Merge branch 'main' into re-add-index-to-user-model

.github/workflows/dev_deploy.yml

@@ -10,7 +10,7 @@ env:
   GITHUB_TOKEN: ${{ github.token }}
   WORKSPACE_NAME: hushline-dev-${{ github.head_ref }}
   TF_PROJECT_HUSH_LINE_DEV: prj-iEruEQFmaNTCRAtA
-  DEV_TF_PATH: terraform/dev
+  DEV_TF_PATH: hushline-dev-env
   DO_APP_NAME: dev-${{ github.head_ref }}
   HUSHLINE_INFRA_REPO: scidsg/hushline-infra
   HUSHLINE_INFRA_REF: main

README.md

@@ -2,7 +2,7 @@
 
 [Hush Line](https://hushline.app) is the first managed, open-source whistleblower management platform for lawyers, journalists, educators, business leaders and more. We take care of the tech so you can focus on the mission, not the machines.
 
-![repo](https://github.com/user-attachments/assets/cb383ceb-b363-44e5-9118-9de1397274c2)
+<img width="1200" alt="social" src="https://github.com/user-attachments/assets/3f4af638-416c-47c1-bb64-edfd876c1c7b">
 
 ## Hush Line Features
 

hushline/routes.py

@@ -301,9 +301,7 @@ def delete_message(message_id: int) -> Response:
             db.delete(Message).where(
                 Message.id == message_id,
                 Message.username_id.in_(
-                    db.select(Username.user_id)
-                    .select_from(Username)
-                    .filter(Username.user_id == user.id)
+                    db.select(Username.id).select_from(Username).filter(Username.user_id == user.id)
                 ),
             )
         ).rowcount

hushline/static/css/style.css

@@ -1469,7 +1469,7 @@ img.upgrade {
   overflow-y: hidden;
   -ms-overflow-style: none;
   scrollbar-width: none;
-  gap: 1rem;
+  gap: 1.25rem;
 }
 
 .tab-list li {
@@ -2440,7 +2440,7 @@ p.bio + .extra-fields {
     display: flex;
     flex-direction: row;
     padding-top: 0.5rem;
-    gap: 1rem;
+    gap: 1.25rem;
   }
 
   .settings-main .settings-content .settings-tabs + div {

tests/test_inbox.py

@@ -0,0 +1,53 @@
+import pytest
+from flask import url_for
+from flask.testing import FlaskClient
+
+from hushline.db import db
+from hushline.model import Message, User, Username
+
+
+@pytest.mark.usefixtures("_authenticated_user")
+def test_delete_own_message(client: FlaskClient, user: User) -> None:
+    # Create a message for the authenticated user
+    message = Message(content="User's own message", username_id=user.primary_username.id)
+    db.session.add(message)
+    db.session.commit()
+
+    # Attempt to delete the user's own message
+    response = client.post(
+        url_for("delete_message", message_id=message.id),
+        follow_redirects=True,
+    )
+    assert response.status_code == 200
+    assert "Message deleted successfully" in response.text
+    assert db.session.get(Message, message.id) is None  # Ensure message was deleted
+
+
+@pytest.mark.usefixtures("_authenticated_user")
+def test_cannot_delete_other_user_message(
+    client: FlaskClient, user: User, user_password: str
+) -> None:
+    # Create another user within the test
+    other_user = User(password=user_password)
+    db.session.add(other_user)
+    db.session.flush()
+
+    other_username = Username(user_id=other_user.id, _username="otheruser", is_primary=True)
+    db.session.add(other_username)
+    db.session.commit()
+
+    # Create a message for the other user
+    other_user_message = Message(content="Another user's message", username_id=other_username.id)
+    db.session.add(other_user_message)
+    db.session.commit()
+
+    # Attempt to delete the other user's message
+    response = client.post(
+        url_for("delete_message", message_id=other_user_message.id),
+        follow_redirects=True,
+    )
+    assert response.status_code == 200
+    assert "Message not found" in response.text
+    assert (
+        db.session.get(Message, other_user_message.id) is not None
+    )  # Ensure message was not deleted