From a56ba0ce1c594270113cefcd51203d955b1258aa Mon Sep 17 00:00:00 2001
From: Hugh Rundle
Date: Sat, 18 Nov 2023 13:41:52 +1100
Subject: [PATCH] always return 403 to POST requests

- POST requests need to receive a 403 error code
- minor wording updates
---
 bookwyrm/templates/403.html | 4 ++--
 bookwyrm/templatetags/utilities.py | 2 +-
 bookwyrm/views/permission_denied.py | 7 +++++++
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/bookwyrm/templates/403.html b/bookwyrm/templates/403.html
index b7927da7e..64fd43536 100644
--- a/bookwyrm/templates/403.html
+++ b/bookwyrm/templates/403.html
@@ -8,8 +8,8 @@

{% trans "Permission Denied" %}

{% blocktrans trimmed with level=request.user|get_user_permission %} -

You do not have permission to view this page. Your user permission level is {{ level }}.

-

If you think you should have access to this page, please speak to your BookWyrm server administrator.

+

You do not have permission to view this page or perform this action. Your user permission level is {{ level }}.

+

If you think you should have access, please speak to your BookWyrm server administrator.

{% endblocktrans %}
{% endblock %}
diff --git a/bookwyrm/templatetags/utilities.py b/bookwyrm/templatetags/utilities.py
index 99575d85f..6df6d2183 100644
--- a/bookwyrm/templatetags/utilities.py
+++ b/bookwyrm/templatetags/utilities.py
@@ -131,4 +131,4 @@ def id_to_username(user_id):
 def get_user_permission(user):
     """given a user, return their permission level"""
-    return user.groups.first() if user.groups.first() else "User"
+    return user.groups.first() or "User"
diff --git a/bookwyrm/views/permission_denied.py b/bookwyrm/views/permission_denied.py
index b42ada4ab..9e62b0933 100644
--- a/bookwyrm/views/permission_denied.py
+++ b/bookwyrm/views/permission_denied.py
@@ -1,8 +1,15 @@
 """custom 403 handler to enable context processors"""
+
+from django.http import HttpResponse
 from django.template.response import TemplateResponse
+from .helpers import is_api_request
+
 def permission_denied(request, exception): # pylint: disable=unused-argument
     """permission denied page"""
+    if request.method == "POST" or is_api_request(request):
+        return HttpResponse(status=403)
+
     return TemplateResponse(request, "403.html")
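Review bot: The HTML branch of permission_denied still answers with status 200, because the unchanged `return TemplateResponse(request, "403.html")` at the end of the hunk passes no status and, as far as I can tell, nothing in Django's exception handling rewrites a custom handler's status code, so despite the commit title only POST and API callers actually receive a 403 while browsers, uptime checks and log-based alerting see a successful page. Change it to `return TemplateResponse(request, "403.html", status=403)` so every denied request is reported as denied. The new guard also special-cases only POST, so PUT, PATCH and DELETE requests that raise PermissionDenied still get the rendered page; `if request.method in ("POST", "PUT", "PATCH", "DELETE") or is_api_request(request):` would cover the other state-changing methods if the app routes them. `is_api_request` is imported from `.helpers` outside the hunk, so what it actually matches is not visible here and should be confirmed before relying on it as the API/HTML split.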