From 7c155d307bd9096b3f403558c182bee2def138bb Mon Sep 17 00:00:00 2001
From: Raphael Michel <mail@raphaelmichel.de>
Date: Fri, 31 Aug 2018 12:16:15 +0200
Subject: [PATCH] Return 404 for invalid check-in list ID

---
 src/pretix/api/views/checkin.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/pretix/api/views/checkin.py b/src/pretix/api/views/checkin.py
index f5931b20a..1bb317176 100644
--- a/src/pretix/api/views/checkin.py
+++ b/src/pretix/api/views/checkin.py
@@ -1,6 +1,7 @@
 from django.core.exceptions import ValidationError
 from django.db.models import Count, F, Max, OuterRef, Prefetch, Subquery
 from django.db.models.functions import Coalesce
+from django.http import Http404
 from django.shortcuts import get_object_or_404
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -181,7 +182,10 @@ class CheckinListPositionViewSet(viewsets.ReadOnlyModelViewSet):
 
     @cached_property
     def checkinlist(self):
-        return get_object_or_404(CheckinList, event=self.request.event, pk=self.kwargs.get("list"))
+        try:
+            return get_object_or_404(CheckinList, event=self.request.event, pk=self.kwargs.get("list"))
+        except ValueError:
+            raise Http404()
 
     def get_queryset(self):
         cqs = Checkin.objects.filter(