Merge pull request #2223 from bookwyrm-social/shelf-edit-perms

Shelf edit perms
2024-06-15 19:50:41 +00:00 · 2022-07-14 12:22:33 -07:00 · 2022-07-14 12:22:33 -07:00 · 44b86baa5b
parent 95a72ae902 317a239d40
commit 44b86baa5b
2 changed files with 33 additions and 18 deletions
--- a/bookwyrm/tests/views/shelf/test_shelf_actions.py
+++ b/bookwyrm/tests/views/shelf/test_shelf_actions.py
@ -32,6 +32,14 @@ class ShelfActionViews(TestCase):
                localname="mouse",
                remote_id="https://example.com/users/mouse",
            )
+            self.another_user = models.User.objects.create_user(
+                "rat@local.com",
+                "rat@rat.com",
+                "ratword",
+                local=True,
+                localname="rat",
+                remote_id="https://example.com/users/rat",
+            )
        self.work = models.Work.objects.create(title="Test Work")
        self.book = models.Edition.objects.create(
            title="Example Edition",
@ -66,7 +74,7 @@ class ShelfActionViews(TestCase):

    def test_shelve_to_read(self, *_):
        """special behavior for the to-read shelf"""
-        shelf = models.Shelf.objects.get(identifier="to-read")
+        shelf = models.Shelf.objects.get(user=self.local_user, identifier="to-read")
        request = self.factory.post(
            "", {"book": self.book.id, "shelf": shelf.identifier}
        )
@ -79,7 +87,7 @@ class ShelfActionViews(TestCase):

    def test_shelve_reading(self, *_):
        """special behavior for the reading shelf"""
-        shelf = models.Shelf.objects.get(identifier="reading")
+        shelf = models.Shelf.objects.get(user=self.local_user, identifier="reading")
        request = self.factory.post(
            "", {"book": self.book.id, "shelf": shelf.identifier}
        )
@ -92,7 +100,7 @@ class ShelfActionViews(TestCase):

    def test_shelve_read(self, *_):
        """special behavior for the read shelf"""
-        shelf = models.Shelf.objects.get(identifier="read")
+        shelf = models.Shelf.objects.get(user=self.local_user, identifier="read")
        request = self.factory.post(
            "", {"book": self.book.id, "shelf": shelf.identifier}
        )
@ -105,11 +113,13 @@ class ShelfActionViews(TestCase):

    def test_shelve_read_with_change_shelf(self, *_):
        """special behavior for the read shelf"""
-        previous_shelf = models.Shelf.objects.get(identifier="reading")
+        previous_shelf = models.Shelf.objects.get(
+            user=self.local_user, identifier="reading"
+        )
        models.ShelfBook.objects.create(
            shelf=previous_shelf, user=self.local_user, book=self.book
        )
-        shelf = models.Shelf.objects.get(identifier="read")
+        shelf = models.Shelf.objects.get(user=self.local_user, identifier="read")

        request = self.factory.post(
            "",
@ -160,11 +170,24 @@ class ShelfActionViews(TestCase):

        views.create_shelf(request)

-        shelf = models.Shelf.objects.get(name="new shelf name")
+        shelf = models.Shelf.objects.get(user=self.local_user, name="new shelf name")
        self.assertEqual(shelf.privacy, "unlisted")
        self.assertEqual(shelf.description, "desc")
        self.assertEqual(shelf.user, self.local_user)

+    def test_create_shelf_wrong_user(self, *_):
+        """a brand new custom shelf"""
+        form = forms.ShelfForm()
+        form.data["user"] = self.another_user.id
+        form.data["name"] = "new shelf name"
+        form.data["description"] = "desc"
+        form.data["privacy"] = "unlisted"
+        request = self.factory.post("", form.data)
+        request.user = self.local_user
+
+        with self.assertRaises(PermissionDenied):
+            views.create_shelf(request)
+
    def test_delete_shelf(self, *_):
        """delete a brand new custom shelf"""
        request = self.factory.post("")
@ -177,18 +200,8 @@ class ShelfActionViews(TestCase):

    def test_delete_shelf_unauthorized(self, *_):
        """delete a brand new custom shelf"""
-        with patch("bookwyrm.suggested_users.rerank_suggestions_task.delay"), patch(
-            "bookwyrm.activitystreams.populate_stream_task.delay"
-        ), patch("bookwyrm.lists_stream.populate_lists_task.delay"):
-            rat = models.User.objects.create_user(
-                "rat@local.com",
-                "rat@mouse.mouse",
-                "password",
-                local=True,
-                localname="rat",
-            )
        request = self.factory.post("")
-        request.user = rat
+        request.user = self.another_user

        with self.assertRaises(PermissionDenied):
            views.delete_shelf(request, self.shelf.id)
--- a/bookwyrm/views/shelf/shelf_actions.py
+++ b/bookwyrm/views/shelf/shelf_actions.py
@ -15,7 +15,9 @@ def create_shelf(request):
    if not form.is_valid():
        return redirect("user-shelves", request.user.localname)

-    shelf = form.save()
+    shelf = form.save(commit=False)
+    shelf.raise_not_editable(request.user)
+    shelf.save()
    return redirect(shelf.local_path)