diff --git a/bookwyrm/tests/views/lists/test_lists.py b/bookwyrm/tests/views/lists/test_lists.py
index c2263b933f..e55baae254 100644
--- a/bookwyrm/tests/views/lists/test_lists.py
+++ b/bookwyrm/tests/views/lists/test_lists.py
@@ -3,6 +3,7 @@
 from unittest.mock import patch
 from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import PermissionDenied
 from django.template.response import TemplateResponse
 from django.test import TestCase
 from django.test.client import RequestFactory
@@ -28,6 +29,9 @@ def setUp(self):
 localname="mouse",
 remote_id="https://example.com/users/mouse",
 )
+ self.another_user = models.User.objects.create_user(
+ "rat@local.com", "rat@rat.com", "ratword", local=True, localname="rat"
+ )
 self.anonymous_user = AnonymousUser
 self.anonymous_user.is_authenticated = False
@@ -167,3 +171,20 @@ def test_lists_create(self):
 self.assertEqual(new_list.description, "wow")
 self.assertEqual(new_list.privacy, "unlisted")
 self.assertEqual(new_list.curation, "open")
+
+ def test_lists_create_permission_denied(self):
+ """create list view"""
+ view = views.Lists.as_view()
+ request = self.factory.post(
+ "",
+ {
+ "name": "A list",
+ "description": "wow",
+ "privacy": "unlisted",
+ "curation": "open",
+ "user": self.local_user.id,
+ },
+ )
+ request.user = self.another_user
+ with self.assertRaises(PermissionDenied):
+ view(request)
diff --git a/bookwyrm/views/list/lists.py b/bookwyrm/views/list/lists.py
index 253063f075..ee6ff08678 100644
--- a/bookwyrm/views/list/lists.py
+++ b/bookwyrm/views/list/lists.py
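Review bot: In test_lists.py, `test_lists_create_permission_denied` asserts only that `PermissionDenied` is raised, not that the rejected request left nothing behind. Adding `self.assertFalse(models.List.objects.filter(name="A list").exists())` after the `with` block would pin the view's check-before-save ordering, so a later refactor that saves first and checks afterwards fails the test. The docstring `"""create list view"""` is carried over from `test_lists_create`; something like `"""a list cannot be created on behalf of another user"""` states what is being verified.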
@@ -36,11 +36,13 @@ def post(self, request): form = forms.ListForm(request.POST) if not form.is_valid(): return redirect("lists") - book_list = form.save() + book_list = form.save(commit=False) + book_list.raise_not_editable(request.user) + # list should not have a group if it is not group curated if not book_list.curation == "group": book_list.group = None - book_list.save(broadcast=False) + book_list.save() return redirect(book_list.local_path)
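Review bot: The ownership check added to `post` rests entirely on `book_list.raise_not_editable(request.user)`, whose body is not part of this diff, while both `user` and `group` still arrive in the POST body. If that method accepts anyone besides the owner (group members, for instance), a list could still be saved under another account; on the create path an explicit comparison such as `if book_list.user != request.user: raise PermissionDenied()` before the save is the tighter guard, given the matching import in this module. Indentation is lost on this page, so confirm that `book_list.save()` sits outside the `if not book_list.curation == "group":` branch, because after `form.save(commit=False)` a save inside it would leave group-curated lists unpersisted. `post` begins above the hunk.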