From e5d8db2796234bd9356d6122d6ae202783d320f8 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Sun, 4 Sep 2022 19:13:08 +0200
Subject: [PATCH] Return propper error for anonymous users in exercises_controller

* not_authorized_for_exercise was not checking for a current_user

Fixes CODEOCEAN-C4
---
 app/controllers/exercises_controller.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/controllers/exercises_controller.rb b/app/controllers/exercises_controller.rb
index e0c1fc58..321c6f67 100644
--- a/app/controllers/exercises_controller.rb
+++ b/app/controllers/exercises_controller.rb
@@ -435,7 +435,10 @@ class ExercisesController < ApplicationController
 end

 def not_authorized_for_exercise(_exception)
- if %w[implement working_times intervention search reload].include?(action_name) && (current_user.admin? || current_user.teacher?)
+ return render_not_authorized unless current_user
+ return render_not_authorized unless %w[implement working_times intervention search reload].include?(action_name)
+
+ if current_user.admin? || current_user.teacher?
 redirect_to(@exercise, alert: t('exercises.implement.unpublished')) if @exercise.unpublished?
 redirect_to(@exercise, alert: t('exercises.implement.no_files')) unless @exercise.files.visible.exists?
 else
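Review bot: In the admin/teacher branch the two `redirect_to` modifiers are independent of each other, so an exercise that is both unpublished and has no visible files runs both and Rails raises a double-render error inside the authorization-failure handler. When neither condition holds, the branch as shown issues no redirect or render at all, so the failed authorization is not answered with an explicit denial. Prefixing each with `return`, as in `return redirect_to(@exercise, alert: t('exercises.implement.unpublished')) if @exercise.unpublished?`, and ending the branch with `render_not_authorized` would make every path produce exactly one response. The method continues past the hunk's `else`, so that branch is not visible here; the new second guard also sends signed-in users on actions outside the list to `render_not_authorized` instead of that branch, which is worth confirming as intended.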