From ddf041ac053c7dd2dc350192b55bc27b6e49d395 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Tue, 21 Feb 2023 10:01:01 +0100
Subject: [PATCH] Check RfC visibility before redirecting users
---
 app/controllers/concerns/redirect_behavior.rb | 4 ++--
 app/models/submission.rb | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/controllers/concerns/redirect_behavior.rb b/app/controllers/concerns/redirect_behavior.rb
index afe53fa1..6ef92fa6 100644
--- a/app/controllers/concerns/redirect_behavior.rb
+++ b/app/controllers/concerns/redirect_behavior.rb
@@ -21,7 +21,7 @@ module RedirectBehavior
 return
 end
- rfc = @submission.own_unsolved_rfc
+ rfc = @submission.own_unsolved_rfc(current_user)
 if rfc
 # set a message that informs the user that his own RFC should be closed.
 flash[:notice] = I18n.t('exercises.submit.full_score_redirect_to_own_rfc')
@@ -36,7 +36,7 @@ module RedirectBehavior
 end
 # else: show open rfc for same exercise if available
- rfc = @submission.unsolved_rfc
+ rfc = @submission.unsolved_rfc(current_user)
 unless rfc.nil? || @embed_options[:disable_redirect_to_rfcs] || @embed_options[:disable_rfc]
 # set a message that informs the user that his score was perfect and help in RFC is greatly appreciated.
 flash[:notice] = I18n.t('exercises.submit.full_score_redirect_to_rfc')
diff --git a/app/models/submission.rb b/app/models/submission.rb
index e049a966..f55b0637 100644
--- a/app/models/submission.rb
+++ b/app/models/submission.rb
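Review bot: In the `@@ -21,7 +21,7 @@` hunk of redirect_behavior.rb, `own_unsolved_rfc(current_user)` decides visibility through the policy scope, while the redirect target (outside the hunk) is a single RfC page that is presumably authorized by a per-record rule such as `show?`. If the scope and that rule ever diverge, a user can still be redirected to a page that then rejects them. I would either guard the branch with `if rfc && policy(rfc).show?` or add the comment `# visibility is decided by the RequestForComment policy scope; keep it in sync with show?`. The same applies to `unsolved_rfc(current_user)` in the `@@ -36,7 +36,7 @@` hunk; the enclosing method starts and ends outside both hunks.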
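Review bot: In the `@@ -36,7 +36,7 @@` hunk of redirect_behavior.rb, `@submission.unsolved_rfc(current_user)` runs before `@embed_options[:disable_redirect_to_rfcs]` and `@embed_options[:disable_rfc]` are consulted, so the scoped, randomly ordered lookup is executed even when its result is thrown away. Evaluating the flags first avoids the query: `rfc = @submission.unsolved_rfc(current_user) unless @embed_options[:disable_redirect_to_rfcs] || @embed_options[:disable_rfc]`. The existing `unless rfc.nil? || …` line can stay as it is, because `rfc` is nil when the lookup is skipped. The `unless` block continues outside the hunk.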
@@ -128,12 +128,12 @@ class Submission < ApplicationRecord
 (user_id + exercise.created_at.to_i) % 10 == 1
 end
- def own_unsolved_rfc
- RequestForComment.unsolved.find_by(exercise_id: exercise, user_id:)
+ def own_unsolved_rfc(user = self.user)
+ Pundit.policy_scope(user, RequestForComment).unsolved.find_by(exercise_id: exercise, user_id:)
 end
- def unsolved_rfc
- RequestForComment.unsolved.where(exercise_id: exercise).where.not(question: nil).where(created_at: OLDEST_RFC_TO_SHOW.ago..Time.current).order('RANDOM()').find do |rfc_element|
+ def unsolved_rfc(user = self.user)
+ Pundit.policy_scope(user, RequestForComment).unsolved.where(exercise_id: exercise).where.not(question: nil).where(created_at: OLDEST_RFC_TO_SHOW.ago..Time.current).order('RANDOM()').find do |rfc_element|
 ((rfc_element.comments_count < MAX_COMMENTS_ON_RECOMMENDED_RFC) && !rfc_element.question.empty?)
 end
 end
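Review bot: The default `user = self.user` on `own_unsolved_rfc` and `unsolved_rfc` makes the visibility check run as the submission's author whenever a caller omits the argument, and that is not necessarily the person being redirected. Both callers visible in redirect_behavior.rb pass `current_user`, so if no other caller relies on the default I would require the argument (`def unsolved_rfc(user)`), or at least document it with `# user: the viewer whose policy scope limits the result (defaults to the submission's author)`. `Pundit.policy_scope` returns nil when no scope class is found, so the chained `.unsolved` would fail with a NoMethodError; `Pundit.policy_scope!` raises a descriptive error instead. The diffstat shows no spec change, so a test with an RfC that the viewer is not allowed to see would pin the new behaviour.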