Don't show remote profiles to unauthenticated users

2024-05-31 22:58:18 +00:00 · 2023-07-20 20:00:57 -04:00 · 2023-07-20 20:00:57 -04:00 · aae1d10eea
parent 107f5b38ca
commit aae1d10eea
2 changed files with 28 additions and 1 deletions
--- a/bookwyrm/tests/views/test_user.py
+++ b/bookwyrm/tests/views/test_user.py
@ -4,7 +4,7 @@ from unittest.mock import patch
 from django.contrib.auth.models import AnonymousUser
 from django.http.response import Http404
 from django.template.response import TemplateResponse
-from django.test import TestCase
+from django.test import Client, TestCase
 from django.test.client import RequestFactory

 from bookwyrm import models, views
@ -152,6 +152,30 @@ class UserViews(TestCase):
        validate_html(result.render())
        self.assertEqual(result.status_code, 200)

+    def test_user_page_remote_anonymous(self):
+        """when a anonymous user tries to get a remote user"""
+        with patch("bookwyrm.models.user.set_remote_server"):
+            models.User.objects.create_user(
+                "nutria",
+                "",
+                "nutriaword",
+                local=False,
+                remote_id="https://example.com/users/nutria",
+                inbox="https://example.com/users/nutria/inbox",
+                outbox="https://example.com/users/nutria/outbox",
+            )
+
+        view = views.User.as_view()
+        request = self.factory.get("")
+        request.user = self.anonymous_user
+        with patch("bookwyrm.views.user.is_api_request") as is_api:
+            is_api.return_value = False
+            result = view(request, "nutria@example.com")
+        result.client = Client()
+        self.assertRedirects(
+            result, "https://example.com/users/nutria", fetch_redirect_response=False
+        )
+
    @patch("bookwyrm.suggested_users.rerank_suggestions_task.delay")
    @patch("bookwyrm.activitystreams.populate_stream_task.delay")
    def test_followers_page_blocked(self, *_):
--- a/bookwyrm/views/user.py
+++ b/bookwyrm/views/user.py
@ -23,6 +23,9 @@ class User(View):
        """profile page for a user"""
        user = get_user_from_username(request.user, username)

+        if not user.local and not request.user.is_authenticated:
+            return redirect(user.remote_id)
+
        if is_api_request(request):
            # we have a json request
            return ActivitypubResponse(user.to_activity())