Edit goal

bookwyrm/views/goal.py

@@ -7,7 +7,7 @@ from django.utils.decorators import method_decorator
 from django.views import View
 
 from bookwyrm import forms, models
-from .helpers import get_user_from_username
+from .helpers import get_user_from_username, object_visible_to_user
 
 
 # pylint: disable= no-self-use
@@ -24,10 +24,8 @@ class Goal(View):
         if not goal and user != request.user:
             return redirect('/')
 
-        if goal and user != request.user:
-            if goal.privacy == 'direct' or \
-                    (goal.privacy == 'followers' and not follower):
-                return HttpResponseNotFound()
+        if goal and not object_visible_to_user(request.user, goal):
+            return HttpResponseNotFound()
 
         data = {
             'title': '%s\'s %d Reading' % (user.display_name, year),

bookwyrm/views/helpers.py

@@ -34,16 +34,17 @@ def is_bookworm_request(request):
     return True
 
 
-def status_visible_to_user(viewer, status):
-    ''' is a user authorized to view a status? '''
-    if viewer == status.user or status.privacy in ['public', 'unlisted']:
+def object_visible_to_user(viewer, obj):
+    ''' is a user authorized to view an object? '''
+    if viewer == obj.user or obj.privacy in ['public', 'unlisted']:
         return True
-    if status.privacy == 'followers' and \
-            status.user.followers.filter(id=viewer.id).first():
-        return True
-    if status.privacy == 'direct' and \
-            status.mention_users.filter(id=viewer.id).first():
+    if obj.privacy == 'followers' and \
+            obj.user.followers.filter(id=viewer.id).first():
         return True
+    if isinstance(obj, models.Status):
+        if obj.privacy == 'direct' and \
+                obj.mention_users.filter(id=viewer.id).first():
+            return True
     return False
 
 def get_activity_feed(

bookwyrm/views/status.py

@@ -16,7 +16,7 @@ from bookwyrm.settings import DOMAIN
 from bookwyrm.status import create_notification, delete_status
 from bookwyrm.utils import regex
 from .helpers import get_user_from_username, handle_remote_webfinger
-from .helpers import is_api_request, is_bookworm_request, status_visible_to_user
+from .helpers import is_api_request, is_bookworm_request, object_visible_to_user
 
 
 # pylint: disable= no-self-use
@@ -35,7 +35,7 @@ class Status(View):
             return HttpResponseNotFound()
 
         # make sure the user is authorized to see the status
-        if not status_visible_to_user(request.user, status):
+        if not object_visible_to_user(request.user, status):
             return HttpResponseNotFound()
 
         if is_api_request(request):

bookwyrm/views/user.py

@@ -9,6 +9,7 @@ from django.core.paginator import Paginator
 from django.http import HttpResponseNotFound
 from django.shortcuts import redirect
 from django.template.response import TemplateResponse
+from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.views import View
 
@@ -17,6 +18,7 @@ from bookwyrm.activitypub import ActivitypubResponse
 from bookwyrm.broadcast import broadcast
 from bookwyrm.settings import PAGE_LENGTH
 from .helpers import get_activity_feed, get_user_from_username, is_api_request
+from .helpers import object_visible_to_user
 
 
 # pylint: disable= no-self-use
@@ -70,6 +72,10 @@ class User(View):
             queryset=models.Status.objects.filter(user=user)
         )
         paginated = Paginator(activities, PAGE_LENGTH)
+        goal = models.AnnualGoal.objects.filter(
+            user=user, year=timezone.now().year).first()
+        if not object_visible_to_user(request.user, goal):
+            goal = None
         data = {
             'title': user.name,
             'user': user,
@@ -77,6 +83,7 @@ class User(View):
             'shelves': shelf_preview,
             'shelf_count': shelves.count(),
             'activities': paginated.page(page),
+            'goal': goal,
         }
 
         return TemplateResponse(request, 'user.html', data)