From c8c3a5bf952cfbfc17f558202d71907d344200b5 Mon Sep 17 00:00:00 2001 From: Sebastian Serth Date: Wed, 24 Aug 2022 11:56:42 +0200 Subject: [PATCH] Fix external user statistics for tags --- app/controllers/external_users_controller.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/app/controllers/external_users_controller.rb b/app/controllers/external_users_controller.rb index 95fa2634..7fdf9415 100644 --- a/app/controllers/external_users_controller.rb +++ b/app/controllers/external_users_controller.rb @@ -43,15 +43,15 @@ class ExternalUsersController < ApplicationController (created_at - lag(created_at) over (PARTITION BY user_id, exercise_id ORDER BY created_at)) AS working_time FROM submissions - WHERE user_id = #{@user.id} + WHERE #{ExternalUser.sanitize_sql(['user_id = ?', @user.id])} AND user_type = 'ExternalUser' - #{current_user.admin? ? '' : "AND study_group_id IN (#{current_user.study_groups.pluck(:id).join(', ')}) AND cause = 'submit'"} + #{current_user.admin? ? '' : "AND #{ExternalUser.sanitize_sql(['study_group_id IN (?)', current_user.study_groups.pluck(:id).join(', ')])}) AND cause = 'submit'"} GROUP BY exercise_id, user_id, id ) AS foo ) AS bar - #{tag.nil? ? '' : " JOIN exercise_tags et ON et.exercise_id = bar.exercise_id AND et.tag_id = #{tag} "} + #{tag.nil? ? '' : " JOIN exercise_tags et ON et.exercise_id = bar.exercise_id AND #{ExternalUser.sanitize_sql(['et.tag_id = ?', tag])}"} GROUP BY user_id, bar.exercise_id; " @@ -60,10 +60,14 @@ class ExternalUsersController < ApplicationController def statistics @user = ExternalUser.find(params[:id]) authorize! + if params[:tag].present? + tag = Tag.find(params[:tag]) + authorize(tag, :show?) + end statistics = {} - ApplicationRecord.connection.execute(working_time_query(params[:tag])).each do |tuple| + ApplicationRecord.connection.execute(working_time_query(tag&.id)).each do |tuple| statistics[tuple['exercise_id'].to_i] = tuple end