Changes in / [4226ce0:6edc367] in OpenWorkouts-current

Location:

ow

Files:

• models/user.py (modified) (2 diffs)
• models/workout.py (modified) (2 diffs)
• static/js/ow.js (modified) (2 diffs)
• tests/models/test_user.py (modified) (2 diffs)
• tests/models/test_workout.py (modified) (2 diffs)
• views/workout.py (modified) (8 diffs)

ow/models/user.py

@@ -6 +6 @@
 import bcrypt
 from repoze.folder import Folder
-from pyramid.security import Allow, Deny, Everyone, ALL_PERMISSIONS
+from pyramid.security import Allow
 
 from ow.catalog import get_catalog, reindex_object
@@ -18 +18 @@
     def __acl__(self):
         permissions = [
+            (Allow, str(self.uid), 'edit'),
             (Allow, str(self.uid), 'view'),
-            (Allow, str(self.uid), 'edit'),
-            (Deny, Everyone, ALL_PERMISSIONS),
         ]
         return permissions

ow/models/workout.py

@@ -6 +6 @@
 import gpxpy
 from repoze.folder import Folder
-from pyramid.security import Allow, Deny, Everyone, ALL_PERMISSIONS
+from pyramid.security import Allow, Everyone
 
 from ow.utilities import (
@@ -29 +29 @@
         it (for now). If not, everybody can view it, only admins can edit it.
         """
-        uid = self.__parent__.uid
+        # Default permissions
         permissions = [
-            (Allow, str(uid), 'view'),
-            (Allow, str(uid), 'edit'),
-            (Allow, str(uid), 'delete'),
-            (Deny, Everyone, ALL_PERMISSIONS)
+            (Allow, Everyone, 'view'),
+            (Allow, 'group:admins', 'edit')
         ]
+
+        uid = getattr(self.__parent__, 'uid', None)
+        if uid is not None:
+            # Change permissions in case this workout has an owner
+            permissions = [
+                (Allow, str(uid), 'view'),
+                (Allow, str(uid), 'edit'),
+            ]
         return permissions
 

ow/static/js/ow.js

@@ -162 +162 @@
             y = d3.scaleLinear().rangeRound([height, 0]);
 
-        d3.json(url, {credentials: "same-origin"}).then(function (data) {
+        d3.json(url).then(function (data) {
             x.domain(data.map(function (d) {
                 return d.name;
@@ -324 +324 @@
             y = d3.scaleLinear().rangeRound([height, 0]);
 
-        d3.json(urls[url], {credentials: "same-origin"}).then(function (data) {
+        d3.json(urls[url]).then(function (data) {
             x.domain(data.map(function (d) {
                 return get_name_for_x(d);

ow/tests/models/test_user.py

@@ -3 +3 @@
 
 import pytest
-from pyramid.security import Allow, Everyone, Deny, ALL_PERMISSIONS
+from pyramid.security import Allow
 
 from ow.models.root import OpenWorkouts
@@ -33 +33 @@
     def test__acl__(self, root):
         uid = str(root['john'].uid)
-        permissions = [
-            (Allow, uid, 'view'),
-            (Allow, uid, 'edit'),
-            (Deny, Everyone, ALL_PERMISSIONS),
-        ]
+        permissions = [(Allow, uid, 'edit'), (Allow, uid, 'view')]
         assert root['john'].__acl__() == permissions
 

ow/tests/models/test_workout.py

@@ -6 +6 @@
 
 import pytest
-from pyramid.security import Allow, Everyone, Deny, ALL_PERMISSIONS
+from pyramid.security import Allow, Everyone
 
 from ow.models.workout import Workout
@@ -33 +33 @@
     def test__acl__(self, root):
         # First check permissions for a workout without parent
-        workout = Workout()
-        with pytest.raises(AttributeError):
-            workout.__acl__()
+        permissions = [(Allow, Everyone, 'view'),
+                       (Allow, 'group:admins', 'edit')]
+        workout = Workout()
+        assert workout.__acl__() == permissions
+
         # Now permissions on a workout that has been added to a user
         uid = str(root['john'].uid)
-        workout = root['john']['1']
-        permissions = [
-            (Allow, uid, 'view'),
-            (Allow, uid, 'edit'),
-            (Allow, uid, 'delete'),
-            (Deny, Everyone, ALL_PERMISSIONS)
-        ]
-        assert workout.__acl__() == permissions
+        permissions = [(Allow, uid, 'view'), (Allow, uid, 'edit')]
+        assert root['john']['1'].__acl__() == permissions
 
     def test_runthrough(self, root):

ow/views/workout.py

@@ -23 +23 @@
 @view_config(
     context=User,
-    permission='edit',
     name='add-workout-manually',
     renderer='ow:templates/add_manual_workout.pt')
@@ -60 +59 @@
 @view_config(
     context=User,
-    permission='edit',
     name='add-workout',
     renderer='ow:templates/add_workout.pt')
@@ -95 +93 @@
 @view_config(
     context=Workout,
-    permission='edit',
     name='edit',
     renderer='ow:templates/edit_manual_workout.pt')
@@ -142 +139 @@
 @view_config(
     context=Workout,
-    permission='edit',
     name='update-from-file',
     renderer='ow:templates/update_workout_from_file.pt')
@@ -171 +167 @@
 @view_config(
     context=Workout,
-    permission='delete',
     name='delete',
     renderer='ow:templates/delete_workout.pt')
@@ -189 +184 @@
 @view_config(
     context=Workout,
-    permission='view',
     renderer='ow:templates/workout.pt')
 def workout(context, request):
@@ -218 +212 @@
     For now, simply return the gpx file if it has been attached to the
     workout.
-
-    This view requires no permission, as we access it from an non-authenticated
-    request in a separate job, to generate the static map screenshot.
     """
     if not context.has_gpx:
@@ -238 +229 @@
 def workout_map(context, request):
     """
-    Render a page that has only a map with tracking info.
-    This view requires no permission, as we access it from an non-authenticated
-    request in a separate job, to generate the static map screenshot.
+    Render a page that has only a map with tracking info
     """
     start_point = {}