Hide user pages to blocked users
parent
681f5482fd
commit
3f011445e2
3 changed files with 56 additions and 4 deletions
|
@ -16,6 +16,9 @@ class UserViews(TestCase):
|
|||
self.local_user = models.User.objects.create_user(
|
||||
'mouse@local.com', 'mouse@mouse.mouse', 'password',
|
||||
local=True, localname='mouse')
|
||||
self.rat = models.User.objects.create_user(
|
||||
'rat@local.com', 'rat@rat.rat', 'password',
|
||||
local=True, localname='rat')
|
||||
|
||||
|
||||
def test_user_page(self):
|
||||
|
@ -37,6 +40,18 @@ class UserViews(TestCase):
|
|||
self.assertEqual(result.status_code, 200)
|
||||
|
||||
|
||||
def test_user_page_blocked(self):
|
||||
''' there are so many views, this just makes sure it LOADS '''
|
||||
view = views.User.as_view()
|
||||
request = self.factory.get('')
|
||||
request.user = self.local_user
|
||||
self.rat.blocks.add(self.local_user)
|
||||
with patch('bookwyrm.views.user.is_api_request') as is_api:
|
||||
is_api.return_value = False
|
||||
result = view(request, 'rat')
|
||||
self.assertEqual(result.status_code, 404)
|
||||
|
||||
|
||||
def test_followers_page(self):
|
||||
''' there are so many views, this just makes sure it LOADS '''
|
||||
view = views.Followers.as_view()
|
||||
|
@ -56,6 +71,18 @@ class UserViews(TestCase):
|
|||
self.assertEqual(result.status_code, 200)
|
||||
|
||||
|
||||
def test_followers_page_blocked(self):
|
||||
''' there are so many views, this just makes sure it LOADS '''
|
||||
view = views.Followers.as_view()
|
||||
request = self.factory.get('')
|
||||
request.user = self.local_user
|
||||
self.rat.blocks.add(self.local_user)
|
||||
with patch('bookwyrm.views.user.is_api_request') as is_api:
|
||||
is_api.return_value = False
|
||||
result = view(request, 'rat')
|
||||
self.assertEqual(result.status_code, 404)
|
||||
|
||||
|
||||
def test_following_page(self):
|
||||
''' there are so many views, this just makes sure it LOADS '''
|
||||
view = views.Following.as_view()
|
||||
|
@ -75,6 +102,18 @@ class UserViews(TestCase):
|
|||
self.assertEqual(result.status_code, 200)
|
||||
|
||||
|
||||
def test_following_page_blocked(self):
|
||||
''' there are so many views, this just makes sure it LOADS '''
|
||||
view = views.Following.as_view()
|
||||
request = self.factory.get('')
|
||||
request.user = self.local_user
|
||||
self.rat.blocks.add(self.local_user)
|
||||
with patch('bookwyrm.views.user.is_api_request') as is_api:
|
||||
is_api.return_value = False
|
||||
result = view(request, 'rat')
|
||||
self.assertEqual(result.status_code, 404)
|
||||
|
||||
|
||||
def test_edit_profile_page(self):
|
||||
''' there are so many views, this just makes sure it LOADS '''
|
||||
view = views.EditUser.as_view()
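Review bot: The three new `*_blocked` tests cover only the HTML branch, because each one patches `is_api_request` to return `False`. The views run the same `is_blocked` check before the ActivityPub JSON branch, and nothing here pins that ordering. A variant of each test with `is_api.return_value = True` that still expects 404 would catch a later change that moves the API branch above the block check. The docstring `''' there are so many views, this just makes sure it LOADS '''` is copied from the 200 tests and is misleading on a test that asserts a 404; `''' a blocked viewer gets a 404 instead of the page '''` says what is actually checked.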
|
||||
|
|
|
@ -190,3 +190,9 @@ def handle_reading_status(user, shelf, book, privacy):
|
|||
status.save()
|
||||
|
||||
broadcast(user, status.to_create_activity(user))
|
||||
|
||||
def is_blocked(viewer, user):
|
||||
''' is this viewer blocked by the user? '''
|
||||
if viewer.is_authenticated and viewer in user.blocks.all():
|
||||
return True
|
||||
return False
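Review bot: `viewer in user.blocks.all()` in `is_blocked` loads the user's entire block list and compares in Python on every profile, followers and following request. `user.blocks.filter(id=viewer.id).exists()` asks the database the same question without fetching the rows, and the body then reduces to `return viewer.is_authenticated and user.blocks.filter(id=viewer.id).exists()`. Because callers use the result as an access-control decision, the docstring should also state that an unauthenticated viewer is never reported as blocked.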
|
||||
|
|
|
@ -18,7 +18,7 @@ from bookwyrm.activitypub import ActivitypubResponse
|
|||
from bookwyrm.broadcast import broadcast
|
||||
from bookwyrm.settings import PAGE_LENGTH
|
||||
from .helpers import get_activity_feed, get_user_from_username, is_api_request
|
||||
from .helpers import object_visible_to_user
|
||||
from .helpers import is_blocked, object_visible_to_user
|
||||
|
||||
|
||||
# pylint: disable= no-self-use
|
||||
|
@ -32,9 +32,8 @@ class User(View):
|
|||
return HttpResponseNotFound()
|
||||
|
||||
# make sure we're not blocked
|
||||
if request.user.is_authenticated:
|
||||
if request.user in user.blocks.all():
|
||||
return HttpResponseNotFound()
|
||||
if is_blocked(request.user, user):
|
||||
return HttpResponseNotFound()
|
||||
|
||||
if is_api_request(request):
|
||||
# we have a json request
|
||||
|
@ -102,6 +101,10 @@ class Followers(View):
|
|||
except models.User.DoesNotExist:
|
||||
return HttpResponseNotFound()
|
||||
|
||||
# make sure we're not blocked
|
||||
if is_blocked(request.user, user):
|
||||
return HttpResponseNotFound()
|
||||
|
||||
if is_api_request(request):
|
||||
return ActivitypubResponse(
|
||||
user.to_followers_activity(**request.GET))
|
||||
|
@ -123,6 +126,10 @@ class Following(View):
|
|||
except models.User.DoesNotExist:
|
||||
return HttpResponseNotFound()
|
||||
|
||||
# make sure we're not blocked
|
||||
if is_blocked(request.user, user):
|
||||
return HttpResponseNotFound()
|
||||
|
||||
if is_api_request(request):
|
||||
return ActivitypubResponse(
|
||||
user.to_following_activity(**request.GET))
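Review bot: The `is_blocked(request.user, user)` guards added to the `Followers` and `Following` views, and the refactored one in `User`, only take effect for a logged-in session, since the helper returns False for any unauthenticated viewer. A request without a session therefore still reaches the page, and so, presumably, does a federated fetch that takes the `is_api_request` branch right after the check. If that is the intended scope, say so where the check lives, e.g. `# only hides the page from a logged-in blocked account; anonymous and ActivityPub requests are not checked here`, so the guard is not mistaken for a full visibility control. The enclosing view methods begin and end outside these hunks, so any earlier authentication requirement is not visible here.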
|
||||
|
|