Check permissions when creating a status

2025-02-16 19:15:16 +00:00 · 2022-07-15 09:26:52 -07:00 · 2022-07-15 09:26:52 -07:00 · 7fdfd0c9c7
commit 7fdfd0c9c7
parent a2540e8361
2 changed files with 17 additions and 0 deletions
--- a/bookwyrm/tests/views/test_status.py
+++ b/bookwyrm/tests/views/test_status.py
@ -75,6 +75,22 @@ class StatusViews(TestCase):
        self.assertEqual(status.book, self.book)
        self.assertIsNone(status.edited_date)

+    def test_create_status_wrong_user(self, *_):
+        """You can't compose statuses for someone else"""
+        view = views.CreateStatus.as_view()
+        form = forms.CommentForm(
+            {
+                "content": "hi",
+                "user": self.remote_user.id,
+                "book": self.book.id,
+                "privacy": "public",
+            }
+        )
+        request = self.factory.post("", form.data)
+        request.user = self.local_user
+        with self.assertRaises(PermissionDenied):
+            view(request, "comment")
+
    def test_create_status_reply(self, *_):
        """create a status in reply to an existing status"""
        view = views.CreateStatus.as_view()
--- a/bookwyrm/views/status.py
+++ b/bookwyrm/views/status.py
@ -85,6 +85,7 @@ class CreateStatus(View):
            return redirect("/")

        status = form.save(commit=False)
+        status.raise_not_editable(request.user)
        # save the plain, unformatted version of the status for future editing
        status.raw_content = status.content
        if hasattr(status, "quote"):