Fixes visible_to_user check for non-federated objs

why did this cause a problem _now_??

bookwyrm/models/activitypub_mixin.py

@@ -83,36 +83,6 @@ class ActivitypubMixin:
 
         super().__init__(*args, **kwargs)
 
-    def visible_to_user(self, viewer):
-        """ is a user authorized to view an object? """
-        # make sure this is an object with privacy owned by a user
-        if not hasattr(self, "user") or not hasattr(self, "privacy"):
-            return None
-
-        # viewer can't see it if the object's owner blocked them
-        if viewer in self.user.blocks.all():
-            return False
-
-        # you can see your own posts and any public or unlisted posts
-        if viewer == self.user or self.privacy in ["public", "unlisted"]:
-            return True
-
-        # you can see the followers only posts of people you follow
-        if (
-            self.privacy == "followers"
-            and self.user.followers.filter(id=viewer.id).first()
-        ):
-            return True
-
-        # you can see dms you are tagged in
-        if hasattr(self, "mention_users"):
-            if (
-                self.privacy == "direct"
-                and self.mention_users.filter(id=viewer.id).first()
-            ):
-                return True
-        return False
-
     @classmethod
     def find_existing_by_remote_id(cls, remote_id):
         """ look up a remote id in the db """

bookwyrm/models/base_model.py

@@ -31,6 +31,36 @@ class BookWyrmModel(models.Model):
         """ how to link to this object in the local app """
         return self.get_remote_id().replace("https://%s" % DOMAIN, "")
 
+    def visible_to_user(self, viewer):
+        """ is a user authorized to view an object? """
+        # make sure this is an object with privacy owned by a user
+        if not hasattr(self, "user") or not hasattr(self, "privacy"):
+            return None
+
+        # viewer can't see it if the object's owner blocked them
+        if viewer in self.user.blocks.all():
+            return False
+
+        # you can see your own posts and any public or unlisted posts
+        if viewer == self.user or self.privacy in ["public", "unlisted"]:
+            return True
+
+        # you can see the followers only posts of people you follow
+        if (
+            self.privacy == "followers"
+            and self.user.followers.filter(id=viewer.id).first()
+        ):
+            return True
+
+        # you can see dms you are tagged in
+        if hasattr(self, "mention_users"):
+            if (
+                self.privacy == "direct"
+                and self.mention_users.filter(id=viewer.id).first()
+            ):
+                return True
+        return False
+
 
 @receiver(models.signals.post_save)
 # pylint: disable=unused-argument

bookwyrm/tests/models/test_activitypub_mixin.py

@@ -44,66 +44,6 @@ class ActivitypubMixins(TestCase):
             "published": "2020-12-04T17:52:22.623807+00:00",
         }
 
-    def test_object_visible_to_user(self, _):
-        """ does a user have permission to view an object """
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="public"
-        )
-        self.assertTrue(obj.visible_to_user(self.local_user))
-
-        obj = models.Shelf.objects.create(
-            name="test", user=self.remote_user, privacy="unlisted"
-        )
-        self.assertTrue(obj.visible_to_user(self.local_user))
-
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="followers"
-        )
-        self.assertFalse(obj.visible_to_user(self.local_user))
-
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="direct"
-        )
-        self.assertFalse(obj.visible_to_user(self.local_user))
-
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="direct"
-        )
-        obj.mention_users.add(self.local_user)
-        self.assertTrue(obj.visible_to_user(self.local_user))
-
-    def test_object_visible_to_user_follower(self, _):
-        """ what you can see if you follow a user """
-        self.remote_user.followers.add(self.local_user)
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="followers"
-        )
-        self.assertTrue(obj.visible_to_user(self.local_user))
-
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="direct"
-        )
-        self.assertFalse(obj.visible_to_user(self.local_user))
-
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="direct"
-        )
-        obj.mention_users.add(self.local_user)
-        self.assertTrue(obj.visible_to_user(self.local_user))
-
-    def test_object_visible_to_user_blocked(self, _):
-        """ you can't see it if they block you """
-        self.remote_user.blocks.add(self.local_user)
-        obj = models.Status.objects.create(
-            content="hi", user=self.remote_user, privacy="public"
-        )
-        self.assertFalse(obj.visible_to_user(self.local_user))
-
-        obj = models.Shelf.objects.create(
-            name="test", user=self.remote_user, privacy="unlisted"
-        )
-        self.assertFalse(obj.visible_to_user(self.local_user))
-
     # ActivitypubMixin
     def test_to_activity(self, _):
         """ model to ActivityPub json """

bookwyrm/tests/models/test_base_model.py

@@ -42,3 +42,63 @@ class BaseModel(TestCase):
         instance.remote_id = None
         base_model.set_remote_id(None, instance, False)
         self.assertIsNone(instance.remote_id)
+
+    def test_object_visible_to_user(self, _):
+        """ does a user have permission to view an object """
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="public"
+        )
+        self.assertTrue(obj.visible_to_user(self.local_user))
+
+        obj = models.Shelf.objects.create(
+            name="test", user=self.remote_user, privacy="unlisted"
+        )
+        self.assertTrue(obj.visible_to_user(self.local_user))
+
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="followers"
+        )
+        self.assertFalse(obj.visible_to_user(self.local_user))
+
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="direct"
+        )
+        self.assertFalse(obj.visible_to_user(self.local_user))
+
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="direct"
+        )
+        obj.mention_users.add(self.local_user)
+        self.assertTrue(obj.visible_to_user(self.local_user))
+
+    def test_object_visible_to_user_follower(self, _):
+        """ what you can see if you follow a user """
+        self.remote_user.followers.add(self.local_user)
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="followers"
+        )
+        self.assertTrue(obj.visible_to_user(self.local_user))
+
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="direct"
+        )
+        self.assertFalse(obj.visible_to_user(self.local_user))
+
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="direct"
+        )
+        obj.mention_users.add(self.local_user)
+        self.assertTrue(obj.visible_to_user(self.local_user))
+
+    def test_object_visible_to_user_blocked(self, _):
+        """ you can't see it if they block you """
+        self.remote_user.blocks.add(self.local_user)
+        obj = models.Status.objects.create(
+            content="hi", user=self.remote_user, privacy="public"
+        )
+        self.assertFalse(obj.visible_to_user(self.local_user))
+
+        obj = models.Shelf.objects.create(
+            name="test", user=self.remote_user, privacy="unlisted"
+        )
+        self.assertFalse(obj.visible_to_user(self.local_user))