diff --git a/bookwyrm/tests/views/test_status.py b/bookwyrm/tests/views/test_status.py
index 0026c52b5..1159b3863 100644
--- a/bookwyrm/tests/views/test_status.py
+++ b/bookwyrm/tests/views/test_status.py
@@ -10,12 +10,13 @@ from bookwyrm.settings import DOMAIN
 from bookwyrm.tests.validate_html import validate_html
-# pylint: disable=invalid-name
 @patch("bookwyrm.suggested_users.rerank_suggestions_task.delay")
 @patch("bookwyrm.activitystreams.populate_stream_task.delay")
 @patch("bookwyrm.lists_stream.populate_lists_task.delay")
 @patch("bookwyrm.activitystreams.remove_status_task.delay")
 @patch("bookwyrm.models.activitypub_mixin.broadcast_task.apply_async")
+# pylint: disable=invalid-name
+# pylint: disable=too-many-public-methods
 class StatusViews(TestCase):
 """viewing and creating statuses"""
@@ -75,6 +76,22 @@ class StatusViews(TestCase):
 self.assertEqual(status.book, self.book)
 self.assertIsNone(status.edited_date)
+ def test_create_status_wrong_user(self, *_): """You can't compose statuses for someone else""" view = views.CreateStatus.as_view() form = forms.CommentForm( { "content": "hi", "user": self.remote_user.id, "book": self.book.id, "privacy": "public", } ) request = self.factory.post("", form.data) request.user = self.local_user with self.assertRaises(PermissionDenied): view(request, "comment")
+
 def test_create_status_reply(self, *_):
 """create a status in reply to an existing status"""
 view = views.CreateStatus.as_view()
diff --git a/bookwyrm/views/status.py b/bookwyrm/views/status.py
index 8c14b3cdd..c0a045f8a 100644
--- a/bookwyrm/views/status.py
+++ b/bookwyrm/views/status.py
@@ -85,6 +85,7 @@ class CreateStatus(View):
 return redirect("/")
 status = form.save(commit=False)
+ status.raise_not_editable(request.user)
 # save the plain, unformatted version of the status for future editing
 status.raw_content = status.content
 if hasattr(status, "quote"):
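Review bot: test_create_status_wrong_user asserts only that PermissionDenied is raised and never checks that nothing was persisted, which is the property that actually matters here because the view calls `form.save(commit=False)` before the permission check and a later reorder could save first. Add a negative assertion after the `with` block, e.g. `self.assertFalse(models.Comment.objects.filter(content="hi").exists())`, assuming `models` is imported in this test module as the sibling tests suggest. The diff adds no import for `PermissionDenied`, so confirm it is already in scope at the top of the file rather than letting the test fail with a NameError. The test exercises only the "comment" status type that the view receives as its argument; a variant over the other types the view accepts would show the check is enforced regardless of which form is chosen.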
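Review bot: `status.raise_not_editable(request.user)` is placed correctly, before anything is persisted, but it validates a client-controlled `user` field rather than removing it from the request surface: the test's POST data shows `user` is bound from form input. The more robust pattern is to never take the author from the form at all, i.e. set `status.user = request.user` immediately after `form.save(commit=False)` (or exclude `user` from the form fields) and keep `raise_not_editable` as defense in depth, so a missing or forged id can never reach the model. Also confirm that `raise_not_editable` raises `PermissionDenied`, which Django renders as a 403, rather than a model-level exception that would surface as a 500; the test expects PermissionDenied, but the method itself is not visible here. The enclosing `post` method starts and ends outside this hunk, so whether reply targets or other relations are similarly checked cannot be seen from the diff.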