From 110efee1bea6f934f936f51250a9d77adb44849f Mon Sep 17 00:00:00 2001
From: Oskar Sharipov
Date: Thu, 2 Nov 2023 00:03:50 +0800
Subject: [PATCH] fix: raise Http404 on inaccessible posts
Closes: #1152
---
 posts/api.py | 2 +-
 posts/tests/test_api.py | 13 +++++++++++++
 posts/tests/test_views.py | 9 +++++++++
 posts/views/posts.py | 2 +-
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/posts/api.py b/posts/api.py
index 2c12bdf9d..8032aa49d 100644
--- a/posts/api.py
+++ b/posts/api.py
@@ -25,7 +25,7 @@ def md_show_post(request, post_type, post_slug):
 if not post.is_public:
 access_denied = check_user_permissions(request, post=post)
 if access_denied:
- raise ApiAuthRequired()
+ raise Http404()
 post_markdown = f"""# {post.title}\n\n{post.text}"""
diff --git a/posts/tests/test_api.py b/posts/tests/test_api.py
index 56cdd443e..c53645926 100644
--- a/posts/tests/test_api.py
+++ b/posts/tests/test_api.py
@@ -37,3 +37,16 @@ def test_content_text_is_not_none(self):
 )
 converted_post = post.to_dict()
 self.assertIsNotNone(converted_post["content_text"])
+
+ def test_404_on_hidden_post(self):
+ post = self.creator.create_post(
+ is_visible=True,
+ is_public=False,
+ )
+ client = self._authorized_client(None)
+ response = client.get(self._post_md_url(post))
+ self.assertContains(response=response, text='', status_code=404)
+
+ @staticmethod
+ def _post_md_url(post) -> str:
+ return reverse('md_show_post', args=(post.type, post.slug))
diff --git a/posts/tests/test_views.py b/posts/tests/test_views.py
index 589e06fa8..1c04ce840 100644
--- a/posts/tests/test_views.py
+++ b/posts/tests/test_views.py
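Review bot: The new `raise Http404()` in `md_show_post` carries no comment explaining why a permission failure is reported as not-found, so a later maintainer could change it back to an auth error and again reveal which slugs hold non-public posts. I would add `# 404 rather than 401/403: the response must not reveal that a non-public post exists at this slug` above the raise. The hiding only holds if a genuinely missing post produces the same 404; that lookup sits above the hunk and is not visible here. `Http404` is not imported anywhere in this diff, so it is presumably already in scope in posts/api.py. The same comment applies to the matching raise in `show_post` in posts/views/posts.py.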
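Review bot: `self.assertContains(response=response, text='', status_code=404)` in `test_404_on_hidden_post` verifies only the status code, because the empty string is contained in every body, so the test would still pass if the 404 page echoed the post. Since the change exists to hide non-public posts, I would assert the absence directly, for example `self.assertNotContains(response, post.title, status_code=404)`, assuming the fixture gives the post a non-empty title. Only the `_authorized_client(None)` case is exercised; a logged-in user who fails `check_user_permissions` is not covered. The same assertion is used in `test_404_on_hidden_post` in posts/tests/test_views.py.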
@@ -49,6 +49,15 @@ def test_show_post(self):
 self.assertContains(response=response, text='', status_code=200)
+ def test_404_on_hidden_post(self):
+ post = self.creator.create_post(
+ is_visible=True,
+ is_public=False,
+ )
+ client = self._authorized_client(None)
+ response = client.get(self._post_url(post))
+ self.assertContains(response=response, text='', status_code=404)
+
 def test_show_draft_post(self):
 ''' Is regression test for #545.
diff --git a/posts/views/posts.py b/posts/views/posts.py
index a4ecc9f24..59e0805d4 100644
--- a/posts/views/posts.py
+++ b/posts/views/posts.py
@@ -33,7 +33,7 @@ def show_post(request, post_type, post_slug):
 if not post.is_public:
 access_denied = check_user_permissions(request, post=post)
 if access_denied:
- return access_denied
+ raise Http404()
 # record a new view
 last_view_at = None
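Review bot: The response that `check_user_permissions` builds is now discarded in `show_post`, and `access_denied` serves only as a truthy flag, so the two lines read more plainly as `if check_user_permissions(request, post=post): raise Http404()`. If other callers of that helper still return its response for the same posts (none are visible in this diff), those routes would keep distinguishing a non-public slug from a missing one, so they are worth checking alongside this change. `show_post` starts above the hunk and continues below it.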