From fb7d0eafe86ef5be527f5013554cc5bb76303f3a Mon Sep 17 00:00:00 2001
From: Sebastian Serth <Sebastian.Serth@hpi.de>
Date: Tue, 12 May 2020 13:41:20 +0200
Subject: [PATCH] Fix permission check for exercises

---
 app/policies/application_policy.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index a162c368..28f33b7c 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -26,16 +26,17 @@ class ApplicationPolicy
   private :no_one
 
   def everyone_in_study_group
+    # !! Order is important !!
     if @record.respond_to? :study_group # e.g. submission
       study_group = @record.study_group
       return false if study_group.blank?
 
       users_in_same_study_group = study_group.users
-    elsif @record.respond_to? :users # e.g. study_group
-      users_in_same_study_group = @record.users
     elsif @record.respond_to? :user # e.g. exercise
       study_groups = @record.user.study_groups
       users_in_same_study_group = study_groups.collect(&:users).flatten
+    elsif @record.respond_to? :users # e.g. study_group
+      users_in_same_study_group = @record.users
     elsif @record.respond_to? :study_groups # e.g. user
       study_groups = @record.study_groups
       users_in_same_study_group = study_groups.collect(&:users).flatten