Merge pull request #2228 from bookwyrm-social/status-perms

Check permissions when creating a status
Mouse Reeve 2022-07-15 09:56:01 -07:00 committed by GitHub
commit b66ce2e6a5
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 1 deletions


@ -10,12 +10,13 @@ from bookwyrm.settings import DOMAIN
from bookwyrm.tests.validate_html import validate_html
# pylint: disable=invalid-name
@patch("bookwyrm.suggested_users.rerank_suggestions_task.delay")
@patch("bookwyrm.activitystreams.populate_stream_task.delay")
@patch("bookwyrm.lists_stream.populate_lists_task.delay")
@patch("bookwyrm.activitystreams.remove_status_task.delay")
@patch("bookwyrm.models.activitypub_mixin.broadcast_task.apply_async")
# pylint: disable=invalid-name
# pylint: disable=too-many-public-methods
class StatusViews(TestCase):
"""viewing and creating statuses"""
@ -75,6 +76,22 @@ class StatusViews(TestCase):
self.assertEqual(status.book, self.book)
self.assertIsNone(status.edited_date)
def test_create_status_wrong_user(self, *_):
"""You can't compose statuses for someone else"""
view = views.CreateStatus.as_view()
form = forms.CommentForm(
{
"content": "hi",
"user": self.remote_user.id,
"book": self.book.id,
"privacy": "public",
}
)
request = self.factory.post("", form.data)
request.user = self.local_user
with self.assertRaises(PermissionDenied):
view(request, "comment")
def test_create_status_reply(self, *_):
"""create a status in reply to an existing status"""
view = views.CreateStatus.as_view()
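Review bot: In test_create_status_wrong_user the only assertion is that `PermissionDenied` is raised, so the test would still pass if the view saved or broadcast the status before the check fired. Consider recording the number of statuses before the request and asserting it is unchanged afterwards, e.g. `self.assertEqual(models.Status.objects.count(), count_before)`; this assumes `models` is imported in the test module, which the visible lines do not show. The case also covers only the "comment" form with `self.remote_user.id`, so a parallel case for a second local account and for the other status types accepted by CreateStatus would show the check is not specific to one form.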


@ -85,6 +85,7 @@ class CreateStatus(View):
return redirect("/")
status = form.save(commit=False)
status.raise_not_editable(request.user)
# save the plain, unformatted version of the status for future editing
status.raw_content = status.content
if hasattr(status, "quote"):
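Review bot: The check at `status.raise_not_editable(request.user)` (taken to be the added line, since the +/- markers are lost on this page) validates an author that is still chosen by the client, because `status.user` is populated from the posted `user` field. A short comment above the call would make that trust boundary explicit, for example `# "user" is client-supplied form data; refuse to create a status on another account's behalf`. The call runs on the instance returned by `form.save(commit=False)`, so nothing appears to be persisted before the denial, and that ordering should be kept if this block is rearranged. What raise_not_editable permits beyond the owner is defined outside this hunk and should be confirmed, as should the rest of the method, which starts and ends outside the visible lines.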