commit
41ed5f3103
2 changed files with 22 additions and 5 deletions
|
@ -82,6 +82,27 @@ class FeedViews(TestCase):
|
||||||
|
|
||||||
self.assertEqual(result.status_code, 404)
|
self.assertEqual(result.status_code, 404)
|
||||||
|
|
||||||
|
def test_status_page_not_found_wrong_user(self, *_):
|
||||||
|
"""there are so many views, this just makes sure it LOADS"""
|
||||||
|
view = views.Status.as_view()
|
||||||
|
another_user = models.User.objects.create_user(
|
||||||
|
"rat@local.com",
|
||||||
|
"rat@rat.rat",
|
||||||
|
"password",
|
||||||
|
local=True,
|
||||||
|
localname="rat",
|
||||||
|
)
|
||||||
|
with patch("bookwyrm.models.activitypub_mixin.broadcast_task.delay"):
|
||||||
|
status = models.Status.objects.create(content="hi", user=another_user)
|
||||||
|
|
||||||
|
request = self.factory.get("")
|
||||||
|
request.user = self.local_user
|
||||||
|
with patch("bookwyrm.views.feed.is_api_request") as is_api:
|
||||||
|
is_api.return_value = False
|
||||||
|
result = view(request, "mouse", status.id)
|
||||||
|
|
||||||
|
self.assertEqual(result.status_code, 404)
|
||||||
|
|
||||||
def test_status_page_with_image(self, *_):
|
def test_status_page_with_image(self, *_):
|
||||||
"""there are so many views, this just makes sure it LOADS"""
|
"""there are so many views, this just makes sure it LOADS"""
|
||||||
view = views.Status.as_view()
|
view = views.Status.as_view()
|
||||||
|
|
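Review bot: The docstring on `test_status_page_not_found_wrong_user` is copied from the neighbouring load tests and does not say what this case pins down: a status created for `rat` and requested under the username `mouse` must return 404. Something like `"""a status id requested under a username that does not own it is a 404"""` would make the access-control intent clear to whoever next touches the view. A one-line comment would also help, noting that the 404 is expected to come from the owner filter rather than from `visible_to_user`, which presumably passes for a status created with default privacy; that default is not visible in this hunk. The `FeedViews` class and the setup that presumably defines `self.local_user` and `self.factory` start outside the hunk.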
|
@ -96,15 +96,11 @@ class Status(View):
|
||||||
try:
|
try:
|
||||||
user = get_user_from_username(request.user, username)
|
user = get_user_from_username(request.user, username)
|
||||||
status = models.Status.objects.select_subclasses().get(
|
status = models.Status.objects.select_subclasses().get(
|
||||||
id=status_id, deleted=False
|
user=user, id=status_id, deleted=False
|
||||||
)
|
)
|
||||||
except (ValueError, models.Status.DoesNotExist):
|
except (ValueError, models.Status.DoesNotExist):
|
||||||
return HttpResponseNotFound()
|
return HttpResponseNotFound()
|
||||||
|
|
||||||
# the url should have the poster's username in it
|
|
||||||
if user != status.user:
|
|
||||||
return HttpResponseNotFound()
|
|
||||||
|
|
||||||
# make sure the user is authorized to see the status
|
# make sure the user is authorized to see the status
|
||||||
if not status.visible_to_user(request.user):
|
if not status.visible_to_user(request.user):
|
||||||
return HttpResponseNotFound()
|
return HttpResponseNotFound()
|
||||||
|
|
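Review bot: The ownership check now lives only in the `user=user` keyword of the `.get(...)` call, and the comment that explained it (`# the url should have the poster's username in it`) was deleted along with the explicit comparison. I would keep that intent next to the query, e.g. `# scope the lookup to the user named in the URL; a username/status-id mismatch is a 404`, so a later refactor of the filter does not silently drop the constraint. Separately, the `except` tuple names only `ValueError` and `models.Status.DoesNotExist`; whether a failed lookup in `get_user_from_username` is covered depends on what that helper raises, which is not shown here, so it is worth confirming that an unknown username also ends in a 404 rather than an unhandled exception. The enclosing method of `Status(View)` starts and ends outside the hunk.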