diff --git a/rowers/models.py b/rowers/models.py
index 93dcfa58..ac7b00d1 100644
--- a/rowers/models.py
+++ b/rowers/models.py
@@ -1024,6 +1024,25 @@ def checkworkoutuser(user,workout):
except Rower.DoesNotExist:
return False
+# Check if workout may be viewed by this user
+def checkworkoutuserview(user,workout):
+ if user.is_anonymous():
+ return False
+ try:
+ r = Rower.objects.get(user=user)
+ if workout.user == r:
+ return True
+ teams = workout.user.team.all()
+
+ for team in teams:
+ if team in r.team.all():
+ return True
+ return False
+ except Rower.DoesNotExist:
+ return False
+
+ return False
+
def checkviewworkouts(user,rower):
try:
r = user.rower
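Review bot: `checkworkoutuserview` grants view access to any rower who shares at least one team with the workout's owner, and nothing in the added lines consults a per-workout or per-team sharing setting; if the models have one (not visible in this hunk) it should be checked here. Either way the rule belongs in a docstring, for example `"""Return True if user owns the workout or shares a team with its owner."""`. The loop re-evaluates `r.team.all()` on every iteration and the final `return False` after the `try`/`except` is unreachable; `return workout.user.team.filter(pk__in=r.team.all()).exists()` expresses the same test in one query. `user.is_anonymous()` is called as a method, which raises on Django 2.0 and later where it is a plain attribute; that is fine only while the project stays on an older release, as the `is_authenticated()` call elsewhere in this commit suggests.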
diff --git a/rowers/plannedsessions.py b/rowers/plannedsessions.py
index 756cf751..c8a2e2a8 100644
--- a/rowers/plannedsessions.py
+++ b/rowers/plannedsessions.py
@@ -473,13 +473,14 @@ def remove_rower_session(r,ps):
return 1
-def get_dates_timeperiod(request,startdatestring='',enddatestring=''):
+def get_dates_timeperiod(request,startdatestring='',enddatestring='',
+ defaulttimeperiod='thisweek'):
# set start end date according timeperiod
timeperiod = request.GET.get('when')
if not timeperiod:
- timeperiod = 'thisweek'
+ timeperiod = defaulttimeperiod
startdatestring = request.GET.get('startdate')
enddatestring = request.GET.get('enddate')
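Review bot: The new `defaulttimeperiod` parameter is undocumented and is not checked against the period names the function handles; the only description is the one-line comment under the signature. A docstring would help, for example `"""Return (startdate, enddate) for the 'when' query parameter, falling back to defaulttimeperiod when it is absent."""`, together with a note that the default must be one of the names the `elif` chain recognises. What the function returns for an unrecognised name is decided further down, outside this hunk, so it is worth confirming that a mistyped default cannot leave `startdate`/`enddate` unset.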
@@ -536,6 +537,10 @@ def get_dates_timeperiod(request,startdatestring='',enddatestring=''):
enddate = startdate+timezone.timedelta(days=32)
enddate = enddate.replace(day=1)
enddate = enddate-timezone.timedelta(days=1)
+ elif timeperiod=='lastyear':
+ today = date.today()
+ startdate = today-timezone.timedelta(days=365)
+ enddate = today+timezone.timedelta(days=1)
elif daterangetester.match(timeperiod):
tstartdatestring = daterangetester.match(timeperiod).group(1)
tenddatestring = daterangetester.match(timeperiod).group(2)
diff --git a/rowers/templates/list_workouts.html b/rowers/templates/list_workouts.html
index bfac39a8..b4066432 100644
--- a/rowers/templates/list_workouts.html
+++ b/rowers/templates/list_workouts.html
@@ -129,7 +129,7 @@
{% if workouts.has_next %}
{% if request.GET.q %}
-
+
{% else %}
-
+
@@ -216,7 +216,7 @@
{% if team %}
{% if workout|may_edit:request %}
-
+
{{ workout.user.user.first_name }}
{{ workout.user.user.last_name }}
@@ -245,18 +245,14 @@
|
- {% if workout|may_edit:request %}
- {% else %}
-
- {% endif %}
|
- {% if workout.user.user == user or user == team.manager %}
+ {% if workout|may_edit:request %}
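Review bot: The condition on the last added line replaces the explicit `workout.user.user == user or user == team.manager` test with `workout|may_edit:request`, so whether a team manager still sees this control now depends on the `may_edit` filter, which is not part of this diff. If managers are meant to keep it, confirm the filter covers them; if not, say so in the commit description. A template condition only hides the link, so the views behind these controls need to enforce the same rule server-side; a comment such as `{# display only: edit views enforce permissions themselves #}` above the block would record that.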
diff --git a/rowers/templatetags/rowerfilters.py b/rowers/templatetags/rowerfilters.py
index 83269444..a51203ad 100644
--- a/rowers/templatetags/rowerfilters.py
+++ b/rowers/templatetags/rowerfilters.py
@@ -470,7 +470,7 @@ def userurl(path,member):
userstring = 'user/%s/' % member.id
# remove team
- tpattern = re.compile('\/team\/\d+/')
+ tpattern = re.compile('team\/\d+/')
if tpattern.search(path) is not None:
path = tpattern.sub('',path)
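Review bot: The new pattern `'team\/\d+/'` is no longer anchored on a path separator, so `tpattern.sub('',path)` also cuts into a segment that merely ends in `team` (constructed example: `/myteam/12/` becomes `/my`). If the leading slash was dropped so that the preceding separator survives the substitution, a lookbehind keeps the anchoring: `tpattern = re.compile(r'(?<=/)team/\d+/')`. The raw-string prefix also avoids the invalid-escape warning that `\d` in a plain string literal produces on current Python 3. `userurl` begins and ends outside this hunk.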
@@ -478,7 +478,7 @@ def userurl(path,member):
replaced = pattern.sub(userstring,path)
else:
replaced = path+userstring
-
+
return replaced
@register.filter
@@ -497,6 +497,7 @@ def teamurl(path,team):
else:
replaced = path+teamstring
+
return replaced
@register.filter
diff --git a/rowers/tests/test_permissions.py b/rowers/tests/test_permissions.py
index a902d2fb..76ee8dab 100644
--- a/rowers/tests/test_permissions.py
+++ b/rowers/tests/test_permissions.py
@@ -958,6 +958,40 @@ class PermissionsViewTests(TestCase):
response = self.c.get(url)
self.assertEqual(response.status_code,200)
+
+ # stats
+ url = reverse('workout_view',
+ kwargs={'id':encoder.encode_hex(self.uplan2_workouts[0].id)}
+ )
+
+ response = self.c.get(url)
+ self.assertEqual(response.status_code,200)
+
+ # workflow
+ url = reverse('workout_workflow_view',
+ kwargs={'id':encoder.encode_hex(self.uplan2_workouts[0].id)}
+ )
+
+ response = self.c.get(url)
+ self.assertEqual(response.status_code,200)
+
+ # stats
+ url = reverse('workout_stats_view',
+ kwargs={'id':encoder.encode_hex(self.uplan2_workouts[0].id)}
+ )
+
+ response = self.c.get(url)
+ self.assertEqual(response.status_code,200)
+
+ # compare
+ url = reverse('team_comparison_select',
+ kwargs={'id':encoder.encode_hex(self.uplan2_workouts[0].id)}
+ )
+
+ response = self.c.get(url)
+ self.assertEqual(response.status_code,200)
+
+
## Pro users (and higher) can join group led by other Pro (or higher) user
def test_team_member_request_pro_pro(self):
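Review bot: The four added requests only assert the allowed case (status 200) for the views that now use the wider view permission; nothing here checks that a logged-in user who shares no team with the workout's owner is still refused. Since this commit relaxes an authorization check, each of these URLs should also be fetched as such a user with `self.assertEqual(response.status_code,403)`, plus one anonymous request per view. The first block is labelled `# stats` but reverses `workout_view`; `# view` would match. The enclosing test method starts outside this hunk, so the fixtures it relies on are not visible here.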
@@ -1416,8 +1450,7 @@ class PermissionsCoachingTests(TestCase):
## Basic users can subscribe to any race
-# group related
-## group members can see but not edit each other's workouts and charts
+###
## group members can see but not edit each other's plans
diff --git a/rowers/views/statements.py b/rowers/views/statements.py
index e7e2305e..3f1ec013 100644
--- a/rowers/views/statements.py
+++ b/rowers/views/statements.py
@@ -367,6 +367,14 @@ def get_workout_permitted(user,id):
return w
+def get_workout_permittedview(user,id):
+ w = get_workout(id)
+
+ if (checkworkoutuserview(user,w)==False):
+ raise PermissionDenied("Access denied")
+
+ return w
+
def getvalue(data):
perc = 0
total = 1
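Review bot: `get_workout_permittedview` differs from `get_workout_permitted` by a single suffix but enforces the weaker, read-only rule, and nothing in the added lines says so; a view that modifies a workout and picks this helper by mistake would let team members edit each other's data. A docstring would make the contract explicit, for example `"""Return the workout if user may VIEW it (owner or team mate); use get_workout_permitted for anything that modifies it."""`. The comparison is also clearer as `if not checkworkoutuserview(user,w):`, which treats any falsy result as a denial. The `checkworkoutuserview` import is only added near line 952 of this module, which works because the name is resolved at call time.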
@@ -944,7 +952,9 @@ from rowers.utils import (
import rowers.datautils as datautils
-from rowers.models import checkworkoutuser,checkaccessuser,checkviewworkouts
+from rowers.models import (
+ checkworkoutuser,checkaccessuser,checkviewworkouts,checkworkoutuserview
+ )
# Check if a user is a Coach member
def iscoachmember(user):
diff --git a/rowers/views/workoutviews.py b/rowers/views/workoutviews.py
index b49af87d..ff8f6acc 100644
--- a/rowers/views/workoutviews.py
+++ b/rowers/views/workoutviews.py
@@ -737,8 +737,8 @@ def team_comparison_select(request,
if id:
firstworkout = get_workout(id)
- if not checkworkoutuser(request.user,firstworkout):
- raise PermissionDenied("You are not allowed to sue this workout")
+ if not checkworkoutuserview(request.user,firstworkout):
+ raise PermissionDenied("You are not allowed to use this workout")
firstworkoutquery = Workout.objects.filter(id=encoder.decode_hex(id))
workouts = firstworkoutquery | workouts
@@ -1160,10 +1160,9 @@ def multi_compare_view(request,id=0,userid=0):
# List Workouts
@login_required()
def workouts_view(request,message='',successmessage='',
- startdatestring='',
- enddatestring='',
teamid=0,rankingonly=False,rowerid=0,userid=0):
+ startdate,enddate = get_dates_timeperiod(request,defaulttimeperiod='lastyear')
request.session['referer'] = absolute(request)['PATH']
r = getrequestrower(request,rowerid=rowerid,userid=userid)
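Review bot: Dropping `startdatestring` and `enddatestring` from the `workouts_view` signature is an interface change that this diff does not follow through on: any URL pattern or `reverse(...)` call that still supplies those keyword arguments will now fail with a `TypeError` rather than a clean error page. No `urls.py` change is part of this commit, so the routes that point at this view need checking. If old links must keep working, the parameters could stay in the signature and be ignored, with a comment such as `# kept for old URLs; dates now come from ?when=`. The function body continues outside this hunk.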
@@ -1171,15 +1170,6 @@ def workouts_view(request,message='',successmessage='',
if not checkviewworkouts(request.user,r):
raise PermissionDenied("Access denied")
- if startdatestring:
- startdate = iso8601.parse_date(startdatestring)
- else:
- startdate = datetime.date.today()-datetime.timedelta(days=365)
-
- if enddatestring:
- enddate = iso8601.parse_date(enddatestring)
- else:
- enddate = datetime.date.today()
startdate = datetime.datetime.combine(startdate,datetime.time())
@@ -1352,7 +1342,7 @@ def workouts_view(request,message='',successmessage='',
'name':'Workouts'
},
]
-
+ timeperiod = startdate.strftime('%Y-%m-%d')+'/'+enddate.strftime('%Y-%m-%d')
return render(request, 'list_workouts.html',
{'workouts': workouts,
'active': 'nav-workouts',
@@ -1368,6 +1358,7 @@ def workouts_view(request,message='',successmessage='',
'teams':get_my_teams(request.user),
'interactiveplot':script,
'the_div':div,
+ 'timeperiod':timeperiod,
})
@@ -2489,7 +2480,7 @@ def workout_stats_view(request,id=0,message="",successmessage=""):
# prepare data frame
datadf,row = dataprep.getrowdata_db(id=encoder.decode_hex(id))
- if (checkworkoutuser(request.user,row)==False):
+ if (checkworkoutuserview(request.user,row)==False):
raise PermissionDenied('Access Denied')
datadf = dataprep.clean_df_stats(datadf,workstrokesonly=workstrokesonly)
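Review bot: The permission check still runs only after `dataprep.getrowdata_db(...)` has loaded the workout's stroke data, so a refused request pays for the full data load, and that cost is reachable by more users now that the check admits team members. Authorising first keeps the order safe, for example `row = get_workout_permittedview(request.user,id)` ahead of the `getrowdata_db` call, which is the helper `workout_workflow_view` uses in this same commit. What `row` holds when the id matches no workout is not visible in this hunk, so the current `==False` comparison may also be evaluating a placeholder value instead of a workout.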
@@ -2725,7 +2716,7 @@ def workout_workflow_view(request,id):
request.session['referer'] = absolute(request)['PATH']
request.session['lastworkout'] = id
request.session[translation.LANGUAGE_SESSION_KEY] = USER_LANGUAGE
- row = get_workout_permitted(request.user,id)
+ row = get_workout_permittedview(request.user,id)
r = getrower(request.user)
result = request.user.is_authenticated() and ispromember(request.user)
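Review bot: The three `request.session[...]` assignments above the changed line run before `get_workout_permittedview`, so a request that ends in `PermissionDenied` has already stored the requested id as `lastworkout` in the caller's session. Whether other views trust `lastworkout` is not visible here, but moving `row = get_workout_permittedview(request.user,id)` to the top of the function removes the question. This page is now reachable by team mates and not only the owner, so it is also worth confirming that nothing further down in `workout_workflow_view`, which continues outside this hunk, offers owner-only actions without a separate `checkworkoutuser` test.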
|