Files
@ 3ffa5fab60de
Branch filter:
Location: symposion_app/vendor/regidesk/regidesk/views.py
3ffa5fab60de
8.5 KiB
text/x-python
Don't require login to view qrcode
* The qrcode contains no information that isn't in the URL you used to
access the code, so information is being leaked
* Allowing unauthenicated access lets people see the image in their
mail client
Not ideal. Let's revert this later and think of something better next
year - perhaps spending some more time researching best practices on
images in email..
* The qrcode contains no information that isn't in the URL you used to
access the code, so information is being leaked
* Allowing unauthenicated access lets people see the image in their
mail client
Not ideal. Let's revert this later and think of something better next
year - perhaps spending some more time researching best practices on
images in email..
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 | import base64
import logging
from datetime import datetime
from email.mime.image import MIMEImage
from django.core.exceptions import ValidationError
from django.core.mail import EmailMultiAlternatives
from django.conf import settings
from django.contrib import messages
from django.contrib.auth.decorators import permission_required, user_passes_test, login_required
from django.contrib.auth.models import User, Group
from django.db import transaction
from django.db.models import F, Q
from django.db.models import Count, Max, Sum
from django.http import Http404
from django.http import HttpResponse, HttpResponseBadRequest
from django.shortcuts import redirect, render
from django.template import Template, Context
from django.urls import reverse
from registrasion import util
from registrasion.models import commerce, people
from registrasion.templatetags.registrasion_tags import items_purchased, items_pending
from registrasion.templatetags.registrasion_tags import invoices, missing_categories
from symposion.conference.models import Conference
from regidesk import forms
from regidesk.models import BoardingPass, BoardingPassTemplate, CheckIn
AttendeeProfile = util.get_object_from_name(settings.ATTENDEE_PROFILE_MODEL)
def _staff_only(user):
''' Returns true if the user is staff. '''
return user.is_staff
@login_required
def boardingpass(request):
user=request.user
checkin = CheckIn.objects.get_or_create(user=user)[0]
if not checkin.boardingpass:
messages.add_message(request, messages.WARNING, 'Your boarding pass has not been prepared. Please try again later.')
return redirect('/')
boardingpass = checkin.boardingpass.html_body
qrcode_url = request.build_absolute_uri(reverse("regidesk:checkin_png", args=[checkin.code]))
qrcode = checkin.qrcode
qrcode_string ='<img src="data:image/png;base64,' + qrcode + '"/>'
not_qrcode_string = '<img src="cid:qrcode.png"/>'
boardingpass = boardingpass.replace(not_qrcode_string, qrcode_string)
ctx = { 'attendee': user.attendee,
'boardingpass': boardingpass
}
response = render(request, "regidesk/boardingpass.html", ctx)
return response
@permission_required("regidesk.view_boarding_pass")
def boarding_overview(request, boarding_state="pending"):
tickets = commerce.LineItem.objects.select_related(
"invoice","invoice__user__attendee","product__category"
).filter(
invoice__status=commerce.Invoice.STATUS_PAID,
product__category=settings.TICKET_PRODUCT_CATEGORY,
price__gte=0
)
ticketholders = { ticket.invoice.user: ticket.product.name for ticket in tickets }
attendees = people.Attendee.objects.select_related(
"attendeeprofilebase",
"attendeeprofilebase__attendeeprofile",
"user",
"user__checkin"
).filter(user__in=ticketholders)
profiles = AttendeeProfile.objects.filter(
attendee__in=attendees
).select_related(
"attendee", "attendee__user",
)
profiles_by_attendee = dict((i.attendee, i) for i in profiles)
bp_templates = BoardingPassTemplate.objects.all()
ctx = {
"boarding_state": boarding_state,
"attendees": attendees,
"profiles": profiles_by_attendee,
"templates": bp_templates,
}
return render(request, "regidesk/boardingpass_overview.html", ctx)
def checkin_png(request, checkin_code):
checkin = CheckIn.objects.get(checkin_code=checkin_code)
if not checkin:
raise Http404()
response = HttpResponse()
response["Content-Type"] = "image/png"
response["Content-Disposition"] = 'inline; filename="qrcode.png"'
qrcode = base64.b64decode(checkin.qrcode)
response.write(qrcode)
return response
@permission_required("regidesk.send_boarding_pass")
def boarding_prepare(request):
attendee_pks = []
try:
for pk in request.POST.getlist("_selected_action"):
attendee_pks.append(int(pk))
except ValueError:
return HttpResponseBadRequest()
attendees = people.Attendee.objects.filter(pk__in=attendee_pks)
attendees = attendees.select_related(
"user", "attendeeprofilebase", "attendeeprofilebase__attendeeprofile")
sample_checkin = CheckIn.objects.get_or_create(user=attendees[0].user)[0]
rendered_template = {}
sample_ctx = {}
bp_template_pk = request.POST.get("template", "")
if bp_template_pk:
bp_template = BoardingPassTemplate.objects.get(pk=bp_template_pk)
sample_ctx = {
"user": sample_checkin.user,
"boardingpass": sample_checkin.boardingpass,
"code": sample_checkin.code,
"qrcode": '<img src="data:image/png;base64,' + sample_checkin.qrcode + '"/>',
"qrcode_url": request.build_absolute_uri(
reverse("regidesk:checkin_png", args=[sample_checkin.code])),
}
ctx = Context(sample_ctx)
ctx["invoices"] = invoices(ctx)
ctx["items_pending"] = items_pending(ctx)
ctx["items_purchased"] = items_purchased(ctx)
ctx["missing_categories"] = missing_categories(ctx)
subject = Template(bp_template.subject).render(ctx)
rendered_template['plain'] = Template(bp_template.body).render(ctx)
rendered_template['html'] = Template(bp_template.html_body).render(ctx)
else:
bp_template = None
subject = None
ctx = {
"attendees": attendees,
"template": bp_template,
"attendee_pks": attendee_pks,
"rendered_template": rendered_template,
"subject": subject,
"sample": sample_ctx,
}
request.session.set_expiry=(300)
request.session['boarding_attendees'] = attendee_pks
request.session['template'] = bp_template.pk
response = render(request, "regidesk/boardingpass_prepare.html", ctx)
return response
@permission_required("regidesk.send_boarding_pass")
def boarding_send(request):
BOARDING_GROUP = getattr(settings, "REGIDESK_BOARDING_GROUP", None)
if BOARDING_GROUP and Group.objects.filter(name=BOARDING_GROUP):
boarding_users = User.objects.filter(groups__name=BOARDING_GROUP)
else:
boarding_users = User.objects.all()
attendees = people.Attendee.objects.filter(pk__in=request.session['boarding_attendees'])
attendees = attendees.select_related(
"user", "attendeeprofilebase", "attendeeprofilebase__attendeeprofile")
logging.debug(attendees)
template_pk = request.session['template']
template = BoardingPassTemplate.objects.get(pk=template_pk)
for attendee in attendees:
user = attendee.user
checkin = CheckIn.objects.get_or_create(user=user)
ctx = {
"user": user,
"checkin": user.checkin,
"code": user.checkin.code,
"qrcode": user.checkin.qrcode,
"qrcode_url": request.build_absolute_uri(
reverse("regidesk:checkin_png", args=[user.checkin.code])),
}
ctx = Context(ctx)
ctx["invoices"] = invoices(ctx)
ctx["items_pending"] = items_pending(ctx)
ctx["items_purchased"] = items_purchased(ctx)
ctx["missing_categories"] = missing_categories(ctx)
subject = Template(template.subject).render(ctx)
body = Template(template.body).render(ctx)
if template.html_body:
html_body = Template(template.html_body).render(ctx)
else:
html_body = None
bpass = BoardingPass(template=template, to_address=user.email,
from_address=template.from_address,
subject=subject, body=body,
html_body=html_body
)
bpass.save()
if user.checkin.boardingpass:
user.checkin.boardingpass.delete()
user.checkin.boardingpass = bpass
user.checkin.save()
msg = EmailMultiAlternatives(
bpass.subject,
bpass.body,
bpass.from_address,
[bpass.to_address,],
)
msg.content_subtype="plain"
msg.mixed_subtype="related"
if bpass.html_body:
msg.attach_alternative(bpass.html_body, "text/html")
msg.attach(filename="qrcode.png", content=user.checkin.qrcode, mimetype="image/png")
if user in boarding_users:
with transaction.atomic():
msg.send()
bpass.sent = datetime.now()
bpass.save()
messages.success(request, "Sent boarding pass to %s" % attendee)
request.session['boarding_attendees'].remove(attendee.pk)
return redirect("regidesk:boarding_overview")
|