[damned-lies] Fixes #249: hide auth_token to other users



commit 85064acb94cda4d76d1c30f54f71fd80bfbe1d03
Author: Guillaume Bernard <associations guillaume-bernard fr>
Date:   Mon Aug 2 11:53:18 2021 +0200

    Fixes #249: hide auth_token to other users
    
    API authentication tokens were visible to all users when viewing
    any user's personal page.

 people/tests.py                       | 38 ++++++++++++++++++++++++++++++++++-
 templates/people/person_overview.html |  4 ++--
 2 files changed, 39 insertions(+), 3 deletions(-)
---
diff --git a/people/tests.py b/people/tests.py
index 7ece8daf..19ca6eac 100644
--- a/people/tests.py
+++ b/people/tests.py
@@ -5,7 +5,7 @@ from django.contrib import auth
 from django.contrib.staticfiles.finders import find
 from django.core import mail
 from django.core.exceptions import ValidationError
-from django.test import TestCase
+from django.test import TestCase, Client
 from django.urls import reverse
 from django.utils.safestring import SafeData
 from django.utils.translation import gettext as _
@@ -275,3 +275,39 @@ class PeopleTestCase(TestCase):
             all_languages.index(('fr', "français")),
             "français is not before Frisian"
         )
+
+
+class PeopleViewsTestCase(TestCase):
+
+    def setUp(self) -> None:
+        self.coordinator = Person.objects.create(
+            id=1, username="coordinator"
+        )
+        self.reviewer = Person.objects.create(
+            id=2, username="reviewer"
+        )
+        self.client = Client()
+
+    def test_auth_token_displayed_on_own_page(self):
+        self.client.force_login(self.coordinator)
+        auth_token = self.coordinator.auth_token = Person.generate_token()
+        self.coordinator.save()
+        response = self.client.get(reverse(
+            "person_detail_username", kwargs={"slug": self.coordinator.username}
+        ))
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context["person"].auth_token, auth_token)
+        self.assertTrue(response.context["on_own_page"])
+        self.assertContains(response, 'id="person_auth_token"')
+
+    def test_auth_token_no_displayed_when_not_on_own_page(self):
+        self.client.force_login(self.reviewer)
+        auth_token = self.coordinator.auth_token = Person.generate_token()
+        self.coordinator.save()
+        response = self.client.get(reverse(
+            "person_detail_username", kwargs={"slug": self.coordinator.username}
+        ))
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.context["person"].auth_token, auth_token)
+        self.assertFalse(response.context["on_own_page"])
+        self.assertNotContains(response, 'id="person_auth_token"')
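Review bot: The negative test only checks that the `id="person_auth_token"` wrapper is absent, not that the secret itself is absent, so a leak through any other part of the page (or a later markup change that drops the span) would still pass; add `self.assertNotContains(response, auth_token)` next to the existing assertion so the token value is what is pinned. The test also confirms that `response.context["person"].auth_token` still carries the other user's token, which is worth a comment such as `# token reaches the context; only the template hides it` so the scope of the fix is clear. Django's TestCase already provides `self.client`, so `self.client = Client()` in setUp and the added `Client` import in the first hunk are redundant. The method name `test_auth_token_no_displayed_when_not_on_own_page` reads better as `test_auth_token_not_displayed_when_not_on_own_page`.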
diff --git a/templates/people/person_overview.html b/templates/people/person_overview.html
index 788f3c88..88841a34 100644
--- a/templates/people/person_overview.html
+++ b/templates/people/person_overview.html
@@ -28,10 +28,10 @@
             <br>
         {% endif %}
 
-        {% if person.auth_token %}
+        {% if person.auth_token and on_own_page %}
             <form id="delete-token" method="post" action="{% url 'person_delete_token' %}">{% csrf_token %}
                 <strong>{% trans "Authentication token:" %}</strong>
-                {{ person.auth_token }}
+                <span id="person_auth_token">{{ person.auth_token }}</span>
                 <span class="hidden">
                     <button type="submit" class="icon_button">
                         <img src="{% static 'img/delete.svg' %}" width="20" title="{% trans 'Delete token' 
%}" alt="{% trans 'Delete token' %}">
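Review bot: The guard `{% if person.auth_token and on_own_page %}` lives only in the template; the new test in people/tests.py shows the full `person` object, token included, is still placed in the context for every visitor, so any other template or fragment rendering `person` could re-expose it. Unless the view is shown to strip or withhold the token for non-owners (the view is not in this diff), consider enforcing the ownership check there as well and keeping the template condition as a second layer. An undefined `on_own_page` evaluates as false here, so the template side fails closed, which is the right default.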

