From 6efa5b7900dcbcb7d1462404102d68f1b44308bd Mon Sep 17 00:00:00 2001
From: j <j@mailb.org>
Date: Wed, 16 Aug 2023 17:40:42 +0200
Subject: [PATCH] future items should not be public

---
 app/item/views.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/app/item/views.py b/app/item/views.py
index 029257e..8944b55 100644
--- a/app/item/views.py
+++ b/app/item/views.py
@@ -8,7 +8,7 @@ from django.shortcuts import render
 from django.db.models import Q
 from django.utils.html import mark_safe
 from django.conf import settings
-from django.http import HttpResponse
+from django.http import HttpResponse, Http404
 
 from . import models
 from . import tasks
@@ -19,6 +19,10 @@ from ..utils import default_context
 TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
 
 
+def get_now():
+    return timezone.make_aware(datetime.now(), timezone.get_default_timezone())
+
+
 def index(request):
     context = default_context(request)
     now = request.GET.get("now")
@@ -26,7 +30,7 @@ def index(request):
         now = datetime.strptime(now, TS_FORMAT)
         now = timezone.make_aware(now, timezone.get_default_timezone())
     elif request.user.is_staff:
-        now = timezone.make_aware(datetime.now(), timezone.get_default_timezone())
+        now = get_now()
     else:
         now = None
     week, archive = models.Item.public(now)
@@ -50,6 +54,10 @@ def archive(request):
 def item(request, id):
     context = default_context(request)
     item = models.Item.objects.get(id=id)
+    if not request.user.is_staff and (
+        not item.published or item.published >= get_now()
+    ):
+        raise Http404
     context['item'] = item
     qs = item.comments.order_by('created')
     if not request.user.is_staff:
@@ -82,7 +90,7 @@ def comment(request):
     if request.user.is_authenticated:
         comment.user = request.user
         if comment.user.has_perm('app.item.can_post_comment'):
-            comment.published = timezone.now()
+            comment.published = get_now()
     else:
         comment.name = data['name']
         comment.email = data['email']
@@ -100,7 +108,7 @@ def publish_comment(request):
     data = json.loads(request.body)
     if request.user.is_staff:
         comment = models.Comment.objects.get(id=data['comment'])
-        comment.published = timezone.now()
+        comment.published = get_now()
         comment.save()
         if comment.data.get("moderator_ts"):
             account = settings.SIGNAL_ACCOUNT