
passing tests - user / workouts permissions done

This commit is contained in:
Sander Roosendaal
2020-01-12 22:10:20 +01:00
parent 9cbeb3fc2d
commit 09ae7cbe77
7 changed files with 40 additions and 56 deletions


@@ -51,6 +51,7 @@ ispromember = is_promember | is_protrial
def can_plan(user):
return user.rower.rowerplan in ['plan','coach','freecoach']
# checks if rower is coach of user
@rules.predicate
def is_coach_user(user,rower):
try:
@@ -67,7 +68,7 @@ def is_coach_user(user,rower):
newcoaches = group.get_coaches()
for coach in newcoaches:
coaches.append(coach)
print(coaches)
for coach in coaches:
if rower == coach:
return True
@@ -126,36 +127,16 @@ def is_workout_user(user,workout):
if workout.user == r:
return True
coaches = []
for group in workout.user.coachinggroups.all():
coach = group.coachingrole
coaches.append(coach)
for coach in coaches:
if r == coach and workout.privacy == 'visible':
return True
return False
return is_coach_user(workout.user.user,user.rower)
@rules.predicate
def can_view_workout(user,workout):
if user.is_anonymous:
if workout.privacy != 'private':
return True
return False
try:
r = user.rower
except AttributeError:
return False
teams = workout.user.team.all()
for team in teams:
if team in r.team.all():
return True
if workout.privacy != 'private':
return True
return False
rules.add_perm('workout.change_workout',is_workout_user) # replaces checkworkoutuser
rules.add_perm('workout.view_workout',can_view_workout) # replaces checkworkoutuserview
@@ -166,6 +147,7 @@ rules.add_perm('workout.view_workout',can_view_workout) # replaces checkworkoutu
# PLANNING permissions
# checkaccessplanuser (models.py)
# getrequestrower, getrequestplanrower
# TEAM permissions
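Review bot: The new `return is_coach_user(workout.user.user,user.rower)` in is_workout_user drops the `workout.privacy == 'visible'` condition the removed loop applied, so a coach now gets `workout.change_workout` on a rower's private workouts as well; if that is intended, say so in a comment, otherwise keep the condition: `return workout.privacy == 'visible' and is_coach_user(workout.user.user,user.rower)`. In can_view_workout both the anonymous branch and the final fall-through test `workout.privacy != 'private'`, so every privacy value other than exactly 'private' is readable by anyone, logged in or not; if the field has a team-scoped level (the team check in between suggests one), list the public values explicitly rather than treating everything non-private as public. is_workout_user's signature and the `r = user.rower` lookup are above the hunk.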


@@ -8,7 +8,7 @@ from .statements import *
nu = datetime.datetime.now()
from rowers.rower_rules import is_workout_user
#@pytest.mark.django_db
class WorkoutTests(TestCase):
@@ -28,7 +28,7 @@ class WorkoutTests(TestCase):
duration="0:55:00",distance=8000)
def test_checkworkoutuser(self):
self.assertEqual(checkworkoutuser(self.u,self.w),True)
self.assertEqual(is_workout_user(self.u,self.w),True)
#@pytest.mark.django_db
class C2Tests(TestCase):
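Review bot: `test_checkworkoutuser` now asserts only the positive case, so a predicate that returns True for every caller would still pass; add a denial assertion with a user who neither owns nor coaches `self.w`, e.g. `self.assertEqual(is_workout_user(self.other_u,self.w),False)` where `self.other_u` is a second user created in setUp (a constructed fixture; setUp is outside the hunk). The method name still refers to the removed checkworkoutuser helper; renaming it to test_is_workout_user keeps the test discoverable.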


@@ -6,7 +6,7 @@ from rowers.views.statements import *
# Export workout to TCX and send to user's email address
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_tcxemail_view(request,id=0):
r = getrower(request.user)
w = get_workout(id)
@@ -168,7 +168,7 @@ def course_kmldownload_view(request,id=0):
# Export workout to GPX and send to user's email address
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_gpxemail_view(request,id=0):
r = getrower(request.user)
w = get_workout(id)
@@ -234,7 +234,7 @@ def workouts_summaries_email_view(request):
# Get Workout CSV file and send it to user's email address
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_csvemail_view(request,id=0):
r = getrower(request.user)
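Review bot: The decorators now resolve the target with `get_workout_by_opaqueid`, but the bodies still load it with `w = get_workout(id)` in workout_tcxemail_view and workout_gpxemail_view (same pattern in workout_runkeeper_upload_view and workout_underarmour_upload_view in the next file); if the two helpers interpret `id` differently — the TP upload view in this commit switches to `w = get_workout_by_opaqueid(request,id)`, suggesting they do — the permission is checked against one workout and the export is performed on another. Resolve the object the same way in both places: `w = get_workout_by_opaqueid(request,id)`. get_workout's body is not visible here, so this is inferred from the call sites; each view's body continues below its hunk.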


@@ -13,7 +13,7 @@ def default(o):
# Send workout to TP
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_tp_upload_view(request,id=0):
message = ""
@@ -25,7 +25,7 @@ def workout_tp_upload_view(request,id=0):
return HttpResponseRedirect("/rowers/me/tpauthorize/")
# ready to upload. Hurray
w = get_object_or_404(Workout,pk=id)
w = get_workout_by_opaqueid(request,id)
r = w.user
@@ -66,7 +66,7 @@ def workout_tp_upload_view(request,id=0):
# Send workout to Strava
# abundance of error logging here because there were/are some bugs
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_strava_upload_view(request,id=0):
message = ""
r = getrower(request.user)
@@ -202,7 +202,7 @@ def workout_c2_upload_view(request,id=0):
return response
# Upload workout to RunKeeper
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_runkeeper_upload_view(request,id=0):
message = ""
w = get_workout(id)
@@ -263,7 +263,7 @@ def workout_runkeeper_upload_view(request,id=0):
return HttpResponseRedirect(url)
# Upload workout to Underarmour
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_underarmour_upload_view(request,id=0):
message = ""
w = get_workout(id)
@@ -324,7 +324,7 @@ def workout_underarmour_upload_view(request,id=0):
return HttpResponseRedirect(url)
# Upload workout to SportTracks
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid)
def workout_sporttracks_upload_view(request,id=0):
message = ""
# ready to upload. Hurray
@@ -378,7 +378,7 @@ def workout_sporttracks_upload_view(request,id=0):
s = response
message = "Something went wrong in workout_sporttracks_upload_view: %s" % s.reason
messages.error(request,message)
url = reverse(r.defaultlandingpage,
kwargs = {
'id':encoder.encode_hex(w.id),
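Review bot: The workout_sporttracks_upload_view decorator is the only one in this commit without `raise_exception=True`; with django-rules' default a logged-in user who fails the check is redirected to the login page instead of receiving a 403, which differs from every sibling upload view here. Use `@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)` for consistency. The decorated bodies continue below each hunk.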


@@ -1697,7 +1697,7 @@ def plannedsession_edit_view(request,id=0,userid=0):
})
@permission_required('workout.change_workout',fn=objectgetter(Workout, 'id'))
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def plannedsession_detach_view(request,id=0,psid=0):
r = getrequestrower(request)
@@ -1959,7 +1959,7 @@ class PlannedSessionDelete(DeleteView):
def get_object(self, *args, **kwargs):
obj = super(PlannedSessionDelete, self).get_object(*args, **kwargs)
m = Rower.objects.get(user=obj.manager)
if not is_coach_user(m,self.request.user.rower):
if not is_coach_user(m.user,self.request.user.rower):
raise PermissionDenied('You are not allowed to delete this planned session')
return obj
@@ -2140,7 +2140,7 @@ class TrainingPlanDelete(DeleteView):
def get_object(self, *args, **kwargs):
obj = super(TrainingPlanDelete, self).get_object(*args, **kwargs)
if not is_coach_user(obj.manager.user,self.request.user):
if not is_coach_user(obj.manager.user,self.request.user.rower):
raise PermissionDenied('You are not allowed to delete this training plan')
return obj
@@ -2206,7 +2206,7 @@ class MicroCycleDelete(DeleteView):
def get_object(self, *args, **kwargs):
obj = super(MicroCycleDelete, self).get_object(*args, **kwargs)
if not is_coach_user(obj.plan.plan.plan.manager.user,self.request.user):
if not is_coach_user(obj.plan.plan.plan.manager.user,self.request.user.rower):
raise PermissionDenied('You are not allowed to delete this training plan cycle')
return obj
@@ -2268,7 +2268,7 @@ class MesoCycleDelete(DeleteView):
def get_object(self, *args, **kwargs):
obj = super(MesoCycleDelete, self).get_object(*args, **kwargs)
if not is_coach_user(obj.plan.plan.manager.user,self.request.user):
if not is_coach_user(obj.plan.plan.manager.user,self.request.user.rower):
raise PermissionDenied('You are not allowed to delete this training plan cycle')
return obj
@@ -2322,7 +2322,7 @@ class MacroCycleDelete(DeleteView):
def get_object(self, *args, **kwargs):
obj = super(MacroCycleDelete, self).get_object(*args, **kwargs)
if not is_coach_user(obj.plan.manager.user,self.request.user):
if not is_coach_user(obj.plan.manager.user,self.request.user.rower):
raise PermissionDenied('You are not allowed to delete this training plan cycle')
return obj
@@ -2345,7 +2345,7 @@ def rower_trainingplan_execution_view(request,
plan = TrainingPlan.objects.get(id=id)
except TrainingPlan.DoesNotExist:
raise Http404("Training Plan Does Not Exist")
if not is_coach_user(plan.manager.user,request.user):
if not is_coach_user(plan.manager.user,request.user.rower):
if request.user.rower not in plan.rowers.all():
raise PermissionDenied("Access denied")
@@ -2439,7 +2439,7 @@ def rower_trainingplan_view(request,
r = getrequestrower(request,userid=userid)
if not is_coach_user(plan.manager.user,request.user):
if not is_coach_user(plan.manager.user,request.user.rower):
if request.user.rower not in plan.rowers.all():
raise PermissionDenied("Access denied")
@@ -2568,7 +2568,7 @@ class TrainingMacroCycleUpdate(UpdateView):
if obj.plan.manager is not None and self.request.user.rower != obj.plan.manager:
raise PermissionDenied('You are not allowed to edit this training plan cycle')
if not is_coach_user(plan.manager.user,self.request.user):
if not is_coach_user(obj.plan.manager.user,self.request.user.rower):
raise PermissionDenied('You are not allowed to edit this training plan cycle')
else:
obj.type = 'userdefined'
@@ -2850,7 +2850,7 @@ def planmesocyclebyweek(request,id=0,userid=0):
except TrainingMesoCycle.DoesNotExist:
raise Http404("Training Cycle does not exist")
if not is_coach_user(cycle.plan.plan.manager.user,request.user):
if not is_coach_user(cycle.plan.plan.manager.user,request.user.rower):
raise PermissionDenied("You are not allowed to do this")
micros = TrainingMicroCycle.objects.filter(plan=cycle)
@@ -2905,7 +2905,7 @@ def planmacrocyclebymonth(request,id=0,userid=0):
except TrainingMacroCycle.DoesNotExist:
raise Http404("Training Cycle does not exist")
if not is_coach_user(cycle.plan.manager.user,request.user):
if not is_coach_user(cycle.plan.manager.user,request.user.rower):
raise PermissionDenied("You are not allowed to do this")
mesos = TrainingMesoCycle.objects.filter(plan=cycle)
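Review bot: In TrainingMacroCycleUpdate the guard on the first line of that hunk only raises when `obj.plan.manager` is not None and differs from the requester, so for a managerless plan the new `is_coach_user(obj.plan.manager.user,self.request.user.rower)` line dereferences None and the view fails with AttributeError instead of PermissionDenied; the page's indentation is lost, so if this line sits under a different branch the point does not apply. A None-safe form is `if obj.plan.manager is None or not is_coach_user(obj.plan.manager.user,self.request.user.rower):`, assuming a managerless cycle should not be editable by arbitrary users. When the requester is the manager, the line also requires them to be a coach of themselves; whether the predicate returns True in that case is not visible here. Each `get_object` method's class header is above its hunk.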


@@ -313,16 +313,18 @@ def getrequestrower(request,rowerid=0,userid=0,notpermanent=False):
if rowerid != 0:
r = Rower.objects.get(id=rowerid)
u = r.user
elif userid != 0:
u = User.objects.get(id=userid)
r = getrower(u)
else:
r = getrower(request.user)
u = r.user
except Rower.DoesNotExist:
raise Http404("Rower doesn't exist")
if userid != 0 and not is_coach_user(u,r):
if userid != 0 and not is_coach_user(u,request.user.rower):
raise PermissionDenied("You have no access to this user")
if notpermanent == False:
@@ -355,7 +357,7 @@ def getrequestplanrower(request,rowerid=0,userid=0,notpermanent=False):
except Rower.DoesNotExist:
raise Http404("Rower doesn't exist")
if not is_coach_user(request.user,r):
if not is_coach_user(r.user,request.user.rower):
raise PermissionDenied("You have no access to this user")
if notpermanent == False:
@@ -430,7 +432,6 @@ class SessionTaskListener(threading.Thread):
for item in self.pubsub.listen():
if item['data'] == "KILL":
self.pubsub.unsubscribe()
print(self, "unsubscribed and finished")
break
else:
self.work(item)
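Review bot: The new `is_coach_user(u,request.user.rower)` lines in getrequestrower and getrequestplanrower evaluate `request.user.rower` in the caller, so an anonymous request or a user without a Rower row raises AttributeError (a 500) before the predicate's own try/except can run. Resolve it once and turn a missing rower into a denial: `requester = getattr(request.user, 'rower', None)` / `if userid != 0 and (requester is None or not is_coach_user(u,requester)):` / `raise PermissionDenied("You have no access to this user")` (Django's missing-reverse-relation error subclasses AttributeError, so getattr's default applies). Note also that the `rowerid != 0` branch still has no access check at all; if rowerid can come from the request, that is a gap this commit does not close. Both functions begin above their hunks.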


@@ -3023,7 +3023,7 @@ def workout_data_view(request, id=0):
# Stats page
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
@permission_required('workout.view_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_stats_view(request,id=0,message="",successmessage=""):
r = getrower(request.user)
@@ -3299,7 +3299,7 @@ def workout_workflow_config2_view(request,userid=0):
# Workflow View
@login_required()
@permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
@permission_required('workout.view_workout',fn=get_workout_by_opaqueid,raise_exception=True)
def workout_workflow_view(request,id):
request.session['referer'] = absolute(request)['PATH']
request.session['lastworkout'] = id
@@ -5876,7 +5876,7 @@ class VideoDelete(DeleteView):
def get_object(self, *args, **kwargs):
obj = super(VideoDelete, self).get_object(*args, **kwargs)
if not checkaccessuser(self.request.user,obj.workout.user):
if not is_coach_user(obj.workout.user,self.request.user):
raise PermissionDenied('You are not allowed to delete this analysis')
return obj
@@ -5929,7 +5929,8 @@ class GraphDelete(DeleteView):
def get_object(self, *args, **kwargs):
obj = super(GraphDelete, self).get_object(*args, **kwargs)
if not checkaccessuser(self.request.user,obj.workout.user):
if not is_workout_user(self.request.user,obj.workout):
raise PermissionDenied('You are not allowed to delete this chart')
return obj
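Review bot: VideoDelete now calls `is_coach_user(obj.workout.user,self.request.user)` with the arguments the other way round from every other call site in this commit, which pass a User first (`manager.user`) and a Rower second (`request.user.rower`); `workout.user` is a Rower (rower_rules reads `workout.user.user`), so the predicate receives (Rower, User). Since its body starts with a try block the mismatch may be swallowed into a plain False, which would deny legitimate owners and coaches rather than fail loudly — either way the check is not doing what it reads as. Mirror GraphDelete directly below: `if not is_workout_user(self.request.user,obj.workout):`. Separately, workout_stats_view now uses `workout.view_workout`, whose predicate admits anonymous users on non-private workouts, yet the next line calls `getrower(request.user)`; unless getrower tolerates AnonymousUser (not visible here), the newly public path ends in an exception. Each `get_object` class header is above its hunk.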