Merge pull request #2228 from bookwyrm-social/status-perms

Check permissions when creating a status

bookwyrm/tests/views/test_status.py

@@ -10,12 +10,13 @@
 from bookwyrm.tests.validate_html import validate_html
 
 
-# pylint: disable=invalid-name
 @patch("bookwyrm.suggested_users.rerank_suggestions_task.delay")
 @patch("bookwyrm.activitystreams.populate_stream_task.delay")
 @patch("bookwyrm.lists_stream.populate_lists_task.delay")
 @patch("bookwyrm.activitystreams.remove_status_task.delay")
 @patch("bookwyrm.models.activitypub_mixin.broadcast_task.apply_async")
+# pylint: disable=invalid-name
+# pylint: disable=too-many-public-methods
 class StatusViews(TestCase):
     """viewing and creating statuses"""
 
@@ -75,6 +76,22 @@ def test_create_status_comment(self, *_):
         self.assertEqual(status.book, self.book)
         self.assertIsNone(status.edited_date)
 
+    def test_create_status_wrong_user(self, *_):
+        """You can't compose statuses for someone else"""
+        view = views.CreateStatus.as_view()
+        form = forms.CommentForm(
+            {
+                "content": "hi",
+                "user": self.remote_user.id,
+                "book": self.book.id,
+                "privacy": "public",
+            }
+        )
+        request = self.factory.post("", form.data)
+        request.user = self.local_user
+        with self.assertRaises(PermissionDenied):
+            view(request, "comment")
+
     def test_create_status_reply(self, *_):
         """create a status in reply to an existing status"""
         view = views.CreateStatus.as_view()

bookwyrm/views/status.py

@@ -85,6 +85,7 @@ def post(self, request, status_type, existing_status_id=None):
             return redirect("/")
 
         status = form.save(commit=False)
+        status.raise_not_editable(request.user)
         # save the plain, unformatted version of the status for future editing
         status.raw_content = status.content
         if hasattr(status, "quote"):