From 1c9bdc24b55fb6b9ccb1c9524fee0dea2a70a9c1 Mon Sep 17 00:00:00 2001
From: Sander Roosendaal
Date: Fri, 17 Jan 2020 14:33:56 +0100
Subject: [PATCH] bug fixing - bugs detected by manually poking around on the site need additional testing suite to systematically go through all permissions need additional permissions check at Model level - models.py
---
 rowers/c2stuff.py | 4 ++--
 rowers/rower_rules.py | 8 ++++----
 rowers/stravastuff.py | 4 ++--
 rowers/views/planviews.py | 7 ++++---
 rowers/views/statements.py | 2 +-
 rowers/views/workoutviews.py | 12 ++++++------
 6 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/rowers/c2stuff.py b/rowers/c2stuff.py
index 432b5634..83d18ae7 100644
--- a/rowers/c2stuff.py
+++ b/rowers/c2stuff.py
@@ -14,7 +14,7 @@ import datetime
 from requests import Request, Session
 import rowers.mytypes as mytypes
 from rowers.mytypes import otwtypes
-from rowers.rower_rules import is_workout_user
+from rowers.rower_rules import is_workout_user,ispromember
 from iso8601 import ParseError
 import numpy
@@ -156,7 +156,7 @@ def add_stroke_data(user,c2id,workoutid,startdatetime,csvfilename,
 def get_c2_workouts(rower):
- if not isprorower(rower):
+ if not ispromember(rower.user):
 return 0
 try:
diff --git a/rowers/rower_rules.py b/rowers/rower_rules.py
index ff9ef370..dd78d76b 100644
--- a/rowers/rower_rules.py
+++ b/rowers/rower_rules.py
@@ -193,15 +193,15 @@ def can_add_session(user):
 def can_plan(user):
 return user.rower.rowerplan in ['plan','coach','freecoach']
-# checks if rower is coach of user
+# checks if rower is coach of user (or is user himself)
 @rules.predicate
 def is_coach_user(usercoach,userrower):
- if not is_coach(usercoach):
- return False
-
 if usercoach == userrower:
 return True
+ if not is_coach(usercoach):
+ return False
+
 r = userrower.rower
 coaches = []
diff --git a/rowers/stravastuff.py b/rowers/stravastuff.py
index 37e33dbc..30e8ab61 100644
--- a/rowers/stravastuff.py
+++ b/rowers/stravastuff.py
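Review bot: The import added on the new side, `from rowers.rower_rules import is_workout_user,ispromember`, omits the PEP 8 space after the comma, and the identical import is added in rowers/stravastuff.py; write both as `from rowers.rower_rules import is_workout_user, ispromember`. In the second hunk, `isprorower` does not appear among this module's imports in the visible header hunk, so the removed line most likely raised NameError rather than denying non-pro rowers, which makes this a behaviour change worth a regression test asserting that `get_c2_workouts` returns `0` for a non-pro rower. The body of `get_c2_workouts` continues past the hunk.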
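Review bot: Moving the `usercoach == userrower` check ahead of `is_coach(usercoach)` makes `is_coach_user` return True for any user evaluated against themselves, coach plan or not, so every rule built on this predicate is widened, not just the plan views this commit targets. The updated comment records the intent but the predicate's name no longer does; add a docstring such as `"""True when usercoach coaches userrower, or when both are the same user (no coach plan is needed for self-access)."""`, or split the self case into a separate `is_self_or_coach_user` predicate so rules that genuinely require a coach stay distinguishable. A test pinning `is_coach_user(user, user)` for a user without a coach plan would document the widening. The function body continues past the hunk.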
@@ -18,7 +18,7 @@ queuehigh = django_rq.get_queue('low')
 from rowers.dataprep import columndict
-from rowers.rower_rules import is_workout_user
+from rowers.rower_rules import is_workout_user,ispromember
 import stravalib
 from stravalib.exc import ActivityUploadFailed,TimeoutExceeded
@@ -125,7 +125,7 @@ def get_strava_workout_list(user,limit_n=0):
 # gets all new Strava workouts for a rower
 def get_strava_workouts(rower):
- if not isprorower(rower):
+ if not ispromember(rower.user):
 return 0
 try:
diff --git a/rowers/views/planviews.py b/rowers/views/planviews.py
index c36af4ec..2548c41f 100644
--- a/rowers/views/planviews.py
+++ b/rowers/views/planviews.py
@@ -2343,9 +2343,10 @@ def rower_trainingplan_execution_view(request,
 )
-@user_passes_test(can_plan,login_url="/rowers/paidplans",
- message="This functionality requires a Coach or Self-Coach plan",
- redirect_field_name=None)
+#@user_passes_test(can_plan,login_url="/rowers/paidplans",
+# message="This functionality requires a Coach or Self-Coach plan",
+# redirect_field_name=None)
+@login_required()
 @permission_required('plan.view_plan',fn=get_plan_by_pk,raise_exception=True)
 def rower_trainingplan_view(request, id=0,
diff --git a/rowers/views/statements.py b/rowers/views/statements.py
index c260d3bc..e6b43cb3 100644
--- a/rowers/views/statements.py
+++ b/rowers/views/statements.py
@@ -429,7 +429,7 @@ def getrequestplanrower(request,rowerid=0,userid=0,notpermanent=False):
 except Rower.DoesNotExist:
 raise Http404("Rower doesn't exist")
- if not can_plan_user(request.user,r ):
+ if r.user != request.user and not can_plan_user(request.user,r ):
 request.session['rowerid'] = r.id
 raise PermissionDenied("You have no access to this user")
diff --git a/rowers/views/workoutviews.py b/rowers/views/workoutviews.py
index 628163b4..c4ac32c5 100644
--- a/rowers/views/workoutviews.py
+++ b/rowers/views/workoutviews.py
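Review bot: The replaced `@user_passes_test(can_plan, ...)` decorator is left in the file as three commented-out lines above the new `@login_required()`; the history already holds it, so delete those three lines rather than keeping dead code around the view. With the plan gate removed, access to `rower_trainingplan_view` rests entirely on `@permission_required('plan.view_plan',fn=get_plan_by_pk,raise_exception=True)`, and the commit message itself says model-level permission checks are still missing, so confirm that the `plan.view_plan` rule alone encodes the coach/self access this view is meant to allow before shipping it as the only check. The decorated function's body lies outside the hunk.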
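Review bot: The self-access exemption `r.user != request.user and ...` duplicates the same-user policy this commit also adds inside `is_coach_user` in rowers/rower_rules.py, and encoding it at the call site lets the two drift, e.g. a later tightening of `can_plan_user` would not apply here. Prefer folding the same-user case into `can_plan_user` (or the predicate it wraps) so this line can return to `if not can_plan_user(request.user, r):` and every caller gets the same answer. Separately, `request.session['rowerid'] = r.id` runs only on the denial path, which looks surprising but predates this change. `getrequestplanrower` starts before the hunk.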
@@ -4775,22 +4775,22 @@ def workout_upload_view(request,
 return response
 else:
 if not is_ajax:
- if r.c2_auto_export and isprorower(r):
+ if r.c2_auto_export and ispromember(r.user):
 uploadoptions['upload_to_C2'] = True
- if r.strava_auto_export and isprorower(r):
+ if r.strava_auto_export and ispromember(r.user):
 uploadoptions['upload_to_Strava'] = True
- if r.sporttracks_auto_export and isprorower(r):
+ if r.sporttracks_auto_export and ispromember(r.user):
 uploadoptions['upload_to_SportTracks'] = True
- if r.runkeeper_auto_export and isprorower(r):
+ if r.runkeeper_auto_export and ispromember(r.user):
 uploadoptions['upload_to_RunKeeper'] = True
- if r.trainingpeaks_auto_export and isprorower(r):
+ if r.trainingpeaks_auto_export and ispromember(r.user):
 uploadoptions['upload_to_TrainingPeaks'] = True
- if r.mapmyfitness_auto_export and isprorower(r):
+ if r.mapmyfitness_auto_export and ispromember(r.user):
 uploadoptions['upload_to_MapMyFitness'] = True
 form = DocumentsForm(initial=docformoptions)
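Review bot: `ispromember(r.user)` is evaluated six times in a row on the new side, once per `*_auto_export` flag; if it consults the database or subscription state, that is six identical lookups per upload. Evaluate it once before the first `if` with `is_pro = ispromember(r.user)` and test `if r.c2_auto_export and is_pro:` and so on, or wrap the whole run of six in a single `if is_pro:` so the export flags are only consulted for pro members. `workout_upload_view` begins well before the hunk.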