Permissions

totem/circles/tests/test_views.py

@@ -120,7 +120,7 @@ def test_anon_subscribe(self):
     def test_anon_subscribe_wrong_token(self):
         url = reverse("circles:subscribe", args=[self.circle.slug])
         response = self.client.get(f"{url}?user={self.user.slug}&token=wrong-token")
-        assert response.status_code == 404
+        assert response.status_code == 403
         self.assertFalse(self.user in self.circle.subscribed.all())
 
     def test_anon_subscribe_no_token(self):

totem/circles/views.py

@@ -190,13 +190,13 @@ def _token_subscribe(request: HttpRequest, circle: Circle):
     sent_token = request.GET.get("token")
 
     if not user_slug or not sent_token:
-        raise Http404
+        raise PermissionDenied
 
     user = User.objects.get(slug=user_slug)
     token = circle.subscribe_token(user)
 
     if sent_token != token:
-        raise Http404
+        raise PermissionDenied
 
     if request.GET.get("action") == "unsubscribe":
         circle.unsubscribe(user)