From 002f61102bc061c3998d85d9d69f0c6e90ba39ec Mon Sep 17 00:00:00 2001
From: Sander Roosendaal
Date: Fri, 13 Oct 2017 15:15:26 +0200
Subject: [PATCH] added check if workout is owned by requestor
---
 rowers/views.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rowers/views.py b/rowers/views.py
index efc20124..3e7f3d38 100644
--- a/rowers/views.py
+++ b/rowers/views.py
@@ -5856,7 +5856,9 @@ def workout_workflow_view(request,id):
 row = Workout.objects.get(id=id)
 except Workout.DoesNotExist:
 raise Http404("Workout doesn't exist")
-
+ if (checkworkoutuser(request.user,row)==False):
+ raise Http404("You are not allowed to edit this workout")
+
 r = getrower(request.user)
 result = request.user.is_authenticated() and ispromember(request.user)
 if result:
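Review bot: The new ownership check in `workout_workflow_view` compares with `==False`, so it denies only when `checkworkoutuser` returns exactly `False` (or 0); if that helper, which is not visible here, ever returns `None` on some path, the request would be let through. An authorization gate should fail closed: `if not checkworkoutuser(request.user, row):`. The check also runs before the `request.user.is_authenticated()` test a few lines below, so it is worth confirming that `checkworkoutuser` denies an anonymous user rather than raising on it. Raising `Http404` instead of a 403 hides whether the id exists, which is reasonable, but reusing the message of the `DoesNotExist` branch would keep the two cases indistinguishable wherever the message is rendered. The function body continues outside the hunk.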