From c186895e7ac4140f19cb50f73a9ae37137953542 Mon Sep 17 00:00:00 2001
From: Sander Roosendaal <roosendaalsander@gmail.com>
Date: Thu, 16 Jan 2020 22:01:54 +0100
Subject: [PATCH] rules rules rules

---
 rowers/rower_rules.py            |  3 +--
 rowers/tests/test_permissions.py | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/rowers/rower_rules.py b/rowers/rower_rules.py
index 795bdf21..ff9ef370 100644
--- a/rowers/rower_rules.py
+++ b/rowers/rower_rules.py
@@ -243,7 +243,7 @@ def can_add_workout_member(user,rower):
     if user == rower.user:
         return True
     # only below tested - need test user == rower.user
-    return isplanmember(user) and user.rower in rower.get_coaches()
+    return is_coach(user) and user.rower in rower.get_coaches()
 
 # check if user can plan for the rower
 @rules.predicate
@@ -324,7 +324,6 @@ def is_workout_user(user,workout):
 def can_view_workout(user,workout):
     if workout.privacy != 'private':
         return True
-    # below not tested
     return user.rower == workout.user
 
 can_change_workout = is_workout_user
diff --git a/rowers/tests/test_permissions.py b/rowers/tests/test_permissions.py
index 7dbcd4b5..c5576c89 100644
--- a/rowers/tests/test_permissions.py
+++ b/rowers/tests/test_permissions.py
@@ -609,6 +609,8 @@ class PermissionsViewTests(TestCase):
                                       rowerplan='basic')
 
         self.ubasic_workouts = WorkoutFactory.create_batch(5, user=self.rbasic)
+        self.ubasic_workouts[0].privacy == 'private'
+
         self.factory = RequestFactory()
         self.ubasicpassword = faker.word()
         self.ubasic.set_password(self.ubasicpassword)
@@ -634,6 +636,24 @@ class PermissionsViewTests(TestCase):
             manager=self.ucoach)
 
 
+    ## only ubasic can view ubasic_workouts[0] which is private
+    def test_view_workout(self):
+        login = self.c.login(username=self.ucoach.username, password=self.ucoachpassword)
+        self.assertTrue(login)
+
+        url = reverse('workout_view',
+                      kwargs={'id':self.ubasic_workouts[0].id})
+        response = self.c.get(url)
+        self.assertTrue(response.status_code,403)
+
+        login = self.c.login(username=self.ubasic.username, password=self.ubasicpassword)
+        self.assertTrue(login)
+
+        url = reverse('workout_view',
+                      kwargs={'id':self.ubasic_workouts[0].id})
+        response = self.c.get(url)
+        self.assertTrue(response.status_code,200)
+
     ## Coach can have any number of groups
     def test_coach_groups_create(self):
         login = self.c.login(username=self.ucoach.username, password=self.ucoachpassword)