Merge pull request #1337 from bookwyrm-social/feed-logic

Feed logic
Mouse Reeve 2021-08-28 11:29:37 -07:00 committed by GitHub
commit 41ed5f3103
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 5 deletions


@ -82,6 +82,27 @@ class FeedViews(TestCase):
self.assertEqual(result.status_code, 404) self.assertEqual(result.status_code, 404)
def test_status_page_not_found_wrong_user(self, *_):
"""there are so many views, this just makes sure it LOADS"""
view = views.Status.as_view()
another_user = models.User.objects.create_user(
"rat@local.com",
"rat@rat.rat",
"password",
local=True,
localname="rat",
)
with patch("bookwyrm.models.activitypub_mixin.broadcast_task.delay"):
status = models.Status.objects.create(content="hi", user=another_user)
request = self.factory.get("")
request.user = self.local_user
with patch("bookwyrm.views.feed.is_api_request") as is_api:
is_api.return_value = False
result = view(request, "mouse", status.id)
self.assertEqual(result.status_code, 404)
def test_status_page_with_image(self, *_): def test_status_page_with_image(self, *_):
"""there are so many views, this just makes sure it LOADS""" """there are so many views, this just makes sure it LOADS"""
view = views.Status.as_view() view = views.Status.as_view()
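Review bot: The docstring on `test_status_page_not_found_wrong_user` is copied from the neighbouring load tests and does not say what the test pins down; something like `"""a status requested under another user's name in the url is a 404"""` would state the access rule being checked. The test patches `is_api_request` to return False, so only the HTML path is exercised; if the view also serves statuses to API requests, a second case with `is_api.return_value = True` would cover the username mismatch there as well. The url names "mouse" while the status belongs to "rat", which presumably relies on `self.local_user` being "mouse" in a setUp that is outside this hunk.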


@ -96,15 +96,11 @@ class Status(View):
try: try:
user = get_user_from_username(request.user, username) user = get_user_from_username(request.user, username)
status = models.Status.objects.select_subclasses().get( status = models.Status.objects.select_subclasses().get(
id=status_id, deleted=False user=user, id=status_id, deleted=False
) )
except (ValueError, models.Status.DoesNotExist): except (ValueError, models.Status.DoesNotExist):
return HttpResponseNotFound() return HttpResponseNotFound()
# the url should have the poster's username in it
if user != status.user:
return HttpResponseNotFound()
# make sure the user is authorized to see the status # make sure the user is authorized to see the status
if not status.visible_to_user(request.user): if not status.visible_to_user(request.user):
return HttpResponseNotFound() return HttpResponseNotFound()
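Review bot: The comment that explained the ownership rule was removed together with the explicit `user != status.user` check, so the `user=user` filter now carries an access constraint with nothing saying so; I would add `# the url must name the status's author, otherwise this is a 404` above the `get(` call so the filter is not dropped in a later cleanup. Folding the check into the query does keep every miss an identical 404, which avoids revealing whether a status id exists. The `except` clause covers only `ValueError` and `models.Status.DoesNotExist`; `get_user_from_username` is not visible here, so it is worth confirming that an unknown username cannot raise something else and surface as a 500. The method body starts and ends outside this hunk.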