Prevent 500 if internal teacher without study group accesses exercise statistics

Sebastian Serth
2020-12-14 11:07:48 +01:00
parent 304f0ad469
commit bbea20172a


@ -469,6 +469,7 @@ class ExercisesController < ApplicationController
def statistics
if @external_user
# Render statistics page for one specific external user
authorize(@external_user, :statistics?)
if policy(@exercise).detailed_statistics?
@submissions = Submission.where(user: @external_user, exercise_id: @exercise.id).in_study_group_of(current_user).order('created_at')
@ -493,11 +494,15 @@ class ExercisesController < ApplicationController
end
render 'exercises/external_users/statistics'
else
# Show general statistic page for specific exercise
user_statistics = {}
additional_filter = if policy(@exercise).detailed_statistics?
''
else
elsif ! policy(@exercise).detailed_statistics? && current_user.study_groups > 0
"AND study_group_id IN (#{current_user.study_groups.pluck(:id).join(', ')}) AND cause = 'submit'"
else
# e.g. internal user without any study groups, show no submissions
"AND FALSE"
end
query = "SELECT user_id, MAX(score) AS maximum_score, COUNT(id) AS runs
FROM submissions WHERE exercise_id = #{@exercise.id} #{additional_filter} GROUP BY
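Review bot: The new `elsif` condition compares `current_user.study_groups > 0`, but the next line calls `.pluck(:id)` on the same value, so it appears to be an association rather than a number; the comparison would then likely raise NoMethodError and leave this path a 500 for every user without detailed statistics. `elsif current_user.study_groups.any?` expresses the intended check, and the repeated `! policy(@exercise).detailed_statistics?` can be dropped because the first branch already handled the true case. The `"AND FALSE"` default is a sound fail-closed choice for a user with no study group. Since `additional_filter` is interpolated straight into the SQL string, a comment such as `# additional_filter must only ever contain server-derived integer ids` above the assignment would keep later edits from adding request data to it. The query string continues outside this hunk.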