From bbea20172afd3ed27c09980408e4f20f3434d9c1 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Mon, 14 Dec 2020 11:07:48 +0100
Subject: [PATCH] Prevent 500 if internal teacher without study group accesses exercise statistics
---
app/controllers/exercises_controller.rb | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/controllers/exercises_controller.rb b/app/controllers/exercises_controller.rb
index b6c94f5c..4e08366c 100644
--- a/app/controllers/exercises_controller.rb
+++ b/app/controllers/exercises_controller.rb
@@ -469,6 +469,7 @@ class ExercisesController < ApplicationController
 def statistics
 if @external_user
+ # Render statistics page for one specific external user
 authorize(@external_user, :statistics?)
 if policy(@exercise).detailed_statistics?
 @submissions = Submission.where(user: @external_user, exercise_id: @exercise.id).in_study_group_of(current_user).order('created_at')
@@ -493,11 +494,15 @@ class ExercisesController < ApplicationController
 end
 render 'exercises/external_users/statistics'
 else
+ # Show general statistic page for specific exercise
 user_statistics = {}
 additional_filter = if policy(@exercise).detailed_statistics?
 ''
- else
+ elsif ! policy(@exercise).detailed_statistics? && current_user.study_groups > 0
 "AND study_group_id IN (#{current_user.study_groups.pluck(:id).join(', ')}) AND cause = 'submit'"
+ else
+ # e.g. internal user without any study groups, show no submissions
+ "AND FALSE"
 end
 query = "SELECT user_id, MAX(score) AS maximum_score, COUNT(id) AS runs FROM submissions WHERE exercise_id = #{@exercise.id} #{additional_filter} GROUP BY
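Review bot: The new `elsif` condition in the second hunk compares `current_user.study_groups > 0`, and `study_groups` looks like an association collection (the next line calls `.pluck(:id)` on it); neither a collection proxy nor an Array defines `>`, so every non-detailed-statistics user would hit a NoMethodError here and still get the 500 the commit sets out to prevent. The leading `! policy(@exercise).detailed_statistics?` is also redundant, since the `if` branch above already handled the true case. Suggested replacement for that line: `elsif current_user.study_groups.any?` (or `.exists?` to avoid loading the records), which keeps the `"AND FALSE"` fallback for users without any study group. The interpolated `IN (...)` list is built from ids plucked from the database rather than request input, so it is not an injection vector, but a short comment saying so, e.g. `# ids come from the DB, not from params`, would stop a later change from reusing the pattern with user-supplied values. The hunk and the enclosing `statistics` method continue past the visible excerpt, so the tail of the query was not reviewed.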