refactored to green: all references in urlpatterns thruout project to apps/ dir now skip it & point directly to the app contained w.in (i.e., not apps/lyric/ or apps/dashboard/, but lyric/ or dashboard/ now

ensured in apps.dashboard.views, w. passing ITs in .tests.integrated.test_views & passing FT in functional_tests.test_sharing, passes only to recipients & owner
plugged share_list() FBV ability for user to share list w. self as recipient
2026-02-22 22:08:34 -05:00 · 2026-02-22 21:50:25 -05:00 · 2026-02-22 21:18:22 -05:00
7 changed files with 93 additions and 40 deletions
--- a/src/apps/dashboard/tests/integrated/test_models.py
+++ b/src/apps/dashboard/tests/integrated/test_models.py
@@ -43,7 +43,7 @@ class ItemModelTest(TestCase):
 class ListModelTest(TestCase):
        def test_get_absolute_url(self):
            mylist = List.objects.create()
-            self.assertEqual(mylist.get_absolute_url(), f"/apps/dashboard/{mylist.id}/")
+            self.assertEqual(mylist.get_absolute_url(), f"/dashboard/{mylist.id}/")

        def test_list_items_order(self):
            list1 = List.objects.create()
--- a/src/apps/dashboard/tests/integrated/test_views.py
+++ b/src/apps/dashboard/tests/integrated/test_views.py
@@ -1,7 +1,7 @@
 import lxml.html
-from unittest import skip

 from django.test import TestCase
+from django.urls import reverse
 from django.utils import html

 from apps.dashboard.forms import (
@@ -21,26 +21,26 @@ class HomePageTest(TestCase):
        response = self.client.get('/')
        parsed = lxml.html.fromstring(response.content)
        forms = parsed.cssselect('form[method=POST]')
-        self.assertIn("/apps/dashboard/new_list", [form.get("action") for form in forms])
-        [form] = [form for form in forms if form.get("action") == "/apps/dashboard/new_list"]
+        self.assertIn("/dashboard/new_list", [form.get("action") for form in forms])
+        [form] = [form for form in forms if form.get("action") == "/dashboard/new_list"]
        inputs = form.cssselect("input")
        self.assertIn("text", [input.get("name") for input in inputs])

 class NewListTest(TestCase):
    def test_can_save_a_POST_request(self):
-        self. client.post("/apps/dashboard/new_list", data={"text": "A new list item"})
+        self. client.post("/dashboard/new_list", data={"text": "A new list item"})
        self.assertEqual(Item.objects.count(), 1)
        new_item = Item.objects.get()
        self.assertEqual(new_item.text, "A new list item")

    def test_redirects_after_POST(self):
-        response = self.client.post("/apps/dashboard/new_list", data={"text": "A new list item"})
+        response = self.client.post("/dashboard/new_list", data={"text": "A new list item"})
        new_list = List.objects.get()
-        self.assertRedirects(response, f"/apps/dashboard/{new_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{new_list.id}/")

    # Post invalid input helper
    def post_invalid_input(self):
-        return self.client.post("/apps/dashboard/new_list", data={"text": ""})
+        return self.client.post("/dashboard/new_list", data={"text": ""})

    def test_for_invalid_input_nothing_saved_to_db(self):
        self.post_invalid_input()
@@ -58,12 +58,12 @@ class NewListTest(TestCase):
 class ListViewTest(TestCase):
    def test_uses_list_template(self):
        mylist = List.objects.create()
-        response = self.client.get(f"/apps/dashboard/{mylist.id}/")
+        response = self.client.get(f"/dashboard/{mylist.id}/")
        self.assertTemplateUsed(response, "apps/dashboard/list.html")

    def test_renders_input_form(self):
        mylist = List.objects.create()
-        url = f"/apps/dashboard/{mylist.id}/"
+        url = f"/dashboard/{mylist.id}/"
        response = self.client.get(url)
        parsed = lxml.html.fromstring(response.content)
        forms = parsed.cssselect("form[method=POST]")
@@ -80,7 +80,7 @@ class ListViewTest(TestCase):
        other_list = List.objects.create()
        Item.objects.create(text="other list item", list=other_list)
        # When/Act
-        response = self.client.get(f"/apps/dashboard/{correct_list.id}/")
+        response = self.client.get(f"/dashboard/{correct_list.id}/")
        # Then/Assert
        self.assertContains(response, "itemey 1")
        self.assertContains(response, "itemey 2")
@@ -91,7 +91,7 @@ class ListViewTest(TestCase):
        correct_list = List.objects.create()

        self.client.post(
-            f"/apps/dashboard/{correct_list.id}/",
+            f"/dashboard/{correct_list.id}/",
            data={"text": "A new item for an existing list"},
        )

@@ -105,16 +105,16 @@ class ListViewTest(TestCase):
        correct_list = List.objects.create()

        response = self.client.post(
-            f"/apps/dashboard/{correct_list.id}/",
+            f"/dashboard/{correct_list.id}/",
            data={"text": "A new item for an existing list"},
        )

-        self.assertRedirects(response, f"/apps/dashboard/{correct_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{correct_list.id}/")

    # Post invalid input helper
    def post_invalid_input(self):
        mylist = List.objects.create()
-        return self.client.post(f"/apps/dashboard/{mylist.id}/", data={"text": ""})
+        return self.client.post(f"/dashboard/{mylist.id}/", data={"text": ""})

    def test_for_invalid_input_nothing_saved_to_db(self):
        self.post_invalid_input()
@@ -140,7 +140,7 @@ class ListViewTest(TestCase):
        Item.objects.create(list=list1, text="lorem ipsum")

        response = self.client.post(
-            f"/apps/dashboard/{list1.id}/",
+            f"/dashboard/{list1.id}/",
            data={"text": "lorem ipsum"},
        )

@@ -153,26 +153,26 @@ class MyListsTest(TestCase):
    def test_my_lists_url_renders_my_lists_template(self):
        user = User.objects.create(email="a@b.cde")
        self.client.force_login(user)
-        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        response = self.client.get(f"/dashboard/users/{user.id}/")
        self.assertTemplateUsed(response, "apps/dashboard/my_lists.html")

    def test_passes_correct_owner_to_template(self):
        User.objects.create(email="wrongowner@example.com")
        correct_user = User.objects.create(email="a@b.cde")
        self.client.force_login(correct_user)
-        response = self.client.get(f"/apps/dashboard/users/{correct_user.id}/")
+        response = self.client.get(f"/dashboard/users/{correct_user.id}/")
        self.assertEqual(response.context["owner"], correct_user)

    def test_list_owner_is_saved_if_user_is_authenticated(self):
        user = User.objects.create(email="a@b.cde")
        self.client.force_login(user)
-        self.client.post("/apps/dashboard/new_list", data={"text": "new item"})
+        self.client.post("/dashboard/new_list", data={"text": "new item"})
        new_list = List.objects.get()
        self.assertEqual(new_list.owner, user)

    def test_my_lists_redirects_if_not_logged_in(self):
        user  = User.objects.create(email="a@b.cde")
-        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        response = self.client.get(f"/dashboard/users/{user.id}/")
        self.assertRedirects(response, "/")

    def test_my_lists_returns_403_for_wrong_user(self):
@@ -180,7 +180,7 @@ class MyListsTest(TestCase):
        user1 = User.objects.create(email="a@b.cde")
        user2 = User.objects.create(email="wrongowner@example.com")
        self.client.force_login(user2)
-        response = self.client.get(f"/apps/dashboard/users/{user1.id}/")
+        response = self.client.get(f"/dashboard/users/{user1.id}/")
        # assert 403
        self.assertEqual(response.status_code, 403)

@@ -189,16 +189,16 @@ class ShareListTest(TestCase):
        our_list = List.objects.create()
        alice = User.objects.create(email="alice@example.com")
        response = self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/{our_list.id}/share_list",
            data={"recipient": "alice@example.com"},
        )
-        self.assertRedirects(response, f"/apps/dashboard/{our_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{our_list.id}/")

    def test_post_with_email_adds_user_to_shared_with(self):
        our_list = List.objects.create()
        alice = User.objects.create(email="alice@example.com")
        self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/{our_list.id}/share_list",
            data={"recipient": "alice@example.com"},
        )
        self.assertIn(alice, our_list.shared_with.all())
@@ -206,7 +206,37 @@ class ShareListTest(TestCase):
    def test_post_with_nonexistent_email_redirects_to_list(self):
        our_list = List.objects.create()
        response = self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/{our_list.id}/share_list",
            data={"recipient": "nobody@example.com"},
        )
-        self.assertRedirects(response, f"/apps/dashboard/{our_list.id}/")
+        self.assertRedirects(response, f"/dashboard/{our_list.id}/")
+
+    def test_share_list_does_not_add_owner_as_recipient(self):
+        owner = User.objects.create(email="owner@example.com")
+        our_list = List.objects.create(owner=owner)
+        self.client.force_login(owner)
+        self.client.post(reverse("share_list", args=[our_list.id]),
+                         data={"recipient": "owner@example.com"})
+        self.assertNotIn(owner, our_list.shared_with.all())
+
+class ViewAuthListTest(TestCase):
+    def setUp(self):
+        self.owner = User.objects.create(email="disco@example.com")
+        self.our_list = List.objects.create(owner=self.owner)
+
+    def test_anonymous_user_is_redirected(self):
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertRedirects(response, "/")
+
+    def test_non_owner_non_shared_user_gets_403(self):
+        stranger = User.objects.create(email="stranger@example.com")
+        self.client.force_login(stranger)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 403)
+
+    def test_shared_with_user_can_access_list(self):
+        guest = User.objects.create(email="guest@example.com")
+        self.our_list.shared_with.add(guest)
+        self.client.force_login(guest)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 200)
--- a/src/apps/dashboard/views.py
+++ b/src/apps/dashboard/views.py
@@ -23,6 +23,13 @@ def new_list(request):

 def view_list(request, list_id):
    our_list = List.objects.get(id=list_id)
+
+    if our_list.owner:
+        if not request.user.is_authenticated:
+            return redirect("/")
+        if request.user != our_list.owner and request.user not in our_list.shared_with.all():
+            return HttpResponseForbidden()
+
    form = ExistingListItemForm(for_list=our_list)

    if request.method == "POST":
@@ -44,6 +51,8 @@ def share_list(request, list_id):
    our_list = List.objects.get(id=list_id)
    try:
        recipient = User.objects.get(email=request.POST["recipient"])
+        if recipient == request.user:
+            return redirect(our_list)
        our_list.shared_with.add(recipient)
    except User.DoesNotExist:
        pass
--- a/src/apps/lyric/tests/integrated/test_views.py
+++ b/src/apps/lyric/tests/integrated/test_views.py
@@ -9,13 +9,13 @@ from apps.lyric.models import Token
 class SendLoginEmailViewTest(TestCase):
    def test_redirects_to_home_page(self, mock_delay):
        response = self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
        )
        self.assertRedirects(response, "/")

    def test_sends_mail_to_address_from_post(self, mock_delay):
        self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
        )

        self.assertEqual(mock_delay.called, True)
@@ -23,7 +23,7 @@ class SendLoginEmailViewTest(TestCase):

    def test_adds_success_message(self, mock_delay):
        response = self.client.post(
-            "/apps/lyric/send_login_email",
+            "/lyric/send_login_email",
            data={"email": "discoman@example.com"},
            follow=True
        )
@@ -37,23 +37,23 @@ class SendLoginEmailViewTest(TestCase):

    def test_creates_token_associated_with_email(self, mock_delay):
        self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
        )
        token = Token.objects.get()
        self.assertEqual(token.email, "discoman@example.com")
        
    def test_sends_link_to_login_using_token_uid(self, mock_delay):
        self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
        )

        token = Token.objects.get()
-        expected_url = f"http://testserver/apps/lyric/login?token={token.uid}"
+        expected_url = f"http://testserver/lyric/login?token={token.uid}"
        self.assertEqual(mock_delay.call_args.args[1], expected_url)

 class LoginViewTest(TestCase):
    def test_redirects_to_home_page(self):
-        response = self.client.get("/apps/lyric/login?token=abc123")
+        response = self.client.get("/lyric/login?token=abc123")
        self.assertRedirects(response, "/")

    def test_logs_in_if_given_valid_token(self):
@@ -61,14 +61,14 @@ class LoginViewTest(TestCase):
        self.assertEqual(anon_user.is_authenticated, False)

        token = Token.objects.create(email="discoman@example.com")
-        self.client.get(f"/apps/lyric/login?token={token.uid}", follow=True)
+        self.client.get(f"/lyric/login?token={token.uid}", follow=True)

        user = auth.get_user(self.client)
        self.assertEqual(user.is_authenticated, True)
        self.assertEqual(user.email, "discoman@example.com")

    def test_shows_login_error_if_token_invalid(self):
-        response = self.client.get("/apps/lyric/login?token=invalid-token", follow=True)
+        response = self.client.get("/lyric/login?token=invalid-token", follow=True)
        user = auth.get_user(self.client)
        self.assertEqual(user.is_authenticated, False)
        message = list(response.context["messages"])[0]
@@ -80,7 +80,7 @@ class LoginViewTest(TestCase):

    @mock.patch("apps.lyric.views.auth")
    def test_calls_authenticate_with_uid_from_get_request(self, mock_auth):
-        self.client.get("/apps/lyric/login?token=abc123")
+        self.client.get("/lyric/login?token=abc123")
        self.assertEqual(
            mock_auth.authenticate.call_args,
            mock.call(uid="abc123")
--- a/src/core/urls.py
+++ b/src/core/urls.py
@@ -6,8 +6,8 @@ from apps.dashboard import views as dash_views
 urlpatterns = [
    path('admin/', admin.site.urls),
    path('', dash_views.home_page, name='home'),
-    path('apps/dashboard/', include('apps.dashboard.urls')),
-    path('apps/lyric/', include('apps.lyric.urls')),
+    path('dashboard/', include('apps.dashboard.urls')),
+    path('lyric/', include('apps.lyric.urls')),
    path('api/lists/', include('apps.api.urls')),
 ]

--- a/src/functional_tests/test_sharing.py
+++ b/src/functional_tests/test_sharing.py
@@ -1,5 +1,6 @@
 import os

+from django.conf import settings
 from selenium import webdriver
 from selenium.webdriver.common.by import By

@@ -57,3 +58,16 @@ class SharingTest(FunctionalTest):
        self.browser = disco_browser
        self.browser.refresh()
        list_page.wait_for_row_in_list_table("At your command, Disco King", 2)
+
+class ListAccessTest(FunctionalTest):
+    def test_stranger_cannot_access_owned_list(self):
+        self.create_pre_authenticated_session("disco@example.com")
+        self.browser.get(self.live_server_url)
+        list_page = ListPage(self).add_list_item("private eye")
+        list_url = self.browser.current_url
+
+        self.browser.delete_cookie(settings.SESSION_COOKIE_NAME)
+        self.browser.get(list_url)
+
+        self.assertNotEqual(self.browser.current_url, list_url)
+
--- a/src/functional_tests/test_simple_list_creation.py
+++ b/src/functional_tests/test_simple_list_creation.py
@@ -34,7 +34,7 @@ class NewVisitorTest(FunctionalTest):
        list_page.add_list_item("Buy peacock feathers")

        edith_dash_url = self.browser.current_url
-        self.assertRegex(edith_dash_url, '/apps/dashboard/.+')
+        self.assertRegex(edith_dash_url, '/dashboard/.+')

        self.browser.delete_all_cookies()

@@ -46,7 +46,7 @@ class NewVisitorTest(FunctionalTest):
        list_page.add_list_item("Buy milk")

        francis_dash_url = self.browser.current_url
-        self.assertRegex(francis_dash_url, '/apps/dashboard/.+')
+        self.assertRegex(francis_dash_url, '/dashboard/.+')
        self.assertNotEqual(francis_dash_url, edith_dash_url)

        page_text = self.browser.find_element(By.TAG_NAME, 'body').text
Author	SHA1	Message	Date
Disco DeDisco	94f3120add	refactored to green: all references in urlpatterns thruout project to apps/ dir now skip it & point directly to the app contained w.in (i.e., not apps/lyric/ or apps/dashboard/, but lyric/ or dashboard/ now All checks were successful ci/woodpecker/push/woodpecker Pipeline was successful Details	2026-02-22 22:08:34 -05:00
Disco DeDisco	a8c199b719	ensured in apps.dashboard.views, w. passing ITs in .tests.integrated.test_views & passing FT in functional_tests.test_sharing, passes only to recipients & owner	2026-02-22 21:50:25 -05:00
Disco DeDisco	17eb83c760	plugged share_list() FBV ability for user to share list w. self as recipient	2026-02-22 21:18:22 -05:00