ensured my_list is viewable by auth user only

This commit is contained in:
Disco DeDisco
2026-02-17 20:26:42 -05:00
parent 877e3f35cf
commit d74189f0b7
2 changed files with 22 additions and 1 deletions


@@ -149,12 +149,14 @@ class ListViewTest(TestCase):
class MyListsTest(TestCase): class MyListsTest(TestCase):
def test_my_lists_url_renders_my_lists_template(self): def test_my_lists_url_renders_my_lists_template(self):
user = User.objects.create(email="a@b.cde") user = User.objects.create(email="a@b.cde")
self.client.force_login(user)
response = self.client.get(f"/apps/dashboard/users/{user.id}/") response = self.client.get(f"/apps/dashboard/users/{user.id}/")
self.assertTemplateUsed(response, "apps/dashboard/my_lists.html") self.assertTemplateUsed(response, "apps/dashboard/my_lists.html")
def test_passes_correct_owner_to_template(self): def test_passes_correct_owner_to_template(self):
User.objects.create(email="wrong@owner.com") User.objects.create(email="wrongowner@example.com")
correct_user = User.objects.create(email="a@b.cde") correct_user = User.objects.create(email="a@b.cde")
self.client.force_login(correct_user)
response = self.client.get(f"/apps/dashboard/users/{correct_user.id}/") response = self.client.get(f"/apps/dashboard/users/{correct_user.id}/")
self.assertEqual(response.context["owner"], correct_user) self.assertEqual(response.context["owner"], correct_user)
@@ -164,3 +166,17 @@ class MyListsTest(TestCase):
self.client.post("/apps/dashboard/new_list", data={"text": "new item"}) self.client.post("/apps/dashboard/new_list", data={"text": "new item"})
new_list = List.objects.get() new_list = List.objects.get()
self.assertEqual(new_list.owner, user) self.assertEqual(new_list.owner, user)
def test_my_lists_redirects_if_not_logged_in(self):
user = User.objects.create(email="a@b.cde")
response = self.client.get(f"/apps/dashboard/users/{user.id}/")
self.assertRedirects(response, "/")
def test_my_lists_returns_403_for_wrong_user(self):
# create two users, login as user_a, request user_b's my_lists url
user1 = User.objects.create(email="a@b.cde")
user2 = User.objects.create(email="wrongowner@example.com")
self.client.force_login(user2)
response = self.client.get(f"/apps/dashboard/users/{user1.id}/")
# assert 403
self.assertEqual(response.status_code, 403)
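Review bot: None of the new tests exercises a `user_id` that matches no User, and with the view as written `User.objects.get` raises `User.DoesNotExist` before any auth check, so that request ends in an unhandled exception rather than a clean 404 or redirect; a test pinning the expected status would catch it. The inline comment on `test_my_lists_returns_403_for_wrong_user` says "login as user_a, request user_b's my_lists url" while the code logs in `user2` and requests `user1`'s page — make it match, e.g. `# log in as user2, then request user1's my_lists url`. The method whose tail appears at the top of this hunk (the `self.client.post(... "new_list" ...)` lines) starts outside the hunk. A test along these lines would pin the missing case, presuming the view is changed to use `get_object_or_404` for the lookup:
```python
    def test_my_lists_returns_404_for_unknown_user(self):
        user = User.objects.create(email="a@b.cde")
        self.client.force_login(user)
        # an id that cannot exist yet; the view must not blow up on it
        response = self.client.get(f"/apps/dashboard/users/{user.id + 1}/")
        self.assertEqual(response.status_code, 404)
```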


@@ -1,3 +1,4 @@
from django.http import HttpResponseForbidden
from django.shortcuts import redirect, render from django.shortcuts import redirect, render
from .forms import ExistingListItemForm, ItemForm from .forms import ExistingListItemForm, ItemForm
from .models import Item, List from .models import Item, List
@@ -31,4 +32,8 @@ def view_list(request, list_id):
def my_lists(request, user_id): def my_lists(request, user_id):
owner = User.objects.get(id=user_id) owner = User.objects.get(id=user_id)
if not request.user.is_authenticated:
return redirect("/")
if request.user.id != owner.id:
return HttpResponseForbidden()
return render(request, "apps/dashboard/my_lists.html", {"owner": owner}) return render(request, "apps/dashboard/my_lists.html", {"owner": owner})
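Review bot: The `User.objects.get(id=user_id)` lookup still runs before the new `is_authenticated` guard, so an anonymous request for an id with no matching user raises `User.DoesNotExist` (an unhandled exception, a 500 in production) while an existing id gets the 302 to `/` — the status code alone tells an unauthenticated caller which user ids exist. Move the two guard lines above the lookup and replace it with `owner = get_object_or_404(User, id=user_id)` (adding `get_object_or_404` to the `django.shortcuts` import) so unknown ids become a 404, and only for logged-in callers. Comparing against the fetched `owner.id` rather than the raw `user_id` is the right choice here, since it does not depend on the URL converter's type. `my_lists` is shown in full in this hunk.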