fixed wrong permission setting

rowers/templates/403.html

@@ -9,7 +9,8 @@
 <div class="grid_12">
 <h1>Forbidden</h1>
 <p>
-  Access forbidden. You probably tried to access functionality on a workout
+  Access forbidden. You probably tried to access functionality on a workout,
+  planned session 
   or chart that is not owned by you. 
 </p>
 </div>

rowers/views.py

@@ -518,7 +518,7 @@ def get_thumbnails(request,id):
     except Workout.DoesNotExist:
 	raise Http404("Workout doesn't exist")
     if (checkworkoutuser(request.user,row)==False):
-        raise Http404("You are not allowed to edit this workout")
+        raise PermissionDenied("Access denied")
     
     r = getrower(request.user)
     result = request.user.is_authenticated() and ispromember(request.user)
@@ -562,7 +562,7 @@ def get_testscript(request,id):
     except Workout.DoesNotExist:
 	raise Http404("Workout doesn't exist")
     if (checkworkoutuser(request.user,row)==False):
-        raise Http404("You are not allowed to edit this workout")
+        raise PermissionDenied("Access denied")
     
     r = getrower(request.user)
 
@@ -4931,7 +4931,7 @@ def workouts_join_select(request,
         theteam = 0
         
     if r.rowerplan == 'basic' and theteam==0:
-        raise Http404("Not allowed")
+        raise PermissionDenied("Access denied")
 
     if theteam and (theteam.viewing == 'allmembers' or theteam.manager == request.user):
         workouts = Workout.objects.filter(team=theteam,
@@ -5091,7 +5091,7 @@ def team_comparison_select(request,
         
     if r.rowerplan == 'basic' and theteam==0:
         if r.protrialexpires is None or r.protrialexpires<datetime.date.today():
-            raise Http404("Not allowed")
+            raise PermissionDenied("Access denied")
 
     if theteam and (theteam.viewing == 'allmembers' or theteam.manager == request.user):
         workouts = Workout.objects.filter(team=theteam,
@@ -6102,7 +6102,7 @@ def workouts_view(request,message='',successmessage='',
 
     # check if access is allowed
     if not checkaccessuser(request.user,r):
-        raise Http404("You are not allowed access to these data")
+        raise PermissionDenied("Access denied")
 
     if request.method == 'POST':
         dateform = DateRangeForm(request.POST)
@@ -6407,7 +6407,7 @@ def workout_view(request,id=0):
 
 
         if row.privacy == 'private':
-            raise Http404("Not allowed to view this workout")
+            raise PermissionDenied("Access denied")
         
 	g = GraphImage.objects.filter(workout=row).order_by("-creationdatetime")
         for i in g:
@@ -7914,7 +7914,7 @@ def workout_workflow_view(request,id):
     except Workout.DoesNotExist:
 	raise Http404("Workout doesn't exist")
     if (checkworkoutuser(request.user,row)==False):
-        raise Http404("You are not allowed to edit this workout")
+        raise PermissionDenied("Access denied")
     
     r = getrower(request.user)
     result = request.user.is_authenticated() and ispromember(request.user)
@@ -8622,7 +8622,7 @@ def workout_edit_view(request,id=0,message="",successmessage=""):
     aantalcomments = len(comments)
 
     if (checkworkoutuser(request.user,row)==False):
-        raise Http404("You are not allowed to edit this workout")
+        raise PermissionDenied("Access denied")
 
     # create interactive plot
     f1 = row.csvfilename
@@ -8852,7 +8852,7 @@ def workout_edit_view_navionics(request,id=0,message="",successmessage=""):
     aantalcomments = len(comments)
 
     if (checkworkoutuser(request.user,row)==False):
-        raise Http404("You are not allowed to edit this workout")
+        raise PermissionDenied("Access denied")
 
     # create interactive plot
     f1 = row.csvfilename
@@ -11752,7 +11752,7 @@ def plannedsession_create_view(request,timeperiod='thisweek',rowerid=0):
         except Rower.DoesNotExist:
             raise Http404("This rower doesn't exist")
         if not checkaccessuser(request.user,r):
-            raise Http404("You don't have access to this plan")
+            raise PermissionDenied("You don't have access to this plan")
         
     if request.method == 'POST':
         sessioncreateform = PlannedSessionForm(request.POST)
@@ -11908,7 +11908,7 @@ def plannedsession_teamedit_view(request,timeperiod='thisweek',
     except PlannedSession.DoesNotExist:
         raise Http404("This session doesn't exist")
     if not ps.manager == request.user:
-        raise Http404("You are not the manager of this session")
+        raise PermissionDenied("You are not the manager of this session")
         
     teams = Team.objects.filter(manager=request.user)
     teamchoices = [(team.id, team.name) for team in teams]
@@ -12023,7 +12023,7 @@ def plannedsessions_view(request,timeperiod='thisweek',rowerid=0):
         except Rower.DoesNotExist:
             raise Http404("This rower doesn't exist")
         if not checkaccessuser(request.user,r):
-            raise Http404("You don't have access to this plan")
+            raise PermissionDenied("You don't have access to this plan")
 
     startdate,enddate = get_dates_timeperiod(timeperiod)
         
@@ -12077,7 +12077,7 @@ def plannedsessions_manage_view(request,timeperiod='thisweek',rowerid=0,
         except Rower.DoesNotExist:
             raise Http404("This rower doesn't exist")
         if not checkaccessuser(request.user,r):
-            raise Http404("You don't have access to this plan")
+            raise PermissionDenied("You don't have access to this plan")
 
     startdate,enddate = get_dates_timeperiod(timeperiod)
                 
@@ -12197,7 +12197,7 @@ def plannedsession_clone_view(request,id=0,rowerid=0,
         except Rower.DoesNotExist:
             raise Http404("This rower doesn't exist")
         if not checkaccessuser(request.user,r):
-            raise Http404("You don't have access to this plan")
+            raise PermissionDenied("You don't have access to this plan")
 
     startdate,enddate = get_dates_timeperiod(timeperiod)
 
@@ -12207,7 +12207,7 @@ def plannedsession_clone_view(request,id=0,rowerid=0,
         raise Http404("Planned Session does not exist")
         
     if ps.manager != request.user:
-        raise Http404("You are not allowed to clone this planned session")
+        raise PermissionDenied("You are not allowed to clone this planned session")
 
     rowers = ps.rower.all()
     teams = ps.team.all()
@@ -12251,7 +12251,7 @@ def plannedsession_edit_view(request,id=0,timeperiod='thisweek',rowerid=0):
         except Rower.DoesNotExist:
             raise Http404("This rower doesn't exist")
         if not checkaccessuser(request.user,r):
-            raise Http404("You don't have access to this plan")
+            raise PermissionDenied("You don't have access to this plan")
 
     startdate,enddate = get_dates_timeperiod(timeperiod)
 
@@ -12262,7 +12262,7 @@ def plannedsession_edit_view(request,id=0,timeperiod='thisweek',rowerid=0):
         raise Http404("Planned Session does not exist")
         
     if ps.manager != request.user:
-        raise Http404("You are not allowed to edit this planned session")
+        raise PermissionDenied("You are not allowed to edit this planned session")
 
     if ps.team.all() or len(ps.rower.all())>1:
         url = reverse(plannedsession_teamedit_view,
@@ -12330,8 +12330,8 @@ def plannedsession_view(request,id=0,rowerid=0):
         raise Http404("Planned Session does not exist")
 
 
-    if ps.manager != request.user:
+    if ps.manager != request.user and r not in ps.rower.all():
-        raise Http404("You are not allowed to delete this planned session")
+        raise PermissionDenied("You do not have access to this session")
 
     
     psdict = my_dict_from_instance(ps,PlannedSession)
@@ -12368,7 +12368,7 @@ def plannedsession_delete_view(request,id=0):
 
 
     if ps.manager != request.user:
-        raise Http404("You are not allowed to delete this planned session")
+        raise PermissionDenied("You are not allowed to delete this planned session")
 
     ws = Workout.objects.filter(plannedsession=ps)
     for w in ws:
@@ -12393,7 +12393,7 @@ def plannedsession_deleteconfirm_view(request,id=0):
 
 
     if ps.manager != request.user:
-        raise Http404("You are not allowed to delete this planned session")
+        raise PermissionDenied("You are not allowed to delete this planned session")
 
     
     psdict = my_dict_from_instance(ps,PlannedSession)