diff --git a/bookwyrm/tests/views/test_helpers.py b/bookwyrm/tests/views/test_helpers.py
index bd8928962..5e42b3785 100644
--- a/bookwyrm/tests/views/test_helpers.py
+++ b/bookwyrm/tests/views/test_helpers.py
@@ -248,3 +248,63 @@ class ViewsHelpers(TestCase):
 views.helpers.handle_reading_status(
 self.local_user, self.shelf, self.book, 'public')
 self.assertFalse(models.GeneratedNote.objects.exists())
+
+ def test_object_visible_to_user(self):
+ ''' does a user have permission to view an object '''
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='public')
+ self.assertTrue(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ obj = models.Shelf.objects.create(
+ name='test', user=self.remote_user, privacy='unlisted')
+ self.assertTrue(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='followers')
+ self.assertFalse(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='direct')
+ self.assertFalse(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='direct')
+ obj.mention_users.add(self.local_user)
+ self.assertTrue(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ def test_object_visible_to_user_follower(self):
+ ''' what you can see if you follow a user '''
+ self.remote_user.followers.add(self.local_user)
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='followers')
+ self.assertTrue(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='direct')
+ self.assertFalse(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='direct')
+ obj.mention_users.add(self.local_user)
+ self.assertTrue(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ def test_object_visible_to_user_blocked(self):
+ ''' you can't see it if they block you '''
+ self.remote_user.blocks.add(self.local_user)
+ obj = models.Status.objects.create(
+ content='hi', user=self.remote_user, privacy='public')
+ self.assertFalse(
+ views.helpers.object_visible_to_user(self.local_user, obj))
+
+ obj = models.Shelf.objects.create(
+ name='test', user=self.remote_user, privacy='unlisted')
+ self.assertFalse(
+ views.helpers.object_visible_to_user(self.local_user, obj))
diff --git a/bookwyrm/views/helpers.py b/bookwyrm/views/helpers.py
index 601593246..f899680f0 100644
--- a/bookwyrm/views/helpers.py
+++ b/bookwyrm/views/helpers.py
@@ -38,11 +38,21 @@ def object_visible_to_user(viewer, obj):
 ''' is a user authorized to view an object? '''
 if not obj:
 return False
+
+ # viewer can't see it if the object's owner blocked them
+ if viewer in obj.user.blocks.all():
+ return False
+
+ # you can see your own posts and any public or unlisted posts
 if viewer == obj.user or obj.privacy in ['public', 'unlisted']:
 return True
+
+ # you can see the followers only posts of people you follow
 if obj.privacy == 'followers' and \
 obj.user.followers.filter(id=viewer.id).first():
 return True
+
+ # you can see dms you are tagged in
 if isinstance(obj, models.Status):
 if obj.privacy == 'direct' and \
 obj.mention_users.filter(id=viewer.id).first():
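Review bot: test_object_visible_to_user_blocked asserts the deny only for 'public' and 'unlisted' objects, so the cases where the block has to override another grant are untested: a blocked viewer who also follows the owner (a 'followers' status), and a blocked viewer who is mentioned in a 'direct' status. Adding both, each set up with `self.remote_user.blocks.add(self.local_user)` plus the follow or `obj.mention_users.add(self.local_user)` and ending in `self.assertFalse(views.helpers.object_visible_to_user(self.local_user, obj))`, would pin the order of the checks in the helper. A later reorder that puts the follower or mention branch ahead of the block check would then fail the suite. None of the three new tests uses the owner as the viewer, so the `viewer == obj.user` branch is also uncovered.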
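Review bot: The new deny rule `if viewer in obj.user.blocks.all():` loads the owner's whole block list and compares it in Python, while the follower and mention checks further down query by id. `if obj.user.blocks.filter(id=viewer.id).exists():` keeps this authorization check to a single lookup and matches the surrounding style. Running the block check ahead of every grant is the right order, and the comment could say so explicitly, for example `# blocks override follows and mentions, so this check must stay first`. This helper gates one object at a time, so feed and list queries presumably need the same block filter applied separately; that is not visible here, and the function body continues past the end of the hunk.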