Merge pull request #2910 from WesleyAC/no-unauthed-remote-profile-view
Don't show remote profiles to unauthenticated users
commit
c947360da8
2 changed files with 28 additions and 1 deletions
@ -4,7 +4,7 @@ from unittest.mock import patch
from django.contrib.auth.models import AnonymousUser
from django.http.response import Http404
from django.template.response import TemplateResponse
from django.test import TestCase
from django.test import Client, TestCase
from django.test.client import RequestFactory
from bookwyrm import models, views
@ -152,6 +152,30 @@ class UserViews(TestCase):
validate_html(result.render())
self.assertEqual(result.status_code, 200)
def test_user_page_remote_anonymous(self):
"""when a anonymous user tries to get a remote user"""
with patch("bookwyrm.models.user.set_remote_server"):
models.User.objects.create_user(
"nutria",
"",
"nutriaword",
local=False,
remote_id="https://example.com/users/nutria",
inbox="https://example.com/users/nutria/inbox",
outbox="https://example.com/users/nutria/outbox",
)
view = views.User.as_view()
request = self.factory.get("")
request.user = self.anonymous_user
with patch("bookwyrm.views.user.is_api_request") as is_api:
is_api.return_value = False
result = view(request, "nutria@example.com")
result.client = Client()
self.assertRedirects(
result, "https://example.com/users/nutria", fetch_redirect_response=False
)
@patch("bookwyrm.suggested_users.rerank_suggestions_task.delay")
@patch("bookwyrm.activitystreams.populate_stream_task.delay")
def test_followers_page_blocked(self, *_):
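Review bot: The new test_user_page_remote_anonymous only exercises the anonymous, non-API path; the commit does not add the complementary case that an authenticated local user still receives a 200 for the same remote profile, which is the regression a `not request.user.is_authenticated` guard is most likely to introduce. A sibling test that builds the same remote user, sets `request.user = <a logged-in user from the fixtures>` and asserts `self.assertEqual(result.status_code, 200)` would pin that, and a third variant with `is_api.return_value = True` would document what an unauthenticated ActivityPub fetch of a remote actor now gets. The docstring `"""when a anonymous user tries to get a remote user"""` should read `"""when an anonymous user tries to get a remote user"""`. `self.factory` and `self.anonymous_user` are set up outside this hunk.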
@ -23,6 +23,9 @@ class User(View):
"""profile page for a user"""
user = get_user_from_username(request.user, username)
if not user.local and not request.user.is_authenticated:
return redirect(user.remote_id)
if is_api_request(request):
# we have a json request
return ActivitypubResponse(user.to_activity())
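Review bot: The new guard `if not user.local and not request.user.is_authenticated:` is placed above the `is_api_request(request)` branch, so an unauthenticated ActivityPub JSON fetch of a remote actor is now answered with a 302 to `user.remote_id` rather than the actor document; if that is intended (this instance is not the authority for remote actors, so callers should ask the origin), a why-comment would stop a later maintainer from reordering the checks. Something like `# remote users are only a partial local copy; send anonymous visitors (HTML or JSON) to the canonical profile on the origin instance` above the condition would do. The redirect target is a value that originated from the remote instance, but the HttpResponseRedirect that redirect() builds rejects schemes other than http, https and ftp, so the remaining exposure is only that the response reveals remote_id, which the actor document already publishes. The enclosing view method starts outside this hunk.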