Fixed the destroy session logic.

1. an exercise_id is provided ==> only the LtiParameter object for the current user, consumer, and exercise is deleted.
2. no exercise_id is provided ==> external user and consumer are removed from the session, all LtiParameter objects for this user and consumer are deleted.

This enables users to have several tabs with exercises open and submitting the results to the tool consumer.
When an exercise has been submitted, the user cannot use the back button to get back to CodeOcean and work on the submitted or any other exercise.
For now a warning has been added to the info text to tell users not to do this. (As the LtiParameters have been deleted, the points can no more be submitted to the consumer.)
@TODO disable/redirect back button?

app/controllers/concerns/lti.rb

@@ -15,19 +15,20 @@ module Lti
   end
   private :build_tool_provider
 
+  # exercise_id.nil? ==> the user has logged out. All session data is to be destroyed
+  # exercise_id.exists? ==> the user has submitted the results of an exercise to the consumer.
+  # Only the lti_parameters are deleted.
   def clear_lti_session_data(exercise_id = nil)
     #Todo replace session with lti_parameter /done
-    #TODO decide if we need to remove all LtiParameters for user/consumer
     if (exercise_id.nil?)
       LtiParameter.destroy_all(consumers_id: session[:consumer_id], external_user_id: session[:external_user_external_id])
-    else #TODO: probably it does not make sense to keep the LtiParameters if the session is deleted
+      session.delete(:consumer_id)
+      session.delete(:external_user_id)
+    else
       LtiParameter.destroy_all(consumers_id: session[:consumer_id],
                                external_user_id: session[:external_user_external_id],
                                exercises_id: exercise_id)
     end
-    session.delete(:consumer_id)
-    session.delete(:external_user_id)
-    #session.delete(:lti_parameters)
   end
   private :clear_lti_session_data
 

app/controllers/sessions_controller.rb

@@ -38,7 +38,6 @@ class SessionsController < ApplicationController
   def destroy_through_lti
     @consumer = Consumer.find_by(id: params[:consumer_id])
     @submission = Submission.find(params[:submission_id])
-    #TODO decide if we need to remove all LtiParameters for user/consumer
     clear_lti_session_data(@submission.exercise_id)
   end
 

app/views/sessions/destroy_through_lti.html.slim

@@ -3,6 +3,7 @@ h1 = t('.headline')
 p
   == t(".success_#{params[:outcome] ? 'with' : 'without'}_outcome", consumer: @consumer)
   ==< t(".finished_#{@consumer ? 'with' : 'without'}_consumer", consumer: @consumer, url: params[:url])
+  ==< t(".do_not_use_backbutton", consumer: @consumer)
 
 h2 = t('shared.statistics')
 

config/locales/de.yml

@@ -386,6 +386,7 @@ de:
       score: Ihre Punktzahl
       success_with_outcome: 'Ihr Code wurde erfolgreich bewertet. Ihre Bewertung wurde an %{consumer} übermittelt.'
       success_without_outcome: Ihr Code wurde erfolgreich bewertet.
+      do_not_use_backbutton: Benutzen Sie nicht den "Zurück" Button des Browsers, um zu CodeOcean zurück zu kehren. Übungen müssen immer aus dem %{consumer} Kontext gestartet werden.
     new:
       forgot_password: Passwort vergessen?
       headline: Anmelden

config/locales/en.yml

@@ -407,6 +407,7 @@ en:
       score: Your Score
       success_with_outcome: 'Your code has been successfully assessed. Your grade has been transmitted to %{consumer}.'
       success_without_outcome: Your code has been successfully assessed.
+      do_not_use_backbutton: Never use the browser's "Back" button to get back to CodeOcean. Always start an exercise from within %{consumer}.
     new:
       forgot_password: Forgot password?
       headline: Sign In