
fix(api): raise 404 when creating policy on non-existing token

Peter Thomassen 1 year ago
parent
commit
9f863f23bd
2 changed files with 13 additions and 0 deletions
  1. 6 0
      api/desecapi/tests/test_token_domain_policy.py
  2. 7 0
      api/desecapi/views/tokens.py

+ 6 - 0
api/desecapi/tests/test_token_domain_policy.py

@@ -227,6 +227,12 @@ class TokenDomainPolicyTestCase(DomainOwnerTestCase):
         # Create
         ## default policy
         data = {"domain": None, "subname": None, "type": None, "perm_write": True}
+        # Other token gives 404
+        response = self.client.create_policy(
+            models.Token(), using=self.token_manage, data=data
+        )
+        self.assertStatus(response, status.HTTP_404_NOT_FOUND)
+        # Existing token works
         response = self.client.create_policy(
             self.token, using=self.token_manage, data=data
         )
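Review bot: The added case passes an unsaved `models.Token()`, so it only covers a token id that does not exist, while the comment `# Other token gives 404` reads as if another user's token were being tested. A second case with a saved token owned by a different user would pin that the create path answers with the same 404 and does not reveal whether a foreign token exists. If only the non-existing case is intended, reword the comment to `# Non-existing token gives 404`. The test method this belongs to starts and continues outside the hunk.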

+ 7 - 0
api/desecapi/views/tokens.py

@@ -1,4 +1,5 @@
 import django.core.exceptions
+from django.http import Http404
 from rest_framework import viewsets
 from rest_framework.exceptions import ValidationError
 from rest_framework.generics import get_object_or_404, RetrieveAPIView
@@ -80,6 +81,12 @@ class TokenDomainPolicyViewSet(IdempotentDestroyMixin, viewsets.ModelViewSet):
             ret.append(permissions.HasManageTokensPermission)
         return ret
 
+    def create(self, request, *args, **kwargs):
+        try:
+            return super().create(request, *args, **kwargs)
+        except Token.DoesNotExist:
+            raise Http404
+
     def get_queryset(self):
         qs = Token.objects.filter(user=self.request.user)
         return get_object_or_404(qs, pk=self.kwargs["token_id"]).tokendomainpolicy_set
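Review bot: The `try` in `create()` wraps the whole `super().create()` call, so a `Token.DoesNotExist` raised anywhere in the create pipeline becomes a 404, including one caused by an unrelated bug; the lookup that actually raises is not visible in this hunk. Consider catching the exception where the token is resolved, or at least add a comment such as `# token_id from the URL does not resolve to a token of this user -> 404, as in get_queryset()`. It is also worth confirming that this lookup is filtered by `user=self.request.user` as `get_queryset()` is, so that a token owned by another account is indistinguishable from a missing one. Writing `raise Http404 from None` would keep the internal exception out of the chained traceback.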