implemented changes in planviews - not tested
@@ -240,11 +240,107 @@ rules.add_perm('workout.view_workout',can_view_workout) # replaces checkworkoutu
|
|||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
# Training Target rules
|
||||||
|
@rules.predicate
|
||||||
|
def can_view_target(user,target):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
if user == target.manager.user:
|
||||||
|
return True
|
||||||
|
|
||||||
|
# a target's coach can view as well
|
||||||
|
if is_coach_user(user,target.manager.user):
|
||||||
|
return True
|
||||||
|
|
||||||
|
# the object can view as well
|
||||||
|
if user.rower in target.rowers.all():
|
||||||
|
return True
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_change_target(user,target):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
return user == target.manager.user
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_delete_target(user,target):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
return user == target.manager.user
|
||||||
|
|
||||||
|
rules.add_perm('target.view_target',can_view_target)
|
||||||
|
rules.add_perm('target.change_target',can_change_target)
|
||||||
|
rules.add_perm('target.delete_target',can_delete_target)
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_view_plan(user,plan):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
if user == plan.manager.user:
|
||||||
|
return True
|
||||||
|
|
||||||
|
# a plan's coach can view as well
|
||||||
|
if is_coach_user(user,plan.manager.user):
|
||||||
|
return True
|
||||||
|
|
||||||
|
# the object can view as well
|
||||||
|
if user.rower in plan.rowers.all():
|
||||||
|
return True
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_change_plan(user,plan):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
return user == plan.manager.user
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_delete_plan(user,plan):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
return user == plan.manager.user
|
||||||
|
|
||||||
|
rules.add_perm('plan.view_plan',can_view_plan)
|
||||||
|
rules.add_perm('plan.change_plan',can_change_plan)
|
||||||
|
rules.add_perm('plan.delete_plan',can_delete_plan)
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_view_cycle(user,cycle):
|
||||||
|
try:
|
||||||
|
return can_view_cycle(user,cycle.plan)
|
||||||
|
except AttributeError:
|
||||||
|
return can_view_plan(user,cycle.plan)
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_change_cycle(user,cycle):
|
||||||
|
try:
|
||||||
|
return can_change_cycle(user,cycle.plan)
|
||||||
|
except AttributeError:
|
||||||
|
return can_change_plan(user,cycle.plan)
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_delete_cycle(user,cycle):
|
||||||
|
try:
|
||||||
|
return can_delete_cycle(user,cycle.plan)
|
||||||
|
except AttributeError:
|
||||||
|
return can_delete_plan(user,cycle.plan)
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
rules.add_perm('cycle.view_cycle',can_view_cycle)
|
||||||
|
rules.add_perm('cycle.change_cycle',can_change_cycle)
|
||||||
|
rules.add_perm('cycle.delete_cycle',can_delete_cycle)
|
||||||
|
|
||||||
|
|
||||||
# check if user has view access to session
|
# check if user has view access to session
|
||||||
@rules.predicate
|
@rules.predicate
|
||||||
def can_view_session(user,session):
|
def can_view_session(user,session):
|
||||||
if session.sessiontype in ['race','indoorrace']:
|
if session.sessiontype in ['race','indoorrace']:
|
||||||
return True
|
return True
|
||||||
if user.is_anonymous:
|
if user.is_anonymous:
|
||||||
return False
|
return False
|
||||||
# session manager can view session
|
# session manager can view session
|
||||||
@@ -274,8 +370,24 @@ def can_change_session(user,session):
|
|||||||
|
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
@rules.predicate
|
||||||
|
def can_delete_session(user,session):
|
||||||
|
if user.is_anonymous:
|
||||||
|
return False
|
||||||
|
|
||||||
|
if session.sessiontype in ['race','indoorrace']:
|
||||||
|
return False
|
||||||
|
|
||||||
|
if user == session.manager:
|
||||||
|
return True
|
||||||
|
|
||||||
|
return False
|
||||||
|
|
||||||
rules.add_perm('plannedsession.view_session',can_view_session)
|
rules.add_perm('plannedsession.view_session',can_view_session)
|
||||||
rules.add_perm('plannedsession.change_session',can_change_session)
|
rules.add_perm('plannedsession.change_session',can_change_session)
|
||||||
|
rules.add_perm('plannedsession.delete_session',can_delete_session)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# checkaccessplanuser (models.py)
|
# checkaccessplanuser (models.py)
|
||||||
# getrequestrower, getrequestplanrower
|
# getrequestrower, getrequestplanrower
|
||||||
|
|||||||
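Review bot: The three cycle predicates (`can_view_cycle`, `can_change_cycle`, `can_delete_cycle`) locate the owning plan by recursing on `cycle.plan` and catching `AttributeError`, which as written only resolves because the error raised again inside the `except` branch propagates one frame up. An `AttributeError` from inside the plan check itself (for example a plan whose `manager` is `None`, a case the removed view checks tested for explicitly) is caught by the outer frames in the same way and retried against a cycle object instead of being reported. An authorization predicate should not use a broad exception as control flow; walking up explicitly with `while hasattr(obj,'plan'): obj = obj.plan` and then `return can_view_plan(user,obj)` reaches the same plan without masking errors, and the unreachable trailing `return False` can go. `can_view_target` and `can_view_plan` also fall off the end and return `None` when no branch matches; an explicit `return False` would make the deny path visible.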
@@ -1900,8 +1900,7 @@ class PlannedSessionDelete(DeleteView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(PlannedSessionDelete, self).get_object(*args, **kwargs)
|
obj = super(PlannedSessionDelete, self).get_object(*args, **kwargs)
|
||||||
m = Rower.objects.get(user=obj.manager)
|
if not can_delete_session(self.request.user,obj):
|
||||||
if not is_coach_user(self.request.user,m.user):
|
|
||||||
raise PermissionDenied('You are not allowed to delete this planned session')
|
raise PermissionDenied('You are not allowed to delete this planned session')
|
||||||
|
|
||||||
return obj
|
return obj
|
||||||
@@ -2039,17 +2038,11 @@ def rower_create_trainingplan(request,userid=0):
|
|||||||
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
||||||
message="This functionality requires a Coach or Self-Coach plan",
|
message="This functionality requires a Coach or Self-Coach plan",
|
||||||
redirect_field_name=None)
|
redirect_field_name=None)
|
||||||
|
@permission_required('target.delete_target',fn=get_target_by_pk,raise_exception=True)
|
||||||
def rower_delete_trainingtarget(request,id=0):
|
def rower_delete_trainingtarget(request,id=0):
|
||||||
try:
|
|
||||||
target = TrainingTarget.objects.get(id=id)
|
|
||||||
except TrainingPlan.DoesNotExist:
|
|
||||||
raise Http404("Training Plan Does Not Exist")
|
|
||||||
|
|
||||||
if is_coach_user(request.user,target.manager):
|
target = get_object_or_404(TrainingTarget,pk=id)
|
||||||
target.delete()
|
target.delete()
|
||||||
messages.info(request,"We have deleted the training target")
|
|
||||||
else:
|
|
||||||
raise PermissionDenied("Access denied")
|
|
||||||
|
|
||||||
url = reverse(rower_create_trainingplan)
|
url = reverse(rower_create_trainingplan)
|
||||||
|
|
||||||
@@ -2059,17 +2052,10 @@ def rower_delete_trainingtarget(request,id=0):
|
|||||||
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
||||||
message="This functionality requires a Coach or Self-Coach plan",
|
message="This functionality requires a Coach or Self-Coach plan",
|
||||||
redirect_field_name=None)
|
redirect_field_name=None)
|
||||||
|
@permission_required('target.delete_plan',fn=get_plan_by_pk,raise_exception=True)
|
||||||
def rower_delete_trainingplan(request,id=0):
|
def rower_delete_trainingplan(request,id=0):
|
||||||
try:
|
plan = get_object_or_404(TrainingPlan,pk=id)
|
||||||
plan = TrainingPlan.objects.get(id=id)
|
plan.delete()
|
||||||
except TrainingPlan.DoesNotExist:
|
|
||||||
raise Http404("Training Plan Does Not Exist")
|
|
||||||
|
|
||||||
if is_coach_user(request.user,plan.manager.user):
|
|
||||||
plan.delete()
|
|
||||||
messages.info(request,"We have deleted the training plan")
|
|
||||||
else:
|
|
||||||
raise PermissionDenied("Access denied")
|
|
||||||
|
|
||||||
url = reverse(rower_create_trainingplan)
|
url = reverse(rower_create_trainingplan)
|
||||||
|
|
||||||
@@ -2082,7 +2068,7 @@ class TrainingPlanDelete(DeleteView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(TrainingPlanDelete, self).get_object(*args, **kwargs)
|
obj = super(TrainingPlanDelete, self).get_object(*args, **kwargs)
|
||||||
if not is_coach_user(self.request.user,obj.manager.user):
|
if not can_delete_plan(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to delete this training plan')
|
raise PermissionDenied('You are not allowed to delete this training plan')
|
||||||
|
|
||||||
return obj
|
return obj
|
||||||
@@ -2148,7 +2134,7 @@ class MicroCycleDelete(DeleteView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(MicroCycleDelete, self).get_object(*args, **kwargs)
|
obj = super(MicroCycleDelete, self).get_object(*args, **kwargs)
|
||||||
if not is_coach_user(self.request.user,obj.plan.plan.plan.manager.user):
|
if not can_delete_cycle(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to delete this training plan cycle')
|
raise PermissionDenied('You are not allowed to delete this training plan cycle')
|
||||||
return obj
|
return obj
|
||||||
|
|
||||||
@@ -2210,7 +2196,7 @@ class MesoCycleDelete(DeleteView):
|
|||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(MesoCycleDelete, self).get_object(*args, **kwargs)
|
obj = super(MesoCycleDelete, self).get_object(*args, **kwargs)
|
||||||
|
|
||||||
if not is_coach_user(self.request.user,obj.plan.plan.manager.user):
|
if not can_delete_cycle(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to delete this training plan cycle')
|
raise PermissionDenied('You are not allowed to delete this training plan cycle')
|
||||||
|
|
||||||
return obj
|
return obj
|
||||||
@@ -2264,7 +2250,7 @@ class MacroCycleDelete(DeleteView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(MacroCycleDelete, self).get_object(*args, **kwargs)
|
obj = super(MacroCycleDelete, self).get_object(*args, **kwargs)
|
||||||
if not is_coach_user(self.request.user,obj.plan.manager.user):
|
if not can_delete_cycle(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to delete this training plan cycle')
|
raise PermissionDenied('You are not allowed to delete this training plan cycle')
|
||||||
|
|
||||||
return obj
|
return obj
|
||||||
@@ -2363,6 +2349,7 @@ def rower_trainingplan_execution_view(request,
|
|||||||
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
||||||
message="This functionality requires a Coach or Self-Coach plan",
|
message="This functionality requires a Coach or Self-Coach plan",
|
||||||
redirect_field_name=None)
|
redirect_field_name=None)
|
||||||
|
@permission_required('plan.can_view',fn=get_plan_by_pk,raise_exception=True)
|
||||||
def rower_trainingplan_view(request,
|
def rower_trainingplan_view(request,
|
||||||
id=0,
|
id=0,
|
||||||
userid=0,
|
userid=0,
|
||||||
@@ -2373,17 +2360,7 @@ def rower_trainingplan_view(request,
|
|||||||
|
|
||||||
startdate,enddate = get_dates_timeperiod(request)
|
startdate,enddate = get_dates_timeperiod(request)
|
||||||
|
|
||||||
|
plan = get_object_or_404(TrainingPlan,pk=id)
|
||||||
try:
|
|
||||||
plan = TrainingPlan.objects.get(id=id)
|
|
||||||
except TrainingPlan.DoesNotExist:
|
|
||||||
raise Http404("Training Plan Does Not Exist")
|
|
||||||
|
|
||||||
r = getrequestrower(request,userid=userid)
|
|
||||||
|
|
||||||
if not is_coach_user(request.user,plan.manager.user):
|
|
||||||
if request.user.rower not in plan.rowers.all():
|
|
||||||
raise PermissionDenied("Access denied")
|
|
||||||
|
|
||||||
createmacrofillers(plan)
|
createmacrofillers(plan)
|
||||||
macrocycles = TrainingMacroCycle.objects.filter(
|
macrocycles = TrainingMacroCycle.objects.filter(
|
||||||
@@ -2507,10 +2484,7 @@ class TrainingMacroCycleUpdate(UpdateView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(TrainingMacroCycleUpdate, self).get_object(*args, **kwargs)
|
obj = super(TrainingMacroCycleUpdate, self).get_object(*args, **kwargs)
|
||||||
if obj.plan.manager is not None and self.request.user.rower != obj.plan.manager:
|
if not can_change_cycle(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
|
||||||
|
|
||||||
if not is_coach_user(self.request.user,obj.plan.manager.user):
|
|
||||||
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
||||||
else:
|
else:
|
||||||
obj.type = 'userdefined'
|
obj.type = 'userdefined'
|
||||||
@@ -2581,7 +2555,7 @@ class TrainingMesoCycleUpdate(UpdateView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(TrainingMesoCycleUpdate, self).get_object(*args, **kwargs)
|
obj = super(TrainingMesoCycleUpdate, self).get_object(*args, **kwargs)
|
||||||
if obj.plan.plan.manager is not None and self.request.user.rower != obj.plan.plan.manager:
|
if not can_change_cycle(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
||||||
|
|
||||||
else:
|
else:
|
||||||
@@ -2659,7 +2633,7 @@ class TrainingMicroCycleUpdate(UpdateView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(TrainingMicroCycleUpdate, self).get_object(*args, **kwargs)
|
obj = super(TrainingMicroCycleUpdate, self).get_object(*args, **kwargs)
|
||||||
if obj.plan.plan.plan.manager is not None and self.request.user.rower != obj.plan.plan.plan.manager:
|
if not can_change_cycle(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
||||||
|
|
||||||
|
|
||||||
@@ -2724,10 +2698,8 @@ class TrainingPlanUpdate(UpdateView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(TrainingPlanUpdate, self).get_object(*args, **kwargs)
|
obj = super(TrainingPlanUpdate, self).get_object(*args, **kwargs)
|
||||||
if obj.manager is not None and self.request.user.rower != obj.manager:
|
if not can_change_plan(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
||||||
if obj.manager.rowerplan not in ['coach','freecoach','plan']:
|
|
||||||
raise PermissionDenied('You are not allowed to edit this training plan')
|
|
||||||
|
|
||||||
return obj
|
return obj
|
||||||
|
|
||||||
@@ -2776,7 +2748,7 @@ class TrainingTargetUpdate(UpdateView):
|
|||||||
|
|
||||||
def get_object(self, *args, **kwargs):
|
def get_object(self, *args, **kwargs):
|
||||||
obj = super(TrainingTargetUpdate, self).get_object(*args, **kwargs)
|
obj = super(TrainingTargetUpdate, self).get_object(*args, **kwargs)
|
||||||
if obj.manager is not None and self.request.user.rower != obj.manager:
|
if not can_change_target(self.request.user,obj):
|
||||||
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
raise PermissionDenied('You are not allowed to edit this training plan cycle')
|
||||||
|
|
||||||
return obj
|
return obj
|
||||||
@@ -2786,14 +2758,9 @@ from rowers.utils import allsundays
|
|||||||
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
||||||
message="This functionality requires a Coach or Self-Coach plan",
|
message="This functionality requires a Coach or Self-Coach plan",
|
||||||
redirect_field_name=None)
|
redirect_field_name=None)
|
||||||
|
@permission_required('cycle.change_cycle',fn=get_meso_by_pk,raise_exception=True)
|
||||||
def planmesocyclebyweek(request,id=0,userid=0):
|
def planmesocyclebyweek(request,id=0,userid=0):
|
||||||
try:
|
cycle = get_object_or_404(TrainingMesoCycle,pk=id)
|
||||||
cycle = TrainingMesoCycle.objects.get(id=id)
|
|
||||||
except TrainingMesoCycle.DoesNotExist:
|
|
||||||
raise Http404("Training Cycle does not exist")
|
|
||||||
|
|
||||||
if not is_coach_user(request.user,cycle.plan.plan.manager.user):
|
|
||||||
raise PermissionDenied("You are not allowed to do this")
|
|
||||||
|
|
||||||
micros = TrainingMicroCycle.objects.filter(plan=cycle)
|
micros = TrainingMicroCycle.objects.filter(plan=cycle)
|
||||||
for m in micros:
|
for m in micros:
|
||||||
@@ -2841,14 +2808,9 @@ from rowers.utils import allmonths
|
|||||||
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
@user_passes_test(isplanmember,login_url="/rowers/paidplans",
|
||||||
message="This functionality requires a Coach or Self-Coach plan",
|
message="This functionality requires a Coach or Self-Coach plan",
|
||||||
redirect_field_name=None)
|
redirect_field_name=None)
|
||||||
|
@permission_required('cycle.change_cycle',fn=get_macro_by_pk,raise_exception=True)
|
||||||
def planmacrocyclebymonth(request,id=0,userid=0):
|
def planmacrocyclebymonth(request,id=0,userid=0):
|
||||||
try:
|
cycle = get_object_or_404(TrainingMacroCycle,pk=id)
|
||||||
cycle = TrainingMacroCycle.objects.get(id=id)
|
|
||||||
except TrainingMacroCycle.DoesNotExist:
|
|
||||||
raise Http404("Training Cycle does not exist")
|
|
||||||
|
|
||||||
if not is_coach_user(request.user,cycle.plan.manager.user):
|
|
||||||
raise PermissionDenied("You are not allowed to do this")
|
|
||||||
|
|
||||||
mesos = TrainingMesoCycle.objects.filter(plan=cycle)
|
mesos = TrainingMesoCycle.objects.filter(plan=cycle)
|
||||||
for m in mesos:
|
for m in mesos:
|
||||||
|
|||||||
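Review bot: The new decorators on `rower_delete_trainingplan` (`'target.delete_plan'`) and `rower_trainingplan_view` (`'plan.can_view'`) name permissions that the `rules.add_perm` calls on this page do not register; the registered names are `'plan.delete_plan'` and `'plan.view_plan'`. The inline `is_coach_user` checks were removed from both views, so the decorator is now the only object-level gate, and an unregistered name will most likely deny every non-superuser rather than apply `can_delete_plan` or `can_view_plan`. The decorators should read `@permission_required('plan.delete_plan',fn=get_plan_by_pk,raise_exception=True)` and `@permission_required('plan.view_plan',fn=get_plan_by_pk,raise_exception=True)`. Separately, the `TrainingPlanUpdate.get_object` hunk drops the `rowerplan not in ['coach','freecoach','plan']` check and `can_change_plan` does not replace it, so confirm the subscription gate is still enforced elsewhere for that view. Both view bodies continue outside the visible hunks.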
@@ -40,7 +40,9 @@ from rowers.opaque import encoder
|
|||||||
|
|
||||||
from rowers.rower_rules import (
|
from rowers.rower_rules import (
|
||||||
ispromember,is_coach_user,is_team_member,is_rower_team_member,
|
ispromember,is_coach_user,is_team_member,is_rower_team_member,
|
||||||
is_workout_user,isplanmember,
|
is_workout_user,isplanmember,can_delete_session,
|
||||||
|
can_view_target,can_change_target,can_delete_target,
|
||||||
|
can_view_plan,can_change_plan,can_delete_plan,
|
||||||
)
|
)
|
||||||
|
|
||||||
from django.shortcuts import render
|
from django.shortcuts import render
|
||||||
@@ -289,9 +291,30 @@ def get_workout_by_opaqueid(request,id,**kwargs):
|
|||||||
pk = encoder.decode_hex(id)
|
pk = encoder.decode_hex(id)
|
||||||
return get_object_or_404(Workout,pk=pk)
|
return get_object_or_404(Workout,pk=pk)
|
||||||
|
|
||||||
def get_session_by_pk(request,id):
|
def get_session_by_pk(request,*args,**kwargs):
|
||||||
|
id = kwargs['id']
|
||||||
return get_object_or_404(PlannedSession,pk=id)
|
return get_object_or_404(PlannedSession,pk=id)
|
||||||
|
|
||||||
|
def get_target_by_pk(request,*args,**kwargs):
|
||||||
|
id = kwargs['id']
|
||||||
|
return get_object_or_404(TrainingTarget,pk=id)
|
||||||
|
|
||||||
|
def get_plan_by_pk(request,*args,**kwargs):
|
||||||
|
id = kwargs['id']
|
||||||
|
return get_object_or_404(TrainingPlan,pk=id)
|
||||||
|
|
||||||
|
def get_macro_by_pk(request,*args,**kwargs):
|
||||||
|
id = kwargs['id']
|
||||||
|
return get_object_or_404(TrainingMacroCycle,pk=id)
|
||||||
|
|
||||||
|
def get_meso_by_pk(request,*args,**kwargs):
|
||||||
|
id = kwargs['id']
|
||||||
|
return get_object_or_404(TrainingMesoCycle,pk=id)
|
||||||
|
|
||||||
|
def get_micro_by_pk(request,*args,**kwargs):
|
||||||
|
id = kwargs['id']
|
||||||
|
return get_object_or_404(TrainingMicroCycle,pk=id)
|
||||||
|
|
||||||
def get_workout_default_page(request,id):
|
def get_workout_default_page(request,id):
|
||||||
if request.user.is_anonymous:
|
if request.user.is_anonymous:
|
||||||
return reverse('workout_view',kwargs={'id':id})
|
return reverse('workout_view',kwargs={'id':id})
|
||||||
|
|||||||
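Review bot: Each new lookup helper (`get_target_by_pk`, `get_plan_by_pk`, `get_macro_by_pk`, `get_meso_by_pk`, `get_micro_by_pk`, and the rewritten `get_session_by_pk`) reads `kwargs['id']`, so a request routed with a positional id, or with no id at all (the decorated views declare `id=0`), raises `KeyError` and surfaces as a 500 instead of a 404 or a permission denial. Taking the id as a parameter, e.g. `def get_plan_by_pk(request,id=0,**kwargs):` with the body `return get_object_or_404(TrainingPlan,pk=id)`, keeps the failure on the 404 path and preserves the old positional call form of `get_session_by_pk`. The import block adds the target, plan and session predicates but not `can_view_cycle`, `can_change_cycle` or `can_delete_cycle`; if the plan views obtain their predicates through this module, the cycle `get_object` methods would fail with `NameError` on first use.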