ensured in apps.dashboard.views, w. passing ITs in .tests.integrated.test_views & passing FT in functional_tests.test_sharing, passes only to recipients & owner

src/functional_tests/test_sharing.py

@@ -1,5 +1,6 @@
 import os
 
+from django.conf import settings
 from selenium import webdriver
 from selenium.webdriver.common.by import By
 
@@ -57,3 +58,16 @@ class SharingTest(FunctionalTest):
         self.browser = disco_browser
         self.browser.refresh()
         list_page.wait_for_row_in_list_table("At your command, Disco King", 2)
+
+class ListAccessTest(FunctionalTest):
+    def test_stranger_cannot_access_owned_list(self):
+        self.create_pre_authenticated_session("disco@example.com")
+        self.browser.get(self.live_server_url)
+        list_page = ListPage(self).add_list_item("private eye")
+        list_url = self.browser.current_url
+
+        self.browser.delete_cookie(settings.SESSION_COOKIE_NAME)
+        self.browser.get(list_url)
+
+        self.assertNotEqual(self.browser.current_url, list_url)
+