diff --git a/app/controllers/canvas_controller.rb b/app/controllers/canvas_controller.rb
index d4ae61575..40168768a 100644
--- a/app/controllers/canvas_controller.rb
+++ b/app/controllers/canvas_controller.rb
@@ -218,9 +218,7 @@ class CanvasController < ApplicationController
 end
 def check_edit_canvas
- unless can_edit_canvas(@experiment)
- render_403 and return
- end
+ render_403 and return unless can_manage_experiment?(@experiment)
 end
 def check_view_canvas
diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb
index 151bd881f..0f110a58b 100644
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@@ -1122,8 +1122,8 @@ class ProtocolsController < ApplicationController
 @my_module = @protocol.my_module
 render_403 unless @my_module.present? &&
- (can_read_protocol_in_module?(protocol) ||
- can_create_protocols_in_repository?(protocol.team))
+ (can_read_protocol_in_module?(@protocol) ||
+ can_create_protocols_in_repository?(@protocol.team))
 end
 def check_make_private_permissions
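Review bot: The trailing `and return` on the added line in `check_edit_canvas` has no effect, because it is the method's last statement, and pairing `and` with a modifier `unless` makes the guard harder to read; `render_403 unless can_manage_experiment?(@experiment)` says the same thing. The gate also moves from the canvas-specific `can_edit_canvas` to the experiment-level `can_manage_experiment?`, and the hunk does not show whether both predicates admit the same roles. If they differ, who may edit the canvas changes with this one line, so a controller test asserting a 403 for a user who can view but not manage the experiment would pin the intended boundary. A short comment such as `# Canvas editing requires manage permission on the experiment` would record the decision.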
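Review bot: The guard on the added lines passes when either predicate holds, so a user who satisfies `can_create_protocols_in_repository?(@protocol.team)` is admitted even when `can_read_protocol_in_module?(@protocol)` is false. If the action both reads the module's protocol and writes to the team repository (inferred; the method's name and start are outside the hunk), both rights are presumably required and the operator should be `&&`: `(can_read_protocol_in_module?(@protocol) && can_create_protocols_in_repository?(@protocol.team))`. Before this change the bare `protocol` probably did not resolve to the loaded record, so this may be the first time the condition is evaluated as written and it is worth confirming against the intended policy. The context line `@my_module = @protocol.my_module` also dereferences `@protocol` before any nil check, so a failed lookup would raise instead of rendering the 403; `@my_module = @protocol&.my_module` would let the existing `present?` test deny the request.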