..

app/controllers/application_controller.rb

@@ -23,6 +23,13 @@ class ApplicationController < ActionController::Base
 		EduSetting.get(name)
 	end
 
+	# 实训的访问权限
+	def shixun_access_allowed
+		if !current_user.shixun_permission(@shixun)
+			tip_exception(403, "..")
+		end
+	end
+
 	def user_course_identity
 		@user_course_identity = current_user.course_identity(@course)
 		if @user_course_identity > Course::STUDENT && @course.is_public == 0

app/controllers/challenges_controller.rb

@@ -5,8 +5,10 @@ class ChallengesController < ApplicationController
   before_action :find_challenge, only: [:edit, :show, :update, :create_choose_question, :index_down, :index_up,
                                         :edit_choose_question, :show_choose_question, :destroy_challenge_choose,
                                         :update_choose_question, :destroy, :crud_answer, :answer]
-  # 权限控制
-  before_action :allowed, except: [:index]
+  # 关卡更新和操作的权限控制
+  before_action :update_allowed, except: [:index]
+  # 关卡访问的权限控制
+  before_action :shixun_access_allowed
 
   include ShixunsHelper
   include ChallengesHelper
@@ -279,6 +281,9 @@ class ChallengesController < ApplicationController
 
   def find_shixun
     @shixun = Shixun.find_by_identifier(params[:shixun_identifier])
+    if !current_user.shixun_permission(@shixun)
+      tip_exception(403, "..")
+    end
   end
 
   # 通用接口
@@ -298,7 +303,7 @@ class ChallengesController < ApplicationController
                                              :standard_answer, :score, :difficult)
   end
 
-  def allowed
+  def update_allowed
     unless current_user.manager_of_shixun?(@shixun)
       raise Educoder::TipException.new(403, "..")
     end

app/controllers/shixuns_controller.rb

@@ -2,8 +2,9 @@ class ShixunsController < ApplicationController
 	before_action :require_login, except: [:download_file, :index, :menus]
 	before_action :check_auth, except: [:download_file, :index]
 
-	before_action :find_shixun, except: [:index, :new, :create, :menus, :get_recommend_shixuns, :propaedeutics,
-																			 :departments, :apply_shixun_mirror, :get_mirror_script, :download_file]
+	before_action :find_shixun, :shixun_access_allowed, except: [:index, :new, :create, :menus, :get_recommend_shixuns,
+																															 :propaedeutics, :departments, :apply_shixun_mirror,
+																															 :get_mirror_script, :download_file]
 	before_action :find_repo_name, only: [:repository, :commits, :file_content, :update_file, :shixun_exec, :copy]
 
 	before_action :allowed, only:  [:update, :close, :update_propaedeutics, :settings, :publish,
@@ -726,10 +727,6 @@ private
 			normal_status(404, "...")
 			return
 		end
-
-		if !current_user.shixun_permission(@shixun)
-			tip_exception(403, "..")
-		end
 	end
 
 	def find_repo_name

app/views/exercises/_user_exercise_info.json.jbuilder

@@ -54,7 +54,7 @@ json.exercise_questions do
       this_ques_status = all_question_status.detect {|f| f[:q_id] == q.id}
       json.answer_status this_ques_status[:stand_status]
     end
-    json.user_score user_ques_answers[:user_score].to_s
+    json.user_score user_ques_answers[:user_score].present? ? user_ques_answers[:user_score].to_s : nil
     json.partial! "exercise_questions/exercise_questions",
                   question: q,
                   ex_answerer: ex_answerer,