From f13e9f7fbaba50bdba12c27c3719a55b63bf78e7 Mon Sep 17 00:00:00 2001
From: Sander Roosendaal
Date: Sat, 29 Feb 2020 17:27:42 +0100
Subject: [PATCH] fixed rights
---
 rowers/tests/.~lock.viewnames.csv# | 1 +
 rowers/tests/viewnames.csv | 2 +-
 rowers/views/statements.py | 11 +++++++
 rowers/views/workoutviews.py | 48 ++++++++++++++----------------
 4 files changed, 36 insertions(+), 26 deletions(-)
 create mode 100644 rowers/tests/.~lock.viewnames.csv#
diff --git a/rowers/tests/.~lock.viewnames.csv# b/rowers/tests/.~lock.viewnames.csv#
new file mode 100644
index 00000000..ad550290
--- /dev/null
+++ b/rowers/tests/.~lock.viewnames.csv#
@@ -0,0 +1 @@
+,sander,sander-pc,29.02.2020 17:14,file:///home/sander/.config/libreoffice/4;
\ No newline at end of file
diff --git a/rowers/tests/viewnames.csv b/rowers/tests/viewnames.csv
index bec2388f..853f9f90 100644
--- a/rowers/tests/viewnames.csv
+++ b/rowers/tests/viewnames.csv
@@ -62,7 +62,7 @@
 60,66,workout_gpxemail_view,download GPX file,TRUE,403,basic,200,302,basic,403,403,coach,200,403,FALSE,FALSE,TRUE,TRUE,TRUE,
 61,67,workout_csvemail_view,download CSV file,TRUE,403,basic,200,302,basic,403,403,coach,200,403,FALSE,FALSE,TRUE,TRUE,TRUE,
 62,68,workout_csvtoadmin_view,send CSV to admin,TRUE,403,basic,200,200,basic,200,200,coach,200,200,TRUE,FALSE,TRUE,TRUE,TRUE,
-63,69,workout_edit_view,Edit Workout,TRUE,403,basic,200,403,basic,403,403,coach,200,403,FALSE,FALSE,TRUE,TRUE,TRUE,
+63,69,workout_edit_view,Edit Workout,TRUE,302,basic,200,403,basic,403,403,coach,200,403,FALSE,FALSE,TRUE,TRUE,TRUE,
 64,70,workout_map_view,View workout Map,TRUE,302,basic,200,302,basic,200,302,coach,200,302,FALSE,FALSE,TRUE,TRUE,TRUE,
 65,71,workout_update_cp_view,Update CP data based on new workout,TRUE,403,pro,302,302,pro,403,403,coach,302,302,FALSE,FALSE,TRUE,TRUE,TRUE,
 66,72,instroke_chart,View In-Stroke data chart,TRUE,302,pro,302,302,pro,403,403,coach,302,302,FALSE,FALSE,FALSE,FALSE,FALSE,
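Review bot: `rowers/tests/.~lock.viewnames.csv#` is a LibreOffice editor lock file, not a test fixture, and its single line records a local username, hostname and home-directory path, so it should be dropped from the commit rather than added; a `.~lock.*#` entry in `.gitignore` would keep it from being staged again. The neighbouring viewnames.csv change (anonymous expectation for `workout_edit_view` moving from 403 to 302) is consistent with the `@login_required()` added to that view later in this patch, so that hunk needs nothing further.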
diff --git a/rowers/views/statements.py b/rowers/views/statements.py
index c3ba97d0..1e912a3a 100644
--- a/rowers/views/statements.py
+++ b/rowers/views/statements.py
@@ -474,6 +474,17 @@ def get_workout(id):
 return w
+def get_workoutuser(id,request):
+ try:
+ id = encoder.decode_hex(id)
+ w = Workout.objects.get(id=id)
+ except Workout.DoesNotExist:
+ raise Http404("Workout doesn't exist")
+
+ if not is_workout_user(request.user,w):
+ raise PermissionDenied
+
+ return w
 def getvalue(data):
 perc = 0
diff --git a/rowers/views/workoutviews.py b/rowers/views/workoutviews.py
index add94d58..b8b534a1 100644
--- a/rowers/views/workoutviews.py
+++ b/rowers/views/workoutviews.py
@@ -394,7 +394,7 @@ def workout_video_create_view(request,id=0):
 redirect_field_name=None)
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_forcecurve_view(request,id=0,workstrokesonly=False):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 promember=0
 mayedit=0
@@ -462,7 +462,7 @@ def workout_forcecurve_view(request,id=0,workstrokesonly=False):
 # Switch from GPS to Impeller (only for SpeedCoach 2, if impeller data)
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def otw_use_impeller(request,id=0):
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 row = rdata(w.csvfilename)
@@ -484,7 +484,7 @@ def otw_use_impeller(request,id=0):
 # Switch from Impeller to GPS (only for SpeedCoach 2, if impeller data)
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def otw_use_gps(request,id=0):
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 row = rdata(w.csvfilename)
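Review bot: The new `get_workoutuser` answers 404 for an id that does not decode to an existing workout but 403 for one that exists and fails `is_workout_user`, so the status code alone tells a requester whether an opaque id is valid; the viewnames.csv fixture on this page does expect 403 for other users, so if that is deliberate it should at least be stated, otherwise raising `Http404("Workout doesn't exist")` from the `is_workout_user` branch as well removes the distinction. The `try` also encloses `encoder.decode_hex(id)` while catching only `Workout.DoesNotExist`, so a malformed id escapes as an unhandled exception instead of a 404; what the decoder raises is not visible here, so confirm it and catch it in the same clause. The decode-and-lookup lines duplicate `get_workout` immediately above — `w = get_workout(id)` followed by the `is_workout_user` test keeps one copy of that logic. A one-line docstring such as `"""Resolve an opaque workout id; raise Http404 if absent, PermissionDenied unless request.user passes is_workout_user."""` would make the access check visible to callers, since the name alone does not say it.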
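Review bot: Each view changed in workoutviews.py now loads the workout twice per request: the `@permission_required(..., fn=get_workout_by_opaqueid, raise_exception=True)` decorator resolves it for the object-permission check and the body's new `get_workoutuser(id, request)` decodes and fetches it again; the same applies to the hunks at -462 and -484 and to every later hunk of this file on this page. The two checks only coincide if the rule behind `workout.change_workout` and `is_workout_user` agree, which is not visible here, and the separate `basic`/`coach` columns in viewnames.csv suggest they may not; the effective rule is their intersection, so a comment at the first call, `# decorator checks workout.change_workout; get_workoutuser additionally requires is_workout_user`, would record that both must pass. Whether `is_workout_user` admits coaches or other non-owners decides whether any of these views now behaves differently for them, which is worth pinning with the fixture rather than inferring.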
@@ -508,7 +508,7 @@ def otw_use_gps(request,id=0):
 @login_required()
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_histo_view(request,id=0):
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 r = getrequestrower(request)
 promember = 1
@@ -747,7 +747,7 @@ def fitness_metric_view(request,mode='rower',days=42):
 message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality. If you are already a Pro user, please log in to access this functionality",
 redirect_field_name=None)
 def workout_update_cp_view(request,id=0):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 row.rankingpiece = True
 row.save()
@@ -767,7 +767,7 @@ def workout_update_cp_view(request,id=0):
 # Reload the workout and calculate the summary from the stroke data (lapIDx)
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_recalcsummary_view(request,id=0):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 filename = row.csvfilename
 rowdata = rdata(filename)
@@ -2005,7 +2005,7 @@ def workout_fusion_list(request,id=0,
 if id:
 theid = encoder.decode_hex(id)
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 r = w.user
 workouts = Workout.objects.filter(user=r,
@@ -2034,7 +2034,7 @@ def workout_fusion_list(request,id=0,
 workouts = paginator.page(1)
 except EmptyPage:
 workouts = paginator.page(paginator.num_pages)
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 breadcrumbs = [
@@ -2172,7 +2172,7 @@ def workout_view(request,id=0):
 def workout_undo_smoothenpace_view(
 request,id=0,message="",successmessage="" ):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 r = getrower(request.user)
 filename = row.csvfilename
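Review bot: In `workout_update_cp_view` the row returned by `get_workoutuser(id, request)` is set to `rankingpiece = True` and saved on the next two lines with no check of `request.method` visible in the hunk, so if the URL is reachable by GET the write happens on a plain link visit, outside Django's CSRF protection, which only applies to unsafe methods. The new ownership check narrows who can trigger it but does not change that; `@require_POST` from `django.views.decorators.http` on this view would, provided the calling page submits a form. The decorator stack above and the remainder of the body lie outside the hunk, so I cannot tell whether such a guard exists elsewhere.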
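Review bot: In `workout_fusion_list` the same `id` is now resolved by `get_workoutuser(id, request)` twice (the -2005 hunk and again at -2034), on top of the `theid = encoder.decode_hex(id)` just above the first call, so the decode, the database lookup and the ownership check all run twice on one request; reusing the first result in the later hunk, `row = w`, avoids the repeat. The first call sits inside `if id:`; whether the second is also guarded is outside the hunk — if it is not, the `id=0` default reaches `encoder.decode_hex` on the listing page exactly as the old `get_workout(id)` did. The function begins before and ends after both hunks.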
@@ -2203,7 +2203,7 @@ def workout_undo_smoothenpace_view(
 message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality. If you are already a Pro user, please log in to access this functionality",
 redirect_field_name=None)
 def workout_smoothenpace_view(request,id=0,message="",successmessage=""):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 previousurl = request.META.get('HTTP_REFERER')
@@ -2263,7 +2263,7 @@ def workout_smoothenpace_view(request,id=0,message="",successmessage=""):
 message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality. If you are already a Pro user, please log in to access this functionality",
 redirect_field_name=None)
 def workout_crewnerd_summary_view(request,id=0,message="",successmessage=""):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 r = getrower(request.user)
 breadcrumbs = [ {
@@ -2343,7 +2343,7 @@ def workout_crewnerd_summary_view(request,id=0,message="",successmessage=""):
 def workout_downloadwind_view(request,id=0,
 airportcode=None, message="",successmessage=""):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 f1 = row.csvfilename
@@ -2411,7 +2411,7 @@ def workout_downloadwind_view(request,id=0,
 def workout_downloadmetar_view(request,id=0,
 airportcode=None, message="",successmessage=""):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 f1 = row.csvfilename
@@ -2480,7 +2480,7 @@ def workout_downloadmetar_view(request,id=0,
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 @user_passes_test(ispromember,login_url="/rowers/paidplans",message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",redirect_field_name=None)
 def workout_wind_view(request,id=0,message="",successmessage=""):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 r = getrower(request.user)
 breadcrumbs = [ {
@@ -2610,7 +2610,7 @@ def workout_wind_view(request,id=0,message="",successmessage=""):
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 @user_passes_test(ispromember,login_url="/rowers/paidplans",message="This functionality requires a Pro plan or higher. If you are already a Pro user, please log in to access this functionality",redirect_field_name=None)
 def workout_stream_view(request,id=0,message="",successmessage=""):
- row = get_workout(id)
+ row = get_workoutuser(id, request)
 r = getrower(request.user)
@@ -2694,7 +2694,7 @@ def workout_stream_view(request,id=0,message="",successmessage=""):
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 @user_passes_test(ispromember, login_url="/rowers/paidplans",redirect_field_name=None)
 def workout_otwsetpower_view(request,id=0,message="",successmessage=""):
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 r = getrower(request.user)
 mayedit = 1
@@ -2819,7 +2819,7 @@ def workout_otwsetpower_view(request,id=0,message="",successmessage=""):
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def instroke_view(request,id=0):
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 r = getrower(request.user)
 mayedit = 1
@@ -2868,7 +2868,7 @@ def instroke_view(request,id=0):
 # generate instroke chart
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def instroke_chart(request,id=0,metric=''):
- w = get_workout(id)
+ w = get_workoutuser(id, request)
@@ -2923,7 +2923,7 @@ def instroke_chart(request,id=0,metric=''):
 def workout_data_view(request, id=0):
 r = getrower(request.user)
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 breadcrumbs = [
@@ -3905,16 +3905,14 @@ def workout_comment_view(request,id=0):
 # The basic edit page
+@login_required()
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_edit_view(request,id=0,message="",successmessage=""):
 request.session[translation.LANGUAGE_SESSION_KEY] = USER_LANGUAGE
 request.session['referer'] = absolute(request)['PATH']
- row = get_workout(id)
-
-
-
+ row = get_workoutuser(id,request)
 if request.user.rower.rowerplan == 'basic' and 'speedcoach2' in row.workoutsource:
 data = getsmallrowdata_db(['wash'],ids=[encoder.decode_hex(id)])
@@ -4230,7 +4228,7 @@ def workout_uploadimage_view(request,id):
 r = getrower(request.user)
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 breadcrumbs = [ {
@@ -4329,7 +4327,7 @@ def workout_uploadimage_view(request,id):
 @permission_required('workout.change_workout',fn=get_workout_by_opaqueid,raise_exception=True)
 def workout_add_chart_view(request,id,plotnr=1):
- w = get_workout(id)
+ w = get_workoutuser(id, request)
 r = getrower(request.user)
 plotnr = int(plotnr)
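Review bot: In `workout_edit_view` the new `@login_required()` is stacked outside `@permission_required(..., raise_exception=True)`, so an anonymous request is redirected before the object-permission check runs, which is what the 403 to 302 change in viewnames.csv expects; since swapping the two decorators would most likely turn that back into a 403, a comment above them, `# login_required outermost: anonymous users are redirected before the object permission check`, would record that the order is intentional. This also makes the `request.user.rower` access two lines below safe for anonymous visitors, which the old 403 path already guaranteed. The call is written `get_workoutuser(id,request)` while every other hunk in this file writes `get_workoutuser(id, request)`; `row = get_workoutuser(id, request)` keeps the file consistent. The body continues past the hunk.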