admin Posts (NOTE_UNLOCK): readonly input + 'No response needed' placeholder + secUser focus glow + buddy btn suppressed + view POST 403 + Line.admin_solicited listener nukes errant writes; share Lines: drop ts suffix, author = sharer (adman fallback for anon legacy), silent no-op on re-share — TDD

- billboard/0005 adds Line.admin_solicited (BooleanField default False); RunPython backfills existing note_unlock Lines to True. Note.grant_if_new sets admin_solicited=True on its system prose. - billboard.models post_save signal: any Line saved on a Post.kind=NOTE_UNLOCK without admin_solicited=True is deleted (defense-in-depth alongside the view guard). - billboard.views.view_post hard-rejects POST on NOTE_UNLOCK kind (HTTP 403) — clean view-level contract; the post_save listener is the safety net for ORM/API paths that bypass it. - templates/apps/billboard/post.html: NOTE_UNLOCK branch renders the input as readonly w. 'No response needed at this time' placeholder + no method/action; user_post branch keeps the regular composer. Buddy panel include guarded behind `{% if post.kind != 'note_unlock' %}` — friend invites don't apply to admin threads. - SCSS: .post-line-form input.form-control[readonly]:focus uses --secUser glow (cooler than the regular --terUser composer focus). - share_post: drop the iso-timestamp suffix on Line.text (just 'Shared with {email}'); author = request.user (anon legacy fallback to adman so AnonymousUser doesn't break the FK); re-share of an already-in-shared_with recipient is a silent no-op (no second Line, brief: null in JSON response). Buddy panel JS now reads data-sharer-name from server-rendered display_name so the optimistic _appendLine matches the post-refresh state. - new ITs: test_admin_posts (PostRejectsAdminWritesTest, UnsolicitedLineListenerTest, NoteGrantSetsAdminSolicitedTest) — 7 tests; share_post tests rewritten for the new contract (drop ts, author=sharer, silent re-share dedup) — 12 tests; new FT test_admin_post_readonly w. AdminPostInputReadonlyTest + AdminPostHasNoBuddyBtnTest + UserPostInputUnaffectedTest — 4 tests. 827 ITs + 18 buddy/sharing FTs green. Code architected by Disco DeDisco <discodedisco@outlook.com> Git commit message Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 21:52:34 -04:00
parent 6f76f6c176
commit b3eb14140c
10 changed files with 427 additions and 51 deletions
--- a/src/apps/billboard/tests/integrated/test_admin_posts.py
+++ b/src/apps/billboard/tests/integrated/test_admin_posts.py
@@ -0,0 +1,126 @@
+"""ITs for admin-Post (kind=NOTE_UNLOCK) write protection.
+
+Three guards stack:
+  1. post.html input is `readonly` w. "No response needed…" placeholder
+     (FT covers this — `functional_tests/test_admin_post_readonly.py`).
+  2. view_post POST handler hard-rejects writes (HTTP 403). This file's
+     PostRejectsAdminWritesTest.
+  3. post_save signal nukes any Line saved on a NOTE_UNLOCK Post that
+     lacks `admin_solicited=True` — defense-in-depth for paths that
+     bypass the view (raw API, ORM, etc.). UnsolicitedLineListenerTest.
+
+Bug A — May 2026.
+"""
+from django.test import TestCase
+from django.urls import reverse
+
+from apps.billboard.models import Brief, Line, Post
+from apps.drama.models import Note
+from apps.lyric.models import User, get_or_create_adman
+
+
+class PostRejectsAdminWritesTest(TestCase):
+    """POST /billboard/post/<note_unlock>/ → HTTP 403, no Line appended."""
+
+    def setUp(self):
+        self.user = User.objects.create(email="admin-rej@test.io")
+        self.client.force_login(self.user)
+        Note.grant_if_new(self.user, "stargazer")
+        self.admin_post = Post.objects.get(
+            owner=self.user, kind=Post.KIND_NOTE_UNLOCK,
+        )
+        self.line_count_before = Line.objects.filter(post=self.admin_post).count()
+
+    def test_post_to_admin_post_returns_403(self):
+        resp = self.client.post(
+            reverse("billboard:view_post", args=[self.admin_post.id]),
+            data={"text": "errant response"},
+        )
+        self.assertEqual(resp.status_code, 403)
+
+    def test_post_to_admin_post_does_not_append_line(self):
+        self.client.post(
+            reverse("billboard:view_post", args=[self.admin_post.id]),
+            data={"text": "errant response"},
+        )
+        self.assertEqual(
+            Line.objects.filter(post=self.admin_post).count(),
+            self.line_count_before,
+        )
+
+    def test_post_to_user_post_still_succeeds(self):
+        """Regression: kind=USER_POST still accepts compose."""
+        user_post = Post.objects.create(
+            owner=self.user, kind=Post.KIND_USER_POST, title="composing",
+        )
+        Line.objects.create(post=user_post, text="seed", author=self.user)
+        resp = self.client.post(
+            reverse("billboard:view_post", args=[user_post.id]),
+            data={"text": "valid append"},
+        )
+        # 302 redirect on success
+        self.assertEqual(resp.status_code, 302)
+        self.assertTrue(
+            Line.objects.filter(post=user_post, text="valid append").exists(),
+        )
+
+
+class UnsolicitedLineListenerTest(TestCase):
+    """post_save signal deletes any Line saved on a NOTE_UNLOCK Post without
+    `admin_solicited=True`. Note.grant_if_new sets it; everything else
+    defaults to False, so a stray ORM-level write gets nuked."""
+
+    def setUp(self):
+        self.user = User.objects.create(email="listener@test.io")
+        Note.grant_if_new(self.user, "stargazer")
+        self.admin_post = Post.objects.get(
+            owner=self.user, kind=Post.KIND_NOTE_UNLOCK,
+        )
+
+    def test_unsolicited_line_on_note_unlock_post_is_deleted(self):
+        unsolicited = Line.objects.create(
+            post=self.admin_post,
+            text="errant ORM write",
+            author=self.user,
+            # admin_solicited defaults to False
+        )
+        # Signal fires post_save; the Line should be gone.
+        self.assertFalse(
+            Line.objects.filter(pk=unsolicited.pk).exists(),
+            "Unsolicited Line on NOTE_UNLOCK Post must be deleted",
+        )
+
+    def test_admin_solicited_line_on_note_unlock_post_persists(self):
+        """The Note grant Lines are admin_solicited=True — must NOT be nuked."""
+        adman = get_or_create_adman()
+        line = Line.objects.create(
+            post=self.admin_post,
+            text="valid system prose",
+            author=adman,
+            admin_solicited=True,
+        )
+        self.assertTrue(Line.objects.filter(pk=line.pk).exists())
+
+    def test_unsolicited_line_on_user_post_persists(self):
+        """User-typed Lines on user_post posts default to admin_solicited=False
+        and must NOT be nuked — the listener only guards NOTE_UNLOCK."""
+        up = Post.objects.create(
+            owner=self.user, kind=Post.KIND_USER_POST, title="x",
+        )
+        line = Line.objects.create(
+            post=up, text="user-typed line", author=self.user,
+        )
+        self.assertTrue(Line.objects.filter(pk=line.pk).exists())
+
+
+class NoteGrantSetsAdminSolicitedTest(TestCase):
+    """Note.grant_if_new must persist Lines with admin_solicited=True so
+    they survive the listener pass."""
+
+    def test_grant_creates_line_with_admin_solicited_true(self):
+        u = User.objects.create(email="grant@test.io")
+        Note.grant_if_new(u, "stargazer")
+        post = Post.objects.get(owner=u, kind=Post.KIND_NOTE_UNLOCK)
+        # Exactly one Line on a fresh grant
+        line = post.lines.get()
+        self.assertTrue(line.admin_solicited)
--- a/src/apps/billboard/tests/integrated/test_share_post.py
+++ b/src/apps/billboard/tests/integrated/test_share_post.py
@@ -85,16 +85,42 @@ class SharePostAsyncTest(TestCase):
        self.assertEqual(body["brief"]["kind"], "share_invite")
        self.assertIn("alice@test.io", body["line_text"])

-    def test_async_share_line_text_dedupes_via_timestamp(self):
-        """Two consecutive shares of the same email must not collide on the
-        Line.unique_together(post, text) constraint — the share line should
-        carry a timestamp suffix."""
+    def test_async_reshare_same_recipient_is_silent_noop(self):
+        """Sharing the same recipient twice is a silent no-op — Post.shared_with
+        M2M is idempotent so a second add is meaningless, and we don't want a
+        duplicate Line cluttering the thread. Response is 200 with brief=null."""
        User.objects.create(email="alice@test.io")
        self._share_async("alice@test.io")
-        # Second share — should append a second distinct Line, not 500.
+        self.assertEqual(self.post.lines.count(), 1)
+        before_brief_count = Brief.objects.filter(owner=self.sharer).count()
+
        response = self._share_async("alice@test.io")
+
        self.assertEqual(response.status_code, 200)
-        self.assertEqual(self.post.lines.count(), 2)
+        self.assertEqual(response.json()["brief"], None)
+        # No second Line, no second Brief.
+        self.assertEqual(self.post.lines.count(), 1)
+        self.assertEqual(
+            Brief.objects.filter(owner=self.sharer).count(),
+            before_brief_count,
+        )
+
+    def test_async_share_line_text_drops_timestamp(self):
+        """The share Line's text is plain "Shared with X" — no "at <iso ts>"
+        suffix (timestamp display lives on the per-Line `<time>` element now)."""
+        User.objects.create(email="alice@test.io")
+        self._share_async("alice@test.io")
+        line = self.post.lines.first()
+        self.assertEqual(line.text, "Shared with alice@test.io")
+        self.assertNotIn(" at ", line.text)
+
+    def test_async_share_line_author_is_sharer_not_adman(self):
+        """User-created share Lines attribute to the sharer (the post owner
+        doing the share), not the system adman entity."""
+        User.objects.create(email="alice@test.io")
+        self._share_async("alice@test.io")
+        line = self.post.lines.first()
+        self.assertEqual(line.author, self.sharer)


 class SharePostLegacyRedirectTest(TestCase):