Correct authorization for programming_group new & create

app/controllers/programming_groups_controller.rb

@@ -3,24 +3,24 @@
 class ProgrammingGroupsController < ApplicationController
   include CommonBehavior
 
-  before_action :set_exercise_and_authorize, only: %i[new create]
+  before_action :set_exercise_and_authorize, only: MEMBER_ACTIONS + %i[create]
   before_action :current_user_id_with_type, only: %i[new create]
 
   def authorize!
-    authorize(@exercise || @exercises)
+    authorize(@programming_group || @programming_groups)
   end
-
   private :authorize!
 
   def set_exercise_and_authorize
     @exercise = Exercise.find(params[:exercise_id])
-    authorize!
+    policy(@exercise).implement?
   end
-
   private :set_exercise_and_authorize
 
   def new
     @programming_group = ProgrammingGroup.new(exercise: @exercise)
+    authorize!
+    set_exercise_and_authorize
   end
 
   def create
@@ -29,6 +29,7 @@ def create
 
     unless programming_group_exists_for?(programming_partner_ids)
       @programming_group = ProgrammingGroup.new(exercise: @exercise, programming_partner_ids:)
+      authorize!
 
       unless programming_partner_ids.include? @current_user_id_with_type
         @programming_group.external_users << current_user
@@ -71,6 +72,8 @@ def programming_group_exists_for?(user_ids_with_type)
         flash.keep(:danger)
         redirect_to new_exercise_programming_group_path
         found_group = programming_group_id
+        @programming_group = ProgrammingGroup.find(found_group)
+        authorize!
         break
       end
       break if found_group

app/policies/programming_group_policy.rb

@@ -1,7 +1,11 @@
 # frozen_string_literal: true
 
 class ProgrammingGroupPolicy < AdminOrAuthorPolicy
-  def new
+  def new?
+    everyone
+  end
+
+  def create?
     everyone
   end
 end