,4 @@ def boarding_overview(request, boarding_state="pending"):
 
    return render(request, "regidesk/boardingpass_overview.html", ctx)
 

	
 
@login_required
 
def checkin_png(request, checkin_code):
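Review bot: With `@login_required` gone from `checkin_png`, the `checkin_code` in the URL is the only thing gating this view, so it now acts as a bearer token and nothing at the `def` line records that. Please add a comment above `def checkin_png(request, checkin_code):` stating that the view is intentionally unauthenticated and that the code must stay unguessable, plus a TODO pointing at the planned revert mentioned in the commit message so the temporary state is visible in the code and not only in history.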
 

	
...
 
@@ -105,8 +104,4 @@ def checkin_png(request, checkin_code):
 
        raise Http404()
 

	
 
    if not request.user.has_perm("regidesk.view_checkin_details"):
 
        if request.user != checkin.user:
 
            raise Http404()
 

	
 
    response = HttpResponse()
 
    response["Content-Type"] = "image/png"
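Review bot: Dropping the `has_perm("regidesk.view_checkin_details")` and `request.user != checkin.user` checks leaves the `raise Http404()` above as the only rejection path, so anyone holding a valid `checkin_code` receives the PNG. That is safe only while the image encodes nothing beyond what the URL already carries, as the commit message assumes; a short comment here stating that invariant would stop a later change from adding attendee details to an image that is now public. Since the stated purpose is rendering in mail clients, it is also worth deciding whether the response built at `response = HttpResponse()` should carry an explicit `Cache-Control` header, because only `Content-Type` is set in the visible lines.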