From c17f7eefde2beec6c125e1e462293c49676f151c Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Tue, 17 Apr 2018 23:08:15 +0200
Subject: [PATCH] Ensure follower is approved to access library

---
 api/funkwhale_api/federation/permissions.py |  3 ++-
 api/tests/federation/test_permissions.py    | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/api/funkwhale_api/federation/permissions.py b/api/funkwhale_api/federation/permissions.py
index 370328eaa..c6f0660b1 100644
--- a/api/funkwhale_api/federation/permissions.py
+++ b/api/funkwhale_api/federation/permissions.py
@@ -16,4 +16,5 @@ class LibraryFollower(BasePermission):
             return False
 
         library = actors.SYSTEM_ACTORS['library'].get_actor_instance()
-        return library.followers.filter(url=actor.url).exists()
+        return library.received_follows.filter(
+            approved=True, actor=actor).exists()
diff --git a/api/tests/federation/test_permissions.py b/api/tests/federation/test_permissions.py
index 1a6977542..9b8683210 100644
--- a/api/tests/federation/test_permissions.py
+++ b/api/tests/federation/test_permissions.py
@@ -30,11 +30,26 @@ def test_library_follower_actor_non_follower(
     assert check is False
 
 
+def test_library_follower_actor_follower_not_approved(
+        factories, api_request, anonymous_user, settings):
+    settings.FEDERATION_MUSIC_NEEDS_APPROVAL = True
+    library = actors.SYSTEM_ACTORS['library'].get_actor_instance()
+    follow = factories['federation.Follow'](target=library, approved=False)
+    view = APIView.as_view()
+    permission = permissions.LibraryFollower()
+    request = api_request.get('/')
+    setattr(request, 'user', anonymous_user)
+    setattr(request, 'actor', follow.actor)
+    check = permission.has_permission(request, view)
+
+    assert check is False
+
+
 def test_library_follower_actor_follower(
         factories, api_request, anonymous_user, settings):
     settings.FEDERATION_MUSIC_NEEDS_APPROVAL = True
     library = actors.SYSTEM_ACTORS['library'].get_actor_instance()
-    follow = factories['federation.Follow'](target=library)
+    follow = factories['federation.Follow'](target=library, approved=True)
     view = APIView.as_view()
     permission = permissions.LibraryFollower()
     request = api_request.get('/')
-- 
GitLab