From 4fb834f10f697de65b3a62c9cfbb4896c9d22a04 Mon Sep 17 00:00:00 2001 From: Mouse Reeve Date: Sat, 28 Aug 2021 09:42:03 -0700 Subject: [PATCH 1/2] Simpler feed verification logic --- bookwyrm/views/feed.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/bookwyrm/views/feed.py b/bookwyrm/views/feed.py index 7a46ca57d..d17de8f96 100644 --- a/bookwyrm/views/feed.py +++ b/bookwyrm/views/feed.py @@ -96,15 +96,11 @@ class Status(View): try: user = get_user_from_username(request.user, username) status = models.Status.objects.select_subclasses().get( - id=status_id, deleted=False + user=user, id=status_id, deleted=False ) except (ValueError, models.Status.DoesNotExist): return HttpResponseNotFound() - # the url should have the poster's username in it - if user != status.user: - return HttpResponseNotFound() - # make sure the user is authorized to see the status if not status.visible_to_user(request.user): return HttpResponseNotFound() From e1af13d03830b22acace8587a1f3cfb1368e4b69 Mon Sep 17 00:00:00 2001 From: Mouse Reeve Date: Sat, 28 Aug 2021 09:55:06 -0700 Subject: [PATCH 2/2] Adds test --- bookwyrm/tests/views/test_feed.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/bookwyrm/tests/views/test_feed.py b/bookwyrm/tests/views/test_feed.py index 666c3e02b..e13dd7f8a 100644 --- a/bookwyrm/tests/views/test_feed.py +++ b/bookwyrm/tests/views/test_feed.py @@ -82,6 +82,27 @@ class FeedViews(TestCase): self.assertEqual(result.status_code, 404) + def test_status_page_not_found_wrong_user(self, *_): + """there are so many views, this just makes sure it LOADS""" + view = views.Status.as_view() + another_user = models.User.objects.create_user( + "rat@local.com", + "rat@rat.rat", + "password", + local=True, + localname="rat", + ) + with patch("bookwyrm.models.activitypub_mixin.broadcast_task.delay"): + status = models.Status.objects.create(content="hi", user=another_user) + + request = self.factory.get("") + request.user = self.local_user + with patch("bookwyrm.views.feed.is_api_request") as is_api: + is_api.return_value = False + result = view(request, "mouse", status.id) + + self.assertEqual(result.status_code, 404) + def test_status_page_with_image(self, *_): """there are so many views, this just makes sure it LOADS""" view = views.Status.as_view()