From 09ae7cbe770c1d45d35054bbe21a0b3cd8cecdef Mon Sep 17 00:00:00 2001
From: Sander Roosendaal
Date: Sun, 12 Jan 2020 22:10:20 +0100
Subject: [PATCH] passing tests - user / workouts permissions done
---
 rowers/rower_rules.py | 34 ++++++++--------------------------
 rowers/tests/test_misc.py | 4 ++--
 rowers/views/exportviews.py | 6 +++---
 rowers/views/importviews.py | 14 +++++++-------
 rowers/views/planviews.py | 22 +++++++++++-----------
 rowers/views/statements.py | 7 ++++---
 rowers/views/workoutviews.py | 9 +++++----
 7 files changed, 40 insertions(+), 56 deletions(-)
diff --git a/rowers/rower_rules.py b/rowers/rower_rules.py
index 258c86b3..1ad9d6f0 100644
--- a/rowers/rower_rules.py
+++ b/rowers/rower_rules.py
@@ -51,6 +51,7 @@ ispromember = is_promember | is_protrial
 def can_plan(user):
 return user.rower.rowerplan in ['plan','coach','freecoach']
+# checks if rower is coach of user
 @rules.predicate
 def is_coach_user(user,rower):
 try:
@@ -67,7 +68,7 @@ def is_coach_user(user,rower):
 newcoaches = group.get_coaches()
 for coach in newcoaches:
 coaches.append(coach)
- print(coaches)
+
 for coach in coaches:
 if rower == coach:
 return True
@@ -126,36 +127,16 @@ def is_workout_user(user,workout):
 if workout.user == r:
 return True
- coaches = []
- for group in workout.user.coachinggroups.all():
- coach = group.coachingrole
- coaches.append(coach)
- for coach in coaches:
- if r == coach and workout.privacy == 'visible':
- return True
-
- return False
+ return is_coach_user(workout.user.user,user.rower)
+
 @rules.predicate
 def can_view_workout(user,workout):
- if user.is_anonymous:
- if workout.privacy != 'private':
- return True
- return False
-
- try:
- r = user.rower
- except AttributeError:
- return False
-
- teams = workout.user.team.all()
-
- for team in teams:
- if team in r.team.all():
- return True
-
+ if workout.privacy != 'private':
+ return True
 return False
+
 rules.add_perm('workout.change_workout',is_workout_user) # replaces checkworkoutuser
 rules.add_perm('workout.view_workout',can_view_workout) # replaces checkworkoutuserview
@@ -166,6 +147,7 @@ rules.add_perm('workout.view_workout',can_view_workout) # replaces checkworkoutu
 # PLANNING permissions
 # checkaccessplanuser (models.py)
+# getrequestrower, getrequestplanrower
 # TEAM permissions
diff --git a/rowers/tests/test_misc.py b/rowers/tests/test_misc.py
index cf97672c..e2174bdf 100644
--- a/rowers/tests/test_misc.py
+++ b/rowers/tests/test_misc.py
@@ -8,7 +8,7 @@ from .statements import *
 nu = datetime.datetime.now()
-
+from rowers.rower_rules import is_workout_user
 #@pytest.mark.django_db
 class WorkoutTests(TestCase):
@@ -28,7 +28,7 @@ class WorkoutTests(TestCase):
 duration="0:55:00",distance=8000)
 def test_checkworkoutuser(self):
- self.assertEqual(checkworkoutuser(self.u,self.w),True)
+ self.assertEqual(is_workout_user(self.u,self.w),True)
 #@pytest.mark.django_db
 class C2Tests(TestCase):
diff --git a/rowers/views/exportviews.py b/rowers/views/exportviews.py
index 08f2e064..afdfc7c9 100644
--- a/rowers/views/exportviews.py
+++ b/rowers/views/exportviews.py
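Review bot: `can_view_workout` now answers False for every workout whose `privacy` is `'private'`, including for its owner and the owner's coaches, because the anonymous branch, the `user.rower` lookup and the team comparison were all removed and nothing left in the predicate looks at `user` at all; since this same commit switches `workout_stats_view` and `workout_workflow_view` in workoutviews.py from `workout.change_workout` to `workout.view_workout`, an owner opening their own private workout will get a 403. The file already composes predicates with `|` (`ispromember = is_promember | is_protrial`), so the one-line fix is `rules.add_perm('workout.view_workout',is_workout_user | can_view_workout)`. Separately, the new `return is_coach_user(workout.user.user,user.rower)` in `is_workout_user` grants `change_workout` to a coach regardless of `workout.privacy`, where the deleted loop required `privacy == 'visible'`; if that widening is intended, say so in a comment, otherwise keep the gate with `return workout.privacy == 'visible' and is_coach_user(workout.user.user,user.rower)`. `r` is assigned above this hunk, so the start of `is_workout_user` is not visible and I can't tell whether an anonymous user can reach `user.rower` on the new line.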
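Review bot: The new `from rowers.rower_rules import is_workout_user` is placed below `nu = datetime.datetime.now()` in the middle of the test module rather than with the other imports at the top. Move it up into the import group so the file reads normally and import sorting does not keep flagging it.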
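Review bot: `test_checkworkoutuser` still pins only the positive case (the owner `self.u` is allowed on `self.w`), while this commit changes who else is accepted by `is_workout_user` (coaches, now irrespective of `workout.privacy`) and what `can_view_workout` returns. A denial case is what guards against the permission widening silently later: create a second user fixture that is neither owner nor coach of `self.w` (call it `other`) and add `self.assertFalse(is_workout_user(other, self.w))`. The positive assertion itself reads better as `self.assertTrue(is_workout_user(self.u, self.w))` than as `assertEqual(..., True)`.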
@@ -6,7 +6,7 @@ from rowers.views.statements import *
 # Export workout to TCX and send to user's email address
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_tcxemail_view(request,id=0):
 r = getrower(request.user)
 w = get_workout(id)
@@ -168,7 +168,7 @@ def course_kmldownload_view(request,id=0):
 # Export workout to GPX and send to user's email address
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_gpxemail_view(request,id=0):
 r = getrower(request.user)
 w = get_workout(id)
@@ -234,7 +234,7 @@ def workouts_summaries_email_view(request):
 # Get Workout CSV file and send it to user's email address
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_csvemail_view(request,id=0):
 r = getrower(request.user)
diff --git a/rowers/views/importviews.py b/rowers/views/importviews.py
index 7b77b68b..a823c788 100644
--- a/rowers/views/importviews.py
+++ b/rowers/views/importviews.py
@@ -13,7 +13,7 @@ def default(o):
 # Send workout to TP
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_tp_upload_view(request,id=0):
 message = ""
@@ -25,7 +25,7 @@ def workout_tp_upload_view(request,id=0):
 return HttpResponseRedirect("/rowers/me/tpauthorize/")
 # ready to upload. Hurray
- w = get_object_or_404(Workout,pk=id)
+ w = get_workout_by_opaqueid(request,id)
 r = w.user
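Review bot: In `workout_tcxemail_view` the decorator now resolves the object through `get_workout_by_opaqueid(request, id)` while the body two lines below still does `w = get_workout(id)`, so the permission check and the export may be looking at two different lookups; `get_workout` is not visible here, but if it takes the raw primary key while the decorator decodes an opaque id, the check guards a different row than the one that gets emailed. The importviews hunk at @@ -25 does this the safe way by resolving in the body with the same helper, `w = get_workout_by_opaqueid(request,id)`; using that line in `workout_tcxemail_view`, `workout_gpxemail_view` (@@ -168) and `workout_csvemail_view` (@@ -234) keeps check and action on one object. Note also that `raise_exception=True` turns a failed check into a 403 for an unauthenticated caller where the decorator default would have redirected to login, which is fine only if these views sit behind `login_required` or that is the behaviour wanted. Each of the three view bodies continues past its hunk.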
@@ -66,7 +66,7 @@ def workout_tp_upload_view(request,id=0):
 # Send workout to Strava
 # abundance of error logging here because there were/are some bugs
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_strava_upload_view(request,id=0):
 message = ""
 r = getrower(request.user)
@@ -202,7 +202,7 @@ def workout_c2_upload_view(request,id=0):
 return response
 # Upload workout to RunKeeper
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_runkeeper_upload_view(request,id=0):
 message = ""
 w = get_workout(id)
@@ -263,7 +263,7 @@ def workout_runkeeper_upload_view(request,id=0):
 return HttpResponseRedirect(url)
 # Upload workout to Underarmour
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_underarmour_upload_view(request,id=0):
 message = ""
 w = get_workout(id)
@@ -324,7 +324,7 @@ def workout_underarmour_upload_view(request,id=0):
 return HttpResponseRedirect(url)
 # Upload workout to SportTracks
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid)
 def workout_sporttracks_upload_view(request,id=0):
 message = ""
 # ready to upload. Hurray
@@ -378,7 +378,7 @@ def workout_sporttracks_upload_view(request,id=0):
 s = response
 message = "Something went wrong in workout_sporttracks_upload_view: %s" % s.reason
 messages.error(request,message)
-
+
 url = reverse(r.defaultlandingpage,
 kwargs = {
 'id':encoder.encode_hex(w.id),
diff --git a/rowers/views/planviews.py b/rowers/views/planviews.py
index 1b04f7ed..ae16fb94 100644
--- a/rowers/views/planviews.py
+++ b/rowers/views/planviews.py
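Review bot: `workout_sporttracks_upload_view` (@@ -324) is the only decorator in this commit rewritten without `raise_exception=True`, as `@permission_required('workout.change_workout',fn=get_workout_by_opaqueid)`, so a logged-in user who fails the check is redirected to the login page (the decorator's default) instead of receiving the 403 that the TP, Strava, RunKeeper and Underarmour views now return. Unless the difference is deliberate, make it `@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)` so every upload view fails the same way. The view bodies continue past their hunks.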
@@ -1697,7 +1697,7 @@ def plannedsession_edit_view(request,id=0,userid=0):
 })
-@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
+@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def plannedsession_detach_view(request,id=0,psid=0):
 r = getrequestrower(request)
@@ -1959,7 +1959,7 @@ class PlannedSessionDelete(DeleteView):
 def get_object(self, *args, **kwargs):
 obj = super(PlannedSessionDelete, self).get_object(*args, **kwargs)
 m = Rower.objects.get(user=obj.manager)
- if not is_coach_user(m,self.request.user.rower):
+ if not is_coach_user(m.user,self.request.user.rower):
 raise PermissionDenied('You are not allowed to delete this planned session')
 return obj
@@ -2140,7 +2140,7 @@ class TrainingPlanDelete(DeleteView):
 def get_object(self, *args, **kwargs):
 obj = super(TrainingPlanDelete, self).get_object(*args, **kwargs)
- if not is_coach_user(obj.manager.user,self.request.user):
+ if not is_coach_user(obj.manager.user,self.request.user.rower):
 raise PermissionDenied('You are not allowed to delete this training plan')
 return obj
@@ -2206,7 +2206,7 @@ class MicroCycleDelete(DeleteView):
 def get_object(self, *args, **kwargs):
 obj = super(MicroCycleDelete, self).get_object(*args, **kwargs)
- if not is_coach_user(obj.plan.plan.plan.manager.user,self.request.user):
+ if not is_coach_user(obj.plan.plan.plan.manager.user,self.request.user.rower):
 raise PermissionDenied('You are not allowed to delete this training plan cycle')
 return obj
@@ -2268,7 +2268,7 @@ class MesoCycleDelete(DeleteView):
 def get_object(self, *args, **kwargs):
 obj = super(MesoCycleDelete, self).get_object(*args, **kwargs)
- if not is_coach_user(obj.plan.plan.manager.user,self.request.user):
+ if not is_coach_user(obj.plan.plan.manager.user,self.request.user.rower):
 raise PermissionDenied('You are not allowed to delete this training plan cycle')
 return obj
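Review bot: In `PlannedSessionDelete.get_object` (@@ -1959) the lookup `m = Rower.objects.get(user=obj.manager)` is now used only as `m.user`, which is `obj.manager` again, so the extra query buys nothing and the `Rower.DoesNotExist` it can raise surfaces as a 500 instead of a clean denial. If `obj.manager` is the `User` that lookup implies, `if not is_coach_user(obj.manager,self.request.user.rower):` is equivalent and drops both the query and the failure mode. The other hunks in this file (@@ -2140 through @@ -2268 here, and the rest of planviews.py in this commit) settle on the same `(User, Rower)` argument shape for `is_coach_user`, which is worth a one-line comment on the predicate itself so the convention stops drifting.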
@@ -2322,7 +2322,7 @@ class MacroCycleDelete(DeleteView):
 def get_object(self, *args, **kwargs):
 obj = super(MacroCycleDelete, self).get_object(*args, **kwargs)
- if not is_coach_user(obj.plan.manager.user,self.request.user):
+ if not is_coach_user(obj.plan.manager.user,self.request.user.rower):
 raise PermissionDenied('You are not allowed to delete this training plan cycle')
 return obj
@@ -2345,7 +2345,7 @@ def rower_trainingplan_execution_view(request,
 plan = TrainingPlan.objects.get(id=id)
 except TrainingPlan.DoesNotExist:
 raise Http404("Training Plan Does Not Exist")
- if not is_coach_user(plan.manager.user,request.user):
+ if not is_coach_user(plan.manager.user,request.user.rower):
 if request.user.rower not in plan.rowers.all():
 raise PermissionDenied("Access denied")
@@ -2439,7 +2439,7 @@ def rower_trainingplan_view(request,
 r = getrequestrower(request,userid=userid)
- if not is_coach_user(plan.manager.user,request.user):
+ if not is_coach_user(plan.manager.user,request.user.rower):
 if request.user.rower not in plan.rowers.all():
 raise PermissionDenied("Access denied")
@@ -2568,7 +2568,7 @@ class TrainingMacroCycleUpdate(UpdateView):
 if obj.plan.manager is not None and self.request.user.rower != obj.plan.manager:
 raise PermissionDenied('You are not allowed to edit this training plan cycle')
- if not is_coach_user(plan.manager.user,self.request.user):
+ if not is_coach_user(obj.plan.manager.user,self.request.user.rower):
 raise PermissionDenied('You are not allowed to edit this training plan cycle')
 else:
 obj.type = 'userdefined'
@@ -2850,7 +2850,7 @@ def planmesocyclebyweek(request,id=0,userid=0):
 except TrainingMesoCycle.DoesNotExist:
 raise Http404("Training Cycle does not exist")
- if not is_coach_user(cycle.plan.plan.manager.user,request.user):
+ if not is_coach_user(cycle.plan.plan.manager.user,request.user.rower):
 raise PermissionDenied("You are not allowed to do this")
 micros = TrainingMicroCycle.objects.filter(plan=cycle)
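Review bot: In `TrainingMacroCycleUpdate` (@@ -2568) the corrected line `if not is_coach_user(obj.plan.manager.user,self.request.user.rower):` dereferences `obj.plan.manager.user` immediately after a check that explicitly tolerates `obj.plan.manager is None`, so a cycle without a manager raises `AttributeError` (a 500) instead of a `PermissionDenied`. The two checks also look at odds if they are at the same level: the first lets only the manager through, and the second then asks whether that manager coaches themselves, which I cannot confirm `is_coach_user` answers True for. The method's start and the nesting of the trailing `else:` are outside the hunk, so please confirm the intended rule; if a manager-less cycle should be refused, `if obj.plan.manager is None or not is_coach_user(obj.plan.manager.user,self.request.user.rower):` makes that explicit rather than accidental.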
@@ -2905,7 +2905,7 @@ def planmacrocyclebymonth(request,id=0,userid=0):
 except TrainingMacroCycle.DoesNotExist:
 raise Http404("Training Cycle does not exist")
- if not is_coach_user(cycle.plan.manager.user,request.user):
+ if not is_coach_user(cycle.plan.manager.user,request.user.rower):
 raise PermissionDenied("You are not allowed to do this")
 mesos = TrainingMesoCycle.objects.filter(plan=cycle)
diff --git a/rowers/views/statements.py b/rowers/views/statements.py
index ac3867da..b4d4bbf9 100644
--- a/rowers/views/statements.py
+++ b/rowers/views/statements.py
@@ -313,16 +313,18 @@ def getrequestrower(request,rowerid=0,userid=0,notpermanent=False):
 if rowerid != 0:
 r = Rower.objects.get(id=rowerid)
+ u = r.user
 elif userid != 0:
 u = User.objects.get(id=userid)
 r = getrower(u)
 else:
 r = getrower(request.user)
+ u = r.user
 except Rower.DoesNotExist:
 raise Http404("Rower doesn't exist")
- if userid != 0 and not is_coach_user(u,r):
+ if userid != 0 and not is_coach_user(u,request.user.rower):
 raise PermissionDenied("You have no access to this user")
 if notpermanent == False:
@@ -355,7 +357,7 @@ def getrequestplanrower(request,rowerid=0,userid=0,notpermanent=False):
 except Rower.DoesNotExist:
 raise Http404("Rower doesn't exist")
- if not is_coach_user(request.user,r):
+ if not is_coach_user(r.user,request.user.rower):
 raise PermissionDenied("You have no access to this user")
 if notpermanent == False:
@@ -430,7 +432,6 @@ class SessionTaskListener(threading.Thread):
 for item in self.pubsub.listen():
 if item['data'] == "KILL":
 self.pubsub.unsubscribe()
- print(self, "unsubscribed and finished")
 break
 else:
 self.work(item)
diff --git a/rowers/views/workoutviews.py b/rowers/views/workoutviews.py
index 36332560..4d70bfa3 100644
--- a/rowers/views/workoutviews.py
+++ b/rowers/views/workoutviews.py
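Review bot: The access check in `getrequestrower` (statements.py @@ -313) still runs only when `userid != 0`, so a caller that supplies `rowerid` receives any rower by primary key with no coach check at all; the new `u = r.user` added in that branch is never read, which suggests the condition was meant to cover it. Unless `rowerid` is reserved for callers that have already authorised the rower, widen the guard to `if (rowerid != 0 or userid != 0) and not is_coach_user(u,request.user.rower):`, or at least document on the function why the `rowerid` path is trusted. Also `User.objects.get(id=userid)` raises `User.DoesNotExist`, which the `except Rower.DoesNotExist` below it does not catch, so an unknown `userid` becomes a 500 rather than the 404 the handler intends. The function continues past the hunk, and `getrequestplanrower` (@@ -355) is now the one of the two that checks unconditionally.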
@@ -3023,7 +3023,7 @@ def workout_data_view(request, id=0):
 # Stats page
-@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
+@permission_required('workout.view_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_stats_view(request,id=0,message="",successmessage=""):
 r = getrower(request.user)
@@ -3299,7 +3299,7 @@ def workout_workflow_config2_view(request,userid=0):
 # Workflow View
 @login_required()
-@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
+@permission_required('workout.view_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_workflow_view(request,id):
 request.session['referer'] = absolute(request)['PATH']
 request.session['lastworkout'] = id
@@ -5876,7 +5876,7 @@ class VideoDelete(DeleteView):
 def get_object(self, *args, **kwargs):
 obj = super(VideoDelete, self).get_object(*args, **kwargs)
- if not checkaccessuser(self.request.user,obj.workout.user):
+ if not is_coach_user(obj.workout.user,self.request.user):
 raise PermissionDenied('You are not allowed to delete this analysis')
 return obj
@@ -5929,7 +5929,8 @@ class GraphDelete(DeleteView):
 def get_object(self, *args, **kwargs):
 obj = super(GraphDelete, self).get_object(*args, **kwargs)
- if not checkaccessuser(self.request.user,obj.workout.user):
+
+ if not is_workout_user(self.request.user,obj.workout):
 raise PermissionDenied('You are not allowed to delete this chart')
 return obj
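Review bot: `VideoDelete.get_object` (@@ -5876) calls `is_coach_user(obj.workout.user,self.request.user)` with the arguments in the opposite order and type from every other call site in this commit, which pass `(User, Rower)`; here the first argument is the workout's `Rower` and the second the request's `User`, so the predicate's `rower == coach` comparison presumably never matches and the owner and their coaches are all denied (fail closed, but a broken delete). The `GraphDelete` hunk directly below already uses the right shape, so the same line works here: `if not is_workout_user(self.request.user,obj.workout):`. The switch of `workout_stats_view` (@@ -3023) and `workout_workflow_view` (@@ -3299) to `workout.view_workout` also deserves a check against the `can_view_workout` rewritten in rower_rules.py in this commit, which as written returns False for private workouts regardless of who asks, so an owner would be locked out of their own private workout's stats.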