diff --git a/rowers/rower_rules.py b/rowers/rower_rules.py
index f8edd93f..795bdf21 100644
--- a/rowers/rower_rules.py
+++ b/rowers/rower_rules.py
@@ -263,9 +263,6 @@ def can_plan_user(user,rower):
 if rower in t.rower.all():
 return True
-
- return user in team_managers
-
 # paying coach can plan for all kinds of rowers
 if is_paid_coach(user):
 for t in teams:
diff --git a/rowers/tests/test_permissions.py b/rowers/tests/test_permissions.py
index fafe1e8b..0f013d70 100644
--- a/rowers/tests/test_permissions.py
+++ b/rowers/tests/test_permissions.py
@@ -967,8 +967,6 @@ class PermissionsViewTests(TestCase):
 ## Coach can see list of workouts of athlete
 def test_coach_athlete_workout_list(self):
 self.rbasic.team.add(self.teamcoach)
- print(self.rbasic.team.all())
- print(self.teamcoach)
 login = self.c.login(username=self.ucoach.username, password=self.ucoachpassword)
 self.assertTrue(login)
@@ -979,20 +977,17 @@ class PermissionsViewTests(TestCase):
 response = self.c.get(url)
- print(url,response.status_code)
 self.assertEqual(response.status_code,200)
 url = reverse('workouts_view', kwargs={'userid':self.ubasic.id})
 response = self.c.get(url)
- print(url,response.status_code)
 self.assertEqual(response.status_code,200)
 url = reverse('workouts_view')
 response = self.c.get(url)
- print(url,response.status_code)
 self.assertEqual(response.status_code,200)
 ## Self coach can create one group
diff --git a/rowers/views/planviews.py b/rowers/views/planviews.py
index 5db07f62..c36af4ec 100644
--- a/rowers/views/planviews.py
+++ b/rowers/views/planviews.py
@@ -155,7 +155,7 @@ def plannedsession_comment_view(request,id=0,userid=0):
 })
 # Cloning sessions
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_multiclone_view(
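Review bot: The removed `return user in team_managers` was an unconditional grant to anyone managing any team, whether or not the rower belonged to it, so dropping it is a tightening only if `can_plan_user` ends in an explicit `return False` after the paid-coach loop — that tail is outside the hunk and should be checked. With the short-circuit gone, a user who is both a manager and a paid coach now reaches the second branch, and `# paying coach can plan for all kinds of rowers` no longer matches the `for t in teams:` loop that follows it; I would reword it to `# paying coach can plan for rowers of the teams they belong to` if that is what the loop checks. The only test changes in this commit remove debug prints; a regression test that a manager of team A cannot plan for a rower who is only in team B, and that an unpaid non-manager gets False, would pin the new semantics.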
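Review bot: `can_plan` replaces `isplanmember` in the `@user_passes_test` gate on `plannedsession_multiclone_view`, but no hunk in this diff adds `can_plan` to planviews.py's imports — only statements.py's import list is extended, in the `rowers.rower_rules` hunk further down. Unless planviews.py pulls the name in via a star import or an import outside these hunks, every decorated view raises NameError when the module is imported, which surfaces as a 500 on the first request rather than as a test failure. A one-line `from rowers.rower_rules import can_plan` next to the existing `isplanmember` import, or a test that imports `rowers.views.planviews`, would settle it. The decorated function continues past the hunk.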
@@ -306,7 +306,7 @@ def plannedsession_multiclone_view(
 )
 # Individual user creates training for himself
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_create_view(request,
@@ -316,9 +316,6 @@ def plannedsession_create_view(request,
 r = getrequestplanrower(request,userid=userid)
-
-
-
 startdate,enddate = get_dates_timeperiod(request,startdatestring=startdatestring, enddatestring=enddatestring)
@@ -461,7 +458,7 @@ def plannedsession_create_view(request,
 'timeperiod':timeperiod,
 })
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_multicreate_view(request,
@@ -597,7 +594,7 @@ def plannedsession_multicreate_view(request,
 return render(request,'plannedsession_multicreate.html',context)
 # Manager creates sessions for entire team
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_teamcreate_view(request,
@@ -770,7 +767,7 @@ def plannedsession_teamcreate_view(request,
 })
 # Manager edits sessions for entire team
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 @permission_required('plannedsession.change_session',fn=get_session_by_pk,raise_exception=True)
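Review bot: `plannedsession_create_view` is documented as `# Individual user creates training for himself`, yet it now passes two gates: `can_plan` on the decorator and, inside `getrequestplanrower` (changed in the statements.py hunk on this page), `can_plan_user(request.user, r)`. The visible part of the `can_plan_user` hunk shows no `user == rower.user` short-circuit, so whether a self-coach planning for their own rower still passes depends on code outside these hunks; if it does not, the new check turns self-planning into a PermissionDenied. The test diff in this commit only removes prints, so a test that logs in as a self-coach and requests `plannedsession_create` for their own userid would pin this. The function body continues past the hunk.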
@@ -1382,7 +1379,7 @@ def plannedsessions_manage_view(request,userid=0,
 # Clone an existing planned session # need clarity on cloning behavior time shift
 @permission_required('plannedsession.change_session',fn=get_session_by_pk,raise_exception=True)
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_clone_view(request,id=0,userid=0):
@@ -1445,7 +1442,7 @@ def plannedsession_clone_view(request,id=0,userid=0):
 # Clone an existing planned session # need clarity on cloning behavior time shift
 @permission_required('plannedsession.change_session',fn=get_session_by_pk,raise_exception=True)
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_teamclone_view(request,id=0):
@@ -1504,7 +1501,7 @@ def plannedsession_teamclone_view(request,id=0):
 return HttpResponseRedirect(url)
 @permission_required('plannedsession.change_session',fn=get_session_by_pk,raise_exception=True)
-@user_passes_test(isplanmember, login_url="/rowers/paidplans/",
+@user_passes_test(can_plan, login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_totemplate_view(request,id=0):
@@ -1532,7 +1529,7 @@ def plannedsession_totemplate_view(request,id=0):
 # Edit an existing planned session
 @permission_required('plannedsession.change_session',fn=get_session_by_pk,raise_exception=True)
-@user_passes_test(isplanmember,login_url="/rowers/paidplans/",
+@user_passes_test(can_plan,login_url="/rowers/paidplans/",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def plannedsession_edit_view(request,id=0,userid=0):
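Review bot: On `plannedsession_clone_view` and the three views below it, `@permission_required('plannedsession.change_session', fn=get_session_by_pk, raise_exception=True)` is the outer decorator, so the object-level check — which resolves the session by pk — runs before the `can_plan` gate; in the hunks at 770, 2035, 2049 and 2346 the order is reversed. The practical difference is that a user without a plan who also lacks the object permission gets a 403 (or whatever `get_session_by_pk` does on a bad pk) here but the `/rowers/paidplans/` redirect with the plan message elsewhere, an inconsistency that also changes what a probing user learns about session ids. The order is not introduced by this commit, but since every one of these lines is being rewritten it is the moment to pick one; I would put `@user_passes_test(can_plan, ...)` outermost everywhere so the cheap plan check runs before any object lookup, assuming the custom `user_passes_test` does not itself depend on the resolved object.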
@@ -1906,7 +1903,7 @@ class PlannedSessionDelete(DeleteView):
 return obj
-@user_passes_test(isplanmember,login_url="/rowers/paidplans",
+@user_passes_test(can_plan,login_url="/rowers/paidplans",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def rower_create_trainingplan(request,id=0):
@@ -2035,7 +2032,7 @@ def rower_create_trainingplan(request,id=0):
 'old_targets':old_targets,
 })
-@user_passes_test(isplanmember,login_url="/rowers/paidplans",
+@user_passes_test(can_plan,login_url="/rowers/paidplans",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 @permission_required('target.delete_target',fn=get_target_by_pk,raise_exception=True)
@@ -2049,7 +2046,7 @@ def rower_delete_trainingtarget(request,id=0):
 return HttpResponseRedirect(url)
-@user_passes_test(isplanmember,login_url="/rowers/paidplans",
+@user_passes_test(can_plan,login_url="/rowers/paidplans",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 @permission_required('target.delete_plan',fn=get_plan_by_pk,raise_exception=True)
@@ -2256,7 +2253,7 @@ class MacroCycleDelete(DeleteView):
 return obj
-@user_passes_test(isplanmember,login_url="/rowers/paidplans",
+@user_passes_test(can_plan,login_url="/rowers/paidplans",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 def rower_trainingplan_execution_view(request,
@@ -2346,7 +2343,7 @@ def rower_trainingplan_execution_view(request,
 )
-@user_passes_test(isplanmember,login_url="/rowers/paidplans",
+@user_passes_test(can_plan,login_url="/rowers/paidplans",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 @permission_required('plan.view_plan',fn=get_plan_by_pk,raise_exception=True)
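Review bot: The rewritten decorator on `rower_create_trainingplan` (and the four below it) uses `login_url="/rowers/paidplans"`, while the hunks at 155 through 1532 use `"/rowers/paidplans/"`; with Django's `APPEND_SLASH` the slashless form costs an extra redirect on the way to the paid-plans page, and with it off it is a 404 instead of the upsell. Since all of these lines are being touched anyway, normalise to one spelling — `@user_passes_test(can_plan, login_url="/rowers/paidplans/",` — or, if the route has a URL name, `login_url=reverse_lazy(...)` so the two files cannot drift apart again. The string is hard-coded five times in this section alone, which is the usual sign it belongs in one module-level constant.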
@@ -2756,7 +2753,7 @@ class TrainingTargetUpdate(UpdateView):
 from rowers.utils import allsundays
-@user_passes_test(isplanmember,login_url="/rowers/paidplans",
+@user_passes_test(can_plan,login_url="/rowers/paidplans",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 @permission_required('cycle.change_cycle',fn=get_meso_by_pk,raise_exception=True)
@@ -2806,7 +2803,7 @@ def planmesocyclebyweek(request,id=0,userid=0):
 from rowers.utils import allmonths
-@user_passes_test(isplanmember,login_url="/rowers/paidplans",
+@user_passes_test(can_plan,login_url="/rowers/paidplans",
 message="This functionality requires a Coach or Self-Coach plan",
 redirect_field_name=None)
 @permission_required('cycle.change_cycle',fn=get_macro_by_pk,raise_exception=True)
diff --git a/rowers/views/statements.py b/rowers/views/statements.py
index 1e0f8639..1ea3b63b 100644
--- a/rowers/views/statements.py
+++ b/rowers/views/statements.py
@@ -45,7 +45,7 @@ from rowers.rower_rules import (
 can_view_plan,can_change_plan,can_delete_plan,
 can_view_cycle,can_change_cycle,can_delete_cycle,
 can_add_workout_member,can_plan_user,is_paid_coach,
- can_start_trial, can_start_plantrial
+ can_start_trial, can_start_plantrial,can_plan
 )
 from django.shortcuts import render
@@ -345,7 +345,10 @@ def get_user_by_id(*args,**kwargs):
 try:
 id = args[1]
 except IndexError:
- id = request.user.id
+ try:
+ id = kwargs['id']
+ except KeyError:
+ id = request.user.id
 return get_object_or_404(User,pk=id)
@@ -354,7 +357,6 @@ def get_rower_by_userid(request,id):
 return u.rower
 def getrequestrower(request,rowerid=0,userid=0,notpermanent=False):
- userid = int(userid)
 rowerid = int(rowerid)
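Review bot: In `get_user_by_id` the new `kwargs['id']` lookup still falls back to `request.user.id` on `KeyError`, and the `get_*_by_pk` family it belongs to is what `permission_required(..., fn=...)` uses to resolve the object being authorised; if a URL pattern passes the target under another name (the views on this page take `userid`), the object-level permission is silently evaluated against the requester's own account and most likely passes for the wrong object. A resolver that feeds an authorization check should fail closed — `user_id = kwargs.get('id')` followed by `if user_id is None: raise Http404` — and keep the self-default only for routes that genuinely carry no id; `id` also shadows the builtin. If the default is kept, the nested try/except collapses to `user_id = kwargs.get('id', request.user.id)`. `request` is bound above the hunk, presumably from `args[0]`.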
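Review bot: Dropping `userid = int(userid)` from `getrequestrower` while keeping `rowerid = int(rowerid)` leaves the two parameters normalised differently, and the `if userid != 0 and ...` guard in the next hunk now compares whatever type the caller passed: a string `"0"` from a regex-based URL pattern is `!= 0`, so it is no longer treated as "no user given", and a non-numeric value fails wherever `userid` is first used instead of as a clean `ValueError` here. If the cast was removed because some caller passes `None`, say so in code: `userid = int(userid) if userid is not None else 0`. The function continues in the next hunk.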
@@ -380,7 +382,10 @@ def getrequestrower(request,rowerid=0,userid=0,notpermanent=False):
 except Rower.DoesNotExist:
 raise Http404("Rower doesn't exist")
- if userid != 0 and not is_coach_user(request.user,u):
+ if r.user == request.user:
+ return r
+
+ if userid != 0 and not is_rower_team_member(request.user,u.rower):
 request.session['rowerid'] = request.user.rower.id
 raise PermissionDenied("You have no access to this user")
@@ -414,7 +419,7 @@ def getrequestplanrower(request,rowerid=0,userid=0,notpermanent=False):
 except Rower.DoesNotExist:
 raise Http404("Rower doesn't exist")
- if not is_coach_user(request.user,r.user):
+ if not can_plan_user(request.user,r ):
 request.session['rowerid'] = r.id
 raise PermissionDenied("You have no access to this user")
diff --git a/rowers/views/workoutviews.py b/rowers/views/workoutviews.py
index 7d6d681e..628163b4 100644
--- a/rowers/views/workoutviews.py
+++ b/rowers/views/workoutviews.py
@@ -1757,7 +1757,6 @@ def workouts_view(request,message='',successmessage='',
 request.session['referer'] = absolute(request)['PATH']
 r = getrequestrower(request,rowerid=rowerid,userid=userid)
- # check if access is allowed
 if not is_rower_team_member(request.user,r):
 request.session['rowerid'] = request.user.rower.id
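Review bot: The access predicate in `getrequestrower` changes from `is_coach_user(request.user, u)` to `is_rower_team_member(request.user, u.rower)`, which — going by the names — widens who may load another user's rower from that user's coach to anyone on a shared team, fellow athletes included; nothing in the commit says this is intended, and the only test touched (`test_coach_athlete_workout_list`) exercises a coach. The guard also still runs only when `userid != 0`, so a lookup by `rowerid` alone relies on callers re-checking, as `workouts_view` does below; with the new `if r.user == request.user: return r` short-circuit in place, the check can be made unconditional and expressed on the object actually returned: `if not is_rower_team_member(request.user, r):`. That also avoids dereferencing `u`, which may be unbound on the `rowerid` path — the branch that sets it is above the hunk. A teammate-who-is-not-a-coach test would pin whichever semantics are intended.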
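Review bot: `can_plan_user(request.user,r )` in `getrequestplanrower` carries a stray space before the closing parenthesis; `can_plan_user(request.user, r)`. With this line the helper's grant rests entirely on `can_plan_user`, whose own hunk at the top of the diff drops the blanket manager short-circuit, so a test that a manager of a different team is refused here would cover both changes at once.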