ensured my_list is viewable by auth user only

2026-02-17 20:26:42 -05:00
parent 877e3f35cf
commit d74189f0b7
2 changed files with 22 additions and 1 deletions
--- a/src/apps/dashboard/tests/test_views.py
+++ b/src/apps/dashboard/tests/test_views.py
@@ -149,12 +149,14 @@ class ListViewTest(TestCase):
 class MyListsTest(TestCase):
    def test_my_lists_url_renders_my_lists_template(self):
        user = User.objects.create(email="a@b.cde")
+        self.client.force_login(user)
        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
        self.assertTemplateUsed(response, "apps/dashboard/my_lists.html")

    def test_passes_correct_owner_to_template(self):
-        User.objects.create(email="wrong@owner.com")
+        User.objects.create(email="wrongowner@example.com")
        correct_user = User.objects.create(email="a@b.cde")
+        self.client.force_login(correct_user)
        response = self.client.get(f"/apps/dashboard/users/{correct_user.id}/")
        self.assertEqual(response.context["owner"], correct_user)

@@ -164,3 +166,17 @@ class MyListsTest(TestCase):
        self.client.post("/apps/dashboard/new_list", data={"text": "new item"})
        new_list = List.objects.get()
        self.assertEqual(new_list.owner, user)
+
+    def test_my_lists_redirects_if_not_logged_in(self):
+        user  = User.objects.create(email="a@b.cde")
+        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        self.assertRedirects(response, "/")
+
+    def test_my_lists_returns_403_for_wrong_user(self):
+        # create two users, login as user_a, request user_b's my_lists url
+        user1 = User.objects.create(email="a@b.cde")
+        user2 = User.objects.create(email="wrongowner@example.com")
+        self.client.force_login(user2)
+        response = self.client.get(f"/apps/dashboard/users/{user1.id}/")
+        # assert 403
+        self.assertEqual(response.status_code, 403)
--- a/src/apps/dashboard/views.py
+++ b/src/apps/dashboard/views.py
@@ -1,3 +1,4 @@
+from django.http import HttpResponseForbidden
 from django.shortcuts import redirect, render
 from .forms import ExistingListItemForm, ItemForm
 from .models import Item, List
@@ -31,4 +32,8 @@ def view_list(request, list_id):
            
 def my_lists(request, user_id):
    owner = User.objects.get(id=user_id)
+    if not request.user.is_authenticated:
+        return redirect("/")
+    if request.user.id != owner.id:
+        return HttpResponseForbidden()
    return render(request, "apps/dashboard/my_lists.html", {"owner": owner})