From 1e06ab3fa937db93419eb671c76b52af259a5da9 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Thu, 23 Nov 2023 01:11:00 +0100
Subject: [PATCH] Prevent cross access of PG for different exercise

Here, we are only checking the condition based on the URL if both parameters (exercise and programming group) are given. Otherwise, we skip the check.

---
 app/controllers/programming_groups_controller.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/controllers/programming_groups_controller.rb b/app/controllers/programming_groups_controller.rb
index 78494a99..d89642e7 100644
--- a/app/controllers/programming_groups_controller.rb
+++ b/app/controllers/programming_groups_controller.rb
@@ -94,6 +94,8 @@ class ProgrammingGroupsController < ApplicationController
 private
 def authorize!
+ raise Pundit::NotAuthorizedError if @programming_group.present? && @exercise.present? && @programming_group.exercise != @exercise
+
 authorize(@programming_group || @programming_groups)
 end
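Review bot: The new guard raises a bare `Pundit::NotAuthorizedError` with no query, record or policy attached, so if the application's `rescue_from Pundit::NotAuthorizedError` handler builds its message or log entry from `exception.query` / `exception.policy` (as Pundit's i18n lookup convention does) this path will either surface differently from a normal policy denial or fail inside the handler; consider `raise Pundit::NotAuthorizedError, query: :show?, record: @programming_group if @programming_group.present? && @exercise.present? && @programming_group.exercise != @exercise` so the denial carries the same context as the `authorize` call below it. A why-comment above the line would help the next reader, e.g. `# A programming group reached through a nested exercise route must belong to that exercise.` As the commit message itself notes, the check is skipped whenever only one of the two instance variables is set, so a non-nested route that loads `@programming_group` alone relies entirely on the policy invoked by `authorize`, which is worth covering with a spec for both URL shapes. Comparing `@programming_group.exercise_id != @exercise.id` would avoid loading the association just for this comparison, though that is a minor point. `authorize!` sits fully inside the hunk, but the callbacks that set `@programming_group` and `@exercise` do not, so their load order and nil behaviour are inferred here rather than seen.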