From 1182ce5da137cf74693789e4842555534e983343 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Zrim=C5=A1ek?=
Date: Mon, 5 Feb 2018 18:55:37 +0100
Subject: [PATCH] Fixed experiment level permission checks in the controllers.
---
 app/controllers/canvas_controller.rb | 4 +---
 app/controllers/protocols_controller.rb | 4 ++--
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/app/controllers/canvas_controller.rb b/app/controllers/canvas_controller.rb
index d4ae61575..40168768a 100644
--- a/app/controllers/canvas_controller.rb
+++ b/app/controllers/canvas_controller.rb
@@ -218,9 +218,7 @@ class CanvasController < ApplicationController
 end
 def check_edit_canvas
- unless can_edit_canvas(@experiment)
- render_403 and return
- end
+ render_403 and return unless can_manage_experiment?(@experiment)
 end
 def check_view_canvas
diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb
index 151bd881f..0f110a58b 100644
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@@ -1122,8 +1122,8 @@ class ProtocolsController < ApplicationController
 @my_module = @protocol.my_module
 render_403 unless @my_module.present? &&
- (can_read_protocol_in_module?(protocol) ||
- can_create_protocols_in_repository?(protocol.team))
+ (can_read_protocol_in_module?(@protocol) ||
+ can_create_protocols_in_repository?(@protocol.team))
 end
 def check_make_private_permissions
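Review bot: The `and return` in the new one-line body of `check_edit_canvas` does nothing, because it is the last statement of the method and returning from the helper does not stop the calling action; `render_403 unless can_manage_experiment?(@experiment)` says the same thing and matches the form used in the protocols controller. The check also moves from a canvas-edit helper to the broader-sounding manage-experiment permission, so it is worth a short comment above the method such as `# Canvas edits require experiment-level manage rights`, if that is the intended privilege. A controller test asserting 403 for a user who can view but not manage the experiment would pin the behaviour this commit is fixing.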
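Review bot: The context line `@my_module = @protocol.my_module` dereferences `@protocol` before any check, so a failed protocol lookup would raise a NoMethodError instead of reaching the `render_403` below it. The method's opening lines are outside this hunk, so a guard may already exist there; if it does not, `@my_module = @protocol&.my_module` lets the existing `@my_module.present?` test reject the request. Unless a `protocol` helper is defined elsewhere in the controller, the old condition would have raised a NameError on every call, which suggests this authorization path had no test coverage. A request spec asserting 403 for a user with neither the module read permission nor the repository create permission would keep it from regressing.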