Merge pull request #2910 from WesleyAC/no-unauthed-remote-profile-view

Don't show remote profiles to unauthenticated users
Mouse Reeve 2023-07-20 19:06:50 -07:00 committed by GitHub
commit c947360da8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 1 deletions


@ -4,7 +4,7 @@ from unittest.mock import patch
from django.contrib.auth.models import AnonymousUser from django.contrib.auth.models import AnonymousUser
from django.http.response import Http404 from django.http.response import Http404
from django.template.response import TemplateResponse from django.template.response import TemplateResponse
from django.test import TestCase from django.test import Client, TestCase
from django.test.client import RequestFactory from django.test.client import RequestFactory
from bookwyrm import models, views from bookwyrm import models, views
@ -152,6 +152,30 @@ class UserViews(TestCase):
validate_html(result.render()) validate_html(result.render())
self.assertEqual(result.status_code, 200) self.assertEqual(result.status_code, 200)
def test_user_page_remote_anonymous(self):
"""when a anonymous user tries to get a remote user"""
with patch("bookwyrm.models.user.set_remote_server"):
models.User.objects.create_user(
"nutria",
"",
"nutriaword",
local=False,
remote_id="https://example.com/users/nutria",
inbox="https://example.com/users/nutria/inbox",
outbox="https://example.com/users/nutria/outbox",
)
view = views.User.as_view()
request = self.factory.get("")
request.user = self.anonymous_user
with patch("bookwyrm.views.user.is_api_request") as is_api:
is_api.return_value = False
result = view(request, "nutria@example.com")
result.client = Client()
self.assertRedirects(
result, "https://example.com/users/nutria", fetch_redirect_response=False
)
@patch("bookwyrm.suggested_users.rerank_suggestions_task.delay") @patch("bookwyrm.suggested_users.rerank_suggestions_task.delay")
@patch("bookwyrm.activitystreams.populate_stream_task.delay") @patch("bookwyrm.activitystreams.populate_stream_task.delay")
def test_followers_page_blocked(self, *_): def test_followers_page_blocked(self, *_):
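Review bot: `test_user_page_remote_anonymous` pins only the redirect status and target; nothing here exercises the `is_api_request` true path for a remote user requested anonymously, which the view change also affects (the new guard sits before the JSON branch), so whether an unauthenticated ActivityPub fetch of a remote profile still returns actor JSON or now gets a 302 is untested. Add a sibling case that sets `is_api.return_value = True` for the same `nutria` user and asserts the intended status, whichever it is. The fixture's `remote_id` is also the exact redirect target, so this test cannot catch a regression where `remote_id` is used in the redirect without any validation — a second fixture with a non-`https://` `remote_id` asserting a 404 (or whatever the view is meant to do) would document the expected handling. The docstring `when a anonymous user tries to get a remote user` should read `when an anonymous user tries to get a remote user`.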


@ -23,6 +23,9 @@ class User(View):
"""profile page for a user""" """profile page for a user"""
user = get_user_from_username(request.user, username) user = get_user_from_username(request.user, username)
if not user.local and not request.user.is_authenticated:
return redirect(user.remote_id)
if is_api_request(request): if is_api_request(request):
# we have a json request # we have a json request
return ActivitypubResponse(user.to_activity()) return ActivitypubResponse(user.to_activity())
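Review bot: The new guard redirects to `user.remote_id`, a URL that originated from the remote server's actor document rather than from this instance, so unless the federation layer verifies that `remote_id` matches the actor's origin (not visible here) this is a redirect to a remotely chosen target; Django's `redirect()` only rejects schemes outside http/https/ftp. If the goal is just to hide remote profiles from anonymous visitors, a response that does not trust that value is safer, e.g. `raise Http404()` or `return redirect_to_login(request.get_full_path())` (the latter needs `django.contrib.auth.views.redirect_to_login` imported), and if the redirect is kept, at least pin the scheme first: `if not user.remote_id.startswith("https://"): raise Http404()`. Because the check runs before `is_api_request`, an unauthenticated ActivityPub JSON request for a remote user now receives a 302 instead of `ActivitypubResponse(user.to_activity())`; if that is unintended, extend the condition to `and not is_api_request(request)`, otherwise a one-line comment stating that remote actors are never re-served as JSON would make the choice explicit. The enclosing `get` method begins and continues outside this hunk.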