From 489271317c7061979c68b1ae95b20ce0db786b19 Mon Sep 17 00:00:00 2001 From: Sander Roosendaal Date: Mon, 13 Jan 2020 19:40:22 +0100 Subject: [PATCH] passing tests --- rowers/rower_rules.py | 15 ++++++--------- rowers/tests/test_permissions.py | 1 + rowers/urls.py | 2 +- rowers/views/planviews.py | 24 ++++++++++++------------ rowers/views/statements.py | 12 +++++++++--- 5 files changed, 29 insertions(+), 25 deletions(-) diff --git a/rowers/rower_rules.py b/rowers/rower_rules.py index bac7b6ed..d60b3682 100644 --- a/rowers/rower_rules.py +++ b/rowers/rower_rules.py @@ -103,15 +103,12 @@ def can_plan(user): # checks if rower is coach of user @rules.predicate -def is_coach_user(user,rower): - try: - r = user.rower - except AttributeError: - return False - - if rower == r: +def is_coach_user(usercoach,userrower): + if usercoach == userrower: return True + r = userrower.rower + coaches = [] for group in r.coachinggroups.all(): @@ -120,7 +117,7 @@ def is_coach_user(user,rower): coaches.append(coach) for coach in coaches: - if rower == coach: + if usercoach.rower == coach: return True return False @@ -199,7 +196,7 @@ def is_workout_user(user,workout): if workout.user == r: return True - return is_coach_user(workout.user.user,user.rower) + return is_coach_user(user,workout.user.user) # check if user can see workout @rules.predicate diff --git a/rowers/tests/test_permissions.py b/rowers/tests/test_permissions.py index ad2d745e..1671d82d 100644 --- a/rowers/tests/test_permissions.py +++ b/rowers/tests/test_permissions.py @@ -13,6 +13,7 @@ from django.db import transaction import rowers.teams as teams import rowers.plannedsessions as plannedsessions +from rowers.rower_rules import is_coach_user @override_settings(TESTING=True) class PermissionsFreeCoach(TestCase): diff --git a/rowers/urls.py b/rowers/urls.py index de413d87..b8924a1a 100644 --- a/rowers/urls.py +++ b/rowers/urls.py 
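Review bot: In the `@@ -103` hunk of rowers/rower_rules.py the rewritten `is_coach_user` drops the `try/except AttributeError` guard, so `r = userrower.rower` (and `usercoach.rower` in the `@@ -120` hunk) now raises for any user object without a `rower` attribute instead of returning False. For a permission predicate a denial is the safer failure than an unhandled exception. I would restore the guard around both lookups, e.g. `coachrower = getattr(usercoach, 'rower', None)` followed by `if coachrower is None: return False`, and compare `coachrower == coach` in the loop. The `usercoach == userrower` shortcut runs before either argument is inspected, so a one-line comment stating that both parameters are User objects (not Rower objects) would help the next caller. The function body continues past the hunk.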
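Review bot: The import added in rowers/tests/test_permissions.py is not used by anything else in this patch (the diffstat shows a single added line), so the argument-order swap of `is_coach_user` ships without a test that pins its direction. Both parameters are positional and of the same type, so a call site left in the old order would not fail loudly; it would evaluate the coach/athlete relation backwards. A pair of assertions such as `self.assertTrue(is_coach_user(coach_user, athlete_user))` and `self.assertFalse(is_coach_user(athlete_user, coach_user))` would catch that (the fixture names here are placeholders, not names from this file).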
@@ -518,7 +518,7 @@ urlpatterns = [ re_path(r'^me/tprefresh/$',views.rower_tp_token_refresh,name='rower_tp_token_refresh'), re_path(r'^me/c2refresh/$',views.rower_c2_token_refresh,name='rower_c2_token_refresh'), re_path(r'^me/favoritecharts/$',views.rower_favoritecharts_view,name='rower_favoritecharts_view'), - re_path(r'^me/favoritecharts/user/(?P\d+)/$',views.rower_favoritecharts_view,name='rower_favoritecharts_view'), + re_path(r'^me/favoritecharts/user/(?P\d+)/$',views.rower_favoritecharts_view,name='rower_favoritecharts_view'), # re_path(r'^me/workflowconfig/$',views.workout_workflow_config_view), re_path(r'^me/workflowconfig2/$',views.workout_workflow_config2_view,name='workout_workflow_config2_view'), re_path(r'^me/workflowconfig2/user/(?P\d+)/$',views.workout_workflow_config2_view,name='workout_workflow_config2_view'), diff --git a/rowers/views/planviews.py b/rowers/views/planviews.py index ae16fb94..5b7b76d1 100644 --- a/rowers/views/planviews.py +++ b/rowers/views/planviews.py @@ -1959,7 +1959,7 @@ class PlannedSessionDelete(DeleteView): def get_object(self, *args, **kwargs): obj = super(PlannedSessionDelete, self).get_object(*args, **kwargs) m = Rower.objects.get(user=obj.manager) - if not is_coach_user(m.user,self.request.user.rower): + if not is_coach_user(self.request.user,m.user): raise PermissionDenied('You are not allowed to delete this planned session') return obj @@ -2103,7 +2103,7 @@ def rower_delete_trainingtarget(request,id=0): except TrainingPlan.DoesNotExist: raise Http404("Training Plan Does Not Exist") - if is_coach_user(target.manager,request.user.rower): + if is_coach_user(request.user,target.manager): target.delete() messages.info(request,"We have deleted the training target") else: 
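Review bot: In the `@@ -2103` hunk, `is_coach_user(request.user,target.manager)` in `rower_delete_trainingtarget` passes `target.manager` as is, while the other calls in this file pass a User (`plan.manager.user`, `m.user`). The rewritten predicate reads `userrower.rower` on its second argument and compares the two arguments for equality first. If `target.manager` is a Rower, as `plan.manager` appears to be, the shortcut would compare a User with a Rower and the attribute lookup would likely raise rather than decide. Worth confirming the field type and, if it is a Rower, passing `target.manager.user`. The function starts and ends outside the hunk.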
@@ -2123,7 +2123,7 @@ def rower_delete_trainingplan(request,id=0): except TrainingPlan.DoesNotExist: raise Http404("Training Plan Does Not Exist") - if is_coach_user(plan.manager.user,request.user.rower): + if is_coach_user(request.user,plan.manager.user): plan.delete() messages.info(request,"We have deleted the training plan") else: @@ -2140,7 +2140,7 @@ class TrainingPlanDelete(DeleteView): def get_object(self, *args, **kwargs): obj = super(TrainingPlanDelete, self).get_object(*args, **kwargs) - if not is_coach_user(obj.manager.user,self.request.user.rower): + if not is_coach_user(self.request.user,obj.manager.user): raise PermissionDenied('You are not allowed to delete this training plan') return obj @@ -2206,7 +2206,7 @@ class MicroCycleDelete(DeleteView): def get_object(self, *args, **kwargs): obj = super(MicroCycleDelete, self).get_object(*args, **kwargs) - if not is_coach_user(obj.plan.plan.plan.manager.user,self.request.user.rower): + if not is_coach_user(self.request.user,obj.plan.plan.plan.manager.user): raise PermissionDenied('You are not allowed to delete this training plan cycle') return obj @@ -2268,7 +2268,7 @@ class MesoCycleDelete(DeleteView): def get_object(self, *args, **kwargs): obj = super(MesoCycleDelete, self).get_object(*args, **kwargs) - if not is_coach_user(obj.plan.plan.manager.user,self.request.user.rower): + if not is_coach_user(self.request.user,obj.plan.plan.manager.user): raise PermissionDenied('You are not allowed to delete this training plan cycle') return obj @@ -2322,7 +2322,7 @@ class MacroCycleDelete(DeleteView): def get_object(self, *args, **kwargs): obj = super(MacroCycleDelete, self).get_object(*args, **kwargs) - if not is_coach_user(obj.plan.manager.user,self.request.user.rower): + if not is_coach_user(self.request.user,obj.plan.manager.user): raise PermissionDenied('You are not allowed to delete this training plan cycle') return obj 
@@ -2345,7 +2345,7 @@ def rower_trainingplan_execution_view(request, plan = TrainingPlan.objects.get(id=id) except TrainingPlan.DoesNotExist: raise Http404("Training Plan Does Not Exist") - if not is_coach_user(plan.manager.user,request.user.rower): + if not is_coach_user(request.user,plan.manager.user): if request.user.rower not in plan.rowers.all(): raise PermissionDenied("Access denied") @@ -2439,7 +2439,7 @@ def rower_trainingplan_view(request, r = getrequestrower(request,userid=userid) - if not is_coach_user(plan.manager.user,request.user.rower): + if not is_coach_user(request.user,plan.manager.user): if request.user.rower not in plan.rowers.all(): raise PermissionDenied("Access denied") @@ -2568,7 +2568,7 @@ class TrainingMacroCycleUpdate(UpdateView): if obj.plan.manager is not None and self.request.user.rower != obj.plan.manager: raise PermissionDenied('You are not allowed to edit this training plan cycle') - if not is_coach_user(obj.plan.manager.user,self.request.user.rower): + if not is_coach_user(self.request.user,obj.plan.manager.user): raise PermissionDenied('You are not allowed to edit this training plan cycle') else: obj.type = 'userdefined' @@ -2850,7 +2850,7 @@ def planmesocyclebyweek(request,id=0,userid=0): except TrainingMesoCycle.DoesNotExist: raise Http404("Training Cycle does not exist") - if not is_coach_user(cycle.plan.plan.manager.user,request.user.rower): + if not is_coach_user(request.user,cycle.plan.plan.manager.user): raise PermissionDenied("You are not allowed to do this") micros = TrainingMicroCycle.objects.filter(plan=cycle) @@ -2905,7 +2905,7 @@ def planmacrocyclebymonth(request,id=0,userid=0): except TrainingMacroCycle.DoesNotExist: raise Http404("Training Cycle does not exist") - if not is_coach_user(cycle.plan.manager.user,request.user.rower): + if not is_coach_user(request.user,cycle.plan.manager.user): raise PermissionDenied("You are not allowed to do this") mesos = TrainingMesoCycle.objects.filter(plan=cycle) 
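Review bot: In the `@@ -2568` hunk the context line just above the changed call tests `obj.plan.manager is not None`, which suggests a plan can have no manager, yet the new call dereferences `obj.plan.manager.user` unconditionally. Indentation is lost in this rendering, so I cannot tell whether the call is reachable with a null manager; if it is, the view fails with AttributeError instead of raising PermissionDenied. The same `...manager.user` chain is dereferenced in the hunks from `@@ -2123` through `@@ -2905`. Checking the manager first keeps these paths failing closed, for example `manager = obj.plan.manager` followed by `if manager is None or not is_coach_user(self.request.user, manager.user):`. The enclosing method starts and ends outside the hunk.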
diff --git a/rowers/views/statements.py b/rowers/views/statements.py index b3820bca..b61f1d20 100644 --- a/rowers/views/statements.py +++ b/rowers/views/statements.py @@ -297,7 +297,13 @@ def get_workout_default_page(request,id): else: return reverse('workout_workflow_view',kwargs={'id':id}) -def get_user_by_id(request,id): +def get_user_by_id(*args,**kwargs): + request = args[0] + try: + id = args[1] + except IndexError: + id = request.user.id + return get_object_or_404(User,pk=id) def getrequestrower(request,rowerid=0,userid=0,notpermanent=False): @@ -327,7 +333,7 @@ def getrequestrower(request,rowerid=0,userid=0,notpermanent=False): except Rower.DoesNotExist: raise Http404("Rower doesn't exist") - if userid != 0 and not is_coach_user(u,request.user.rower): + if userid != 0 and not is_coach_user(request.user,u): raise PermissionDenied("You have no access to this user") if notpermanent == False: @@ -360,7 +366,7 @@ def getrequestplanrower(request,rowerid=0,userid=0,notpermanent=False): except Rower.DoesNotExist: raise Http404("Rower doesn't exist") - if not is_coach_user(r.user,request.user.rower): + if not is_coach_user(request.user,r.user): raise PermissionDenied("You have no access to this user") if notpermanent == False:
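Review bot: In the `@@ -297` hunk, `get_user_by_id(*args,**kwargs)` accepts keyword arguments and then ignores them, so a caller that supplies the id by keyword silently gets `request.user` back instead of the requested user. If this function feeds an object-level permission check, the check then runs against the requester's own account rather than the account named in the request. I would keep an explicit signature and make the fallback visible: `def get_user_by_id(request, id=None, **kwargs):` with `pk = request.user.id if id is None else id` before the `get_object_or_404` call, and decide explicitly which keyword names, if any, are honoured. As written, `args[0]` also raises IndexError when the request itself is passed by keyword.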