sander/rowsandall
Private
Public Access
1
0
Fork 0
Code Activity

bug fixing - bugs detected by manually poking around on the site

Browse Source 
need additional testing suite to systematically go through all
permissions
need additional permissions check at Model level - models.py
This commit is contained in:
Sander Roosendaal
2020-01-17 14:33:56 +01:00
parent c186895e7a
commit 1c9bdc24b5
6 changed files with 19 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
rowers/c2stuff.py
View File

@@ -14,7 +14,7 @@ import datetime
from requests import Request, Session from requests import Request, Session
import rowers.mytypes as mytypes import rowers.mytypes as mytypes
from rowers.mytypes import otwtypes from rowers.mytypes import otwtypes
from rowers.rower_rules import is_workout_user from rowers.rower_rules import is_workout_user,ispromember
from iso8601 import ParseError from iso8601 import ParseError
import numpy import numpy
@@ -156,7 +156,7 @@ def add_stroke_data(user,c2id,workoutid,startdatetime,csvfilename,
def get_c2_workouts(rower): def get_c2_workouts(rower):
if not isprorower(rower): if not ispromember(rower.user):
return 0 return 0
try: try:

8
rowers/rower_rules.py
View File

@@ -193,15 +193,15 @@ def can_add_session(user):
def can_plan(user): def can_plan(user):
return user.rower.rowerplan in ['plan','coach','freecoach'] return user.rower.rowerplan in ['plan','coach','freecoach']
# checks if rower is coach of user # checks if rower is coach of user (or is user himself)
@rules.predicate @rules.predicate
def is_coach_user(usercoach,userrower): def is_coach_user(usercoach,userrower):
if not is_coach(usercoach):
return False
if usercoach == userrower: if usercoach == userrower:
return True return True
if not is_coach(usercoach):
return False
r = userrower.rower r = userrower.rower
coaches = [] coaches = []

4
rowers/stravastuff.py
View File

@@ -18,7 +18,7 @@ queuehigh = django_rq.get_queue('low')
from rowers.dataprep import columndict from rowers.dataprep import columndict
from rowers.rower_rules import is_workout_user from rowers.rower_rules import is_workout_user,ispromember
import stravalib import stravalib
from stravalib.exc import ActivityUploadFailed,TimeoutExceeded from stravalib.exc import ActivityUploadFailed,TimeoutExceeded
@@ -125,7 +125,7 @@ def get_strava_workout_list(user,limit_n=0):
# gets all new Strava workouts for a rower # gets all new Strava workouts for a rower
def get_strava_workouts(rower): def get_strava_workouts(rower):
if not isprorower(rower): if not ispromember(rower.user):
return 0 return 0
try: try:

7
rowers/views/planviews.py
View File

@@ -2343,9 +2343,10 @@ def rower_trainingplan_execution_view(request,
) )
@user_passes_test(can_plan,login_url="/rowers/paidplans", #@user_passes_test(can_plan,login_url="/rowers/paidplans",
message="This functionality requires a Coach or Self-Coach plan", # message="This functionality requires a Coach or Self-Coach plan",
redirect_field_name=None) # redirect_field_name=None)
@login_required()
@permission_required('plan.view_plan',fn=get_plan_by_pk,raise_exception=True) @permission_required('plan.view_plan',fn=get_plan_by_pk,raise_exception=True)
def rower_trainingplan_view(request, def rower_trainingplan_view(request,
id=0, id=0,

2
rowers/views/statements.py
View File

@@ -429,7 +429,7 @@ def getrequestplanrower(request,rowerid=0,userid=0,notpermanent=False):
except Rower.DoesNotExist: except Rower.DoesNotExist:
raise Http404("Rower doesn't exist") raise Http404("Rower doesn't exist")
if not can_plan_user(request.user,r ): if r.user != request.user and not can_plan_user(request.user,r ):
request.session['rowerid'] = r.id request.session['rowerid'] = r.id
raise PermissionDenied("You have no access to this user") raise PermissionDenied("You have no access to this user")

12
rowers/views/workoutviews.py
View File

@@ -4775,22 +4775,22 @@ def workout_upload_view(request,
return response return response
else: else:
if not is_ajax: if not is_ajax:
if r.c2_auto_export and isprorower(r): if r.c2_auto_export and ispromember(r.user):
uploadoptions['upload_to_C2'] = True uploadoptions['upload_to_C2'] = True
if r.strava_auto_export and isprorower(r): if r.strava_auto_export and ispromember(r.user):
uploadoptions['upload_to_Strava'] = True uploadoptions['upload_to_Strava'] = True
if r.sporttracks_auto_export and isprorower(r): if r.sporttracks_auto_export and ispromember(r.user):
uploadoptions['upload_to_SportTracks'] = True uploadoptions['upload_to_SportTracks'] = True
if r.runkeeper_auto_export and isprorower(r): if r.runkeeper_auto_export and ispromember(r.user):
uploadoptions['upload_to_RunKeeper'] = True uploadoptions['upload_to_RunKeeper'] = True
if r.trainingpeaks_auto_export and isprorower(r): if r.trainingpeaks_auto_export and ispromember(r.user):
uploadoptions['upload_to_TrainingPeaks'] = True uploadoptions['upload_to_TrainingPeaks'] = True
if r.mapmyfitness_auto_export and isprorower(r): if r.mapmyfitness_auto_export and ispromember(r.user):
uploadoptions['upload_to_MapMyFitness'] = True uploadoptions['upload_to_MapMyFitness'] = True
form = DocumentsForm(initial=docformoptions) form = DocumentsForm(initial=docformoptions)