From 364b053d9addf6962e4e7e6d8294790f9d30b64e Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Tue, 23 Feb 2021 12:41:37 -0800
Subject: [PATCH] Better user block privacy
---
 bookwyrm/models/user.py | 10 ++++++++++
 bookwyrm/tests/views/test_helpers.py | 8 +++++---
 bookwyrm/views/feed.py | 2 +-
 bookwyrm/views/follow.py | 8 ++++----
 bookwyrm/views/helpers.py | 6 +++---
 bookwyrm/views/search.py | 2 +-
 bookwyrm/views/shelf.py | 2 +-
 bookwyrm/views/user.py | 6 +++---
 8 files changed, 28 insertions(+), 16 deletions(-)
diff --git a/bookwyrm/models/user.py b/bookwyrm/models/user.py
index a65317fa..108f4345 100644
--- a/bookwyrm/models/user.py
+++ b/bookwyrm/models/user.py
@@ -112,6 +112,16 @@ class User(OrderedCollectionPageMixin, AbstractUser):
 activity_serializer = activitypub.Person
+ @classmethod
+ def viewer_aware_objects(cls, viewer):
+ ''' the user queryset filtered for the context of the logged in user '''
+ queryset = cls.objects.filter(is_active=True)
+ if viewer.is_authenticated:
+ queryset = queryset.exclude(
+ blocks=viewer
+ )
+ return queryset
+
 def to_outbox(self, filter_type=None, **kwargs):
 ''' an ordered collection of statuses '''
 if filter_type:
diff --git a/bookwyrm/tests/views/test_helpers.py b/bookwyrm/tests/views/test_helpers.py
index b75d61d5..577b45e5 100644
--- a/bookwyrm/tests/views/test_helpers.py
+++ b/bookwyrm/tests/views/test_helpers.py
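Review bot: `viewer_aware_objects` applies the block filter only when `viewer.is_authenticated`, so a request without a session still resolves a user who has blocked the account behind it; the docstring should state that limit, e.g. `''' active users, minus those who block the viewer; anonymous viewers are not filtered '''`. The exclusion is also one-directional: `exclude(blocks=viewer)` hides users who block the viewer, not users the viewer blocks, which looks intended but is worth writing down. The new `is_active=True` filter additionally changes every caller that used `User.objects` before, so a deactivated account now raises `DoesNotExist` in the follow, shelf and profile views as well.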
@@ -56,12 +56,14 @@ class ViewsHelpers(TestCase):
 def test_get_user_from_username(self):
 ''' works for either localname or username '''
 self.assertEqual(
- views.helpers.get_user_from_username('mouse'), self.local_user)
+ views.helpers.get_user_from_username(
+ self.local_user, 'mouse'), self.local_user)
 self.assertEqual(
 views.helpers.get_user_from_username(
- 'mouse@local.com'), self.local_user)
+ self.local_user, 'mouse@local.com'), self.local_user)
 with self.assertRaises(models.User.DoesNotExist):
- views.helpers.get_user_from_username('mojfse@example.com')
+ views.helpers.get_user_from_username(
+ self.local_user, 'mojfse@example.com')
 def test_is_api_request(self):
diff --git a/bookwyrm/views/feed.py b/bookwyrm/views/feed.py
index 0e550f0c..e67a893d 100644
--- a/bookwyrm/views/feed.py
+++ b/bookwyrm/views/feed.py
@@ -65,7 +65,7 @@ class DirectMessage(View):
 user = None
 if username:
 try:
- user = get_user_from_username(username)
+ user = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 pass
 if user:
diff --git a/bookwyrm/views/follow.py b/bookwyrm/views/follow.py
index c59f2e6d..e1b1a0bb 100644
--- a/bookwyrm/views/follow.py
+++ b/bookwyrm/views/follow.py
@@ -13,7 +13,7 @@ def follow(request):
 ''' follow another user, here or abroad '''
 username = request.POST['user']
 try:
- to_follow = get_user_from_username(username)
+ to_follow = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseBadRequest()
@@ -33,7 +33,7 @@ def unfollow(request):
 ''' unfollow a user '''
 username = request.POST['user']
 try:
- to_unfollow = get_user_from_username(username)
+ to_unfollow = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseBadRequest()
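Review bot: The updated assertions in `test_get_user_from_username` (bookwyrm/tests/views/test_helpers.py) only pass `self.local_user` through as the viewer, so nothing here exercises the block filtering this commit introduces. A case where the target user has blocked the viewer and the lookup raises `models.User.DoesNotExist` would pin the privacy guarantee, and a second case with an anonymous viewer would record the unfiltered path. The class's fixture setup lies outside the hunk, so a second user and the block relation may need to be created there.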
@@ -52,7 +52,7 @@ def accept_follow_request(request):
 ''' a user accepts a follow request '''
 username = request.POST['user']
 try:
- requester = get_user_from_username(username)
+ requester = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseBadRequest()
@@ -75,7 +75,7 @@ def delete_follow_request(request):
 ''' a user rejects a follow request '''
 username = request.POST['user']
 try:
- requester = get_user_from_username(username)
+ requester = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseBadRequest()
diff --git a/bookwyrm/views/helpers.py b/bookwyrm/views/helpers.py
index 842b8d1c..7e0550fb 100644
--- a/bookwyrm/views/helpers.py
+++ b/bookwyrm/views/helpers.py
@@ -9,13 +9,13 @@ from bookwyrm.status import create_generated_note
 from bookwyrm.utils import regex
-def get_user_from_username(username):
+def get_user_from_username(viewer, username):
 ''' helper function to resolve a localname or a username to a user '''
 # raises DoesNotExist if user is now found
 try:
- return models.User.objects.get(localname=username)
+ return models.User.viwer_aware_objects(viewer).get(localname=username)
 except models.User.DoesNotExist:
- return models.User.objects.get(username=username)
+ return models.User.viewer_aware_objects(viewer).get(username=username)
 def is_api_request(request):
diff --git a/bookwyrm/views/search.py b/bookwyrm/views/search.py
index a4cd7337..98be166f 100644
--- a/bookwyrm/views/search.py
+++ b/bookwyrm/views/search.py
@@ -33,7 +33,7 @@ class Search(View):
 handle_remote_webfinger(query)
 # do a user search
- user_results = models.User.objects.annotate(
+ user_results = models.User.viewer_aware_objects(request.user).annotate(
 similarity=Greatest(
 TrigramSimilarity('username', query),
 TrigramSimilarity('localname', query),
diff --git a/bookwyrm/views/shelf.py b/bookwyrm/views/shelf.py
index 02502ff6..70d3d1de 100644
--- a/bookwyrm/views/shelf.py
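Review bot: The first lookup in `get_user_from_username` (bookwyrm/views/helpers.py) calls `models.User.viwer_aware_objects(viewer)`, which is misspelled; the classmethod this commit adds to the model is `viewer_aware_objects`. The resulting `AttributeError` is not caught by `except models.User.DoesNotExist`, so every view that goes through this helper would fail with a server error before reaching the `username=` fallback. The line should read `return models.User.viewer_aware_objects(viewer).get(localname=username)`. The comment above it could be corrected at the same time to `# raises DoesNotExist if the user is not found or is hidden from the viewer`.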
+++ b/bookwyrm/views/shelf.py
@@ -19,7 +19,7 @@ class Shelf(View):
 def get(self, request, username, shelf_identifier):
 ''' display a shelf '''
 try:
- user = get_user_from_username(username)
+ user = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseNotFound()
diff --git a/bookwyrm/views/user.py b/bookwyrm/views/user.py
index 4da0fdac..7a238ce7 100644
--- a/bookwyrm/views/user.py
+++ b/bookwyrm/views/user.py
@@ -26,7 +26,7 @@ class User(View):
 def get(self, request, username):
 ''' profile page for a user '''
 try:
- user = get_user_from_username(username)
+ user = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseNotFound()
@@ -96,7 +96,7 @@ class Followers(View):
 def get(self, request, username):
 ''' list of followers '''
 try:
- user = get_user_from_username(username)
+ user = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseNotFound()
@@ -121,7 +121,7 @@ class Following(View):
 def get(self, request, username):
 ''' list of followers '''
 try:
- user = get_user_from_username(username)
+ user = get_user_from_username(request.user, username)
 except models.User.DoesNotExist:
 return HttpResponseNotFound()
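Review bot: In `Followers.get` and `Following.get` (bookwyrm/views/user.py) only the profile owner is resolved through the viewer-aware helper, and the code that builds the follower and following lists lies outside these hunks. If those lists are taken from the owner's relationships without the same filter, a user who has blocked the viewer could still be listed on a third party's page, so it is worth confirming that the rendered rows are filtered too. Separately, the `Following.get` docstring still reads `''' list of followers '''`; `''' list of users this user follows '''` would match the view.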