Merge pull request #243 from openHPI/add_roles_via_LTI

Add roles via LTI
2018-12-19 13:50:32 +01:00
parent ebd8b56ebf d95cf1cffb
commit c906b3240a
90 changed files with 243 additions and 590 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -33,6 +33,7 @@ class ApplicationController < ActionController::Base
  private :set_locale
  def welcome
    # Show root page
  end
  def allow_iframe_requests
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@ -9,7 +9,6 @@ class CommentsController < ApplicationController
  end
  private :authorize!
  # GET /comments
  # GET /comments.json
  def index
    file = CodeOcean::File.find(params[:file_id])
@ -29,24 +28,11 @@ class CommentsController < ApplicationController
    authorize!
  end
  # GET /comments/1
  # GET /comments/1.json
  def show
    authorize!
  end
  # GET /comments/new
  def new
    @comment = Comment.new
    authorize!
  end
  # GET /comments/1/edit
  def edit
    authorize!
  end
  # POST /comments
  # POST /comments.json
  def create
    @comment = Comment.new(comment_params_without_request_id)
@ -59,40 +45,31 @@ class CommentsController < ApplicationController
          send_mail_to_subscribers @comment, request_for_comment
        end
-        format.html { redirect_to @comment, notice: 'Comment was successfully created.' }
+        render :show, status: :created, location: @comment
        format.json { render :show, status: :created, location: @comment }
      else
-        format.html { render :new }
+        render json: @comment.errors, status: :unprocessable_entity
        format.json { render json: @comment.errors, status: :unprocessable_entity }
      end
    end
    authorize!
  end
  # PATCH/PUT /comments/1
  # PATCH/PUT /comments/1.json
  def update
    respond_to do |format|
      if @comment.update(comment_params_without_request_id)
-        format.html { head :no_content, notice: 'Comment was successfully updated.' }
+        render :show, status: :ok, location: @comment
        format.json { render :show, status: :ok, location: @comment }
      else
-        format.html { render :edit }
+        render json: @comment.errors, status: :unprocessable_entity
        format.json { render json: @comment.errors, status: :unprocessable_entity }
      end
    end
    authorize!
  end
  # DELETE /comments/1
  # DELETE /comments/1.json
  def destroy
    authorize!
    @comment.destroy
-    respond_to do |format|
+    head :no_content
      format.html { head :no_content, notice: 'Comment was successfully destroyed.' }
      format.json { head :no_content }
    end
  end
  private
--- a/app/controllers/concerns/lti.rb
+++ b/app/controllers/concerns/lti.rb
@ -53,6 +53,22 @@ module Lti
  end
  private :external_user_name
  def external_user_role(provider)
    result = 'learner'
    provider.roles.each do |role|
      case role.downcase!
      when 'administrator'
        # We don't want anyone to get admin privileges through LTI
        result = 'teacher' if result == 'learner'
      when 'instructor'
        result = 'teacher' if result == 'learner'
      else # 'learner'
        next
      end
    end unless provider.roles.blank?
    result
  end
  def mooc_course
    # All Xikolo platforms set the custom_course to the course code
   params[:custom_course]
@ -135,7 +151,11 @@ module Lti
  def set_current_user
    @current_user = ExternalUser.find_or_create_by(consumer_id: @consumer.id, external_id: @provider.user_id)
-    @current_user.update(email: external_user_email(@provider), name: external_user_name(@provider))
+    external_role = external_user_role(@provider)
    internal_role = @current_user.role
    internal_role != 'admin' ? desired_role = external_role : desired_role = internal_role
    # Update user with new information but change the role only if he is no admin user
    @current_user.update(email: external_user_email(@provider), name: external_user_name(@provider), role: desired_role)
  end
  private :set_current_user
--- a/app/controllers/exercises_controller.rb
+++ b/app/controllers/exercises_controller.rb
@ -7,8 +7,8 @@ class ExercisesController < ApplicationController
  before_action :handle_file_uploads, only: [:create, :update]
  before_action :set_execution_environments, only: [:create, :edit, :new, :update]
-  before_action :set_exercise, only: MEMBER_ACTIONS + [:clone, :implement, :working_times, :intervention, :search, :run, :statistics, :submit, :reload, :feedback]
+  before_action :set_exercise_and_authorize, only: MEMBER_ACTIONS + [:clone, :implement, :working_times, :intervention, :search, :run, :statistics, :submit, :reload, :feedback]
-  before_action :set_external_user, only: [:statistics]
+  before_action :set_external_user_and_authorize, only: [:statistics]
  before_action :set_file_types, only: [:create, :edit, :new, :update]
  before_action :set_course_token, only: [:implement]
@ -299,19 +299,19 @@ class ExercisesController < ApplicationController
  end
  private :set_execution_environments
-  def set_exercise
+  def set_exercise_and_authorize
    @exercise = Exercise.find(params[:id])
    authorize!
  end
-  private :set_exercise
+  private :set_exercise_and_authorize
-  def set_external_user
+  def set_external_user_and_authorize
    if params[:external_user_id]
      @external_user = ExternalUser.find(params[:external_user_id])
      authorize!
    end
  end
-  private :set_exercise
+  private :set_external_user_and_authorize
  def set_file_types
    @file_types = FileType.all.order(:name)
@ -329,10 +329,11 @@ class ExercisesController < ApplicationController
  private :collect_set_and_unset_exercise_tags
  def show
    # Show exercise details for teachers and admins
  end
  #we might want to think about auth here
  def reload
    # Returns JSON with original file content
  end
  def statistics
--- a/app/controllers/interventions_controller.rb
+++ b/app/controllers/interventions_controller.rb
@ -1,55 +0,0 @@
 class InterventionsController < ApplicationController
  include CommonBehavior
  before_action :set_intervention, only: MEMBER_ACTIONS
  def authorize!
    authorize(@intervention || @interventions)
  end
  private :authorize!
  def create
    #@intervention = Intervention.new(intervention_params)
    #authorize!
    #create_and_respond(object: @intervention)
  end
  def destroy
    destroy_and_respond(object: @intervention)
  end
  def edit
  end
  def intervention_params
    params[:intervention].permit(:name) if params[:intervention].present?
  end
  private :intervention_params
  def index
    @interventions = Intervention.all.paginate(page: params[:page])
    authorize!
  end
  def new
    #@intervention = Intervention.new
    #authorize!
  end
  def set_intervention
    @intervention = Intervention.find(params[:id])
    authorize!
  end
  private :set_intervention
  def show
  end
  def update
    update_and_respond(object: @intervention, params: intervention_params)
  end
  def to_s
    name
  end
 end
--- a/app/controllers/proxy_exercises_controller.rb
+++ b/app/controllers/proxy_exercises_controller.rb
@ -1,7 +1,7 @@
 class ProxyExercisesController < ApplicationController
  include CommonBehavior
-  before_action :set_exercise, only: MEMBER_ACTIONS + [:clone, :reload]
+  before_action :set_exercise_and_authorize, only: MEMBER_ACTIONS + [:clone, :reload]
  def authorize!
    authorize(@proxy_exercise || @proxy_exercises)
@ -56,11 +56,11 @@ class ProxyExercisesController < ApplicationController
    authorize!
  end
-  def set_exercise
+  def set_exercise_and_authorize
    @proxy_exercise = ProxyExercise.find(params[:id])
    authorize!
  end
-  private :set_exercise
+  private :set_exercise_and_authorize
  def show
    @search = @proxy_exercise.exercises.search
--- a/app/controllers/user_exercise_feedbacks_controller.rb
+++ b/app/controllers/user_exercise_feedbacks_controller.rb
@ -19,16 +19,6 @@ class UserExerciseFeedbacksController < ApplicationController
     [4,t('user_exercise_feedback.estimated_time_more_30')]]
  end
  def index
    @search = UserExerciseFeedback.all.search params[:q]
    @uefs = @search.result.includes(:execution_environment).order(:id).paginate(page: params[:page])
    authorize!
  end
  def show
    authorize!
  end
  def create
    @exercise = Exercise.find(uef_params[:exercise_id])
    rfc = RequestForComment.unsolved.where(exercise_id: @exercise.id, user_id: current_user.id).first
--- a/app/mailers/user_mailer.rb
+++ b/app/mailers/user_mailer.rb
@ -45,6 +45,7 @@ class UserMailer < ActionMailer::Base
  end
  def exercise_anomaly_detected(exercise_collection, anomalies)
    @user = exercise_collection.user
    @receiver_displayname = exercise_collection.user.displayname
    @collection = exercise_collection
    @anomalies = anomalies
--- a/app/policies/admin_or_author_policy.rb
+++ b/app/policies/admin_or_author_policy.rb
@ -1,6 +1,6 @@
 class AdminOrAuthorPolicy < ApplicationPolicy
  [:create?, :index?, :new?].each do |action|
-    define_method(action) { @user.internal_user? }
+    define_method(action) { admin? || teacher? }
  end
  [:destroy?, :edit?, :show?, :update?].each do |action|
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@ -9,22 +9,28 @@ class ApplicationPolicy
  end
  private :teacher?
  def author?
    @user == @record.author
  end
  private :author?
  def everyone
    # As the ApplicationController forces to have any authorization, `everyone` here means `every user logged in`
    true
  end
  private :everyone
  def no_one
    false
  end
  private :no_one
  def initialize(user, record)
    @user = user
    @record = record
    require_user!
  end
  def no_one
    false
  end
  private :no_one
  def require_user!
    fail Pundit::NotAuthorizedError unless @user
  end
--- a/app/policies/code_ocean/file_policy.rb
+++ b/app/policies/code_ocean/file_policy.rb
@ -4,6 +4,14 @@ module CodeOcean
      @user == @record.context.author
    end
    def show?
      if @record.context.is_a?(Exercise)
        admin? || author? || !@record.hidden
      else
        admin? || author?
      end
    end
    def create?
      if @record.context.is_a?(Exercise)
        admin? || author?
--- a/app/policies/comment_policy.rb
+++ b/app/policies/comment_policy.rb
@ -1,9 +1,4 @@
 class CommentPolicy < ApplicationPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def create?
    everyone
  end
--- a/app/policies/consumer_policy.rb
+++ b/app/policies/consumer_policy.rb
@ -1,5 +1,3 @@
 class ConsumerPolicy < AdminOnlyPolicy
-  def show?
+
    super || @user.consumer == @record
  end
 end
--- a/app/policies/execution_environment_policy.rb
+++ b/app/policies/execution_environment_policy.rb
@ -1,14 +1,9 @@
 class ExecutionEnvironmentPolicy < AdminOnlyPolicy
-  def author?
+  [:execute_command?, :shell?, :statistics?, :show?].each do |action|
    @user == @record.author
  end
  private :author?
  [:execute_command?, :shell?, :statistics?].each do |action|
    define_method(action) { admin? || author? }
  end
-  [:create?, :index?, :new?].each do |action|
+  [:index?].each do |action|
    define_method(action) { admin? || teacher? }
  end
 end
--- a/app/policies/exercise_policy.rb
+++ b/app/policies/exercise_policy.rb
@ -1,19 +1,14 @@
 class ExercisePolicy < AdminOrAuthorPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def batch_update?
    admin?
  end
  def show?
-    @user.internal_user?
+    admin? || teacher?
  end
  [:clone?, :destroy?, :edit?, :statistics?, :update?, :feedback?].each do |action|
-    define_method(action) { admin? || author?}
+    define_method(action) { admin? || author? }
  end
  [:implement?, :working_times?, :intervention?, :search?, :submit?, :reload?].each do |action|
@ -24,7 +19,7 @@ class ExercisePolicy < AdminOrAuthorPolicy
    def resolve
      if @user.admin?
        @scope.all
-      elsif @user.internal_user?
+      elsif @user.teacher?
        @scope.where('user_id = ? OR public = TRUE', @user.id)
      else
        @scope.none
--- a/app/policies/file_template_policy.rb
+++ b/app/policies/file_template_policy.rb
@ -1,9 +1,5 @@
 class FileTemplatePolicy < AdminOnlyPolicy
  def show?
    everyone
  end
  def by_file_type?
    everyone
  end
--- a/app/policies/file_type_policy.rb
+++ b/app/policies/file_type_policy.rb
@ -1,11 +1,3 @@
 class FileTypePolicy < AdminOnlyPolicy
  def author?
    @user == @record.author
  end
  private :author?
  [:create?, :index?, :new?].each do |action|
    define_method(action) { admin? || teacher? }
  end
 end
--- a/app/policies/intervention_policy.rb
+++ b/app/policies/intervention_policy.rb
@ -1,34 +0,0 @@
 class InterventionPolicy < AdminOrAuthorPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def batch_update?
    admin?
  end
  def show?
    @user.internal_user?
  end
  [:clone?, :destroy?, :edit?, :update?].each do |action|
    define_method(action) { admin? || author?}
  end
  [:reload?].each do |action|
    define_method(action) { everyone }
  end
  class Scope < Scope
    def resolve
      if @user.admin?
        @scope.all
      elsif @user.internal_user?
        @scope.where('user_id = ? OR public = TRUE', @user.id)
      else
        @scope.none
      end
    end
  end
 end
--- a/app/policies/proxy_exercise_policy.rb
+++ b/app/policies/proxy_exercise_policy.rb
@ -1,15 +1,10 @@
 class ProxyExercisePolicy < AdminOrAuthorPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def batch_update?
    admin?
  end
  def show?
-    @user.internal_user?
+    admin? || teacher?
  end
  [:clone?, :destroy?, :edit?, :update?].each do |action|
@ -24,7 +19,7 @@ class ProxyExercisePolicy < AdminOrAuthorPolicy
    def resolve
      if @user.admin?
        @scope.all
-      elsif @user.internal_user?
+      elsif @user.teacher?
        @scope.where('user_id = ? OR public = TRUE', @user.id)
      else
        @scope.none
--- a/app/policies/request_for_comment_policy.rb
+++ b/app/policies/request_for_comment_policy.rb
@ -1,9 +1,4 @@
 class RequestForCommentPolicy < ApplicationPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def create?
    everyone
  end
@ -16,8 +11,8 @@ class RequestForCommentPolicy < ApplicationPolicy
    everyone
  end
-  [:destroy?].each do |action|
+  def destroy?
-    define_method(action) { admin? }
+    admin?
  end
  def mark_as_solved?
--- a/app/policies/search_policy.rb
+++ b/app/policies/search_policy.rb
@ -1,15 +1,10 @@
 class SearchPolicy < AdminOrAuthorPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def batch_update?
    admin?
  end
  def show?
-    @user.internal_user?
+    admin? || teacher?
  end
  [:clone?, :destroy?, :edit?, :update?].each do |action|
@ -24,7 +19,7 @@ class SearchPolicy < AdminOrAuthorPolicy
    def resolve
      if @user.admin?
        @scope.all
-      elsif @user.internal_user?
+      elsif @user.teacher?
        @scope.where('user_id = ? OR public = TRUE', @user.id)
      else
        @scope.none
--- a/app/policies/submission_policy.rb
+++ b/app/policies/submission_policy.rb
@ -1,9 +1,4 @@
 class SubmissionPolicy < ApplicationPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def create?
    everyone
  end
@ -16,4 +11,15 @@ class SubmissionPolicy < ApplicationPolicy
  def index?
    admin?
  end
  def everyone_in_study_group
    users_in_same_study_group = @record.study_groups.users
    users_in_same_study_group.include? @user
  end
  private :everyone_in_study_group
  def teacher_in_study_group
    teacher? && everyone_in_study_group
  end
  private :teacher_in_study_group
 end
--- a/app/policies/subscription_policy.rb
+++ b/app/policies/subscription_policy.rb
@ -7,10 +7,6 @@ class SubscriptionPolicy < ApplicationPolicy
    author? || admin?
  end
  def show_error?
    everyone
  end
  def author?
    @user == @record.user
  end
--- a/app/policies/tag_policy.rb
+++ b/app/policies/tag_policy.rb
@ -1,34 +1,13 @@
-class TagPolicy < AdminOrAuthorPolicy
+class TagPolicy < AdminOnlyPolicy
  def author?
    @user == @record.author
  end
  private :author?
  def batch_update?
    admin?
  end
  def show?
    @user.internal_user?
  end
  [:clone?, :destroy?, :edit?, :update?].each do |action|
    define_method(action) { admin? || author?}
  end
  [:reload?].each do |action|
    define_method(action) { everyone }
  end
  class Scope < Scope
    def resolve
-      if @user.admin?
+      if @user.admin? || @user.teacher?
        @scope.all
      elsif @user.internal_user?
        @scope.where('user_id = ? OR public = TRUE', @user.id)
      else
        @scope.none
      end
    end
  end
 end
--- a/app/views/admin/dashboard/show.html.slim
+++ b/app/views/admin/dashboard/show.html.slim
@ -30,7 +30,7 @@ h2 Docker
      tbody
        - ExecutionEnvironment.order(:name).each do |execution_environment|
          tr data-id=execution_environment.id
-            td.name = link_to(execution_environment, execution_environment)
+            td.name = link_to_if(policy(execution_environment).show?, execution_environment, execution_environment)
            td.pool-size
            td.quantity = progress_bar(0)
  h3 = t('.history')
--- a/app/views/application/_breadcrumbs.html.slim
+++ b/app/views/application/_breadcrumbs.html.slim
@ -1,4 +1,4 @@
- if current_user.try(:internal_user?)
+- if current_user.try(:admin?) or current_user.try(:teacher?)
  .container
    ul.breadcrumb
      - if model = Kernel.const_get(controller_path.classify) rescue nil
@ -8,9 +8,9 @@
          - if object
            li.breadcrumb-item = object
        - else
-          li.breadcrumb-item = link_to(model.model_name.human(count: 2), send(:"#{model.model_name.collection}_path"))
+          li.breadcrumb-item = link_to_if(policy(model).show?, model.model_name.human(count: 2), send(:"#{model.model_name.collection}_path"))
          - if object
-            li.breadcrumb-item = link_to(object, send(:"#{model.model_name.singular}_path", object))
+            li.breadcrumb-item = link_to_if(policy(object).show?, object, send(:"#{model.model_name.singular}_path", object))
        li.breadcrumb-item.active
          - if I18n.translation_present?("shared.#{params[:action]}")
            = t("shared.#{params[:action]}")
--- a/app/views/application/_navigation.html.slim
+++ b/app/views/application/_navigation.html.slim
@ -1,4 +1,4 @@
- if current_user.try(:internal_user?)
+- if current_user.try(:admin?) or current_user.try(:teacher?)
  ul.nav.navbar-nav
    li.nav-item.dropdown
      a.nav-link.dropdown-toggle.mx-3 data-toggle='dropdown' href='#'
@ -6,8 +6,8 @@
        span.caret
      ul.dropdown-menu.p-0.mt-1 role='menu'
        - if current_user.admin?
-          li = link_to(t('breadcrumbs.dashboard.show'), admin_dashboard_path, class: 'dropdown-item', 'data-turbolinks' => "false")
+          li = link_to(t('breadcrumbs.dashboard.show'), admin_dashboard_path, class: 'dropdown-item', 'data-turbolinks' => "false") if policy([:admin, :dashboard]).show?
-          li = link_to(t('breadcrumbs.statistics.show'), statistics_path, class: 'dropdown-item')
+          li = link_to(t('breadcrumbs.statistics.show'), statistics_path, class: 'dropdown-item') if policy(:statistics).show?
          li.dropdown-divider role='separator'
        = render('navigation_submenu', title: t('activerecord.models.exercise.other'),
                models: [Exercise, ExerciseCollection, ProxyExercise, Tag, Submission], link: exercises_path, cached: true)
--- a/app/views/application/_navigation_submenu.html.slim
+++ b/app/views/application/_navigation_submenu.html.slim
@ -1,4 +1,5 @@
-li.dropdown-submenu
+- if models.any? { |model| policy(model).index? }
  li.dropdown-submenu
    - link = link.nil? ? "#" : link
    a.dropdown-item.dropdown-toggle href=link data-toggle="dropdown" = title
    ul.dropdown-menu.p-0
--- a/app/views/application/_session.html.slim
+++ b/app/views/application/_session.html.slim
@ -5,10 +5,10 @@
      = current_user
      span.caret
    ul.dropdown-menu.p-0.mt-1 role='menu'
-      - if current_user.internal_user?
+      - if current_user.try(:admin?) or current_user.try(:teacher?)
-        li = link_to(t('consumers.show.link'), current_user.consumer, class: 'dropdown-item') if current_user.consumer
+        li = link_to(t('consumers.show.link'), current_user.consumer, class: 'dropdown-item') if current_user.consumer and policy(current_user.consumer).show?
-        li = link_to(t('internal_users.show.link'), current_user, class: 'dropdown-item')
+        li = link_to(t('internal_users.show.link'), current_user, class: 'dropdown-item') if policy(current_user).show?
-        li = link_to(t('request_for_comments.index.all'), request_for_comments_path, class: 'dropdown-item')
+        li = link_to(t('request_for_comments.index.all'), request_for_comments_path, class: 'dropdown-item') if policy(:request_for_comment).index?
        li = link_to(t('request_for_comments.index.get_my_rfc_activity'), my_rfc_activity_path, class: 'dropdown-item')
      li = link_to(t('request_for_comments.index.get_my_comment_requests'), my_request_for_comments_path, class: 'dropdown-item')
      - if current_user.internal_user?
--- a/app/views/application/welcome.html.slim
+++ b/app/views/application/welcome.html.slim
@ -1,8 +1,8 @@
 h1 = t('.title', application_name: application_name)
- if current_user.try(:external_user?)
+- if current_user.try(:admin?) or current_user.try(:teacher?)
  p = t('.text_signed_in_as_external_user', application_name: application_name)
 - elsif current_user.try(:internal_user?)
  p = t('.text_signed_in_as_internal_user', user_name: current_user.displayname)
 - elsif current_user.try(:external_user?)
  p = t('.text_signed_in_as_external_user', application_name: application_name)
 - else
  p == t('.text_signed_out', application_name: application_name, sign_in_path: sign_in_path)
--- a/app/views/code_harbor_links/index.html.slim
+++ b/app/views/code_harbor_links/index.html.slim
@ -9,10 +9,10 @@ h1 = CodeHarborLink.model_name.human(count: 2)
    tbody
      - @code_harbor_links.each do |code_harbor_link|
        tr
-          td = link_to(code_harbor_link.oauth2token, code_harbor_link)
+          td = link_to_if(policy(code_harbor_link).show?, code_harbor_link.oauth2token, code_harbor_link)
-          td = link_to(t('shared.show'), code_harbor_link)
+          td = link_to(t('shared.show'), code_harbor_link) if policy(code_harbor_link).show?
-          td = link_to(t('shared.edit'), edit_code_harbor_link_path(code_harbor_link))
+          td = link_to(t('shared.edit'), edit_code_harbor_link_path(code_harbor_link)) if policy(code_harbor_link).edit?
-          td = link_to(t('shared.destroy'), code_harbor_link, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), code_harbor_link, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(code_harbor_link).destroy?
 = render('shared/pagination', collection: @code_harbor_links)
 p = render('shared/new_button', model: CodeHarborLink)
--- a/app/views/code_harbor_links/show.html.slim
+++ b/app/views/code_harbor_links/show.html.slim
@ -1,6 +1,6 @@
 h1
  = @code_harbor_link
-  = render('shared/edit_button', object: @code_harbor_link) if policy(@code_harbor_link).edit?
+  = render('shared/edit_button', object: @code_harbor_link)
 - %w[oauth2token].each do |attribute|
  = row(label: "code_harbor_link.#{attribute}") do
--- a/app/views/comments/_form.html.slim
+++ b/app/views/comments/_form.html.slim
@ -1,33 +0,0 @@
 = form_for(@comment) do |f|
  - if @comment.errors.any?
    #error_explanation
      h2
        = pluralize(@comment.errors.count, "error")
        | prohibited this comment from being saved:
      ul
        - @comment.errors.full_messages.each do |message|
          li= message
  .field
    = f.label :user_id
    br/
    = f.text_field :user_id
  .field
    = f.label :file_id
    br/
    = f.text_field :file_id
  .field
    = f.label :row
    br/
    = f.number_field :row
  .field
    = f.label :column
    br/
    = f.number_field :column
  .field
    = f.label :text
    br/
    = f.text_field :text
  .actions
    = f.submit
--- a/app/views/comments/edit.html.slim
+++ b/app/views/comments/edit.html.slim
@ -1,7 +0,0 @@
 h1 Editing comment
 = render 'form'
 = link_to 'Show', @comment
 | |
 = link_to 'Back', comments_path
--- a/app/views/comments/index.html.slim
+++ b/app/views/comments/index.html.slim
@ -1,24 +0,0 @@
 h1 Listing comments
 table
  thead
    tr
      th User
      th File
      th Row
      th Column
      th Text
      th colspan="3" 
  tbody
    - @comments.each do |comment|
      tr
        td= comment.user
        td= comment.file
        td= comment.row
        td= comment.column
        td= comment.text
        td= link_to 'Show', comment
        td= link_to 'Edit', edit_comment_path(comment)
        td= link_to 'Destroy', comment, method: :delete, data: confirm: 'Are you sure?'
 br/
 = link_to 'New Comment', new_comment_path
--- a/app/views/comments/new.html.slim
+++ b/app/views/comments/new.html.slim
@ -1,5 +0,0 @@
 h1 New comment
 = render 'form'
 = link_to 'Back', comments_path
--- a/app/views/comments/show.html.slim
+++ b/app/views/comments/show.html.slim
@ -1,25 +0,0 @@
 p#notice= notice
 p
  strong User:
  = @comment.user
 p
  strong File:
  = @comment.file
 p
  strong Row:
  = @comment.row
 p
  strong Column:
  = @comment.column
 p
  strong Text:
  = @comment.text
 = link_to 'Edit', edit_comment_path(@comment)
 | |
 = link_to 'Back', comments_path
--- a/app/views/consumers/index.html.slim
+++ b/app/views/consumers/index.html.slim
@ -9,10 +9,10 @@ h1 = Consumer.model_name.human(count: 2)
    tbody
      - @consumers.each do |consumer|
        tr
-          td = link_to(consumer.name, consumer)
+          td = link_to_if(policy(consumer).show?, consumer.name, consumer)
-          td = link_to(t('shared.show'), consumer)
+          td = link_to(t('shared.show'), consumer) if policy(consumer).show?
-          td = link_to(t('shared.edit'), edit_consumer_path(consumer))
+          td = link_to(t('shared.edit'), edit_consumer_path(consumer)) if policy(consumer).edit?
-          td = link_to(t('shared.destroy'), consumer, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), consumer, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(consumer).destroy?
 = render('shared/pagination', collection: @consumers)
 p = render('shared/new_button', model: Consumer)
--- a/app/views/consumers/show.html.slim
+++ b/app/views/consumers/show.html.slim
@ -1,6 +1,6 @@
 h1
  = @consumer
-  = render('shared/edit_button', object: @consumer) if policy(@consumer).edit?
+  = render('shared/edit_button', object: @consumer)
 = row(label: 'consumer.name', value: @consumer.name)
 - %w[oauth_key oauth_secret].each do |attribute|
--- a/app/views/error_template_attributes/index.html.slim
+++ b/app/views/error_template_attributes/index.html.slim
@ -8,7 +8,7 @@ h1 = ErrorTemplateAttribute.model_name.human(count: 2)
        th = t('activerecord.attributes.error_template_attribute.key')
        th = t('activerecord.attributes.error_template_attribute.description')
        th = t('activerecord.attributes.error_template_attribute.regex')
-        th colspan=5 = t('shared.actions')
+        th colspan=3 = t('shared.actions')
    tbody
      - @error_template_attributes.each do |error_template_attribute|
        tr
@ -17,13 +17,13 @@ h1 = ErrorTemplateAttribute.model_name.human(count: 2)
              span class="fa fa-star" aria-hidden="true"
            - else
              span class="fa fa-star-o" aria-hidden="true"
-          td = link_to(error_template_attribute.key, error_template_attribute)
+          td = link_to_if(policy(error_template_attribute).show?, error_template_attribute.key, error_template_attribute)
          td = error_template_attribute.description
          td
            code = error_template_attribute.regex
-          td = link_to(t('shared.show'), error_template_attribute)
+          td = link_to(t('shared.show'), error_template_attribute) if policy(error_template_attribute).show?
-          td = link_to(t('shared.edit'), edit_error_template_attribute_path(error_template_attribute))
+          td = link_to(t('shared.edit'), edit_error_template_attribute_path(error_template_attribute)) if policy(error_template_attribute).edit?
-          td = link_to(t('shared.destroy'), error_template_attribute, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), error_template_attribute, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(error_template_attribute).destroy?
 = render('shared/pagination', collection: @error_template_attributes)
 p = render('shared/new_button', model: ErrorTemplateAttribute)
--- a/app/views/error_templates/index.html.slim
+++ b/app/views/error_templates/index.html.slim
@ -11,12 +11,12 @@ h1 = ErrorTemplate.model_name.human(count: 2)
    tbody
      - @error_templates.each do |error_template|
        tr
-          td = link_to(error_template.name, error_template)
+          td = link_to_if(policy(error_template).show?, error_template.name, error_template)
          td = error_template.description
          td = link_to(error_template.execution_environment)
-          td = link_to(t('shared.show'), error_template)
+          td = link_to(t('shared.show'), error_template) if policy(error_template).show?
-          td = link_to(t('shared.edit'), edit_error_template_path(error_template))
+          td = link_to(t('shared.edit'), edit_error_template_path(error_template)) if policy(error_template).edit?
-          td = link_to(t('shared.destroy'), error_template, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), error_template, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(error_template).destroy?
 = render('shared/pagination', collection: @error_templates)
 p = render('shared/new_button', model: ErrorTemplate)
--- a/app/views/error_templates/show.html.slim
+++ b/app/views/error_templates/show.html.slim
@ -3,7 +3,7 @@ h1
  = render('shared/edit_button', object: @error_template)
 = row(label: 'error_template.name', value: @error_template.name)
-= row(label: 'exercise.execution_environment', value: link_to(@error_template.execution_environment))
+= row(label: 'exercise.execution_environment', value: link_to_if(policy(@error_template.execution_environment).show?, @error_template.execution_environment))
 = row(label: "error_template.signature") do
  code = @error_template.signature
 - [:description, :hint].each do |attribute|
@ -29,12 +29,13 @@ h2.mt-4
              span class="fa fa-star" aria-hidden="true"
            - else
              span class="fa fa-star-o" aria-hidden="true"
-          td = link_to(attribute.key, attribute)
+          td = link_to_if(policy(attribute).show?, attribute.key, attribute)
          td = attribute.description
          td
            code = attribute.regex
-          td = link_to(t('shared.show'), attribute)
+          td = link_to(t('shared.show'), attribute) if policy(attribute).show?
-          td = link_to(t('shared.destroy'), attribute_error_template_url(:error_template_attribute_id => attribute.id), :method => :delete)
+          td = link_to(t('shared.edit'), edit_error_template_attribute_path(attribute)) if policy(attribute).edit?
          td = link_to(t('shared.destroy'), attribute_error_template_url(:error_template_attribute_id => attribute.id), :method => :delete) if policy(attribute).destroy?
 #add-attribute
  = collection_select({}, :error_template_attribute_id,
--- a/app/views/execution_environments/index.html.slim
+++ b/app/views/execution_environments/index.html.slim
@ -14,17 +14,17 @@ h1 = ExecutionEnvironment.model_name.human(count: 2)
    tbody
      - @execution_environments.each do |execution_environment|
        tr
-          td = link_to(execution_environment.name, execution_environment)
+          td = link_to_if(policy(execution_environment).show?, execution_environment.name, execution_environment)
-          td = link_to(execution_environment.author, execution_environment.author)
+          td = link_to_if(policy(execution_environment.author).show?, execution_environment.author, execution_environment.author)
          td = execution_environment.pool_size
          td = execution_environment.memory_limit
          td = symbol_for(execution_environment.network_enabled)
          td = execution_environment.permitted_execution_time
-          td = link_to(t('shared.show'), execution_environment)
+          td = link_to(t('shared.show'), execution_environment) if policy(execution_environment).show?
-          td = link_to(t('shared.edit'), edit_execution_environment_path(execution_environment))
+          td = link_to(t('shared.edit'), edit_execution_environment_path(execution_environment)) if policy(execution_environment).edit?
-          td = link_to(t('shared.destroy'), execution_environment, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), execution_environment, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(execution_environment).destroy?
-          td = link_to(t('.shell'), shell_execution_environment_path(execution_environment))
+          td = link_to(t('.shell'), shell_execution_environment_path(execution_environment)) if policy(execution_environment).shell?
-          td = link_to(t('shared.statistics'), statistics_execution_environment_path(execution_environment))
+          td = link_to(t('shared.statistics'), statistics_execution_environment_path(execution_environment)) if policy(execution_environment).statistics?
 = render('shared/pagination', collection: @execution_environments)
 p = render('shared/new_button', model: ExecutionEnvironment)
--- a/app/views/execution_environments/show.html.slim
+++ b/app/views/execution_environments/show.html.slim
@ -3,7 +3,7 @@ h1
  = render('shared/edit_button', object: @execution_environment)
 = row(label: 'execution_environment.name', value: @execution_environment.name)
-= row(label: 'execution_environment.user', value: link_to(@execution_environment.author, @execution_environment.author))
+= row(label: 'execution_environment.user', value: link_to_if(policy(@execution_environment.author).show?, @execution_environment.author, @execution_environment.author))
 = row(label: 'execution_environment.file_type', value: @execution_environment.file_type.present? ? link_to(@execution_environment.file_type, @execution_environment.file_type) : nil)
 - [:docker_image, :exposed_ports, :memory_limit, :network_enabled, :permitted_execution_time, :pool_size].each do |attribute|
  = row(label: "execution_environment.#{attribute}", value: @execution_environment.send(attribute))
--- a/app/views/execution_environments/statistics.html.slim
+++ b/app/views/execution_environments/statistics.html.slim
@ -14,7 +14,7 @@ h1 = @execution_environment
        - if wts then average_time = wts["average_time"] else 0
        - if wts then stddev_time = wts["stddev_time"] else 0
        tr
-          td = link_to exercise.title, controller: "exercises", action: "statistics", id: exercise.id, 'data-turbolinks' => "false"
+          td = link_to_if policy(exercise).statistics?, exercise.title, controller: "exercises", action: "statistics", id: exercise.id, 'data-turbolinks' => "false"
          td = us["users"]
          td = us["average_score"].to_f.round(4)
          td = us["maximum_score"].to_f.round(2)
--- a/app/views/exercise_collections/index.html.slim
+++ b/app/views/exercise_collections/index.html.slim
@ -13,13 +13,13 @@ h1 = ExerciseCollection.model_name.human(count: 2)
      - @exercise_collections.each do |collection|
        tr
          td = collection.id
-          td = link_to(collection.name, collection)
+          td = link_to_if(policy(collection).show?, collection.name, collection)
          td = collection.updated_at
          td = collection.exercises.size
-          td = link_to(t('shared.show'), collection)
+          td = link_to(t('shared.show'), collection) if policy(collection).show?
-          td = link_to(t('shared.edit'), edit_exercise_collection_path(collection))
+          td = link_to(t('shared.edit'), edit_exercise_collection_path(collection)) if policy(collection).edit?
-          td = link_to(t('shared.statistics'), statistics_exercise_collection_path(collection))
+          td = link_to(t('shared.statistics'), statistics_exercise_collection_path(collection)) if policy(collection).statistics?
-          td = link_to(t('shared.destroy'), collection, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), collection, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(collection).destroy?
 = render('shared/pagination', collection: @exercise_collections)
 p = render('shared/new_button', model: ExerciseCollection)
--- a/app/views/exercise_collections/show.html.slim
+++ b/app/views/exercise_collections/show.html.slim
@ -3,7 +3,7 @@ h1
  = render('shared/edit_button', object: @exercise_collection)
 = row(label: 'exercise_collections.name', value: @exercise_collection.name)
-= row(label: 'exercise_collections.user', value: link_to(@exercise_collection.user.displayname, @exercise_collection.user)) unless @exercise_collection.user.nil?
+= row(label: 'exercise_collections.user', value: link_to_if(policy(@exercise_collection.user).show?, @exercise_collection.user.displayname, @exercise_collection.user)) unless @exercise_collection.user.nil?
 = row(label: 'exercise_collections.use_anomaly_detection', value: @exercise_collection.use_anomaly_detection)
 = row(label: 'exercise_collections.updated_at', value: @exercise_collection.updated_at)
@ -22,7 +22,7 @@ h4.mt-4 = t('activerecord.attributes.exercise_collections.exercises')
        - exercise = exercise_collection_item.exercise
        tr
          td = exercise_collection_item.position
-          td = link_to(exercise.title, exercise)
+          td = link_to_if(policy(exercise).show?, exercise.title, exercise)
          td = link_to_if(exercise.execution_environment && policy(exercise.execution_environment).show?, exercise.execution_environment, exercise.execution_environment)
          td = link_to_if(exercise.user && policy(exercise.user).show?, exercise.user.displayname, exercise.user)
-          td = link_to(t('shared.statistics'), statistics_exercise_path(exercise), 'data-turbolinks' => "false")
+          td = link_to(t('shared.statistics'), statistics_exercise_path(exercise), 'data-turbolinks' => "false") if policy(exercise).statistics?
--- a/app/views/exercises/feedback.html.slim
+++ b/app/views/exercises/feedback.html.slim
@ -1,4 +1,4 @@
-h1 = link_to(@exercise, exercise_path(@exercise))
+h1 = link_to_if(policy(@exercise).show?, @exercise, exercise_path(@exercise))
 .feedback-page
  .header = t('activerecord.attributes.exercise.description')
--- a/app/views/exercises/index.html.slim
+++ b/app/views/exercises/index.html.slim
@ -27,7 +27,7 @@ h1 = Exercise.model_name.human(count: 2)
    tbody
      - @exercises.each do |exercise|
        tr data-id=exercise.id
-          td.p-1.pt-2 = link_to(exercise.title, exercise, 'data-turbolinks' => "false") if policy(exercise).show?
+          td.p-1.pt-2 = link_to_if(policy(exercise).show?, exercise.title, exercise, 'data-turbolinks' => "false")
          td.p-1.pt-2 = link_to_if(exercise.execution_environment && policy(exercise.execution_environment).show?, exercise.execution_environment, exercise.execution_environment)
          td.p-1.pt-2 = exercise.files.teacher_defined_tests.count
          td.p-1.pt-2 = exercise.maximum_score
--- a/app/views/exercises/show.html.slim
+++ b/app/views/exercises/show.html.slim
@ -7,7 +7,6 @@
 h1
  = @exercise
  - if policy(@exercise).edit?
  = render('shared/edit_button', object: @exercise)
 = row(label: 'exercise.title', value: @exercise.title)
--- a/app/views/exercises/statistics.html.slim
+++ b/app/views/exercises/statistics.html.slim
@ -49,7 +49,7 @@ h1 = @exercise
          - if user_statistics[user.id] then us = user_statistics[user.id] else us = {"maximum_score" => nil, "runs" => nil}
          - label = "#{user.displayname}"
          tr
-            td = link_to_if symbol==:external_users, label, {controller: "exercises", action: "statistics", external_user_id: user.id, id: @exercise.id}
+            td = link_to_if symbol==:external_users && policy(user).statistics?, label, {controller: "exercises", action: "statistics", external_user_id: user.id, id: @exercise.id}
            td = us['maximum_score'] or 0
            td = us['runs']
            td = @exercise.average_working_time_for(user.id) or 0
--- a/app/views/external_users/index.html.slim
+++ b/app/views/external_users/index.html.slim
@ -10,8 +10,8 @@ h1 = ExternalUser.model_name.human(count: 2)
    tbody
      - @users.each do |user|
        tr
-          td = user.displayname
+          td = link_to_if(policy(user).show?, user.displayname)
-          td = link_to(user.consumer, user.consumer)
+          td = link_to_if(policy(user.consumer).show?, user.consumer, user.consumer)
-          td = link_to(t('shared.show'), user)
+          td = link_to(t('shared.show'), user) if policy(user).show?
 = render('shared/pagination', collection: @users)
--- a/app/views/external_users/show.html.slim
+++ b/app/views/external_users/show.html.slim
@ -3,8 +3,9 @@ h1 = @user.displayname
 = row(label: 'external_user.name', value: @user.name)
 //= row(label: 'external_user.email', value: @user.email)
 = row(label: 'external_user.consumer', value: link_to(@user.consumer, @user.consumer))
 = row(label: 'external_user.role', value: t("users.roles.#{@user.role}"))
-h4.mt-4 = link_to(t('.exercise_statistics'), statistics_external_user_path(@user))
+h4.mt-4 = link_to(t('.exercise_statistics'), statistics_external_user_path(@user)) if policy(@user).statistics?
 h4.mt-4 = t('.tag_statistics')
 #loading
--- a/app/views/external_users/statistics.html.slim
+++ b/app/views/external_users/statistics.html.slim
@ -13,7 +13,7 @@ h1 = t('.title')
        - if statistics[exercise.id]
          - stats = statistics[exercise.id]
          tr
-            td = link_to exercise, controller: "exercises", action: "statistics", external_user_id: @user.id, id: exercise.id
+            td = link_to_if policy(exercise).show?, exercise, controller: "exercises", action: "statistics", external_user_id: @user.id, id: exercise.id
            td = stats["maximum_score"] or 0
            td = stats["runs"] or 0
            td = stats["working_time"] or 0
--- a/app/views/file_templates/index.html.slim
+++ b/app/views/file_templates/index.html.slim
@ -10,11 +10,11 @@ h1 = FileTemplate.model_name.human(count: 2)
    tbody
      - @file_templates.each do |file_template|
        tr
-          td = link_to(file_template.name, file_template)
+          td = link_to_if(policy(file_template).show?, file_template.name, file_template)
-          td = link_to(file_template.file_type, file_type_path(file_template.file_type))
+          td = link_to_if(policy(file_template.file_type).show?, file_template.file_type, file_type_path(file_template.file_type))
-          td = link_to(t('shared.show'), file_template)
+          td = link_to(t('shared.show'), file_template) if policy(file_template).show?
-          td = link_to(t('shared.edit'), edit_file_template_path(file_template))
+          td = link_to(t('shared.edit'), edit_file_template_path(file_template)) if policy(file_template).edit?
-          td = link_to(t('shared.destroy'), file_template, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), file_template, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(file_template).destroy?
 = render('shared/pagination', collection: @file_templates)
 p = render('shared/new_button', model: FileTemplate)
--- a/app/views/file_templates/show.html.slim
+++ b/app/views/file_templates/show.html.slim
@ -3,5 +3,5 @@ h1
  = render('shared/edit_button', object: @file_template)
 = row(label: 'file_template.name', value: @file_template.name)
-= row(label: 'file_template.file_type', value: link_to(@file_template.file_type, file_type_path(@file_template.file_type)))
+= row(label: 'file_template.file_type', value: link_to_if(policy(@file_template.file_type).show?, @file_template.file_type, file_type_path(@file_template.file_type)))
 = row(label: 'file_template.content', value: @file_template.content)
--- a/app/views/file_types/index.html.slim
+++ b/app/views/file_types/index.html.slim
@ -11,12 +11,12 @@ h1 = FileType.model_name.human(count: 2)
    tbody
      - @file_types.each do |file_type|
        tr
-          td = link_to(file_type.name, file_type)
+          td = link_to_if(policy(file_type).show?, file_type.name, file_type)
-          td = link_to(file_type.author, file_type.author)
+          td = link_to_if(policy(file_type.author).show?, file_type.author, file_type.author)
          td = file_type.file_extension
-          td = link_to(t('shared.show'), file_type)
+          td = link_to(t('shared.show'), file_type) if policy(file_type).show?
-          td = link_to(t('shared.edit'), edit_file_type_path(file_type))
+          td = link_to(t('shared.edit'), edit_file_type_path(file_type)) if policy(file_type).edit?
-          td = link_to(t('shared.destroy'), file_type, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
+          td = link_to(t('shared.destroy'), file_type, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(file_type).destroy?
 = render('shared/pagination', collection: @file_types)
 p = render('shared/new_button', model: FileType)
--- a/app/views/file_types/show.html.slim
+++ b/app/views/file_types/show.html.slim
@ -3,6 +3,6 @@ h1
  = render('shared/edit_button', object: @file_type)
 = row(label: 'file_type.name', value: @file_type.name)
-= row(label: 'file_type.user', value: link_to(@file_type.author, @file_type.author))
+= row(label: 'file_type.user', value: link_to_if(policy(@file_type.author).show?, @file_type.author, @file_type.author))
 - [:editor_mode, :file_extension, :indent_size, :binary, :executable, :renderable].each do |attribute|
  = row(label: "file_type.#{attribute}", value: @file_type.send(attribute))
--- a/app/views/internal_users/index.html.slim
+++ b/app/views/internal_users/index.html.slim
@ -22,14 +22,12 @@ h1 = InternalUser.model_name.human(count: 2)
    tbody
      - @users.each do |user|
        tr
-          td = user.name
+          td = link_to_if(policy(user).show?, user.name)
-          td = user.consumer ? link_to(user.consumer, user.consumer) : empty
+          td = user.consumer ? link_to_if(policy(user.consumer).show?, user.consumer, user.consumer) : empty
          td = t("users.roles.#{user.role}")
-          td = link_to(t('shared.show'), user)
+          td = link_to(t('shared.show'), user) if policy(user).show?
-          td = link_to(t('shared.edit'), edit_internal_user_path(user))
+          td = link_to(t('shared.edit'), edit_internal_user_path(user)) if policy(user).edit?
-          td
+          td = link_to(t('shared.destroy'), user, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if policy(user).destroy?
            - if policy(user).destroy?
              = link_to(t('shared.destroy'), user, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
 = render('shared/pagination', collection: @users)
 p = render('shared/new_button', model: InternalUser)
--- a/app/views/internal_users/show.html.slim
+++ b/app/views/internal_users/show.html.slim
@ -1,10 +1,9 @@
 h1
  = @user
  - if policy(@user).edit?
  = render('shared/edit_button', object: @user)
 = row(label: 'internal_user.email', value: @user.email)
 = row(label: 'internal_user.name', value: @user.name)
-= row(label: 'internal_user.consumer', value: @user.consumer ? link_to(@user.consumer, @user.consumer) : nil)
+= row(label: 'internal_user.consumer', value: @user.consumer ? link_to_if(policy(@user.consumer).show?, @user.consumer, @user.consumer) : nil)
 = row(label: 'internal_user.role', value: t("users.roles.#{@user.role}"))
 = row(label: 'internal_user.activated', value: @user.activated?)
--- a/app/views/interventions/_form.html.slim
+++ b/app/views/interventions/_form.html.slim
@ -1,6 +0,0 @@
 = form_for(@intervention) do |f|
  = render('shared/form_errors', object: @intervention)
  .form-group
    = f.label(:name)
    = f.text_field(:name, class: 'form-control', required: true)
  .actions = render('shared/submit_button', f: f, object: @intervention)
--- a/app/views/interventions/index.html.slim
+++ b/app/views/interventions/index.html.slim
@ -1,14 +0,0 @@
 h1 = Intervention.model_name.human(count: 2)
 .table-responsive
  table.table
    thead
      tr
        th = t('activerecord.attributes.intervention.name')
    tbody
      - @interventions.each do |intervention|
        tr
          td = intervention.name
          td = link_to(t('shared.show'), intervention)
 = render('shared/pagination', collection: @interventions)
--- a/app/views/interventions/show.html.slim
+++ b/app/views/interventions/show.html.slim
@ -1,4 +0,0 @@
 h1
  = @intervention.name
 = row(label: 'intervention.name', value: @intervention.name)
--- a/app/views/layouts/application.html.slim
+++ b/app/views/layouts/application.html.slim
@ -29,7 +29,7 @@ html lang='en'
              = render('session')
    div data-controller=controller_name
      = render('flash')
-      = render('breadcrumbs') if current_user.try(:internal_user?) && !@embed_options[:hide_navbar]
+      = render('breadcrumbs') if (current_user.try(:admin?) or current_user.try(:teacher?)) && !@embed_options[:hide_navbar]
    - if (controller_name == "exercises" && action_name == "implement")
      .container-fluid
        = yield
--- a/app/views/proxy_exercises/_form.html.slim
+++ b/app/views/proxy_exercises/_form.html.slim
@ -22,7 +22,7 @@
      = collection_check_boxes :proxy_exercise, :exercise_ids, @exercises, :id, :title do |b|
        tr
          td = b.check_box
-          td = link_to(b.object, b.object)
+          td = link_to_if(policy(b.object).show?, b.object, b.object)
          td = l(b.object.created_at, format: :short)
  .actions = render('shared/submit_button', f: f, object: @proxy_exercise)
--- a/app/views/proxy_exercises/index.html.slim
+++ b/app/views/proxy_exercises/index.html.slim
@ -13,11 +13,11 @@ h1 = ProxyExercise.model_name.human(count: 2)
        th.p-1 = t('activerecord.attributes.exercise.token')
        th.p-1 = t('activerecord.attributes.exercise.public')
        th.p-1 = t('activerecord.attributes.proxy_exercise.files_count')
-        th.p-1 colspan=6 = t('shared.actions')
+        th.p-1 colspan=2 = t('shared.actions')
    tbody
      - @proxy_exercises.each do |proxy_exercise|
        tr data-id=proxy_exercise.id
-          td.p-1.pt-2 = link_to(proxy_exercise.title,proxy_exercise)
+          td.p-1.pt-2 = link_to_if(policy(proxy_exercise).show?, proxy_exercise.title, proxy_exercise)
          td.p-1.pt-2
            code
              = proxy_exercise.token
--- a/app/views/proxy_exercises/show.html.slim
+++ b/app/views/proxy_exercises/show.html.slim
@ -7,7 +7,6 @@
 h1
  = @proxy_exercise.title
  - if policy(@proxy_exercise).edit?
  = render('shared/edit_button', object: @proxy_exercise)
 = row(label: 'exercise.title', value: @proxy_exercise.title)
@ -27,5 +26,5 @@ h2.mt-4 Exercises
        th = sort_link(@search, :created_at, t('shared.created_at'))
    - @proxy_exercise.exercises.each do |exercise|
      tr
-        td = link_to(exercise.title, exercise)
+        td = link_to_if(policy(exercise).show?, exercise.title, exercise)
        td = l(exercise.created_at, format: :short)
--- a/app/views/request_for_comments/_admin_menu.html.slim
+++ b/app/views/request_for_comments/_admin_menu.html.slim
@ -1,8 +1,8 @@
 hr
 h5.mt-4 Admin Menu
 ul.text
-  li = link_to "User's current status of this exercise", statistics_external_user_exercise_path(id: @request_for_comment.exercise_id, external_user_id: @request_for_comment.user_id)
+  li = link_to "User's current status of this exercise", statistics_external_user_exercise_path(id: @request_for_comment.exercise_id, external_user_id: @request_for_comment.user_id) if policy(@request_for_comment.exercise).statistics?
-  li = link_to "All exercises of this user", statistics_external_user_path(id: @request_for_comment.user_id)
+  li = link_to "All exercises of this user", statistics_external_user_path(id: @request_for_comment.user_id) if policy(@request_for_comment.user).statistics?
 ul.text
-  li = link_to "Implement the exercise yourself", implement_exercise_path(id: @request_for_comment.exercise_id)
+  li = link_to "Implement the exercise yourself", implement_exercise_path(id: @request_for_comment.exercise_id) if policy(@request_for_comment.exercise).implement?
-  li = link_to "Show the exercise", exercise_path(id: @request_for_comment.exercise_id)
+  li = link_to "Show the exercise", exercise_path(id: @request_for_comment.exercise_id) if policy(@request_for_comment.exercise).show?
--- a/app/views/request_for_comments/_form.html.slim
+++ b/app/views/request_for_comments/_form.html.slim
@ -1,28 +0,0 @@
 = form_for(@request_for_comment) do |f|
  - if @request_for_comment.errors.any?
    #error_explanation
      h2
        = pluralize(@request_for_comment.errors.count, "error")
        | prohibited this request_for_comment from being saved:
      ul
        - @request_for_comment.errors.full_messages.each do |message|
          li= message
  .field
    = f.label :user_id
    br/
    = f.number_field :user_id
  .field
    = f.label :exercise_id
    br/
    = f.number_field :exercise_id
  .field
    = f.label :file_id
    br/
    = f.number_field :file_id
  .field
    = f.label :user_type
    br/
    = f.text_field :user_type
  .actions
    = f.submit
--- a/app/views/request_for_comments/index.html.slim
+++ b/app/views/request_for_comments/index.html.slim
@ -32,8 +32,8 @@ h1 = RequestForComment.model_name.human(count: 2)
              span class="fa fa-check" style="color:darkgrey" aria-hidden="true"
          - else
            td = ''
-          td = link_to(request_for_comment.exercise.title, request_for_comment)
+          td = link_to_if(policy(request_for_comment.exercise).show?, request_for_comment.exercise.title, request_for_comment)
-          - if request_for_comment.has_attribute?(:question) && request_for_comment.question
+          - if request_for_comment.has_attribute?(:question) && request_for_comment.question.present?
            td = truncate(request_for_comment.question, length: 200)
          - else
            td = '-'
--- a/app/views/request_for_comments/show.html.slim
+++ b/app/views/request_for_comments/show.html.slim
@ -2,12 +2,12 @@
  h4#exercise_caption.list-group-item-heading data-comment-exercise-url=create_comment_exercise_request_for_comment_path data-exercise-id="#{@request_for_comment.exercise.id}" data-rfc-id="#{@request_for_comment.id}"
    - if @request_for_comment.solved?
      span.fa.fa-check aria-hidden="true"
-    = link_to(@request_for_comment.exercise.title, [:implement, @request_for_comment.exercise])
+    = link_to_if(policy(@request_for_comment.exercise).show?, @request_for_comment.exercise.title, [:implement, @request_for_comment.exercise])
  p.list-group-item-text
    - user = @request_for_comment.user
    - submission =  @request_for_comment.submission
    - testruns = Testrun.where(:submission_id => @request_for_comment.submission)
-    = user.displayname
+    = link_to_if(policy(user).show?, user.displayname, user)
    | | #{@request_for_comment.created_at.localtime}
  .rfc
    .description
@ -22,7 +22,7 @@
        = t('activerecord.attributes.request_for_comments.question')
      .text
        - question = @request_for_comment.question
-        = question.nil? or question.empty? ? t('request_for_comments.no_question') : question
+        = question.blank? ? t('request_for_comments.no_question') : question
    - if policy(@request_for_comment).mark_as_solved? and not @request_for_comment.solved?
      = render('mark_as_solved')
--- a/app/views/shared/_edit_button.html.slim
+++ b/app/views/shared/_edit_button.html.slim
@ -1,3 +1,4 @@
-// default value for fetch will always be evaluated even if it is not returned
+- if policy(object).edit?
- link_target = local_assigns.fetch(:path, false) || send(:"edit_#{object.class.name.underscore}_path", object)
+  // default value for fetch will always be evaluated even if it is not returned
-= link_to(t('shared.edit'), link_target, class: 'btn btn-secondary float-right')
+  - link_target = local_assigns.fetch(:path, false) || send(:"edit_#{object.class.name.underscore}_path", object)
  = link_to(t('shared.edit'), link_target, class: 'btn btn-secondary float-right')
--- a/app/views/shared/_file.html.slim
+++ b/app/views/shared/_file.html.slim
@ -7,4 +7,4 @@
 - if file.teacher_defined_test?
  = row(label: 'file.feedback_message', value: render_markdown(file.feedback_message), class: 'm-0')
  = row(label: 'file.weight', value: file.weight)
-= row(label: 'file.content', value: file.native_file? ? link_to(file.native_file.file.filename, file.native_file.url) : code_tag(file.content))
+= row(label: 'file.content', value: file.native_file? ? link_to_if(policy(file).show?, file.native_file.file.filename, file.native_file.url) : code_tag(file.content))
--- a/app/views/submissions/index.html.slim
+++ b/app/views/submissions/index.html.slim
@ -21,12 +21,12 @@ h1 = Submission.model_name.human(count: 2)
    tbody
      - @submissions.each do |submission|
        tr
-          td = link_to(submission.exercise, submission.exercise)
+          td = link_to_if(policy(submission.exercise).show?, submission.exercise, submission.exercise)
-          td = link_to(submission.user, submission.user)
+          td = link_to_if(policy(submission.user).show?, submission.user, submission.user)
          td = t("submissions.causes.#{submission.cause}")
          td = submission.score
          td = l(submission.created_at, format: :short)
-          td = link_to(t('shared.show'), submission)
+          td = link_to(t('shared.show'), submission) if policy(submission).show?
-          td = link_to(t('shared.statistics'), statistics_submission_path(submission))
+          td = link_to(t('shared.statistics'), statistics_submission_path(submission)) if policy(submission).statistics?
 = render('shared/pagination', collection: @submissions)
--- a/app/views/submissions/show.html.slim
+++ b/app/views/submissions/show.html.slim
@ -7,8 +7,8 @@
 h1 = @submission
-= row(label: 'submission.exercise', value: link_to(@submission.exercise, @submission.exercise))
+= row(label: 'submission.exercise', value: link_to_if(policy(@submission.exercise).show?, @submission.exercise, @submission.exercise))
-= row(label: 'submission.user', value: link_to(@submission.user, @submission.user))
+= row(label: 'submission.user', value: link_to_if(policy(@submission.user).show?, @submission.user, @submission.user))
 = row(label: 'submission.cause', value: t("submissions.causes.#{@submission.cause}"))
 = row(label: 'submission.score', value: @submission.score)
--- a/app/views/submissions/statistics.html.slim
+++ b/app/views/submissions/statistics.html.slim
@ -23,4 +23,4 @@ h2.mt-4 = t('.history')
            td = l(submission.created_at, format: :short)
            td = submission.score
            td = progress_bar(submission.percentage)
-            td = link_to(t('shared.show'), submission)
+            td = link_to(t('shared.show'), submission) if policy(submission).show?
--- a/app/views/tags/index.html.slim
+++ b/app/views/tags/index.html.slim
@ -9,10 +9,10 @@ h1 = Tag.model_name.human(count: 2)
    tbody
      - @tags.each do |tag|
        tr
-          td = tag.name
+          td = link_to_if(policy(tag).show?, tag.name, tag)
-          td = link_to(t('shared.show'), tag)
+          td = link_to(t('shared.show'), tag) if policy(tag).show?
-          td = link_to(t('shared.edit'), edit_tag_path(tag))
+          td = link_to(t('shared.edit'), edit_tag_path(tag)) if policy(tag).edit?
-          td = link_to(t('shared.destroy'), tag, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if tag.can_be_destroyed?
+          td = link_to(t('shared.destroy'), tag, data: {confirm: t('shared.confirm_destroy')}, method: :delete) if tag.can_be_destroyed? &&  policy(tag).destroy?
 = render('shared/pagination', collection: @tags)
 p = render('shared/new_button', model: Tag, path: new_tag_path)
--- a/app/views/user_exercise_feedbacks/index.html.slim
+++ b/app/views/user_exercise_feedbacks/index.html.slim
@ -1,27 +0,0 @@
 h1 = UserExerciseFeedback.model_name.human(count: 2)
 = render(layout: 'shared/form_filters') do |f|
  .form-group
    = f.label(:execution_environment_id_eq, t('activerecord.attributes.exercise.execution_environment'), class: 'sr-only')
    = f.collection_select(:execution_environment_id_eq, ExecutionEnvironment.with_exercises, :id, :name, class: 'form-control', prompt: t('activerecord.attributes.exercise.execution_environment'))
  .form-group
    = f.label(:exercise_title_cont, t('activerecord.attributes.request_for_comments.exercise'), class: 'sr-only')
    = f.search_field(:exercise_title_cont, class: 'form-control', placeholder: t('activerecord.attributes.request_for_comments.exercise'))
 .table-responsive
  table.table
    thead
      tr
        th colspan=2 = t('activerecord.attributes.user_exercise_feedback.user')
        th = t('activerecord.attributes.user_exercise_feedback.exercise')
        th colspan=2 = t('shared.actions')
    tbody
      - @uefs.each do |uef|
        tr
          td = uef.user.id
          td = uef.user.displayname
          td = link_to(uef.exercise.title, uef.exercise)
          td = link_to(t('shared.show'), uef)
          td = link_to(t('shared.destroy'), uef, data: {confirm: t('shared.confirm_destroy')}, method: :delete)
 = render('shared/pagination', collection: @uefs)
--- a/app/views/user_exercise_feedbacks/show.html.slim
+++ b/app/views/user_exercise_feedbacks/show.html.slim
@ -1,7 +0,0 @@
 h2 = @uef
 = row(label: 'activerecord.attributes.user_exercise_feedback.exercise', value: link_to(@uef.exercise.title, @uef.exercise))
 = row(label: 'user_exercise_feedback.user', value: @uef.user)
 = row(label: 'activerecord.attributes.user_exercise_feedback.feedback_text', value: @uef.feedback_text)
 = row(label: 'user_exercise_feedback.difficulty', value: @uef.difficulty)
 = row(label: 'user_exercise_feedback.working_time', value: @uef.user_estimated_worktime)
--- a/app/views/user_mailer/exercise_anomaly_detected.html.slim
+++ b/app/views/user_mailer/exercise_anomaly_detected.html.slim
@ -12,9 +12,9 @@ table(border=1)
    - @anomalies.keys.each do | id |
      - exercise = Exercise.find(id)
      tr
-        td = link_to(exercise.title, exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).show?, exercise.title, exercise_path(exercise))
        td = @anomalies[id]
-        td = link_to(t('shared.statistics', locale: :de), statistics_exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).statistics?, t('shared.statistics', locale: :de), statistics_exercise_path(exercise))
 == t('mailers.user_mailer.exercise_anomaly_detected.body2',
@ -31,8 +31,8 @@ table(border=1)
    - @anomalies.keys.each do | id |
      - exercise = Exercise.find(id)
      tr
-        td = link_to(exercise.title, exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).show?, exercise.title, exercise_path(exercise))
        td = @anomalies[id]
-        td = link_to(t('shared.statistics', locale: :en), statistics_exercise_path(exercise))
+        td = link_to_if(policy(@user, exercise).statistics?, t('shared.statistics', locale: :en), statistics_exercise_path(exercise))
 == t('mailers.user_mailer.exercise_anomaly_detected.body3')
--- a/app/views/user_mailer/got_new_comment.slim
+++ b/app/views/user_mailer/got_new_comment.slim
@ -1 +1,7 @@
-== t('mailers.user_mailer.got_new_comment.body', receiver_displayname: @receiver_displayname, link_to_comment: link_to(@rfc_link, @rfc_link), commenting_user_displayname: @commenting_user_displayname, comment_text: @comment_text, link_my_comments: link_to(t('request_for_comments.index.get_my_comment_requests'), my_request_for_comments_url), link_all_comments: link_to(t('request_for_comments.index.all'), request_for_comments_url) )
+== t('mailers.user_mailer.got_new_comment.body',
        receiver_displayname: @receiver_displayname,
        link_to_comment: link_to(@rfc_link, @rfc_link),
        commenting_user_displayname: @commenting_user_displayname,
        comment_text: @comment_text,
        link_my_comments: link_to(t('request_for_comments.index.get_my_comment_requests'), my_request_for_comments_url),
        link_all_comments: link_to(t('request_for_comments.index.all'), request_for_comments_url) )
--- a/app/views/user_mailer/send_thank_you_note.slim
+++ b/app/views/user_mailer/send_thank_you_note.slim
@ -1 +1,5 @@
-== t('mailers.user_mailer.send_thank_you_note.body', receiver_displayname: @receiver_displayname, link_to_comment: link_to(@rfc_link, @rfc_link), author: @author.displayname, thank_you_note: @thank_you_note )
+== t('mailers.user_mailer.send_thank_you_note.body',
        receiver_displayname: @receiver_displayname,
        link_to_comment: link_to(@rfc_link, @rfc_link),
        author: @author.displayname,
        thank_you_note: @thank_you_note )
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@ -47,6 +47,7 @@ de:
        consumer: Konsument
        email: E-Mail
        name: Name
        role: Rolle
      file:
        content: Inhalt
        feedback_message: Feedback-Nachricht
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -47,6 +47,7 @@ en:
        consumer: Consumer
        email: Email
        name: Name
        role: Role
      file:
        content: Content
        feedback_message: Feedback Message
--- a/config/routes.rb
+++ b/config/routes.rb
@ -16,12 +16,12 @@ Rails.application.routes.draw do
  resources :code_harbor_links
  resources :request_for_comments do
    member do
-      get :mark_as_solved
+      get :mark_as_solved, defaults: { format: :json }
-      post :create_comment_exercise
+      post :create_comment_exercise, defaults: { format: :json }
-      post :set_thank_you_note
+      post :set_thank_you_note, defaults: { format: :json }
    end
  end
-  resources :comments
+  resources :comments, defaults: { format: :json }
  get '/my_request_for_comments', as: 'my_request_for_comments', to: 'request_for_comments#get_my_comment_requests'
  get '/my_rfc_activity', as: 'my_rfc_activity', to: 'request_for_comments#get_rfcs_with_my_comments'
@ -96,32 +96,12 @@ Rails.application.routes.draw do
    member do
      post :clone
      get :reload
      post :submit
    end
  end
-  resources :tags do
+  resources :tags
    member do
      post :clone
      get :reload
      post :submit
    end
  end
-  resources :user_exercise_feedbacks do
+  resources :user_exercise_feedbacks, except: [:show, :index]
    member do
      get :reload
      post :submit
    end
  end
  resources :interventions do
    member do
      post :clone
      get :reload
      post :submit
    end
  end
  resources :external_users, only: [:index, :show], concerns: :statistics do
    resources :exercises, concerns: :statistics
--- a/db/migrate/20181116143743_add_role_to_external_users.rb
+++ b/db/migrate/20181116143743_add_role_to_external_users.rb
@ -0,0 +1,5 @@
 class AddRoleToExternalUsers < ActiveRecord::Migration[5.2]
  def change
    add_column :external_users, :role, :string, default: 'learner', null: false
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -169,6 +169,7 @@ ActiveRecord::Schema.define(version: 2018_11_29_093207) do
    t.string "name", limit: 255
    t.datetime "created_at"
    t.datetime "updated_at"
    t.string "role", default: "learner", null: false
  end
  create_table "file_templates", force: :cascade do |t|
--- a/spec/features/authorization_spec.rb
+++ b/spec/features/authorization_spec.rb
@ -23,11 +23,11 @@ describe 'Authorization' do
    let(:user) { FactoryBot.create(:teacher) }
    before(:each) { allow_any_instance_of(ApplicationController).to receive(:current_user).and_return(user) }
-    [Consumer, InternalUser].each do |model|
+    [Consumer, InternalUser, ExecutionEnvironment, FileType].each do |model|
      expect_forbidden_path(:"new_#{model.model_name.singular}_path")
    end
-    [ExecutionEnvironment, Exercise, FileType].each do |model|
+    [Exercise].each do |model|
      expect_permitted_path(:"new_#{model.model_name.singular}_path")
    end
  end
--- a/spec/policies/execution_environment_policy_spec.rb
+++ b/spec/policies/execution_environment_policy_spec.rb
@ -5,7 +5,7 @@ describe ExecutionEnvironmentPolicy do
  let(:execution_environment) { FactoryBot.build(:ruby) }
-  [:create?, :index?, :new?].each do |action|
+  [:index?].each do |action|
    permissions(action) do
      it 'grants access to admins' do
        expect(subject).to permit(FactoryBot.build(:admin), execution_environment)
@ -21,7 +21,7 @@ describe ExecutionEnvironmentPolicy do
    end
  end
-  [:execute_command?, :shell?, :statistics?].each do |action|
+  [:execute_command?, :shell?, :statistics?, :show?].each do |action|
    permissions(action) do
      it 'grants access to admins' do
        expect(subject).to permit(FactoryBot.build(:admin), execution_environment)
@ -39,7 +39,7 @@ describe ExecutionEnvironmentPolicy do
    end
  end
-  [:destroy?, :edit?, :show?, :update?].each do |action|
+  [:destroy?, :edit?, :update?, :new?, :create?].each do |action|
    permissions(action) do
      it 'grants access to admins' do
        expect(subject).to permit(FactoryBot.build(:admin), execution_environment)
--- a/spec/policies/file_type_policy_spec.rb
+++ b/spec/policies/file_type_policy_spec.rb
@ -5,23 +5,7 @@ describe FileTypePolicy do
  let(:file_type) { FactoryBot.build(:dot_rb) }
-  [:create?, :index?, :new?].each do |action|
+  [:destroy?, :edit?, :update?, :new?, :create?, :index?, :show?].each do |action|
    permissions(action) do
      it 'grants access to admins' do
        expect(subject).to permit(FactoryBot.build(:admin), file_type)
      end
      it 'grants access to teachers' do
        expect(subject).to permit(FactoryBot.build(:teacher), file_type)
      end
      it 'does not grant access to external users' do
        expect(subject).not_to permit(FactoryBot.build(:external_user), file_type)
      end
    end
  end
  [:destroy?, :edit?, :show?, :update?].each do |action|
    permissions(action) do
      it 'grants access to admins' do
        expect(subject).to permit(FactoryBot.build(:admin), file_type)