Fixed experiment level permission checks in the controllers.

2025-03-05 04:03:45 +08:00 · 2018-02-05 18:55:37 +01:00 · 2018-02-05 18:55:37 +01:00 · 1182ce5da1
commit 1182ce5da1
parent 7938c2e036
2 changed files with 3 additions and 5 deletions
--- a/app/controllers/canvas_controller.rb
+++ b/app/controllers/canvas_controller.rb
@ -218,9 +218,7 @@ class CanvasController < ApplicationController
  end

  def check_edit_canvas
-    unless can_edit_canvas(@experiment)
-      render_403 and return
-    end
+    render_403 and return unless can_manage_experiment?(@experiment)
  end

  def check_view_canvas
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@ -1122,8 +1122,8 @@ class ProtocolsController < ApplicationController
    @my_module = @protocol.my_module

    render_403 unless @my_module.present? &&
-                      (can_read_protocol_in_module?(protocol) ||
-                       can_create_protocols_in_repository?(protocol.team))
+                      (can_read_protocol_in_module?(@protocol) ||
+                       can_create_protocols_in_repository?(@protocol.team))
  end

  def check_make_private_permissions