ensured in apps.dashboard.views, w. passing ITs in .tests.integrated.test_views & passing FT in functional_tests.test_sharing, passes only to recipients & owner

2026-02-22 21:50:25 -05:00
parent 17eb83c760
commit a8c199b719
3 changed files with 43 additions and 1 deletions
--- a/src/apps/dashboard/tests/integrated/test_views.py
+++ b/src/apps/dashboard/tests/integrated/test_views.py
@@ -1,5 +1,4 @@
 import lxml.html
-from unittest import skip

 from django.test import TestCase
 from django.urls import reverse
@@ -219,3 +218,25 @@ class ShareListTest(TestCase):
        self.client.post(reverse("share_list", args=[our_list.id]),
                         data={"recipient": "owner@example.com"})
        self.assertNotIn(owner, our_list.shared_with.all())
+
+class ViewAuthListTest(TestCase):
+    def setUp(self):
+        self.owner = User.objects.create(email="disco@example.com")
+        self.our_list = List.objects.create(owner=self.owner)
+
+    def test_anonymous_user_is_redirected(self):
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertRedirects(response, "/")
+
+    def test_non_owner_non_shared_user_gets_403(self):
+        stranger = User.objects.create(email="stranger@example.com")
+        self.client.force_login(stranger)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 403)
+
+    def test_shared_with_user_can_access_list(self):
+        guest = User.objects.create(email="guest@example.com")
+        self.our_list.shared_with.add(guest)
+        self.client.force_login(guest)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 200)