Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/exercises/feedback.html.slim
+++ b/app/views/exercises/feedback.html.slim
@@ -1,4 +1,4 @@
-h1 = link_to(@exercise, exercise_path(@exercise))
+h1 = link_to_if(policy(@exercise).show?, @exercise, exercise_path(@exercise))

 .feedback-page
  .header = t('activerecord.attributes.exercise.description')