Fixed "blank page when visiting alert details page with incorrect use…

…rs" (#223)
riparias · Jul 12, 2023 · cde8a46 · cde8a46
1 parent 3a33fec
commit cde8a46
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Current
 
 - A proper git tag name is shown as the version number in footer (if available, otherwise the commit hash is used as it was before)
+- Better response if a user tries to see the details of someone else's alert (https://github.com/riparias/pterois/issues/223)
 
 # v1.0.0  (2023-07-12)
 

diff --git a/dashboard/tests/views/test_pages.py b/dashboard/tests/views/test_pages.py
@@ -272,7 +272,7 @@ def test_otheruser_cant_access_alert_details(self):
             kwargs={"alert_id": self.alert.id},
         )
         response = self.client.get(page_url)
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 404)
 
     def test_anonymous_cant_access_new_alert_page(self):
         """Anonymous users cannot access the create alert page"""

diff --git a/dashboard/views/pages.py b/dashboard/views/pages.py
@@ -103,12 +103,9 @@ def observation_details_page(request: HttpRequest, stable_id: str) -> HttpRespon
 def alert_details_page(
     request: AuthenticatedHttpRequest, alert_id: int
 ) -> HttpResponse:
-    alert = get_object_or_404(Alert, id=alert_id)
+    alert = get_object_or_404(Alert, id=alert_id, user=request.user)
 
-    if alert.user == request.user:
-        return render(request, "dashboard/alert_details.html", {"alert": alert})
-    else:
-        return HttpResponseForbidden()
+    return render(request, "dashboard/alert_details.html", {"alert": alert})
 
 
 @login_required