ensured in apps.dashboard.views, w. passing ITs in .tests.integrated.test_views & passing FT in functional_tests.test_sharing, passes only to recipients & owner

2026-02-22 21:50:25 -05:00
parent 17eb83c760
commit a8c199b719
3 changed files with 43 additions and 1 deletions
--- a/src/apps/dashboard/views.py
+++ b/src/apps/dashboard/views.py
@@ -23,6 +23,13 @@ def new_list(request):

 def view_list(request, list_id):
    our_list = List.objects.get(id=list_id)
+
+    if our_list.owner:
+        if not request.user.is_authenticated:
+            return redirect("/")
+        if request.user != our_list.owner and request.user not in our_list.shared_with.all():
+            return HttpResponseForbidden()
+
    form = ExistingListItemForm(for_list=our_list)

    if request.method == "POST":