diff --git a/bookwyrm/tests/views/test_feed.py b/bookwyrm/tests/views/test_feed.py index 666c3e02..e13dd7f8 100644 --- a/bookwyrm/tests/views/test_feed.py +++ b/bookwyrm/tests/views/test_feed.py @@ -82,6 +82,27 @@ class FeedViews(TestCase): self.assertEqual(result.status_code, 404) + def test_status_page_not_found_wrong_user(self, *_): + """there are so many views, this just makes sure it LOADS""" + view = views.Status.as_view() + another_user = models.User.objects.create_user( + "rat@local.com", + "rat@rat.rat", + "password", + local=True, + localname="rat", + ) + with patch("bookwyrm.models.activitypub_mixin.broadcast_task.delay"): + status = models.Status.objects.create(content="hi", user=another_user) + + request = self.factory.get("") + request.user = self.local_user + with patch("bookwyrm.views.feed.is_api_request") as is_api: + is_api.return_value = False + result = view(request, "mouse", status.id) + + self.assertEqual(result.status_code, 404) + def test_status_page_with_image(self, *_): """there are so many views, this just makes sure it LOADS""" view = views.Status.as_view() diff --git a/bookwyrm/views/feed.py b/bookwyrm/views/feed.py index 7a46ca57..d17de8f9 100644 --- a/bookwyrm/views/feed.py +++ b/bookwyrm/views/feed.py @@ -96,15 +96,11 @@ class Status(View): try: user = get_user_from_username(request.user, username) status = models.Status.objects.select_subclasses().get( - id=status_id, deleted=False + user=user, id=status_id, deleted=False ) except (ValueError, models.Status.DoesNotExist): return HttpResponseNotFound() - # the url should have the poster's username in it - if user != status.user: - return HttpResponseNotFound() - # make sure the user is authorized to see the status if not status.visible_to_user(request.user): return HttpResponseNotFound()