Fixes visible_to_user check for non-federated objs
why did this cause a problem _now_??
parent
659986771f
commit
db4519b2e1
4 changed files with 90 additions and 90 deletions
|
@ -83,36 +83,6 @@ class ActivitypubMixin:
|
||||||
|
|
||||||
super().__init__(*args, **kwargs)
|
super().__init__(*args, **kwargs)
|
||||||
|
|
||||||
def visible_to_user(self, viewer):
|
|
||||||
""" is a user authorized to view an object? """
|
|
||||||
# make sure this is an object with privacy owned by a user
|
|
||||||
if not hasattr(self, "user") or not hasattr(self, "privacy"):
|
|
||||||
return None
|
|
||||||
|
|
||||||
# viewer can't see it if the object's owner blocked them
|
|
||||||
if viewer in self.user.blocks.all():
|
|
||||||
return False
|
|
||||||
|
|
||||||
# you can see your own posts and any public or unlisted posts
|
|
||||||
if viewer == self.user or self.privacy in ["public", "unlisted"]:
|
|
||||||
return True
|
|
||||||
|
|
||||||
# you can see the followers only posts of people you follow
|
|
||||||
if (
|
|
||||||
self.privacy == "followers"
|
|
||||||
and self.user.followers.filter(id=viewer.id).first()
|
|
||||||
):
|
|
||||||
return True
|
|
||||||
|
|
||||||
# you can see dms you are tagged in
|
|
||||||
if hasattr(self, "mention_users"):
|
|
||||||
if (
|
|
||||||
self.privacy == "direct"
|
|
||||||
and self.mention_users.filter(id=viewer.id).first()
|
|
||||||
):
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def find_existing_by_remote_id(cls, remote_id):
|
def find_existing_by_remote_id(cls, remote_id):
|
||||||
""" look up a remote id in the db """
|
""" look up a remote id in the db """
|
||||||
|
|
|
@ -31,6 +31,36 @@ class BookWyrmModel(models.Model):
|
||||||
""" how to link to this object in the local app """
|
""" how to link to this object in the local app """
|
||||||
return self.get_remote_id().replace("https://%s" % DOMAIN, "")
|
return self.get_remote_id().replace("https://%s" % DOMAIN, "")
|
||||||
|
|
||||||
|
def visible_to_user(self, viewer):
|
||||||
|
""" is a user authorized to view an object? """
|
||||||
|
# make sure this is an object with privacy owned by a user
|
||||||
|
if not hasattr(self, "user") or not hasattr(self, "privacy"):
|
||||||
|
return None
|
||||||
|
|
||||||
|
# viewer can't see it if the object's owner blocked them
|
||||||
|
if viewer in self.user.blocks.all():
|
||||||
|
return False
|
||||||
|
|
||||||
|
# you can see your own posts and any public or unlisted posts
|
||||||
|
if viewer == self.user or self.privacy in ["public", "unlisted"]:
|
||||||
|
return True
|
||||||
|
|
||||||
|
# you can see the followers only posts of people you follow
|
||||||
|
if (
|
||||||
|
self.privacy == "followers"
|
||||||
|
and self.user.followers.filter(id=viewer.id).first()
|
||||||
|
):
|
||||||
|
return True
|
||||||
|
|
||||||
|
# you can see dms you are tagged in
|
||||||
|
if hasattr(self, "mention_users"):
|
||||||
|
if (
|
||||||
|
self.privacy == "direct"
|
||||||
|
and self.mention_users.filter(id=viewer.id).first()
|
||||||
|
):
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
@receiver(models.signals.post_save)
|
@receiver(models.signals.post_save)
|
||||||
# pylint: disable=unused-argument
|
# pylint: disable=unused-argument
|
||||||
|
|
|
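Review bot: `visible_to_user` is an authorization predicate with three outcomes, and its docstring does not describe the `return None` branch taken when the object has no `user` or `privacy`. Now that the method is defined on `BookWyrmModel`, more object types can reach that branch. A caller that tests truthiness will deny on None while one that compares against `False` will not; the callers are not visible in this diff, so the contract should be written down, e.g. `""" is a user authorized to view an object? None means the object has no owner/privacy to check """`, or the branch should return `False` if nothing relies on None. Separately, `viewer in self.user.blocks.all()` evaluates the owner's whole block list in Python; `self.user.blocks.filter(id=viewer.id).exists()` would push the check into the query and match the follower and mention lookups further down.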
@ -44,66 +44,6 @@ class ActivitypubMixins(TestCase):
|
||||||
"published": "2020-12-04T17:52:22.623807+00:00",
|
"published": "2020-12-04T17:52:22.623807+00:00",
|
||||||
}
|
}
|
||||||
|
|
||||||
def test_object_visible_to_user(self, _):
|
|
||||||
""" does a user have permission to view an object """
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="public"
|
|
||||||
)
|
|
||||||
self.assertTrue(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
obj = models.Shelf.objects.create(
|
|
||||||
name="test", user=self.remote_user, privacy="unlisted"
|
|
||||||
)
|
|
||||||
self.assertTrue(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="followers"
|
|
||||||
)
|
|
||||||
self.assertFalse(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="direct"
|
|
||||||
)
|
|
||||||
self.assertFalse(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="direct"
|
|
||||||
)
|
|
||||||
obj.mention_users.add(self.local_user)
|
|
||||||
self.assertTrue(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
def test_object_visible_to_user_follower(self, _):
|
|
||||||
""" what you can see if you follow a user """
|
|
||||||
self.remote_user.followers.add(self.local_user)
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="followers"
|
|
||||||
)
|
|
||||||
self.assertTrue(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="direct"
|
|
||||||
)
|
|
||||||
self.assertFalse(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="direct"
|
|
||||||
)
|
|
||||||
obj.mention_users.add(self.local_user)
|
|
||||||
self.assertTrue(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
def test_object_visible_to_user_blocked(self, _):
|
|
||||||
""" you can't see it if they block you """
|
|
||||||
self.remote_user.blocks.add(self.local_user)
|
|
||||||
obj = models.Status.objects.create(
|
|
||||||
content="hi", user=self.remote_user, privacy="public"
|
|
||||||
)
|
|
||||||
self.assertFalse(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
obj = models.Shelf.objects.create(
|
|
||||||
name="test", user=self.remote_user, privacy="unlisted"
|
|
||||||
)
|
|
||||||
self.assertFalse(obj.visible_to_user(self.local_user))
|
|
||||||
|
|
||||||
# ActivitypubMixin
|
# ActivitypubMixin
|
||||||
def test_to_activity(self, _):
|
def test_to_activity(self, _):
|
||||||
""" model to ActivityPub json """
|
""" model to ActivityPub json """
|
||||||
|
|
|
@ -42,3 +42,63 @@ class BaseModel(TestCase):
|
||||||
instance.remote_id = None
|
instance.remote_id = None
|
||||||
base_model.set_remote_id(None, instance, False)
|
base_model.set_remote_id(None, instance, False)
|
||||||
self.assertIsNone(instance.remote_id)
|
self.assertIsNone(instance.remote_id)
|
||||||
|
|
||||||
|
def test_object_visible_to_user(self, _):
|
||||||
|
""" does a user have permission to view an object """
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="public"
|
||||||
|
)
|
||||||
|
self.assertTrue(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
obj = models.Shelf.objects.create(
|
||||||
|
name="test", user=self.remote_user, privacy="unlisted"
|
||||||
|
)
|
||||||
|
self.assertTrue(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="followers"
|
||||||
|
)
|
||||||
|
self.assertFalse(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="direct"
|
||||||
|
)
|
||||||
|
self.assertFalse(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="direct"
|
||||||
|
)
|
||||||
|
obj.mention_users.add(self.local_user)
|
||||||
|
self.assertTrue(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
def test_object_visible_to_user_follower(self, _):
|
||||||
|
""" what you can see if you follow a user """
|
||||||
|
self.remote_user.followers.add(self.local_user)
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="followers"
|
||||||
|
)
|
||||||
|
self.assertTrue(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="direct"
|
||||||
|
)
|
||||||
|
self.assertFalse(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="direct"
|
||||||
|
)
|
||||||
|
obj.mention_users.add(self.local_user)
|
||||||
|
self.assertTrue(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
def test_object_visible_to_user_blocked(self, _):
|
||||||
|
""" you can't see it if they block you """
|
||||||
|
self.remote_user.blocks.add(self.local_user)
|
||||||
|
obj = models.Status.objects.create(
|
||||||
|
content="hi", user=self.remote_user, privacy="public"
|
||||||
|
)
|
||||||
|
self.assertFalse(obj.visible_to_user(self.local_user))
|
||||||
|
|
||||||
|
obj = models.Shelf.objects.create(
|
||||||
|
name="test", user=self.remote_user, privacy="unlisted"
|
||||||
|
)
|
||||||
|
self.assertFalse(obj.visible_to_user(self.local_user))
|
||||||
|
|
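Review bot: The three tests added here match the ones removed from the ActivitypubMixins test case and still build only `Status` and `Shelf` objects, so nothing pins the non-federated case that the commit title says was broken. Two branches of `visible_to_user` also remain unexercised: the `return None` path for an object without `user`/`privacy`, and the owner viewing their own restricted object. For the second, a case along the lines of `self.assertTrue(obj.visible_to_user(self.remote_user))` on a `privacy="direct"` status would do; for the first, an `assertIsNone` on whichever model lacks those fields. The `BaseModel` test class and its setup start outside this hunk, so the fixture names are assumed from the lines shown.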