Ensure views only link to those actions allowed for current user

2018-11-30 13:29:04 +01:00
parent d3f67ab4c7
commit 2125fb1c1d
56 changed files with 128 additions and 264 deletions
--- a/app/views/external_users/statistics.html.slim
+++ b/app/views/external_users/statistics.html.slim
@@ -13,7 +13,7 @@ h1 = t('.title')
        - if statistics[exercise.id]
          - stats = statistics[exercise.id]
          tr
-            td = link_to exercise, controller: "exercises", action: "statistics", external_user_id: @user.id, id: exercise.id
+            td = link_to_if policy(exercise).show?, exercise, controller: "exercises", action: "statistics", external_user_id: @user.id, id: exercise.id
            td = stats["maximum_score"] or 0
            td = stats["runs"] or 0
            td = stats["working_time"] or 0