Rethink permissions in CodeOcean for usage in schools and adopt views

app/policies/application_policy.rb

@@ -9,22 +9,28 @@ class ApplicationPolicy
   end
   private :teacher?
 
+  def author?
+    @user == @record.author
+  end
+  private :author?
+
   def everyone
+    # As the ApplicationController forces to have any authorization, `everyone` here means `every user logged in`
     true
   end
   private :everyone
 
+  def no_one
+    false
+  end
+  private :no_one
+
   def initialize(user, record)
     @user = user
     @record = record
     require_user!
   end
 
-  def no_one
-    false
-  end
-  private :no_one
-
   def require_user!
     fail Pundit::NotAuthorizedError unless @user
   end

app/policies/comment_policy.rb

@@ -1,9 +1,4 @@
 class CommentPolicy < ApplicationPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def create?
     everyone
   end

app/policies/consumer_policy.rb

@@ -1,5 +1,3 @@
 class ConsumerPolicy < AdminOnlyPolicy
-  def show?
-    super || @user.consumer == @record
-  end
+
 end

app/policies/execution_environment_policy.rb

@@ -1,14 +1,9 @@
 class ExecutionEnvironmentPolicy < AdminOnlyPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   [:execute_command?, :shell?, :statistics?].each do |action|
     define_method(action) { admin? || author? }
   end
 
-  [:create?, :index?, :new?].each do |action|
+  [:show?, :index?, :new?].each do |action|
     define_method(action) { admin? || teacher? }
   end
 end

app/policies/exercise_policy.rb

@@ -1,9 +1,4 @@
 class ExercisePolicy < AdminOrAuthorPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def batch_update?
     admin?
   end

app/policies/file_template_policy.rb

@@ -1,7 +1,11 @@
 class FileTemplatePolicy < AdminOnlyPolicy
 
+  def index?
+    admin? || teacher?
+  end
+
   def show?
-    everyone
+    admin? || teacher?
   end
 
   def by_file_type?

app/policies/file_type_policy.rb

@@ -1,10 +1,5 @@
 class FileTypePolicy < AdminOnlyPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
-  [:create?, :index?, :new?].each do |action|
+  [:index?, :show?].each do |action|
     define_method(action) { admin? || teacher? }
   end
 

app/policies/intervention_policy.rb

@@ -1,9 +1,4 @@
 class InterventionPolicy < AdminOrAuthorPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def batch_update?
     admin?
   end

app/policies/proxy_exercise_policy.rb

@@ -1,9 +1,4 @@
 class ProxyExercisePolicy < AdminOrAuthorPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def batch_update?
     admin?
   end

app/policies/request_for_comment_policy.rb

@@ -1,9 +1,4 @@
 class RequestForCommentPolicy < ApplicationPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def create?
     everyone
   end

app/policies/search_policy.rb

@@ -1,9 +1,4 @@
 class SearchPolicy < AdminOrAuthorPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def batch_update?
     admin?
   end

app/policies/submission_policy.rb

@@ -1,9 +1,4 @@
 class SubmissionPolicy < ApplicationPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def create?
     everyone
   end
@@ -16,4 +11,15 @@ class SubmissionPolicy < ApplicationPolicy
   def index?
     admin?
   end
+
+  def everyone_in_study_group
+    users_in_same_study_group = @record.study_groups.users
+    users_in_same_study_group.include? @user
+  end
+  private :everyone_in_study_group
+
+  def teacher_in_study_group
+    teacher? && everyone_in_study_group
+  end
+  private :teacher_in_study_group
 end

app/policies/tag_policy.rb

@@ -1,9 +1,4 @@
 class TagPolicy < AdminOrAuthorPolicy
-  def author?
-    @user == @record.author
-  end
-  private :author?
-
   def batch_update?
     admin?
   end