passing a few more tests, fixed some permissions bugs
This commit is contained in:
Sander Roosendaal
@@ -4,6 +4,7 @@ from __future__ import print_function
|
|||||||
from __future__ import unicode_literals
|
from __future__ import unicode_literals
|
||||||
|
|
||||||
from django.contrib.auth.decorators import login_required,user_passes_test
|
from django.contrib.auth.decorators import login_required,user_passes_test
|
||||||
|
from django.urls import reverse
|
||||||
|
|
||||||
from django.http import HttpResponseRedirect
|
from django.http import HttpResponseRedirect
|
||||||
from django.core.exceptions import PermissionDenied
|
from django.core.exceptions import PermissionDenied
|
||||||
@@ -29,6 +30,9 @@ def user_passes_test(test_func, message=default_message,login_url=None,redirect_
|
|||||||
def decorator(view_func):
|
def decorator(view_func):
|
||||||
@wraps(view_func, assigned=available_attrs(view_func))
|
@wraps(view_func, assigned=available_attrs(view_func))
|
||||||
def _wrapped_view(request, *args, **kwargs):
|
def _wrapped_view(request, *args, **kwargs):
|
||||||
|
if request.user.is_anonymous:
|
||||||
|
url = reverse('login')+'?next='+request.path
|
||||||
|
return HttpResponseRedirect(url)
|
||||||
if not test_func(request.user):
|
if not test_func(request.user):
|
||||||
messages.error(request, message)
|
messages.error(request, message)
|
||||||
return HttpResponseRedirect(login_url)
|
return HttpResponseRedirect(login_url)
|
||||||
|
|||||||
@@ -319,6 +319,22 @@ def is_workout_user(user,workout):
|
|||||||
|
|
||||||
return is_coach_user(user,workout.user.user)
|
return is_coach_user(user,workout.user.user)
|
||||||
|
|
||||||
|
# check if user is in same team as owner of workout
|
||||||
|
@rules.predicate
|
||||||
|
def is_workout_team(user,workout):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
|
||||||
|
try:
|
||||||
|
r = user.rower
|
||||||
|
except AttributeError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
if workout.user == r:
|
||||||
|
return True
|
||||||
|
|
||||||
|
return is_rower_team_member(user,workout.user)
|
||||||
|
|
||||||
# check if user can see workout
|
# check if user can see workout
|
||||||
@rules.predicate
|
@rules.predicate
|
||||||
def can_view_workout(user,workout):
|
def can_view_workout(user,workout):
|
||||||
|
|||||||
1
rowers/tests/.~lock.viewnames.csv#
Normal file
1
rowers/tests/.~lock.viewnames.csv#
Normal file
@@ -0,0 +1 @@
|
|||||||
|
,sander,sander-pc,22.01.2020 22:27,file:///home/sander/.config/libreoffice/4;
|
||||||
@@ -393,7 +393,7 @@ class PermissionsViewTests(TestCase):
|
|||||||
if notuser:
|
if notuser:
|
||||||
falseurlstotest.append(url)
|
falseurlstotest.append(url)
|
||||||
elif permissions['userid']:
|
elif permissions['userid']:
|
||||||
url = reverse(view,kwargs={'userid':thisuser['user'].id})
|
url = reverse(view,kwargs={'userid':memberuser['user'].id})
|
||||||
urlstotest.append(url)
|
urlstotest.append(url)
|
||||||
|
|
||||||
url = reverse(view,kwargs={'userid':self.ustrange['user'].id})
|
url = reverse(view,kwargs={'userid':self.ustrange['user'].id})
|
||||||
|
|||||||
@@ -1,33 +1,33 @@
|
|||||||
,id,view,function,anonymous,anonymous_response,own,own_response,own_nonperm,member,member_response,member_nonperm,coachee,coachee_response,coachee_nonperm,is_staff,userid,workoutid,dotest
|
,id,view,function,anonymous,anonymous_response,own,own_response,own_nonperm,member,member_response,member_nonperm,coachee,coachee_response,coachee_nonperm,is_staff,userid,workoutid,dotest
|
||||||
0,0,workouts_summaries_email_view,sends summary excel with workouts list and links to data to user,TRUE,302,basic,200,302,FALSE,404,404,FALSE,404,404,FALSE,FALSE,FALSE,TRUE
|
0,0,workouts_summaries_email_view,sends summary excel with workouts list and links to data to user,TRUE,302,basic,200,302,FALSE,403,403,FALSE,403,403,FALSE,FALSE,FALSE,TRUE
|
||||||
1,1,rower_update_empower_view,updates old Empower Oarlock files (corrects Power bug),TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
1,1,rower_update_empower_view,updates old Empower Oarlock files (corrects Power bug),TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
2,2,agegroupcpview,needs age,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
2,2,agegroupcpview,needs age,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
3,4,ajax_agegrouprecords,gets age group records from C2 ,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
3,4,ajax_agegrouprecords,gets age group records from C2 ,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
4,5,fitness_metric_view,updates a person's fitness metric,TRUE,302,basic,302,302,FALSE,404,302,FALSE,404,404,FALSE,FALSE,FALSE,TRUE
|
4,5,fitness_metric_view,updates a person's fitness metric,TRUE,302,basic,302,302,FALSE,403,302,FALSE,403,403,FALSE,FALSE,FALSE,TRUE
|
||||||
5,6,agegrouprecordview,shows ergo age group records,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
5,6,agegrouprecordview,shows ergo age group records,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
6,7,workouts_view,workouts list,TRUE,302,basic,200,302,basic,200,404,coach,200,404,FALSE,TRUE,FALSE,TRUE
|
6,7,workouts_view,workouts list,TRUE,302,basic,200,302,basic,200,403,coach,200,403,FALSE,TRUE,FALSE,TRUE
|
||||||
7,8,virtualevents_view,virtual races list,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
7,8,virtualevents_view,virtual races list,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
8,9,virtualevent_create_view,create virtual event,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
8,9,virtualevent_create_view,create virtual event,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
9,10,indoorvirtualevent_create_view,create indoor virtual event,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
9,10,indoorvirtualevent_create_view,create indoor virtual event,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
10,11,virtualevent_toggle_email_view,toggle email notifications,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
10,11,virtualevent_toggle_email_view,toggle email notifications,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
11,12,indoorvirtualevent_toggle_email_view,toggle email notifications,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
11,12,indoorvirtualevent_toggle_email_view,toggle email notifications,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
12,13,virtualevent_view,view virtual race,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
12,13,virtualevent_view,view virtual race,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
13,14,virtualevent_ranking_view,view ranking,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
13,14,virtualevent_ranking_view,view ranking,TRUE,200,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
14,15,virtualevent_edit_view,edit race,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
14,15,virtualevent_edit_view,edit race,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
15,16,indoorvirtualevent_edit_view,edit race,TRUE,303,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
15,16,indoorvirtualevent_edit_view,edit race,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
16,17,virtualevent_register_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
16,17,virtualevent_register_view,register for race,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
17,18,indoorvirtualevent_register_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
17,18,indoorvirtualevent_register_view,register for race,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
18,19,virtualevent_addboat_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
18,19,virtualevent_addboat_view,add a new boat type,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
19,20,virtualevent_withdraw_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
19,20,virtualevent_withdraw_view,withdraw,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
20,21,virtualevent_submit_result_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,TRUE,FALSE
|
20,21,virtualevent_submit_result_view,submit a result,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,TRUE,FALSE
|
||||||
21,22,virtualevent_disqualify_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
21,22,virtualevent_disqualify_view,disqualify a racer,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
22,24,courses_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
22,24,courses_view,see race courses,TRUE,200,FALSE,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
23,25,course_upload_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
23,25,course_upload_view,upload a new course,TRUE,302,basic,200,302,FALSE,200,302,FALSE,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
24,26,addmanual_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
24,26,addmanual_view,upload a manual workout,TRUE,302,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,TRUE
|
||||||
25,27,team_comparison_select,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,TRUE,TRUE,FALSE
|
25,27,team_comparison_select,compare with a team member workout,TRUE,302,pro,200,302,pro,200,302,coach,200,302,FALSE,TRUE,TRUE,TRUE
|
||||||
26,28,workouts_join_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
26,28,workouts_join_view,join workouts,TRUE,302,pro,302,302,pro,403,403,coach,302,403,FALSE,TRUE,FALSE,TRUE
|
||||||
27,29,workouts_join_select,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,TRUE,FALSE,FALSE
|
27,29,workouts_join_select,select workouts to join,TRUE,403,pro,200,302,pro,403,403,coach,200,403,FALSE,TRUE,FALSE,TRUE
|
||||||
28,30,user_boxplot_select,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,TRUE,FALSE,FALSE
|
28,30,user_boxplot_select,select boxplots,TRUE,302,pro,200,302,pro,403,403,coach,200,302,FALSE,TRUE,FALSE,TRUE
|
||||||
29,31,analysis_new,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,TRUE,FALSE,FALSE
|
29,31,analysis_new,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,TRUE,FALSE,FALSE
|
||||||
30,32,user_multiflex_select,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,TRUE,FALSE,FALSE
|
30,32,user_multiflex_select,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,TRUE,FALSE,FALSE
|
||||||
31,33,session_jobs_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
31,33,session_jobs_view,,TRUE,200,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,FALSE,FALSE
|
||||||
|
|||||||
|
@@ -220,6 +220,7 @@ urlpatterns = [
|
|||||||
# re_path(r'^workouts-join-select/team/(?P<teamid>\d+)/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.workouts_join_select,
|
# re_path(r'^workouts-join-select/team/(?P<teamid>\d+)/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.workouts_join_select,
|
||||||
# name='workouts_join_select'),
|
# name='workouts_join_select'),
|
||||||
re_path(r'^workouts-join/$',views.workouts_join_view,name='workouts_join_view'),
|
re_path(r'^workouts-join/$',views.workouts_join_view,name='workouts_join_view'),
|
||||||
|
re_path(r'^workouts-join/user/(?P<userid>\d+)$',views.workouts_join_view,name='workouts_join_view'),
|
||||||
re_path(r'^workouts-join-select/team/(?P<teamid>\d+)/$',views.workouts_join_select,name='workouts_join_select'),
|
re_path(r'^workouts-join-select/team/(?P<teamid>\d+)/$',views.workouts_join_select,name='workouts_join_select'),
|
||||||
# re_path(r'^workouts-join-select/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.workouts_join_select,name='workouts_join_select'),
|
# re_path(r'^workouts-join-select/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.workouts_join_select,name='workouts_join_select'),
|
||||||
re_path(r'^workouts-join-select/$',views.workouts_join_select,name='workouts_join_select'),
|
re_path(r'^workouts-join-select/$',views.workouts_join_select,name='workouts_join_select'),
|
||||||
|
|||||||
@@ -7,7 +7,6 @@ from rowers.views.statements import *
|
|||||||
|
|
||||||
|
|
||||||
# List Courses
|
# List Courses
|
||||||
@login_required()
|
|
||||||
def courses_view(request):
|
def courses_view(request):
|
||||||
r = getrower(request.user)
|
r = getrower(request.user)
|
||||||
|
|
||||||
|
|||||||
@@ -45,7 +45,7 @@ from rowers.rower_rules import (
|
|||||||
can_view_plan,can_change_plan,can_delete_plan,
|
can_view_plan,can_change_plan,can_delete_plan,
|
||||||
can_view_cycle,can_change_cycle,can_delete_cycle,
|
can_view_cycle,can_change_cycle,can_delete_cycle,
|
||||||
can_add_workout_member,can_plan_user,is_paid_coach,
|
can_add_workout_member,can_plan_user,is_paid_coach,
|
||||||
can_start_trial, can_start_plantrial,can_plan
|
can_start_trial, can_start_plantrial,can_plan,is_workout_team
|
||||||
)
|
)
|
||||||
|
|
||||||
from django.shortcuts import render
|
from django.shortcuts import render
|
||||||
@@ -389,6 +389,7 @@ def getrequestrower(request,rowerid=0,userid=0,notpermanent=False):
|
|||||||
r = getrower(request.user)
|
r = getrower(request.user)
|
||||||
u = r.user
|
u = r.user
|
||||||
|
|
||||||
|
|
||||||
except Rower.DoesNotExist:
|
except Rower.DoesNotExist:
|
||||||
raise Http404("Rower doesn't exist")
|
raise Http404("Rower doesn't exist")
|
||||||
|
|
||||||
|
|||||||
@@ -797,8 +797,11 @@ def workout_recalcsummary_view(request,id=0):
|
|||||||
@user_passes_test(ispromember,login_url="/rowers/paidplans",
|
@user_passes_test(ispromember,login_url="/rowers/paidplans",
|
||||||
message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality. If you are already a Pro user, please log in to access this functionality",
|
message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality. If you are already a Pro user, please log in to access this functionality",
|
||||||
redirect_field_name=None)
|
redirect_field_name=None)
|
||||||
def workouts_join_view(request):
|
@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
|
||||||
|
def workouts_join_view(request,userid=0):
|
||||||
promember=0
|
promember=0
|
||||||
|
|
||||||
|
r = getrequestrower(request,userid=userid)
|
||||||
if not request.user.is_anonymous:
|
if not request.user.is_anonymous:
|
||||||
r = getrower(request.user)
|
r = getrower(request.user)
|
||||||
result = request.user.is_authenticated and ispromember(request.user)
|
result = request.user.is_authenticated and ispromember(request.user)
|
||||||
@@ -1039,6 +1042,7 @@ def video_selectworkout(request,userid=0,teamid=0):
|
|||||||
})
|
})
|
||||||
|
|
||||||
|
|
||||||
|
@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
|
||||||
@user_passes_test(ispromember,login_url="/rowers/paidplans",
|
@user_passes_test(ispromember,login_url="/rowers/paidplans",
|
||||||
message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality. If you are already a Pro user, please log in to access this functionality",
|
message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality. If you are already a Pro user, please log in to access this functionality",
|
||||||
redirect_field_name=None)
|
redirect_field_name=None)
|
||||||
@@ -1047,16 +1051,15 @@ def workouts_join_select(request,
|
|||||||
enddatestring="",
|
enddatestring="",
|
||||||
message='',
|
message='',
|
||||||
successmessage='',
|
successmessage='',
|
||||||
|
userid=0,
|
||||||
startdate=timezone.now()-datetime.timedelta(days=30),
|
startdate=timezone.now()-datetime.timedelta(days=30),
|
||||||
enddate=timezone.now()+datetime.timedelta(days=1),
|
enddate=timezone.now()+datetime.timedelta(days=1),
|
||||||
teamid=0):
|
teamid=0):
|
||||||
|
|
||||||
try:
|
|
||||||
r = getrower(request.user)
|
|
||||||
except Rower.DoesNotExist:
|
|
||||||
raise Http404("Rower doesn't exist")
|
|
||||||
|
|
||||||
|
|
||||||
|
r = getrequestrower(request,userid=userid)
|
||||||
|
|
||||||
if 'waterboattype' in request.session:
|
if 'waterboattype' in request.session:
|
||||||
waterboattype = request.session['waterboattype']
|
waterboattype = request.session['waterboattype']
|
||||||
else:
|
else:
|
||||||
@@ -1211,6 +1214,7 @@ def team_comparison_select(request,
|
|||||||
r = getrequestrower(request,userid=userid)
|
r = getrequestrower(request,userid=userid)
|
||||||
requestrower = getrower(request.user)
|
requestrower = getrower(request.user)
|
||||||
|
|
||||||
|
|
||||||
request.session.pop('ps',None)
|
request.session.pop('ps',None)
|
||||||
|
|
||||||
if 'waterboattype' in request.session:
|
if 'waterboattype' in request.session:
|
||||||
@@ -1338,7 +1342,8 @@ def team_comparison_select(request,
|
|||||||
|
|
||||||
if id:
|
if id:
|
||||||
firstworkout = get_workout(id)
|
firstworkout = get_workout(id)
|
||||||
if not is_workout_user(request.user,firstworkout):
|
if not is_workout_team(request.user,firstworkout):
|
||||||
|
|
||||||
raise PermissionDenied("You are not allowed to use this workout")
|
raise PermissionDenied("You are not allowed to use this workout")
|
||||||
|
|
||||||
firstworkoutquery = Workout.objects.filter(id=encoder.decode_hex(id))
|
firstworkoutquery = Workout.objects.filter(id=encoder.decode_hex(id))
|
||||||
|
|||||||
Reference in New Issue
Block a user