diff --git a/rowers/rower_rules.py b/rowers/rower_rules.py index 795bdf21..2f4c06d1 100644 --- a/rowers/rower_rules.py +++ b/rowers/rower_rules.py @@ -212,6 +212,7 @@ def is_coach_user(usercoach,userrower): coaches.append(coach) for coach in coaches: + print(usercoach.rower,coach) if usercoach.rower == coach: return True diff --git a/rowers/tests/test_permissions.py b/rowers/tests/test_permissions.py index 0f013d70..9ceea306 100644 --- a/rowers/tests/test_permissions.py +++ b/rowers/tests/test_permissions.py @@ -841,6 +841,8 @@ class PermissionsViewTests(TestCase): self.assertEqual(response.status_code,200) + + @patch('rowers.dataprep.read_cols_df_sql', side_effect = mocked_read_df_cols_sql_multistats) def test_coach_edit_athlete_analysis_not(self,mocked_df): self.rbasic.team.add(self.teamcoach) @@ -851,7 +853,7 @@ class PermissionsViewTests(TestCase): url = reverse('cumstats', kwargs={ - 'theuser':self.ubasic.id, + 'userid':self.ubasic.id, } ) @@ -859,6 +861,24 @@ class PermissionsViewTests(TestCase): self.assertEqual(response.status_code,403) + @patch('rowers.dataprep.read_cols_df_sql', side_effect = mocked_read_df_cols_sql_multistats) + def test_coach_edit_athlete_analysis_not2(self,mocked_df): + self.rbasic.team.add(self.teamcoach) + + login = self.c.login(username=self.ucoach.username, password=self.ucoachpassword) + self.assertTrue(login) + + + url = reverse('analysis_new', + kwargs={ + 'userid':self.ubasic.id, + } + ) + + response = self.c.get(url) + + self.assertEqual(response.status_code,403) + ## Coach can upload on behalf of athlete - if team allows @patch('rowers.dataprep.create_engine') diff --git a/rowers/tests/test_plans.py b/rowers/tests/test_plans.py index b593a8d7..e367c509 100644 --- a/rowers/tests/test_plans.py +++ b/rowers/tests/test_plans.py 
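Review bot: The added `print(usercoach.rower,coach)` sits inside the authorization rule `is_coach_user` and writes the requesting coach's rower plus every candidate coach to stdout on each permission check; debug output of this kind ends up in server logs and should not ship. Either drop the line or route it through a module logger at debug level, e.g. `logger.debug("is_coach_user: %s vs %s", usercoach.rower, coach)` with `logger = logging.getLogger(__name__)` at module level if the file has none. The same applies to the `print(kwargs,request.user.id,'get_user_by_id')` added to `get_user_by_userid` in rowers/views/statements.py later in this diff, whose label also names the wrong function. `is_coach_user` begins and ends outside the hunk.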
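Review bot: `test_coach_edit_athlete_analysis_not2` reverses `analysis_new` with a `userid` kwarg, whereas `analysis_view_data` in rowers/views/analysisviews.py reverses the same name with no kwargs; unless the URLconf declares two patterns under that name, one of the two calls raises `NoReverseMatch`, and here the test would error out before reaching the 403 assertion it is meant to prove. The urls.py hunk in this diff does not touch `analysis_new`, so this is worth confirming against the route table. The two blank lines added before `test_coach_edit_athlete_analysis_not` are whitespace only. The test class continues outside the hunks.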
@@ -5,7 +5,8 @@ from __future__ import unicode_literals #from __future__ import print_function from .statements import * -nu = datetime.datetime.now()self.ucoach = UserFactory() +nu = datetime.datetime.now() +self.ucoach = UserFactory() self.rcoach = Rower.objects.create( user=self.ucoach, birthdate=faker.profile()['birthdate'], diff --git a/rowers/urls.py b/rowers/urls.py index 50b095a1..91614718 100644 --- a/rowers/urls.py +++ b/rowers/urls.py @@ -274,7 +274,7 @@ urlpatterns = [ re_path(r'^histodata/$',views.histo_data,name='histo_data'), # re_path(r'^histo/user/(?P\d+)/(?P\d+-\d+-\d+)/(?P\d+-\d+-\d+)/$',views.histo,name='histo'), re_path(r'^histo/$',views.histo,name='histo'), - re_path(r'^cumstats/user/(?P\d+)/$',views.cumstats,name='cumstats'), + re_path(r'^cumstats/user/(?P\d+)/$',views.cumstats,name='cumstats'), # re_path(r'^cumstats/(?P\d+-\d+-\d+)/(?P\d+-\d+-\d+)/$',views.cumstats,name='cumstats'), # re_path(r'^cumstats/user/(?P\d+)/(?P\d+-\d+-\d+)/(?P\d+-\d+-\d+)/$',views.cumstats,name='cumstats'), # re_path(r'^cumstats/(?P\d+-\d+-\d+)/(?P\d+-\d+-\d+)/$',views.cumstats,name='cumstats'), diff --git a/rowers/views/analysisviews.py b/rowers/views/analysisviews.py index 10f5672f..be1190da 100644 --- a/rowers/views/analysisviews.py +++ b/rowers/views/analysisviews.py @@ -670,6 +670,7 @@ def boxplotdata(workouts,options): @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def analysis_view_data(request,userid=0): if not request.is_ajax(): url = reverse('analysis_new') 
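Review bot: The repaired lines in rowers/tests/test_plans.py still appear to sit at module scope, directly after `from .statements import *` near the top of the file, so `self.ucoach = UserFactory()` and the `self.rcoach = Rower.objects.create(...)` that follows would raise `NameError` on `self` as soon as the test module is imported; splitting the fused line fixes the syntax but not the placement. Indentation is not preserved on this page, so if these lines actually live inside a `setUp` method the concern does not apply — worth confirming. If they are stray, they presumably belong in the test class's `setUp` alongside the sibling fixtures. The surrounding file continues outside the hunk.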
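Review bot: The removed and added `cumstats` patterns read identically on this page because the group name inside `(?P<...>\d+)` has been stripped in rendering; the only plausible change is that name, and it must be exactly `userid` for the renamed `cumstats(request,userid=0, ...)` and for `get_user_by_userid`, which reads `kwargs['userid']` and otherwise silently falls back to `request.user.id`. Worth verifying the new line reads `re_path(r'^cumstats/user/(?P<userid>\d+)/$',views.cumstats,name='cumstats'),` so the guard actually targets the athlete in the URL. `urlpatterns` continues outside the hunk.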
@@ -728,6 +729,7 @@ def analysis_view_data(request,userid=0): @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def histo(request,theuser=0, startdate=timezone.now()-datetime.timedelta(days=365), enddate=timezone.now(), @@ -1333,6 +1335,7 @@ def planrequired_view(request): @user_passes_test(isplanmember,login_url="/rowers/paidplans", message="This functionality requires a Coach or Self-Coach plan", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_id,raise_exception=True) def fitnessmetric_view(request,id=0,mode='rower', startdate=timezone.now()-timezone.timedelta(days=365), enddate=timezone.now()): @@ -2151,6 +2154,7 @@ def rankings_view2(request,theuser=0, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def otwrankings_view(request,theuser=0, startdate=timezone.now()-datetime.timedelta(days=365), enddate=timezone.now(), @@ -2556,6 +2560,7 @@ def otwcp_toadmin_view(request,theuser=0, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def oterankings_view(request,theuser=0, startdate=timezone.now()-datetime.timedelta(days=365), enddate=timezone.now(), 
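Review bot: `histo`, `otwrankings_view` and `oterankings_view` (the first, third and fourth hunks on this line) take the target user as `theuser`, but the new decorator passes `get_user_by_userid`, which reads `kwargs['userid']` and on `KeyError` falls back to `request.user.id`; Django fills keyword parameters from the URL group of the same name, so for these views the `rower.is_coach` check is evaluated against the requester rather than the athlete named in the URL and adds no protection against cross-user access. `fitnessmetric_view` in the second hunk gets this right by pairing its `id` parameter with `get_user_by_id`. The fix is to rename the parameter and its URL group to `userid`, as this commit already does for `cumstats`, or to give these three views a lookup function that reads `theuser`. All four function bodies continue outside their hunks.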
@@ -2907,6 +2912,7 @@ def oterankings_view(request,theuser=0, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def user_multiflex_select(request, startdatestring="", enddatestring="", @@ -3113,6 +3119,7 @@ def user_multiflex_select(request, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def multiflex_data(request,userid=0, options={ 'includereststrokes':False, @@ -3366,6 +3373,7 @@ def multiflex_data(request,userid=0, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def multiflex_view(request,userid=0, options={ 'includereststrokes':False, @@ -3533,6 +3541,7 @@ def multiflex_view(request,userid=0, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def user_boxplot_select(request, startdatestring="", enddatestring="", 
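Review bot: `user_multiflex_select` and `user_boxplot_select` (first and fourth hunks on this line) show no `userid` parameter in the visible part of their signatures, so `get_user_by_userid` would fall back to `request.user.id` and the new `rower.is_coach` check would be evaluated against the requester; if the athlete being viewed is chosen some other way (a form field or a session value) the decorator does not guard that selection. Both signatures continue outside their hunks, so this needs confirming against the rest of each definition. `multiflex_data` and `multiflex_view` in the other two hunks do take `userid` and look correct as far as the hunks show.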
@@ -3741,6 +3750,7 @@ def user_boxplot_select(request, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def boxplot_view_data(request,userid=0, options={ 'includereststrokes':False, @@ -3858,6 +3868,7 @@ def boxplot_view_data(request,userid=0, @user_passes_test(ispromember,login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def boxplot_view(request,userid=0, options={ 'includereststrokes':False, @@ -3976,7 +3987,8 @@ def boxplot_view(request,userid=0, # Cumulative stats page @user_passes_test(ispromember,login_url="/rowers/paidplans",message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",redirect_field_name=None) -def cumstats(request,theuser=0, +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) +def cumstats(request,userid=0, startdate=timezone.now()-datetime.timedelta(days=30), enddate=timezone.now(), deltadays=-1, @@ -3989,7 +4001,7 @@ def cumstats(request,theuser=0, 'rankingonly':False, }): - r = getrequestrower(request,userid=theuser) + r = getrequestrower(request,userid=userid) theuser = r.user if 'waterboattype' in request.session: @@ -4107,7 +4119,7 @@ def cumstats(request,theuser=0, options = { 'modality': modality, - 'theuser': theuser.id, + 'userid': theuser.id, 'waterboattype':waterboattype, 'startdatestring':startdatestring, 'enddatestring':enddatestring, 
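Review bot: The `options` key rename `'theuser': theuser.id` → `'userid': theuser.id` in the last hunk changes a dict that is presumably handed to the cumstats template or front-end code; any consumer still reading `theuser` will get an empty value silently rather than an error, so the template and any JS that builds URLs from it should be updated in the same commit. Keeping the local `theuser = r.user` inside `cumstats` is fine, since only the keyword argument was renamed. `cumstats` continues outside the hunks.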
@@ -4361,6 +4373,7 @@ def alerts_view(request,userid=0): @user_passes_test(ispromember, login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def alert_create_view(request,userid=0): r = getrequestrower(request,userid=userid) FilterFormSet = formset_factory(ConditionEditForm, formset=BaseConditionFormSet,extra=1) @@ -4439,6 +4452,7 @@ def alert_create_view(request,userid=0): # alert report view @login_required() +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def alert_report_view(request,id=0,userid=0,nperiod=0): r = getrequestrower(request,userid=userid) if userid == 0: @@ -4496,6 +4510,7 @@ def alert_report_view(request,id=0,userid=0,nperiod=0): @user_passes_test(ispromember, login_url="/rowers/paidplans", message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality", redirect_field_name=None) +@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True) def alert_edit_view(request,id=0,userid=0): r = getrequestrower(request,userid=userid) diff --git a/rowers/views/statements.py b/rowers/views/statements.py index e1a1f627..4fd3128d 100644 --- a/rowers/views/statements.py +++ b/rowers/views/statements.py @@ -341,12 +341,15 @@ def get_workout_default_page(request,id): return reverse('workout_workflow_view',kwargs={'id':id}) def get_user_by_userid(*args,**kwargs): + request = args[0] + print(kwargs,request.user.id,'get_user_by_id') try: id = kwargs['userid'] except KeyError: id = request.user.id - return get_object_or_404(User,pk=id) + u = get_object_or_404(User,pk=id) + return u def get_user_by_id(*args,**kwargs): request = args[0] 
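Review bot: `get_user_by_userid` in the last hunk on this line still falls back to `request.user.id` when no `userid` kwarg is present, which makes the object-permission check evaluate the requester against themselves; now that this helper is the `fn` for a dozen `permission_required` guards, that fallback is the difference between a guard and a no-op whenever a view's kwarg is named differently (see `histo`, `otwrankings_view`, `oterankings_view` earlier in the diff). The contract deserves a docstring, e.g. `"""Resolve the User an object permission is checked against; falls back to request.user when the route carries no userid kwarg."""`, and a fail-closed alternative would be to raise instead of substituting the requester. The intermediate `u = get_object_or_404(User,pk=id)` followed by `return u` adds nothing over the original single `return`. The `get_user_by_id` definition continues outside the hunk.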
@@ -360,7 +363,7 @@ def get_user_by_id(*args,**kwargs):
     return get_object_or_404(User,pk=id)
-def get_rower_by_userid(request,id):
+def get_rower_by_id(request,id):
     u = User.objects.get(id=id)
     return u.rower