From d74189f0b70333e11e8fc8d44a0a2ac9e652bb04 Mon Sep 17 00:00:00 2001
From: Disco DeDisco
Date: Tue, 17 Feb 2026 20:26:42 -0500
Subject: [PATCH] ensured my_list is viewable by auth user only

---
 src/apps/dashboard/tests/test_views.py | 18 +++++++++++++++++-
 src/apps/dashboard/views.py | 5 +++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/apps/dashboard/tests/test_views.py b/src/apps/dashboard/tests/test_views.py
index 508cb6a..9b603eb 100644
--- a/src/apps/dashboard/tests/test_views.py
+++ b/src/apps/dashboard/tests/test_views.py
@@ -149,12 +149,14 @@ class ListViewTest(TestCase):
 class MyListsTest(TestCase):
     def test_my_lists_url_renders_my_lists_template(self):
         user = User.objects.create(email="a@b.cde")
+        self.client.force_login(user)
         response = self.client.get(f"/apps/dashboard/users/{user.id}/")
         self.assertTemplateUsed(response, "apps/dashboard/my_lists.html")
 
     def test_passes_correct_owner_to_template(self):
-        User.objects.create(email="wrong@owner.com")
+        User.objects.create(email="wrongowner@example.com")
         correct_user = User.objects.create(email="a@b.cde")
+        self.client.force_login(correct_user)
         response = self.client.get(f"/apps/dashboard/users/{correct_user.id}/")
         self.assertEqual(response.context["owner"], correct_user)
 
@@ -164,3 +166,17 @@ class MyListsTest(TestCase):
         self.client.post("/apps/dashboard/new_list", data={"text": "new item"})
         new_list = List.objects.get()
         self.assertEqual(new_list.owner, user)
+
+    def test_my_lists_redirects_if_not_logged_in(self):
+        user = User.objects.create(email="a@b.cde")
+        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        self.assertRedirects(response, "/")
+
+    def test_my_lists_returns_403_for_wrong_user(self):
+        # create two users, login as user_a, request user_b's my_lists url
+        user1 = User.objects.create(email="a@b.cde")
+        user2 = User.objects.create(email="wrongowner@example.com")
+        self.client.force_login(user2)
+        response = self.client.get(f"/apps/dashboard/users/{user1.id}/")
+        # assert 403
+        self.assertEqual(response.status_code, 403)
diff --git a/src/apps/dashboard/views.py b/src/apps/dashboard/views.py
index 8ef57c4..ead4ae2 100644
--- a/src/apps/dashboard/views.py
+++ b/src/apps/dashboard/views.py
@@ -1,3 +1,4 @@
+from django.http import HttpResponseForbidden
 from django.shortcuts import redirect, render
 from .forms import ExistingListItemForm, ItemForm
 from .models import Item, List
@@ -31,4 +32,8 @@ def view_list(request, list_id):
 
 def my_lists(request, user_id):
     owner = User.objects.get(id=user_id)
+    if not request.user.is_authenticated:
+        return redirect("/")
+    if request.user.id != owner.id:
+        return HttpResponseForbidden()
     return render(request, "apps/dashboard/my_lists.html", {"owner": owner})
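Review bot: In `test_my_lists_returns_403_for_wrong_user` the comment `# create two users, login as user_a, request user_b's my_lists url` names `user_a`/`user_b` while the code uses `user1`/`user2`, and `# assert 403` only restates the next line. Naming the fixtures by role makes both comments unnecessary: `owner = User.objects.create(email="a@b.cde")`, `other_user = User.objects.create(email="wrongowner@example.com")`, `self.client.force_login(other_user)`, then request `owner.id` and assert 403. That also mirrors the `correct_user` naming already used in `test_passes_correct_owner_to_template`.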
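Review bot: `owner = User.objects.get(id=user_id)` in `my_lists` still runs before the new `is_authenticated` guard, so an anonymous request for an id with no matching user raises `User.DoesNotExist` (a 500) while a known id redirects, which both crashes the view and lets an unauthenticated caller tell whether a given id exists. Move the lookup below the authentication check and replace it with `owner = get_object_or_404(User, id=user_id)` (adding `get_object_or_404` to the existing `django.shortcuts` import), so unknown ids produce a 404 only after login; the `request.user.id != owner.id` comparison can then stay as written. Neither new test exercises an unknown `user_id`; a case asserting 404 for a logged-in request to a non-existent id would pin this behaviour.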