Changeset - 3ffa5fab60de
James Polley - 6 years ago 2018-01-14 21:51:38
jp@jamezpolley.com
Don't require login to view qrcode

* The qrcode contains no information that isn't already in the URL you used to
  access the code, so no additional information is being leaked
* Allowing unauthenticated access lets people see the image in their
  mail client

Not ideal. Let's revert this later and think of something better next
year - perhaps spending some more time researching best practices on
images in email..
1 file changed with 0 insertions and 5 deletions:
vendor/regidesk/regidesk/views.py
 
@@ -52,107 +52,102 @@ def boardingpass(request):
 

	
 
    boardingpass = boardingpass.replace(not_qrcode_string, qrcode_string)
 
    ctx = { 'attendee': user.attendee,
 
        'boardingpass': boardingpass
 
    }
 

	
 
    response = render(request, "regidesk/boardingpass.html", ctx)
 
    return response
 

	
 

	
 
@permission_required("regidesk.view_boarding_pass")
 
def boarding_overview(request, boarding_state="pending"):
 

	
 
    tickets = commerce.LineItem.objects.select_related(
 
        "invoice","invoice__user__attendee","product__category"
 
    ).filter(
 
        invoice__status=commerce.Invoice.STATUS_PAID,
 
        product__category=settings.TICKET_PRODUCT_CATEGORY,
 
        price__gte=0
 
    )
 

	
 
    ticketholders = { ticket.invoice.user: ticket.product.name for ticket in tickets }
 

	
 
    attendees = people.Attendee.objects.select_related(
 
            "attendeeprofilebase",
 
            "attendeeprofilebase__attendeeprofile",
 
            "user",
 
            "user__checkin"
 
        ).filter(user__in=ticketholders)
 

	
 
    profiles = AttendeeProfile.objects.filter(
 
        attendee__in=attendees
 
    ).select_related(
 
        "attendee", "attendee__user",
 
    )
 
    profiles_by_attendee = dict((i.attendee, i) for i in profiles)
 

	
 
    bp_templates = BoardingPassTemplate.objects.all()
 

	
 
    ctx = {
 
        "boarding_state": boarding_state,
 
        "attendees": attendees,
 
        "profiles": profiles_by_attendee,
 
        "templates": bp_templates,
 
    }
 

	
 
    return render(request, "regidesk/boardingpass_overview.html", ctx)
 

	
 
@login_required
 
def checkin_png(request, checkin_code):
 

	
 
    checkin = CheckIn.objects.get(checkin_code=checkin_code)
 
    if not checkin:
 
        raise Http404()
 

	
 
    if not request.user.has_perm("regidesk.view_checkin_details"):
 
        if request.user != checkin.user:
 
            raise Http404()
 

	
 
    response = HttpResponse()
 
    response["Content-Type"] = "image/png"
 
    response["Content-Disposition"] = 'inline; filename="qrcode.png"'
 

	
 
    qrcode = base64.b64decode(checkin.qrcode)
 
    response.write(qrcode)
 

	
 
    return response
 

	
 
@permission_required("regidesk.send_boarding_pass")
 
def boarding_prepare(request):
 

	
 
    attendee_pks = []
 
    try:
 
        for pk in request.POST.getlist("_selected_action"):
 
            attendee_pks.append(int(pk))
 
    except ValueError:
 
        return HttpResponseBadRequest()
 
    attendees = people.Attendee.objects.filter(pk__in=attendee_pks)
 
    attendees = attendees.select_related(
 
        "user", "attendeeprofilebase", "attendeeprofilebase__attendeeprofile")
 

	
 
    sample_checkin = CheckIn.objects.get_or_create(user=attendees[0].user)[0]
 
    rendered_template = {}
 
    sample_ctx = {}
 

	
 
    bp_template_pk = request.POST.get("template", "")
 
    if bp_template_pk:
 
        bp_template = BoardingPassTemplate.objects.get(pk=bp_template_pk)
 

	
 
        sample_ctx = {
 
            "user": sample_checkin.user,
 
            "boardingpass": sample_checkin.boardingpass,
 
            "code": sample_checkin.code,
 
            "qrcode": '<img src="data:image/png;base64,' + sample_checkin.qrcode + '"/>',
 
            "qrcode_url": request.build_absolute_uri(
 
                reverse("regidesk:checkin_png", args=[sample_checkin.code])),
 
        }
 
        ctx = Context(sample_ctx)
 
        ctx["invoices"] = invoices(ctx)
 
        ctx["items_pending"] = items_pending(ctx)
 
        ctx["items_purchased"] = items_purchased(ctx)
 
        ctx["missing_categories"] = missing_categories(ctx)
 

	
 
        subject = Template(bp_template.subject).render(ctx)
 
        rendered_template['plain'] = Template(bp_template.body).render(ctx)
 
        rendered_template['html'] = Template(bp_template.html_body).render(ctx)
 
    else:
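Review bot: With the decorator and the permission block removed, the only guard left in `checkin_png` is dead code: `CheckIn.objects.get(checkin_code=checkin_code)` raises `CheckIn.DoesNotExist` on an unknown code instead of returning a falsy value, so `if not checkin: raise Http404()` never runs and an unauthenticated probe with a bad code now yields a 500 rather than the intended 404. Replace the lookup with `checkin = get_object_or_404(CheckIn, checkin_code=checkin_code)` (from `django.shortcuts`, where `render` presumably already comes from) and drop the dead `if not checkin` block. Because the code in the URL is now the sole access control for the image, I would state that above the view, e.g. `# Unauthenticated by design: the checkin_code in the URL is the only credential, so it must be high-entropy and treated as a secret`, and confirm that `checkin_code` is generated from a CSPRNG rather than a sequential or derived value — its generation is not visible in this hunk. Adding `response["Cache-Control"] = "private, no-store"` would also keep the PNG out of shared caches once mail clients start fetching it. The `else:` branch of `boarding_prepare` at the end of the hunk continues past it.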