Only return published blog entries.

blog/tests.py

@@ -187,6 +187,75 @@ def test_past_future_ordering(self):
 
 
 class ViewsTestCase(DateTimeMixin, TestCase):
+
+    def test_staff_with_write_permission_can_see_unpublished_detail_view(self):
+        """
+        staff users with write permission on BlogEntry can't see unpublished entries
+        in the list, but can view the detail page
+        """
+        e1 = Entry.objects.create(
+            pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+        )
+        user = User.objects.create(username="staff", is_staff=True)
+        # Add blog entry change permission
+        from django.contrib.auth.models import Permission
+        from django.contrib.contenttypes.models import ContentType
+
+        content_type = ContentType.objects.get_for_model(Entry)
+        change_permission = Permission.objects.get(
+            content_type=content_type, codename="change_entry"
+        )
+        user.user_permissions.add(change_permission)
+        self.client.force_login(user)
+        self.assertEqual(Entry.objects.all().count(), 1)
+        response = self.client.get(reverse("weblog:index"))
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.get(
+            reverse(
+                "weblog:entry",
+                kwargs={
+                    "year": e1.pub_date.year,
+                    "month": e1.pub_date.strftime("%b").lower(),
+                    "day": e1.pub_date.day,
+                    "slug": e1.slug,
+                },
+            )
+        )
+        request = response.context["request"]
+        self.assertTrue(request.user.is_staff)
+        self.assertTrue(request.user.has_perm("blog.change_entry"))
+        self.assertEqual(response.status_code, 200)
+
+    def test_staff_without_write_permission_cannot_see_unpublished_detail_view(self):
+        """
+        staff users without write permission on BlogEntry can't see unpublished entries
+        """
+        e1 = Entry.objects.create(
+            pub_date=self.yesterday, is_active=False, headline="inactive", slug="a"
+        )
+        user = User.objects.create(username="staff-no-perm", is_staff=True)
+        # No permissions added
+        self.client.force_login(user)
+        self.assertEqual(Entry.objects.all().count(), 1)
+
+        # Test detail view for unpublished entry - should return 404
+        response = self.client.get(
+            reverse(
+                "weblog:entry",
+                kwargs={
+                    "year": e1.pub_date.year,
+                    "month": e1.pub_date.strftime("%b").lower(),
+                    "day": e1.pub_date.day,
+                    "slug": e1.slug,
+                },
+            )
+        )
+        request = response.context["request"]
+        self.assertTrue(request.user.is_staff)
+        self.assertFalse(request.user.has_perm("blog.change_entry"))
+        self.assertEqual(response.status_code, 404)
+
     def test_no_past_upcoming_events(self):
         """
         Make sure there are no past event in the "upcoming events" sidebar (#399)
@@ -232,6 +301,113 @@ def test_no_unpublished_future_events(self):
                 self.assertEqual(response.status_code, 200)
                 self.assertQuerySetEqual(response.context["events"], [])
 
+    def test_anonymous_user_cannot_see_unpublished_entries(self):
+        """
+        Anonymous users can't see unpublished entries at all (list or detail view)
+        """
+        # Create a published entry to ensure the list view works
+        published_entry = Entry.objects.create(
+            pub_date=self.yesterday,
+            is_active=True,
+            headline="published",
+            slug="published",
+        )
+
+        # Create an unpublished entry
+        unpublished_entry = Entry.objects.create(
+            pub_date=self.tomorrow,
+            is_active=True,
+            headline="unpublished",
+            slug="unpublished",
+        )
+
+        # Test list view - should return 200 but not include the unpublished entry
+        response = self.client.get(reverse("weblog:index"))
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "published")
+        self.assertNotContains(response, "unpublished")
+
+        # Test detail view for unpublished entry - should return 404
+        unpublished_url = reverse(
+            "weblog:entry",
+            kwargs={
+                "year": unpublished_entry.pub_date.year,
+                "month": unpublished_entry.pub_date.strftime("%b").lower(),
+                "day": unpublished_entry.pub_date.day,
+                "slug": unpublished_entry.slug,
+            },
+        )
+        response = self.client.get(unpublished_url)
+        self.assertEqual(response.status_code, 404)
+
+        # Test detail view for published entry - should return 200
+        published_url = reverse(
+            "weblog:entry",
+            kwargs={
+                "year": published_entry.pub_date.year,
+                "month": published_entry.pub_date.strftime("%b").lower(),
+                "day": published_entry.pub_date.day,
+                "slug": published_entry.slug,
+            },
+        )
+        response = self.client.get(published_url)
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_cannot_see_unpublished_entries(self):
+        """
+        Non-staff users can't see unpublished entries at all (list or detail view)
+        """
+        user = User.objects.create(username="non-staff", is_staff=False)
+        self.client.force_login(user)
+
+        # Create a published entry to ensure the list view works
+        published_entry = Entry.objects.create(
+            pub_date=self.yesterday,
+            is_active=True,
+            headline="published",
+            slug="published",
+        )
+
+        # Create an unpublished entry
+        unpublished_entry = Entry.objects.create(
+            pub_date=self.tomorrow,
+            is_active=True,
+            headline="unpublished",
+            slug="unpublished",
+        )
+
+        # Test list view - should return 200 but not include the unpublished entry
+        response = self.client.get(reverse("weblog:index"))
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "published")
+        self.assertNotContains(response, "unpublished")
+
+        # Test detail view for unpublished entry - should return 404
+        unpublished_url = reverse(
+            "weblog:entry",
+            kwargs={
+                "year": unpublished_entry.pub_date.year,
+                "month": unpublished_entry.pub_date.strftime("%b").lower(),
+                "day": unpublished_entry.pub_date.day,
+                "slug": unpublished_entry.slug,
+            },
+        )
+        response = self.client.get(unpublished_url)
+        self.assertEqual(response.status_code, 404)
+
+        # Test detail view for published entry - should return 200
+        published_url = reverse(
+            "weblog:entry",
+            kwargs={
+                "year": published_entry.pub_date.year,
+                "month": published_entry.pub_date.strftime("%b").lower(),
+                "day": published_entry.pub_date.day,
+                "slug": published_entry.slug,
+            },
+        )
+        response = self.client.get(published_url)
+        self.assertEqual(response.status_code, 200)
+
 
 class SitemapTests(DateTimeMixin, TestCase):
     def test_sitemap(self):

blog/views.py

@@ -18,10 +18,7 @@ def get_allow_future(self):
         return self.request.user.is_staff
 
     def get_queryset(self):
-        if self.request.user.is_staff:
-            return Entry.objects.all()
-        else:
-            return Entry.objects.published()
+        return Entry.objects.published()
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
@@ -52,3 +49,12 @@ class BlogDayArchiveView(BlogViewMixin, DayArchiveView):
 
 class BlogDateDetailView(BlogViewMixin, DateDetailView):
     banner_is_title = False
+
+    def get_queryset(self):
+        """Allows staff users with blog write permission to view unpublished entries"""
+        if self.request.user.is_staff and self.request.user.has_perm(
+            "blog.change_entry"
+        ):
+            return Entry.objects.all()
+        else:
+            return Entry.objects.published()