Fix step deletion for API [SCI-6561] (#3914)

app/controllers/api/v1/steps_controller.rb

@@ -6,10 +6,11 @@ module Api
       include Api::V1::ExtraParams
 
       before_action :load_team, :load_project, :load_experiment, :load_task, :load_protocol
-      before_action only: :show do
+      before_action only: %i(show update destroy) do
         load_step(:id)
       end
-      before_action :load_step_for_managing, only: %i(update destroy)
+      before_action :check_manage_permissions, only: :update
+      before_action :check_delete_permissions, only: :destroy
 
       def index
         steps = @protocol.steps.page(params.dig(:page, :number)).per(params.dig(:page, :size))
@@ -75,15 +76,18 @@ module Api
         %w(tables assets checklists checklists.checklist_items comments user)
       end
 
-      def load_step_for_managing
+      def check_manage_permissions
-        @step = @protocol.steps.find(params.require(:id))
         if step_params.key?(:completed) && step_params.except(:completed).blank?
           raise PermissionError.new(Step, :toggle_completion) unless can_complete_or_checkbox_step?(@step.protocol)
         else
-          raise PermissionError.new(Protocol, :manage) unless can_manage_protocol_in_module?(@step.protocol)
+          raise PermissionError.new(Step, :manage) unless can_manage_step?(@step)
         end
       end
 
+      def check_delete_permissions
+        raise PermissionError.new(Step, :delete) unless can_manage_step?(@step)
+      end
+
       def log_activity(type_of, message_items = {})
         default_items = { step: @step.id, step_position: { id: @step.id, value_for: 'position_plus_one' } }
         message_items = default_items.merge(message_items)