From 1d0b7fa64ffa68d8663f026690e2144bea2023ae Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Wed, 11 Nov 2020 10:14:04 -0800
Subject: [PATCH] Proper privacy on user page shelf previews
---
 bookwyrm/views.py | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/bookwyrm/views.py b/bookwyrm/views.py
index 69058608d..34cc25b9d 100644
--- a/bookwyrm/views.py
+++ b/bookwyrm/views.py
@@ -323,25 +323,36 @@ def user_page(request, username):
 return JsonResponse(user.to_activity(), encoder=ActivityEncoder)
 # otherwise we're at a UI view
- shelves = []
- for user_shelf in user.shelf_set.all():
+ shelf_preview = []
+
+ # only show other shelves that should be visible
+ shelves = user.shelf_set
+ is_self = request.user.id == user.id
+ if not is_self:
+ follower = user.followers.filter(id=request.user.id).exists()
+ if follower:
+ shelves = shelves.filter(privacy__in=['public', 'followers'])
+ else:
+ shelves = shelves.filter(privacy='public')
+
+ for user_shelf in shelves.all():
 if not user_shelf.books.count():
 continue
- shelves.append({
+ shelf_preview.append({
 'name': user_shelf.name,
 'remote_id': user_shelf.remote_id,
 'books': user_shelf.books.all()[:3],
 'size': user_shelf.books.count(),
 })
- if len(shelves) > 2:
+ if len(shelf_preview) > 2:
 break
 data = {
 'title': user.name,
 'user': user,
- 'is_self': request.user.id == user.id,
- 'shelves': shelves,
- 'shelf_count': user.shelf_set.count(),
+ 'is_self': is_self,
+ 'shelves': shelf_preview,
+ 'shelf_count': shelves.count(),
 'activities': get_activity_feed(user, 'self')[:15],
 }
@@ -394,12 +405,6 @@ def following_page(request, username):
 return TemplateResponse(request, 'following.html', data)
-@csrf_exempt
-def user_shelves_page(request, username):
- ''' list of followers '''
- return shelf_page(request, username, None)
-
-
 @csrf_exempt
 def status_page(request, username, status_id):
 ''' display a particular status (and replies, etc) '''
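Review bot: The shelf visibility rule added ahead of the `for user_shelf in shelves.all():` loop in user_page is a second copy of the check that shelf_page already carries (the `if follower:` / `privacy__in=['public', 'followers']` branch visible in the last hunk), so the two views can drift apart the next time a privacy level is added or the follower test changes. Putting the decision in one helper that both views call keeps the access control in a single place; the helper below is a suggestion and its name is mine, not the project's. It keeps the allow-list form, so a privacy value that is not named stays hidden from everyone but the owner. user_page begins and ends outside this hunk, so the JSON branch above and the `get_activity_feed` call were not reviewed here.

```python
def visible_shelves(viewer, owner):
    ''' the shelves of owner that viewer is allowed to see '''
    shelves = owner.shelf_set
    if viewer.id == owner.id:
        return shelves
    # allow-list: only the named privacy levels pass for other viewers
    if owner.followers.filter(id=viewer.id).exists():
        return shelves.filter(privacy__in=['public', 'followers'])
    return shelves.filter(privacy='public')

# in user_page, replacing the inline filter:
is_self = request.user.id == user.id
shelves = visible_shelves(request.user, user)
# … unchanged: shelf_preview loop and data dict …
```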
@@ -606,6 +611,12 @@ def tag_page(request, tag_id):
 return TemplateResponse(request, 'tag.html', data)
+@csrf_exempt
+def user_shelves_page(request, username):
+ ''' list of followers '''
+ return shelf_page(request, username, None)
+
+
 def shelf_page(request, username, shelf_identifier):
 ''' display a shelf '''
 try:
@@ -632,7 +643,6 @@ def shelf_page(request, username, shelf_identifier):
 if follower:
 shelves = shelves.filter(privacy__in=['public', 'followers'])
 else:
- print('hi')
 shelves = shelves.filter(privacy='public')
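Review bot: The docstring on the relocated `user_shelves_page` still reads `''' list of followers '''`, which describes a different view and looks like a copy-paste leftover. Since the function is being moved anyway, `''' list of a user's shelves '''` would match what it does, which is to delegate to `shelf_page` with no shelf identifier. A reader auditing which views expose shelf data would otherwise skip this one.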