Merge pull request #1337 from bookwyrm-social/feed-logic

Feed logic

bookwyrm/tests/views/test_feed.py

@@ -82,6 +82,27 @@ class FeedViews(TestCase):
 
         self.assertEqual(result.status_code, 404)
 
+    def test_status_page_not_found_wrong_user(self, *_):
+        """there are so many views, this just makes sure it LOADS"""
+        view = views.Status.as_view()
+        another_user = models.User.objects.create_user(
+            "rat@local.com",
+            "rat@rat.rat",
+            "password",
+            local=True,
+            localname="rat",
+        )
+        with patch("bookwyrm.models.activitypub_mixin.broadcast_task.delay"):
+            status = models.Status.objects.create(content="hi", user=another_user)
+
+        request = self.factory.get("")
+        request.user = self.local_user
+        with patch("bookwyrm.views.feed.is_api_request") as is_api:
+            is_api.return_value = False
+            result = view(request, "mouse", status.id)
+
+        self.assertEqual(result.status_code, 404)
+
     def test_status_page_with_image(self, *_):
         """there are so many views, this just makes sure it LOADS"""
         view = views.Status.as_view()

bookwyrm/views/feed.py

@@ -96,15 +96,11 @@ class Status(View):
         try:
             user = get_user_from_username(request.user, username)
             status = models.Status.objects.select_subclasses().get(
-                id=status_id, deleted=False
+                user=user, id=status_id, deleted=False
             )
         except (ValueError, models.Status.DoesNotExist):
             return HttpResponseNotFound()
 
-        # the url should have the poster's username in it
-        if user != status.user:
-            return HttpResponseNotFound()
-
         # make sure the user is authorized to see the status
         if not status.visible_to_user(request.user):
             return HttpResponseNotFound()