Merge pull request #2243 from bookwyrm-social/list-crate-perms

Fixes list creation perms
Mouse Reeve 2022-07-28 11:54:28 -07:00 committed by GitHub
commit 41b20c4dd5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 2 deletions


@ -3,6 +3,7 @@ import json
from unittest.mock import patch from unittest.mock import patch
from django.contrib.auth.models import AnonymousUser from django.contrib.auth.models import AnonymousUser
from django.core.exceptions import PermissionDenied
from django.template.response import TemplateResponse from django.template.response import TemplateResponse
from django.test import TestCase from django.test import TestCase
from django.test.client import RequestFactory from django.test.client import RequestFactory
@ -28,6 +29,9 @@ class ListViews(TestCase):
localname="mouse", localname="mouse",
remote_id="https://example.com/users/mouse", remote_id="https://example.com/users/mouse",
) )
self.another_user = models.User.objects.create_user(
"rat@local.com", "rat@rat.com", "ratword", local=True, localname="rat"
)
self.anonymous_user = AnonymousUser self.anonymous_user = AnonymousUser
self.anonymous_user.is_authenticated = False self.anonymous_user.is_authenticated = False
@ -167,3 +171,20 @@ class ListViews(TestCase):
self.assertEqual(new_list.description, "wow") self.assertEqual(new_list.description, "wow")
self.assertEqual(new_list.privacy, "unlisted") self.assertEqual(new_list.privacy, "unlisted")
self.assertEqual(new_list.curation, "open") self.assertEqual(new_list.curation, "open")
def test_lists_create_permission_denied(self):
"""create list view"""
view = views.Lists.as_view()
request = self.factory.post(
"",
{
"name": "A list",
"description": "wow",
"privacy": "unlisted",
"curation": "open",
"user": self.local_user.id,
},
)
request.user = self.another_user
with self.assertRaises(PermissionDenied):
view(request)
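Review bot: `test_lists_create_permission_denied` only asserts that `PermissionDenied` is raised; it does not pin that nothing was persisted for the rejected request. Adding `self.assertFalse(models.List.objects.filter(name="A list").exists())` after the `with` block would catch a regression where the check runs after a save. The docstring `"""create list view"""` looks copied from the success-path test; something like `"""a user cannot create a list owned by another user"""` would describe the case under test.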


@ -36,11 +36,13 @@ class Lists(View):
form = forms.ListForm(request.POST) form = forms.ListForm(request.POST)
if not form.is_valid(): if not form.is_valid():
return redirect("lists") return redirect("lists")
book_list = form.save() book_list = form.save(commit=False)
book_list.raise_not_editable(request.user)
# list should not have a group if it is not group curated # list should not have a group if it is not group curated
if not book_list.curation == "group": if not book_list.curation == "group":
book_list.group = None book_list.group = None
book_list.save(broadcast=False) book_list.save()
return redirect(book_list.local_path) return redirect(book_list.local_path)
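Review bot: The owner of the new list is still read from the posted `user` field and only afterwards compared with the session by `book_list.raise_not_editable(request.user)`, so correctness depends on that model check covering every ownership case. Since a list created through this view presumably always belongs to the requester, setting `book_list.user = request.user` after `form.save(commit=False)` would remove the client-supplied owner from the trust path while keeping the check as defence in depth. The `group` value that is kept when `curation == "group"` also comes from the form, and nothing visible in this hunk verifies that `request.user` is a member of that group; it is worth confirming that `raise_not_editable` or the form enforces this. The enclosing method starts above the hunk, so earlier decorators or checks are not visible here.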