diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb
index 919495540..e7abe9e37 100644
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@@ -17,8 +17,8 @@ class AssetsController < ApplicationController
   helper_method :wopi_file_edit_button_status
 
   before_action :load_vars, except: :create_wopi_file
-  before_action :check_read_permission, except: %i(edit destroy create_wopi_file)
-  before_action :check_edit_permission, only: %i(edit destroy)
+  before_action :check_read_permission, except: %i(edit destroy create_wopi_file toggle_view_mode)
+  before_action :check_edit_permission, only: %i(edit destroy toggle_view_mode)
 
   def file_preview
     render json: { html: render_to_string(
@@ -191,7 +191,7 @@ class AssetsController < ApplicationController
 
   def destroy
     if @asset.destroy
-      render json: { flash: I18n.t('assets.file_deleted', file_name: @asset.file_name ) }
+      render json: { flash: I18n.t('assets.file_deleted', file_name: @asset.file_name) }
     else
       render json: {}, status: :unprocessable_entity
     end
diff --git a/app/controllers/steps_controller.rb b/app/controllers/steps_controller.rb
index 7b71dd7fb..080946a91 100644
--- a/app/controllers/steps_controller.rb
+++ b/app/controllers/steps_controller.rb
@@ -9,8 +9,9 @@ class StepsController < ApplicationController
   before_action :load_vars_nested, only:  %i(new create)
   before_action :convert_table_contents_to_utf8, only: %i(create update)
 
-  before_action :check_view_permissions, only: %i(show update_view_state update_asset_view_mode)
-  before_action :check_manage_permissions, only: %i(new create edit update destroy move_up move_down)
+  before_action :check_view_permissions, only: :show
+  before_action :check_manage_permissions, only: %i(new create edit update destroy move_up move_down
+                                                    update_view_state update_asset_view_mode)
   before_action :check_complete_and_checkbox_permissions, only: %i(toggle_step_state checklistitem_state)
 
   def new
diff --git a/app/views/assets/_asset_context_menu.html.erb b/app/views/assets/_asset_context_menu.html.erb
index f7fef391a..6eaaedb27 100644
--- a/app/views/assets/_asset_context_menu.html.erb
+++ b/app/views/assets/_asset_context_menu.html.erb
@@ -1,70 +1,72 @@
-<div class="dropdown asset-context-menu">
-  <button class="btn btn-light dropdown-toggle icon-btn" type="button" id="dropdownAssetContextMenu" data-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
-    <i class="fas fa-ellipsis-h"></i>
-  </button>
-  <ul class="dropdown-menu dropdown-menu-right"
-      aria-labelledby="dropdownAssetContextMenu"
-      data-asset-id="<%= asset.id %>"
-      data-toggle-view-url="<%= toggle_view_mode_path(asset) %>">
-    <% if can_manage_asset?(asset) && editable %>
-      <% if wopi_enabled? && wopi_file?(asset) %>
-        <li>
-          <% edit_supported, title = wopi_file_edit_button_status(asset) %>
-          <%= render partial: 'assets/wopi/file_wopi_controls.html.erb',
-            locals: {
-              asset: asset,
-              edit_supported: edit_supported,
-              title: title
-            } %>
-        </li>
-        <li role="separator" class="divider"></li>
-      <% elsif asset.file.metadata[:asset_type] == 'marvinjs' %>
-        <li>
-          <a class="btn btn-light marvinjs-edit-button"
-            data-sketch-id="<%= asset.id %>"
-            data-update-url="<%= marvin_js_asset_path(asset) %>"
-            data-sketch-start-edit-url="<%= start_editing_marvin_js_asset_path(asset) %>"
-            data-sketch-name="<%= asset.file.metadata[:name] %>"
-            data-sketch-description="<%= asset.file.metadata[:description] %>"
-          >
-            <span class="fas fa-pencil-alt"></span>
-            <%= t('assets.file_preview.edit_in_marvinjs') %>
-          </a>
-        </li>
-        <li role="separator" class="divider"></li>
-      <% elsif asset.editable_image? %>
-        <li>
-          <a class="btn btn-light image-edit-button"
-            data-image-id="<%= asset.id %>"
-            data-image-name="<%= asset.file_name %>"
-            data-image-url="<%= asset_file_url_path(asset) %>"
-            data-image-quality="<%= asset.file_image_quality || 80 %>"
-            data-image-mime-type="<%= asset.file.content_type %>"
-            data-image-start-edit-url="<%= start_edit_image_path(asset) %>"
-          >
-            <span class="fas fa-pencil-alt"></span>
-            <%= t('assets.file_preview.edit_in_scinote') %>
-          </a>
-        </li>
-        <li role="separator" class="divider"></li>
+<% if can_manage_asset?(asset) %>
+  <div class="dropdown asset-context-menu">
+    <button class="btn btn-light dropdown-toggle icon-btn" type="button" id="dropdownAssetContextMenu" data-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
+      <i class="fas fa-ellipsis-h"></i>
+    </button>
+    <ul class="dropdown-menu dropdown-menu-right"
+        aria-labelledby="dropdownAssetContextMenu"
+        data-asset-id="<%= asset.id %>"
+        data-toggle-view-url="<%= toggle_view_mode_path(asset) %>">
+      <% if editable %>
+        <% if wopi_enabled? && wopi_file?(asset) %>
+          <li>
+            <% edit_supported, title = wopi_file_edit_button_status(asset) %>
+            <%= render partial: 'assets/wopi/file_wopi_controls.html.erb',
+              locals: {
+                asset: asset,
+                edit_supported: edit_supported,
+                title: title
+              } %>
+          </li>
+          <li role="separator" class="divider"></li>
+        <% elsif asset.file.metadata[:asset_type] == 'marvinjs' %>
+          <li>
+            <a class="btn btn-light marvinjs-edit-button"
+              data-sketch-id="<%= asset.id %>"
+              data-update-url="<%= marvin_js_asset_path(asset) %>"
+              data-sketch-start-edit-url="<%= start_editing_marvin_js_asset_path(asset) %>"
+              data-sketch-name="<%= asset.file.metadata[:name] %>"
+              data-sketch-description="<%= asset.file.metadata[:description] %>"
+            >
+              <span class="fas fa-pencil-alt"></span>
+              <%= t('assets.file_preview.edit_in_marvinjs') %>
+            </a>
+          </li>
+          <li role="separator" class="divider"></li>
+        <% elsif asset.editable_image? %>
+          <li>
+            <a class="btn btn-light image-edit-button"
+              data-image-id="<%= asset.id %>"
+              data-image-name="<%= asset.file_name %>"
+              data-image-url="<%= asset_file_url_path(asset) %>"
+              data-image-quality="<%= asset.file_image_quality || 80 %>"
+              data-image-mime-type="<%= asset.file.content_type %>"
+              data-image-start-edit-url="<%= start_edit_image_path(asset) %>"
+            >
+              <span class="fas fa-pencil-alt"></span>
+              <%= t('assets.file_preview.edit_in_scinote') %>
+            </a>
+          </li>
+          <li role="separator" class="divider"></li>
+        <% end %>
       <% end %>
-    <% end %>
-    <li class="divider-label"><%= t("assets.context_menu.set_view_size") %></li>
-    <% ['inline', 'thumbnail', 'list'].each do |view_mode| %>
-      <li>
-        <a class="change-preview-type <%= 'selected' if view_mode == asset.view_mode %>"  data-preview-type="<%= view_mode %>">
-          <%= t("assets.context_menu.#{view_mode}_html") %>
-        </a>
-      </li>
-    <% end %>
-    <% if can_manage_asset?(asset) && deletable %>
-      <li role="separator" class="divider"></li>
-      <li>
-        <a class="delete-asset" href="<%= asset_destroy_path(asset) %>" data-file-name="<%= asset.render_file_name %>">
-          <i class="fas fa-trash"></i>
-          <%= t("assets.context_menu.delete") %>
-        </a>
-      </li>
-    <% end %>
-  </ul>
-</div>
+      <li class="divider-label"><%= t("assets.context_menu.set_view_size") %></li>
+      <% ['inline', 'thumbnail', 'list'].each do |view_mode| %>
+        <li>
+          <a class="change-preview-type <%= 'selected' if view_mode == asset.view_mode %>"  data-preview-type="<%= view_mode %>">
+            <%= t("assets.context_menu.#{view_mode}_html") %>
+          </a>
+        </li>
+      <% end %>
+      <% if deletable %>
+        <li role="separator" class="divider"></li>
+        <li>
+          <a class="delete-asset" href="<%= asset_destroy_path(asset) %>" data-file-name="<%= asset.render_file_name %>">
+            <i class="fas fa-trash"></i>
+            <%= t("assets.context_menu.delete") %>
+          </a>
+        </li>
+      <% end %>
+    </ul>
+  </div>
+<% end %>
diff --git a/app/views/steps/attachments/_list.html.erb b/app/views/steps/attachments/_list.html.erb
index 8b661d393..9be91414b 100644
--- a/app/views/steps/attachments/_list.html.erb
+++ b/app/views/steps/attachments/_list.html.erb
@@ -10,7 +10,8 @@
       <%= t('protocols.steps.files', count: assets.length) %>
     </h4>
   </div>
-  <% unless preview %>
+  <% if !(preview) && (can_manage_protocol_in_module?(@protocol) ||
+                             can_manage_protocol_in_repository?(@protocol)) %>
     <div class="actions">
       <div class="dropdown sci-dropdown">
         <button class="btn btn-light dropdown-toggle" type="button" id="dropdownAttachmentsOptions" data-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
@@ -22,19 +23,16 @@
             data-view-mode-url="<%= update_asset_view_mode_step_path(step) %>"
             data-step-id="<%= step.id %>"
             data-state-save-url="<%= update_view_state_step_path(step.id) %>">
-          <% if !(preview) && (can_manage_protocol_in_module?(@protocol) ||
-                             can_manage_protocol_in_repository?(@protocol)) %>
-            <li class="divider-label"><%= t("protocols.steps.attachments.add") %></li>
-            <li>
-              <%= render partial: '/assets/marvinjs/create_marvin_sketch_li.html.erb',
-                         locals: {  element_id: step.id, element_type: 'Step',  sketch_container: ".attachments[data-step-id=#{step.id}]" } %>
-            </li>
-            <li>
-              <%= render partial: '/assets/wopi/create_wopi_file_li.html.erb',
-                         locals: {  element_id: step.id, element_type: 'Step' } %>
-            </li>
-            <li role="separator" class="divider"></li>
-          <% end %>
+          <li class="divider-label"><%= t("protocols.steps.attachments.add") %></li>
+          <li>
+            <%= render partial: '/assets/marvinjs/create_marvin_sketch_li.html.erb',
+                       locals: {  element_id: step.id, element_type: 'Step',  sketch_container: ".attachments[data-step-id=#{step.id}]" } %>
+          </li>
+          <li>
+            <%= render partial: '/assets/wopi/create_wopi_file_li.html.erb',
+                       locals: {  element_id: step.id, element_type: 'Step' } %>
+          </li>
+          <li role="separator" class="divider"></li>
           <li class="divider-label"><%= t("protocols.steps.attachments.sort_by") %></li>
           <% ['new', 'old', 'atoz', 'ztoa'].each do |sort| %>
             <li>