From 3ffa5fab60decf5fbb4a3ca1b60e83d9cc5b21a4 Mon Sep 17 00:00:00 2001
From: James Polley
Date: Mon, 15 Jan 2018 08:49:34 +1100
Subject: [PATCH] Don't require login to view qrcode
* The qrcode contains no information that isn't in the URL you used to access the code, so information is being leaked
* Allowing unauthenicated access lets people see the image in their mail client Not ideal. Let's revert this later and think of something better next year - perhaps spending some more time researching best practices on images in email..
---
 vendor/regidesk/regidesk/views.py | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/vendor/regidesk/regidesk/views.py b/vendor/regidesk/regidesk/views.py
index 71ed0ac5..e6296464 100644
--- a/vendor/regidesk/regidesk/views.py
+++ b/vendor/regidesk/regidesk/views.py
@@ -97,17 +97,12 @@ def boarding_overview(request, boarding_state="pending"):
 return render(request, "regidesk/boardingpass_overview.html", ctx)
-@login_required
 def checkin_png(request, checkin_code):
 checkin = CheckIn.objects.get(checkin_code=checkin_code)
 if not checkin:
 raise Http404()
- if not request.user.has_perm("regidesk.view_checkin_details"):
- if request.user != checkin.user:
- raise Http404()
-
 response = HttpResponse()
 response["Content-Type"] = "image/png"
 response["Content-Disposition"] = 'inline; filename="qrcode.png"'
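Review bot: With `@login_required` and the owner/permission check removed, the `checkin_code` in the URL is the only thing guarding this image, and the lookup that remains cannot return a clean 404 for an unknown code. `CheckIn.objects.get(...)` raises `CheckIn.DoesNotExist` instead of returning a falsy value, so `if not checkin: raise Http404()` is dead code and an anonymous request with a wrong code surfaces as a 500. Replace both lines with `checkin = get_object_or_404(CheckIn, checkin_code=checkin_code)` (from `django.shortcuts`) so every miss gets the same 404. Because the code now works as a bearer token that also travels through mail clients and image proxies, confirm where it is generated (not visible here) that it is long and random enough to resist enumeration, and consider rate limiting this route. The body of `checkin_png` continues past the end of the hunk, so what the PNG actually encodes cannot be checked from this diff.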