From deaa522a14032c22f4f1107b30d30cff14b0e12e Mon Sep 17 00:00:00 2001
From: Sebastian Serth <Sebastian.Serth@student.hpi.de>
Date: Mon, 2 Dec 2019 12:02:34 +0100
Subject: [PATCH] Disallow external user statistics for teachers

---
 app/controllers/exercises_controller.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/controllers/exercises_controller.rb b/app/controllers/exercises_controller.rb
index 96762e2b..49cf46ff 100644
--- a/app/controllers/exercises_controller.rb
+++ b/app/controllers/exercises_controller.rb
@@ -353,6 +353,7 @@ class ExercisesController < ApplicationController
 
   def statistics
     if(@external_user)
+      authorize(@external_user, :statistics?)
       @submissions = Submission.where("user_id = ?  AND exercise_id = ?", @external_user.id, @exercise.id).order("created_at")
       interventions = UserExerciseIntervention.where("user_id = ?  AND exercise_id = ?", @external_user.id, @exercise.id)
       @all_events = (@submissions + interventions).sort_by { |a| a.created_at }