From 85dce81b6ac5b707d01e2567f32127b8015a5ec0 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Thu, 28 Jul 2022 11:42:05 -0700
Subject: [PATCH 1/2] Adds unit test or list create perms

---
 bookwyrm/tests/views/lists/test_lists.py | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/bookwyrm/tests/views/lists/test_lists.py b/bookwyrm/tests/views/lists/test_lists.py
index c2263b933f..e55baae254 100644
--- a/bookwyrm/tests/views/lists/test_lists.py
+++ b/bookwyrm/tests/views/lists/test_lists.py
@@ -3,6 +3,7 @@ from unittest.mock import patch
 from django.contrib.auth.models import AnonymousUser
+from django.core.exceptions import PermissionDenied
 from django.template.response import TemplateResponse
 from django.test import TestCase
 from django.test.client import RequestFactory
@@ -28,6 +29,9 @@ def setUp(self):
 localname="mouse",
 remote_id="https://example.com/users/mouse",
 )
+ self.another_user = models.User.objects.create_user(
+ "rat@local.com", "rat@rat.com", "ratword", local=True, localname="rat"
+ )
 self.anonymous_user = AnonymousUser
 self.anonymous_user.is_authenticated = False
@@ -167,3 +171,20 @@ def test_lists_create(self):
 self.assertEqual(new_list.description, "wow")
 self.assertEqual(new_list.privacy, "unlisted")
 self.assertEqual(new_list.curation, "open")
+
+ def test_lists_create_permission_denied(self):
+ """create list view"""
+ view = views.Lists.as_view()
+ request = self.factory.post(
+ "",
+ {
+ "name": "A list",
+ "description": "wow",
+ "privacy": "unlisted",
+ "curation": "open",
+ "user": self.local_user.id,
+ },
+ )
+ request.user = self.another_user
+ with self.assertRaises(PermissionDenied):
+ view(request)

From 2837d0148f36104c6f797d69913464947c5f96b2 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Thu, 28 Jul 2022 11:44:04 -0700
Subject: [PATCH 2/2] Checks permissions when saving a list

---
 bookwyrm/views/list/lists.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
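Review bot: test_lists_create_permission_denied only asserts that PermissionDenied is raised; it never checks that nothing was persisted, which is the property the permission check is there to protect. Adding `self.assertFalse(models.List.objects.exists())` after the `with self.assertRaises(PermissionDenied):` block would pin that the check runs before the save and would catch a regression where the view raises only after writing the row. The docstring `"""create list view"""` is copied from test_lists_create and does not describe this case; something like `"""a user cannot create a list owned by another user"""` would make the intent of the `"user": self.local_user.id` form value clear.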
diff --git a/bookwyrm/views/list/lists.py b/bookwyrm/views/list/lists.py
index 253063f075..ee6ff08678 100644
--- a/bookwyrm/views/list/lists.py
+++ b/bookwyrm/views/list/lists.py
@@ -36,11 +36,13 @@ def post(self, request):
 form = forms.ListForm(request.POST)
 if not form.is_valid():
 return redirect("lists")
- book_list = form.save()
+ book_list = form.save(commit=False)
+ book_list.raise_not_editable(request.user)
+ # list should not have a group if it is not group curated
 if not book_list.curation == "group":
 book_list.group = None
- book_list.save(broadcast=False)
+ book_list.save()
 return redirect(book_list.local_path)
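Review bot: Replacing `book_list.save(broadcast=False)` with `book_list.save()` is a second behaviour change that the commit message ("Checks permissions when saving a list") does not mention; if `save()` broadcasts by default, creating a list now emits a federated activity where it previously did not. If that is intentional it should be stated in the message or on the line, e.g. `# broadcast the new list now that ownership has been verified`; otherwise keep `broadcast=False`. The permission check `book_list.raise_not_editable(request.user)` runs on the unsaved instance returned by `form.save(commit=False)`, so it depends on the form having already populated the owner field from POST data; `raise_not_editable` is not visible in this hunk, so it is worth confirming it compares against that field rather than against saved state. post() begins before this hunk.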