From 0a469e81fe22537b741e6a533a10d5c4b893f5b0 Mon Sep 17 00:00:00 2001
From: Sander Roosendaal
Date: Mon, 29 Oct 2018 11:08:49 +0100
Subject: [PATCH] better protection of private workouts
---
 rowers/interactiveplots.py | 25 ++++++++--------
 rowers/models.py | 2 +-
 rowers/views.py | 61 ++++++++++++++++++++++++++------------
 3 files changed, 55 insertions(+), 33 deletions(-)
diff --git a/rowers/interactiveplots.py b/rowers/interactiveplots.py
index 655e7f37..2da87b2d 100644
--- a/rowers/interactiveplots.py
+++ b/rowers/interactiveplots.py
@@ -247,19 +247,18 @@ def interactive_activitychart(workouts,startdate,enddate,stack='type'):
 durations = []
 for w in workouts:
- if w.privacy == 'visible':
- dd = w.date.strftime('%m/%d')
- dd2 = w.date.strftime('%Y/%m/%d')
- du = w.duration.hour*60+w.duration.minute
- dates.append(dd)
- dates_sorting.append(dd2)
- durations.append(du)
-
- types.append(w.workouttype)
- try:
- rowers.append(w.user.user.first_name[0]+w.user.user.last_name[0])
- except IndexError:
- rowers.append(str(w.user))
+ dd = w.date.strftime('%m/%d')
+ dd2 = w.date.strftime('%Y/%m/%d')
+ du = w.duration.hour*60+w.duration.minute
+ dates.append(dd)
+ dates_sorting.append(dd2)
+ durations.append(du)
+
+ types.append(w.workouttype)
+ try:
+ rowers.append(w.user.user.first_name[0]+w.user.user.last_name[0])
+ except IndexError:
+ rowers.append(str(w.user))
 try:
 d = utc.localize(startdate)
diff --git a/rowers/models.py b/rowers/models.py
index f45fea10..67cb73c1 100644
--- a/rowers/models.py
+++ b/rowers/models.py
@@ -837,7 +837,7 @@ def checkworkoutuser(user,workout):
 return True
 elif teams:
 for team in teams:
- if user == team.manager:
+ if user == team.manager and workout.privacy == 'visible':
 return True
 else:
 return False
diff --git a/rowers/views.py b/rowers/views.py
index ddc52509..3c59cf5f 100644
--- a/rowers/views.py
+++ b/rowers/views.py
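Review bot: With the `w.privacy == 'visible'` test removed from the loop in `interactive_activitychart` (rowers/interactiveplots.py), the chart plots every workout it is handed, including the rower initials it derives from `w.user`, so privacy now depends entirely on what the caller passes in. The `workouts_view` querysets changed later in this patch do add `privacy='visible'`, but any other caller of this function is not visible here and should be checked for the same filter. I would record the contract at the top of the function, for example `# workouts must already be limited to what the requesting user may see; no privacy filtering happens here`. The function body starts and ends outside the hunk.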
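Review bot: `checkworkoutuser` (rowers/models.py) now carries an access rule that is written down nowhere in the visible code: a team manager passes the changed test only when `workout.privacy == 'visible'`, and any other privacy value fails it. A one-line comment above the changed `if`, such as `# a team manager may access a member's workout only when it is marked visible`, would keep a later edit from loosening it by accident. The same literal is repeated as `privacy='visible'` in the rowers/views.py querysets, so the object-level check and the list filters have to be kept in agreement by hand. The branches that return True earlier in the function lie outside the hunk, so which users bypass this test cannot be confirmed from here.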
@@ -6692,29 +6692,52 @@ def workouts_view(request,message='',successmessage='',
 raise Http404("Team doesn't exist")
 if theteam.viewing == 'allmembers' or theteam.manager == request.user:
- workouts = Workout.objects.filter(team=theteam,
- startdatetime__gte=startdate,
- startdatetime__lte=enddate).order_by("-date","-starttime")
- g_workouts = Workout.objects.filter(team=theteam,
- startdatetime__gte=activity_startdate,
- startdatetime__lte=activity_enddate).order_by("-date", "-starttime")
+ workouts = Workout.objects.filter(
+ team=theteam,
+ startdatetime__gte=startdate,
+ startdatetime__lte=enddate,
+ privacy='visible').order_by("-date","-starttime")
+ g_workouts = Workout.objects.filter(
+ team=theteam,
+ startdatetime__gte=activity_startdate,
+ startdatetime__lte=activity_enddate,
+ privacy='visible').order_by("-date", "-starttime")
 elif theteam.viewing == 'coachonly':
- workouts = Workout.objects.filter(team=theteam,user=r,
- startdatetime__gte=startdate,
- startdatetime__lte=enddate).order_by("-startdatetime")
- g_workouts = Workout.objects.filter(team=theteam,user=r,
- startdatetime__gte=activity_startdate,
- enddatetime__lte=activity_enddate).order_by("-startdatetime")
+ workouts = Workout.objects.filter(
+ team=theteam,user=r,
+ startdatetime__gte=startdate,
+ startdatetime__lte=enddate,
+ privacy='visible').order_by("-startdatetime")
+ g_workouts = Workout.objects.filter(
+ team=theteam,user=r,
+ startdatetime__gte=activity_startdate,
+ enddatetime__lte=activity_enddate,
+ privacy='visible').order_by("-startdatetime")
- else:
+ elif request.user != r.user:
+ theteam = None
- workouts = Workout.objects.filter(user=r,
- startdatetime__gte=startdate,
- startdatetime__lte=enddate).order_by("-date", "-starttime")
- g_workouts = Workout.objects.filter(user=r,
- startdatetime__gte=activity_startdate,
- startdatetime__lte=activity_enddate).order_by("-startdatetime")
+ workouts = Workout.objects.filter(
+ user=r,
+ startdatetime__gte=startdate,
+ startdatetime__lte=enddate,
+ privacy='visible').order_by("-date", "-starttime")
+ g_workouts = Workout.objects.filter(
+ user=r,
+ startdatetime__gte=activity_startdate,
+ startdatetime__lte=activity_enddate,
+ privacy='visible').order_by("-startdatetime")
+ else:
+ theteam = None
+ workouts = Workout.objects.filter(
+ user=r,
+ startdatetime__gte=startdate,
+ startdatetime__lte=enddate).order_by("-date", "-starttime")
+ g_workouts = Workout.objects.filter(
+ user=r,
+ startdatetime__gte=activity_startdate,
+ startdatetime__lte=activity_enddate).order_by("-startdatetime")
 if rankingonly:
 workouts = [w for w in workouts if w.rankingpiece]
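Review bot: The visibility rule is spelled out by hand in six of the eight querysets in `workouts_view`, and the two unfiltered ones are separated from the rest only by the `elif request.user != r.user` test, so a query added later can omit the filter without anything failing. The two non-team branches differ only in that filter and could share one query pair: `own = {} if request.user == r.user else {'privacy': 'visible'}` followed by `Workout.objects.filter(user=r, ..., **own)`. The `g_workouts` query in the `coachonly` branch still bounds on `enddatetime__lte=activity_enddate` where every other query uses `startdatetime__lte`; that is carried over from the old code and looks like an inconsistency worth confirming. Indentation is lost in this rendering, so whether the new `elif`/`else` chain hangs off the `theteam.viewing` tests or off an outer condition cannot be told from the hunk, and `workouts_view` continues outside it.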