ensured in apps.dashboard.views, w. passing ITs in .tests.integrated.test_views & passing FT in functional_tests.test_sharing, passes only to recipients & owner

src/apps/dashboard/tests/integrated/test_views.py

@@ -1,5 +1,4 @@
 import lxml.html
-from unittest import skip
 
 from django.test import TestCase
 from django.urls import reverse
@@ -219,3 +218,25 @@ class ShareListTest(TestCase):
         self.client.post(reverse("share_list", args=[our_list.id]),
                          data={"recipient": "owner@example.com"})
         self.assertNotIn(owner, our_list.shared_with.all())
+
+class ViewAuthListTest(TestCase):
+    def setUp(self):
+        self.owner = User.objects.create(email="disco@example.com")
+        self.our_list = List.objects.create(owner=self.owner)
+
+    def test_anonymous_user_is_redirected(self):
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertRedirects(response, "/")
+
+    def test_non_owner_non_shared_user_gets_403(self):
+        stranger = User.objects.create(email="stranger@example.com")
+        self.client.force_login(stranger)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 403)
+
+    def test_shared_with_user_can_access_list(self):
+        guest = User.objects.create(email="guest@example.com")
+        self.our_list.shared_with.add(guest)
+        self.client.force_login(guest)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 200)

src/apps/dashboard/views.py

@@ -23,6 +23,13 @@ def new_list(request):
 
 def view_list(request, list_id):
     our_list = List.objects.get(id=list_id)
+
+    if our_list.owner:
+        if not request.user.is_authenticated:
+            return redirect("/")
+        if request.user != our_list.owner and request.user not in our_list.shared_with.all():
+            return HttpResponseForbidden()
+
     form = ExistingListItemForm(for_list=our_list)
 
     if request.method == "POST":

src/functional_tests/test_sharing.py

@@ -1,5 +1,6 @@
 import os
 
+from django.conf import settings
 from selenium import webdriver
 from selenium.webdriver.common.by import By
 
@@ -57,3 +58,16 @@ class SharingTest(FunctionalTest):
         self.browser = disco_browser
         self.browser.refresh()
         list_page.wait_for_row_in_list_table("At your command, Disco King", 2)
+
+class ListAccessTest(FunctionalTest):
+    def test_stranger_cannot_access_owned_list(self):
+        self.create_pre_authenticated_session("disco@example.com")
+        self.browser.get(self.live_server_url)
+        list_page = ListPage(self).add_list_item("private eye")
+        list_url = self.browser.current_url
+
+        self.browser.delete_cookie(settings.SESSION_COOKIE_NAME)
+        self.browser.get(list_url)
+
+        self.assertNotEqual(self.browser.current_url, list_url)
+