From 3f011445e29b63dd1aaf40c1455096caf80b99e1 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Tue, 26 Jan 2021 08:31:55 -0800
Subject: [PATCH] Hide user pages to blocked users

---
 bookwyrm/tests/views/test_user.py | 39 +++++++++++++++++++++++++++++++
 bookwyrm/views/helpers.py | 6 +++++
 bookwyrm/views/user.py | 15 ++++++++----
 3 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/bookwyrm/tests/views/test_user.py b/bookwyrm/tests/views/test_user.py
index 0e2ad9044..95c4db0ad 100644
--- a/bookwyrm/tests/views/test_user.py
+++ b/bookwyrm/tests/views/test_user.py
@@ -16,6 +16,9 @@ class UserViews(TestCase):
         self.local_user = models.User.objects.create_user(
             'mouse@local.com', 'mouse@mouse.mouse', 'password',
             local=True, localname='mouse')
+        self.rat = models.User.objects.create_user(
+            'rat@local.com', 'rat@rat.rat', 'password',
+            local=True, localname='rat')
 
 
     def test_user_page(self):
@@ -37,6 +40,18 @@ class UserViews(TestCase):
         self.assertEqual(result.status_code, 200)
 
 
+    def test_user_page_blocked(self):
+        ''' there are so many views, this just makes sure it LOADS '''
+        view = views.User.as_view()
+        request = self.factory.get('')
+        request.user = self.local_user
+        self.rat.blocks.add(self.local_user)
+        with patch('bookwyrm.views.user.is_api_request') as is_api:
+            is_api.return_value = False
+            result = view(request, 'rat')
+            self.assertEqual(result.status_code, 404)
+
+
     def test_followers_page(self):
         ''' there are so many views, this just makes sure it LOADS '''
         view = views.Followers.as_view()
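Review bot: The docstring on test_user_page_blocked is copied from the "LOADS" tests and no longer says what the test checks, which is that a viewer the profile owner has blocked gets a 404 instead of the page; replace it with `''' a viewer blocked by the profile owner gets a 404, not the page '''`. The test covers only the logged-in, blocked direction; the anonymous viewer, whom is_blocked deliberately lets through, has no test, so that behavior can change without a failure — a case that sets `request.user` to an anonymous user (e.g. django.contrib.auth.models.AnonymousUser, if the module imports it) and asserts 200 would pin it. The UserViews class header and setUp begin outside this hunk.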
@@ -56,6 +71,18 @@ class UserViews(TestCase):
         self.assertEqual(result.status_code, 200)
 
 
+    def test_followers_page_blocked(self):
+        ''' there are so many views, this just makes sure it LOADS '''
+        view = views.Followers.as_view()
+        request = self.factory.get('')
+        request.user = self.local_user
+        self.rat.blocks.add(self.local_user)
+        with patch('bookwyrm.views.user.is_api_request') as is_api:
+            is_api.return_value = False
+            result = view(request, 'rat')
+            self.assertEqual(result.status_code, 404)
+
+
     def test_following_page(self):
         ''' there are so many views, this just makes sure it LOADS '''
         view = views.Following.as_view()
@@ -75,6 +102,18 @@ class UserViews(TestCase):
         self.assertEqual(result.status_code, 200)
 
 
+    def test_following_page_blocked(self):
+        ''' there are so many views, this just makes sure it LOADS '''
+        view = views.Following.as_view()
+        request = self.factory.get('')
+        request.user = self.local_user
+        self.rat.blocks.add(self.local_user)
+        with patch('bookwyrm.views.user.is_api_request') as is_api:
+            is_api.return_value = False
+            result = view(request, 'rat')
+            self.assertEqual(result.status_code, 404)
+
+
     def test_edit_profile_page(self):
         ''' there are so many views, this just makes sure it LOADS '''
         view = views.EditUser.as_view()
diff --git a/bookwyrm/views/helpers.py b/bookwyrm/views/helpers.py
index 5872b2de5..6bda81c8b 100644
--- a/bookwyrm/views/helpers.py
+++ b/bookwyrm/views/helpers.py
@@ -190,3 +190,9 @@ def handle_reading_status(user, shelf, book, privacy):
     status.save()
     broadcast(user, status.to_create_activity(user))
 
+
+def is_blocked(viewer, user):
+    ''' is this viewer blocked by the user? '''
+    if viewer.is_authenticated and viewer in user.blocks.all():
+        return True
+    return False
diff --git a/bookwyrm/views/user.py b/bookwyrm/views/user.py
index 2a4211b85..acf19c448 100644
--- a/bookwyrm/views/user.py
+++ b/bookwyrm/views/user.py
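Review bot: test_followers_page_blocked only verifies the HTML path, because is_api_request is patched to False, while the new check in Followers sits in front of the ActivityPub branch too; a second case with `is_api.return_value = True` asserting 404 would show the JSON followers collection is also withheld from a blocked, authenticated viewer. The docstring is the copied "LOADS" text and should state the actual contract, e.g. `''' the followers list returns 404 to a viewer the owner has blocked '''`. The enclosing UserViews class starts outside the hunk.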
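Review bot: The docstring on test_following_page_blocked is inherited from the "LOADS" tests and contradicts the assertion below it, which expects a 404; change it to `''' the following list returns 404 to a viewer the owner has blocked '''`. Otherwise the test mirrors the followers case and the same observations apply.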
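Review bot: `viewer in user.blocks.all()` pulls the owner's entire block list out of the database and compares in Python on every profile, followers and following request; a database-side membership test gives the same truth value for less work and collapses the if/True/False into one line: `return viewer.is_authenticated and user.blocks.filter(id=viewer.id).exists()`. The `is_authenticated` guard also means the block is only enforced for logged-in viewers: an anonymous request — including the same person after logging out — is never treated as blocked, so this is a social boundary rather than an access control, and the docstring should say so: `''' is this viewer blocked by the user? Anonymous viewers are never considered blocked. '''`. The check is one-directional (the owner has blocked the viewer); whether the reverse direction should also hide the page is presumably decided elsewhere and worth confirming.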
@@ -18,7 +18,7 @@ from bookwyrm.activitypub import ActivitypubResponse
 from bookwyrm.broadcast import broadcast
 from bookwyrm.settings import PAGE_LENGTH
 from .helpers import get_activity_feed, get_user_from_username, is_api_request
-from .helpers import object_visible_to_user
+from .helpers import is_blocked, object_visible_to_user
 
 
 # pylint: disable= no-self-use
@@ -32,9 +32,8 @@ class User(View):
             return HttpResponseNotFound()
 
         # make sure we're not blocked
-        if request.user.is_authenticated:
-            if request.user in user.blocks.all():
-                return HttpResponseNotFound()
+        if is_blocked(request.user, user):
+            return HttpResponseNotFound()
 
         if is_api_request(request):
             # we have a json request
@@ -102,6 +101,10 @@ class Followers(View):
         except models.User.DoesNotExist:
             return HttpResponseNotFound()
 
+        # make sure we're not blocked
+        if is_blocked(request.user, user):
+            return HttpResponseNotFound()
+
         if is_api_request(request):
             return ActivitypubResponse(
                 user.to_followers_activity(**request.GET))
@@ -123,6 +126,10 @@ class Following(View):
         except models.User.DoesNotExist:
             return HttpResponseNotFound()
 
+        # make sure we're not blocked
+        if is_blocked(request.user, user):
+            return HttpResponseNotFound()
+
         if is_api_request(request):
             return ActivitypubResponse(
                 user.to_following_activity(**request.GET))
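Review bot: The comment above the new is_blocked call does not record the one deliberate choice in this branch, that a blocked viewer receives the same 404 as a nonexistent user rather than a 403, so the existence of the block is not disclosed; spell that out: `# blocked viewers get the same 404 as a missing user so the block itself is not revealed`. Because the check precedes `is_api_request`, the JSON branch is covered by it as well, which is the right order and is worth stating in that comment. The User.get method begins outside the hunk.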
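Review bot: The same four-line lookup-then-block sequence now appears in User, Followers and Following, and a fourth view that serves per-user data will have to remember to copy it; folding the `get_user_from_username` call, the DoesNotExist handling and the is_blocked check into one helper that returns the user or `None` (or raises Http404) would make the block check impossible to forget. The `try`/`get_user_from_username` lines this check depends on start outside the hunk, so the extraction would touch lines not shown here.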
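Review bot: The new check in Following relies on `request.user.is_authenticated` inside is_blocked, and ActivityPub fetches from other servers presumably arrive without a session user, so a blocked remote user's instance can still retrieve `user.to_following_activity` through the JSON branch; only logged-in local viewers are actually turned away. That is fine as long as it is the intended scope, but the comment should not overstate it, e.g. `# hides the page from a logged-in local viewer the owner has blocked; unauthenticated/federated fetches are not affected`. Following.get's signature and the user lookup start outside the hunk.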