From 3f10ae248abd1caba3a9456a289ddbc424dd7b46 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Mon, 27 Sep 2021 15:54:58 -0700
Subject: [PATCH] Changes visiblity function to raise
---
 bookwyrm/models/base_model.py | 19 +++++++-------
 bookwyrm/tests/models/test_base_model.py | 32 ++++++++++++++----------
 2 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/bookwyrm/models/base_model.py b/bookwyrm/models/base_model.py
index afec2271..dcb92f1f 100644
--- a/bookwyrm/models/base_model.py
+++ b/bookwyrm/models/base_model.py
@@ -5,6 +5,7 @@ from Crypto import Random
 from django.core.exceptions import PermissionDenied
 from django.db import models
 from django.dispatch import receiver
+from django.http import Http404
 from django.utils.translation import gettext_lazy as _
 from bookwyrm.settings import DOMAIN
@@ -50,26 +51,26 @@ class BookWyrmModel(models.Model):
 """how to link to this object in the local app"""
 return self.get_remote_id().replace(f"https://{DOMAIN}", "")
- def visible_to_user(self, viewer):
+ def raise_visible_to_user(self, viewer):
 """is a user authorized to view an object?"""
 # make sure this is an object with privacy owned by a user
 if not hasattr(self, "user") or not hasattr(self, "privacy"):
- return None
+ return
 # viewer can't see it if the object's owner blocked them
 if viewer in self.user.blocks.all():
- return False
+ raise Http404()
 # you can see your own posts and any public or unlisted posts
 if viewer == self.user or self.privacy in ["public", "unlisted"]:
- return True
+ return
 # you can see the followers only posts of people you follow
 if (
 self.privacy == "followers"
 and self.user.followers.filter(id=viewer.id).first()
 ):
- return True
+ return
 # you can see dms you are tagged in
 if hasattr(self, "mention_users"):
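Review bot: The first guard in `raise_visible_to_user` (hunk `@@ -50,26 +51,26 @@`) now fails open: for an object without `user` or `privacy` the old code returned `None`, which a caller testing truthiness would have treated as not visible, while the new bare `return` is indistinguishable from the branches that grant access. If that is intended (objects with no owner are public), say so on that line, e.g. `# no owner or privacy field: nothing to restrict, treat as visible`; otherwise raise `Http404()` there as well. The docstring still reads as a yes/no question; something like `"""raise Http404 if the viewer may not see this object"""` matches the new contract. The method body continues past the end of this hunk.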
@@ -77,8 +78,8 @@ class BookWyrmModel(models.Model):
 self.privacy == "direct"
 and self.mention_users.filter(id=viewer.id).first()
 ):
- return True
- return False
+ return
+ raise Http404()
 def raise_not_editable(self, viewer):
 """does this user have permission to edit this object? liable to be overwritten
@@ -90,7 +91,7 @@ class BookWyrmModel(models.Model):
 if self.user == viewer:
 return
- raise PermissionDenied
+ raise PermissionDenied()
 def raise_not_deletable(self, viewer):
 """does this user have permission to delete this object? liable to be
@@ -102,7 +103,7 @@ class BookWyrmModel(models.Model):
 if self.user == viewer or viewer.has_perm("moderate_post"):
 return
- raise PermissionDenied
+ raise PermissionDenied()
diff --git a/bookwyrm/tests/models/test_base_model.py b/bookwyrm/tests/models/test_base_model.py
index 28564740..dc857a04 100644
--- a/bookwyrm/tests/models/test_base_model.py
+++ b/bookwyrm/tests/models/test_base_model.py
@@ -1,5 +1,6 @@
 """ testing models """
 from unittest.mock import patch
+from django.http import Http404
 from django.test import TestCase
 from bookwyrm import models
@@ -39,14 +40,14 @@ class BaseModel(TestCase):
 """these should be generated"""
 self.test_model.id = 1
 expected = self.test_model.get_remote_id()
- self.assertEqual(expected, "https://%s/bookwyrmtestmodel/1" % DOMAIN)
+ self.assertEqual(expected, f"https://{DOMAIN}/bookwyrmtestmodel/1")
 def test_remote_id_with_user(self):
 """format of remote id when there's a user object"""
 self.test_model.user = self.local_user
 self.test_model.id = 1
 expected = self.test_model.get_remote_id()
- self.assertEqual(expected, "https://%s/user/mouse/bookwyrmtestmodel/1" % DOMAIN)
+ self.assertEqual(expected, f"https://{DOMAIN}/user/mouse/bookwyrmtestmodel/1")
 def test_set_remote_id(self):
 """this function sets remote ids after creation"""
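Review bot: The closing `raise Http404()` of `raise_visible_to_user` (hunk `@@ -77,8 +78,8 @@`) has no comment explaining why a denied viewer gets a 404 while `raise_not_editable` and `raise_not_deletable` just below raise `PermissionDenied`. Presumably the 404 is deliberate, so that a blocked or unauthorised viewer cannot tell a private object from a missing one; a one-line comment such as `# 404, not 403: don't reveal that a private object exists` would keep a later cleanup from unifying the two. Because the exception is now raised from the model, any caller outside a request/response cycle has to catch `Http404` itself; no such caller is visible in this patch. The start of the method lies outside this hunk.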
@@ -56,7 +57,7 @@ class BaseModel(TestCase):
 instance.remote_id = None
 base_model.set_remote_id(None, instance, True)
 self.assertEqual(
- instance.remote_id, "https://%s/book/%d" % (DOMAIN, instance.id)
+ instance.remote_id, f"https://{DOMAIN}/book/{instance.id}"
 )
 # shouldn't set remote_id if it's not created
@@ -70,28 +71,30 @@ class BaseModel(TestCase):
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="public"
 )
- self.assertTrue(obj.visible_to_user(self.local_user))
+ self.assertIsNone(obj.raise_visible_to_user(self.local_user))
 obj = models.Shelf.objects.create(
 name="test", user=self.remote_user, privacy="unlisted"
 )
- self.assertTrue(obj.visible_to_user(self.local_user))
+ self.assertIsNone(obj.raise_visible_to_user(self.local_user))
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="followers"
 )
- self.assertFalse(obj.visible_to_user(self.local_user))
+ with self.assertRaise(Http404):
+ obj.raise_visible_to_user(self.local_user)
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="direct"
 )
- self.assertFalse(obj.visible_to_user(self.local_user))
+ with self.assertRaise(Http404):
+ obj.raise_visible_to_user(self.local_user)
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="direct"
 )
 obj.mention_users.add(self.local_user)
- self.assertTrue(obj.visible_to_user(self.local_user))
+ self.assertIsNone(obj.raise_visible_to_user(self.local_user))
 @patch("bookwyrm.activitystreams.add_status_task.delay")
 def test_object_visible_to_user_follower(self, _):
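Review bot: `self.assertRaise(Http404)` in hunk `@@ -70,28 +71,30 @@` is not a `unittest.TestCase` method; the context manager is spelled `assertRaises`, so these tests stop with `AttributeError` before the visibility check runs and the denied-access cases (followers-only, direct, blocked) are left unverified. Change each occurrence to `with self.assertRaises(Http404):`. The same misspelling appears in hunks `@@ -100,18 +103,19 @@` and `@@ -120,9 +124,11 @@`. The test method containing these lines starts outside the hunk.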
@@ -100,18 +103,19 @@ class BaseModel(TestCase):
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="followers"
 )
- self.assertTrue(obj.visible_to_user(self.local_user))
+ self.assertIsNone(obj.raise_visible_to_user(self.local_user))
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="direct"
 )
- self.assertFalse(obj.visible_to_user(self.local_user))
+ with self.assertRaise(Http404):
+ obj.raise_visible_to_user(self.local_user)
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="direct"
 )
 obj.mention_users.add(self.local_user)
- self.assertTrue(obj.visible_to_user(self.local_user))
+ self.assertIsNone(obj.raise_visible_to_user(self.local_user))
 @patch("bookwyrm.activitystreams.add_status_task.delay")
 def test_object_visible_to_user_blocked(self, _):
@@ -120,9 +124,11 @@ class BaseModel(TestCase):
 obj = models.Status.objects.create(
 content="hi", user=self.remote_user, privacy="public"
 )
- self.assertFalse(obj.visible_to_user(self.local_user))
+ with self.assertRaise(Http404):
+ obj.raise_visible_to_user(self.local_user)
 obj = models.Shelf.objects.create(
 name="test", user=self.remote_user, privacy="unlisted"
 )
- self.assertFalse(obj.visible_to_user(self.local_user))
+ with self.assertRaise(Http404):
+ obj.raise_visible_to_user(self.local_user)