Conservancy/symposion_app
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Don't require login to view qrcode

Browse source 
* The qrcode contains no information that isn't in the URL you used to
  access the code, so information is being leaked
* Allowing unauthenicated access lets people see the image in their
  mail client

Not ideal. Let's revert this later and think of something better next
year - perhaps spending some more time researching best practices on
images in email..
This commit is contained in:
James Polley 2018-01-15 08:49:34 +11:00
parent 6770e83e5d
commit 3ffa5fab60
1 changed files with 0 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
vendor/regidesk/regidesk/views.py vendored
View file

@ -97,17 +97,12 @@ def boarding_overview(request, boarding_state="pending"):
return render(request, "regidesk/boardingpass_overview.html", ctx) return render(request, "regidesk/boardingpass_overview.html", ctx)
@login_required
def checkin_png(request, checkin_code): def checkin_png(request, checkin_code):
checkin = CheckIn.objects.get(checkin_code=checkin_code) checkin = CheckIn.objects.get(checkin_code=checkin_code)
if not checkin: if not checkin:
raise Http404() raise Http404()
if not request.user.has_perm("regidesk.view_checkin_details"):
if request.user != checkin.user:
raise Http404()
response = HttpResponse() response = HttpResponse()
response["Content-Type"] = "image/png" response["Content-Type"] = "image/png"
response["Content-Disposition"] = 'inline; filename="qrcode.png"' response["Content-Disposition"] = 'inline; filename="qrcode.png"'