added permissions in analysis views

rowers/rower_rules.py

@@ -212,6 +212,7 @@ def is_coach_user(usercoach,userrower):
             coaches.append(coach)
 
     for coach in coaches:
+        print(usercoach.rower,coach)
         if usercoach.rower == coach:
             return True
 

rowers/tests/test_permissions.py

@@ -841,6 +841,8 @@ class PermissionsViewTests(TestCase):
 
         self.assertEqual(response.status_code,200)
 
+
+
     @patch('rowers.dataprep.read_cols_df_sql', side_effect = mocked_read_df_cols_sql_multistats)
     def test_coach_edit_athlete_analysis_not(self,mocked_df):
         self.rbasic.team.add(self.teamcoach)
@@ -851,7 +853,7 @@ class PermissionsViewTests(TestCase):
 
         url = reverse('cumstats',
                       kwargs={
-                          'theuser':self.ubasic.id,
+                          'userid':self.ubasic.id,
                       }
         )
 
@@ -859,6 +861,24 @@ class PermissionsViewTests(TestCase):
 
         self.assertEqual(response.status_code,403)
 
+    @patch('rowers.dataprep.read_cols_df_sql', side_effect = mocked_read_df_cols_sql_multistats)
+    def test_coach_edit_athlete_analysis_not2(self,mocked_df):
+        self.rbasic.team.add(self.teamcoach)
+
+        login = self.c.login(username=self.ucoach.username, password=self.ucoachpassword)
+        self.assertTrue(login)
+
+
+        url = reverse('analysis_new',
+                  kwargs={
+                      'userid':self.ubasic.id,
+                  }
+                 )
+
+        response = self.c.get(url)
+
+        self.assertEqual(response.status_code,403)
+
 
     ## Coach can upload on behalf of athlete - if team allows
     @patch('rowers.dataprep.create_engine')

rowers/tests/test_plans.py

@@ -5,7 +5,8 @@ from __future__ import unicode_literals
 
 #from __future__ import print_function
 from .statements import *
-nu = datetime.datetime.now()self.ucoach = UserFactory()
+nu = datetime.datetime.now()
+self.ucoach = UserFactory()
 self.rcoach = Rower.objects.create(
     user=self.ucoach,
     birthdate=faker.profile()['birthdate'],

rowers/urls.py

@@ -274,7 +274,7 @@ urlpatterns = [
     re_path(r'^histodata/$',views.histo_data,name='histo_data'),
 #    re_path(r'^histo/user/(?P<theuser>\d+)/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.histo,name='histo'),
     re_path(r'^histo/$',views.histo,name='histo'),
-    re_path(r'^cumstats/user/(?P<theuser>\d+)/$',views.cumstats,name='cumstats'),
+    re_path(r'^cumstats/user/(?P<userid>\d+)/$',views.cumstats,name='cumstats'),
 #    re_path(r'^cumstats/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.cumstats,name='cumstats'),
 #    re_path(r'^cumstats/user/(?P<theuser>\d+)/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.cumstats,name='cumstats'),
 #    re_path(r'^cumstats/(?P<startdatestring>\d+-\d+-\d+)/(?P<enddatestring>\d+-\d+-\d+)/$',views.cumstats,name='cumstats'),

rowers/views/analysisviews.py

@@ -670,6 +670,7 @@ def boxplotdata(workouts,options):
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def analysis_view_data(request,userid=0):
     if not request.is_ajax():
         url = reverse('analysis_new')
@@ -728,6 +729,7 @@ def analysis_view_data(request,userid=0):
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def histo(request,theuser=0,
           startdate=timezone.now()-datetime.timedelta(days=365),
           enddate=timezone.now(),
@@ -1333,6 +1335,7 @@ def planrequired_view(request):
 @user_passes_test(isplanmember,login_url="/rowers/paidplans",
                   message="This functionality requires a Coach or Self-Coach plan",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_id,raise_exception=True)
 def fitnessmetric_view(request,id=0,mode='rower',
                        startdate=timezone.now()-timezone.timedelta(days=365),
                        enddate=timezone.now()):
@@ -2151,6 +2154,7 @@ def rankings_view2(request,theuser=0,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def otwrankings_view(request,theuser=0,
                      startdate=timezone.now()-datetime.timedelta(days=365),
                      enddate=timezone.now(),
@@ -2556,6 +2560,7 @@ def otwcp_toadmin_view(request,theuser=0,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def oterankings_view(request,theuser=0,
                      startdate=timezone.now()-datetime.timedelta(days=365),
                      enddate=timezone.now(),
@@ -2907,6 +2912,7 @@ def oterankings_view(request,theuser=0,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def user_multiflex_select(request,
                           startdatestring="",
                           enddatestring="",
@@ -3113,6 +3119,7 @@ def user_multiflex_select(request,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def multiflex_data(request,userid=0,
                  options={
                      'includereststrokes':False,
@@ -3366,6 +3373,7 @@ def multiflex_data(request,userid=0,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def multiflex_view(request,userid=0,
                  options={
                      'includereststrokes':False,
@@ -3533,6 +3541,7 @@ def multiflex_view(request,userid=0,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def user_boxplot_select(request,
                         startdatestring="",
                         enddatestring="",
@@ -3741,6 +3750,7 @@ def user_boxplot_select(request,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def boxplot_view_data(request,userid=0,
                  options={
                      'includereststrokes':False,
@@ -3858,6 +3868,7 @@ def boxplot_view_data(request,userid=0,
 @user_passes_test(ispromember,login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def boxplot_view(request,userid=0,
                  options={
                      'includereststrokes':False,
@@ -3976,7 +3987,8 @@ def boxplot_view(request,userid=0,
 
 # Cumulative stats page
 @user_passes_test(ispromember,login_url="/rowers/paidplans",message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",redirect_field_name=None)
-def cumstats(request,theuser=0,
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
+def cumstats(request,userid=0,
              startdate=timezone.now()-datetime.timedelta(days=30),
              enddate=timezone.now(),
              deltadays=-1,
@@ -3989,7 +4001,7 @@ def cumstats(request,theuser=0,
                  'rankingonly':False,
              }):
 
-    r = getrequestrower(request,userid=theuser)
+    r = getrequestrower(request,userid=userid)
     theuser = r.user
 
     if 'waterboattype' in request.session:
@@ -4107,7 +4119,7 @@ def cumstats(request,theuser=0,
 
     options = {
         'modality': modality,
-        'theuser': theuser.id,
+        'userid': theuser.id,
         'waterboattype':waterboattype,
         'startdatestring':startdatestring,
         'enddatestring':enddatestring,
@@ -4361,6 +4373,7 @@ def alerts_view(request,userid=0):
 @user_passes_test(ispromember, login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def alert_create_view(request,userid=0):
     r = getrequestrower(request,userid=userid)
     FilterFormSet = formset_factory(ConditionEditForm, formset=BaseConditionFormSet,extra=1)
@@ -4439,6 +4452,7 @@ def alert_create_view(request,userid=0):
 
 # alert report view
 @login_required()
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def alert_report_view(request,id=0,userid=0,nperiod=0):
     r = getrequestrower(request,userid=userid)
     if userid == 0:
@@ -4496,6 +4510,7 @@ def alert_report_view(request,id=0,userid=0,nperiod=0):
 @user_passes_test(ispromember, login_url="/rowers/paidplans",
                   message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",
                   redirect_field_name=None)
+@permission_required('rower.is_coach',fn=get_user_by_userid,raise_exception=True)
 def alert_edit_view(request,id=0,userid=0):
     r = getrequestrower(request,userid=userid)
 

rowers/views/statements.py

@@ -341,12 +341,15 @@ def get_workout_default_page(request,id):
             return reverse('workout_workflow_view',kwargs={'id':id})
 
 def get_user_by_userid(*args,**kwargs):
+    request = args[0]
+    print(kwargs,request.user.id,'get_user_by_id')
     try:
         id = kwargs['userid']
     except KeyError:
         id = request.user.id
 
-    return get_object_or_404(User,pk=id)
+    u = get_object_or_404(User,pk=id)
+    return u
 
 def get_user_by_id(*args,**kwargs):
     request = args[0]
@@ -360,7 +363,7 @@ def get_user_by_id(*args,**kwargs):
 
     return get_object_or_404(User,pk=id)
 
-def get_rower_by_userid(request,id):
+def get_rower_by_id(request,id):
     u = User.objects.get(id=id)
     return u.rower