Update/implement permission checks in the _my_modules_tags_ controller [SCI-6062]

app/controllers/my_module_tags_controller.rb

@@ -2,7 +2,7 @@ class MyModuleTagsController < ApplicationController
   include InputSanitizeHelper
 
   before_action :load_vars, except: :canvas_index
-  before_action :check_view_permissions, only: %i(index index_edit)
+  before_action :check_view_permissions, except: %i(canvas_index create destroy destroy_by_tag_id)
   before_action :check_manage_permissions, only: %i(create destroy destroy_by_tag_id)
 
   def index_edit
@@ -38,7 +38,8 @@ class MyModuleTagsController < ApplicationController
 
   def canvas_index
     experiment = Experiment.find(params[:id])
-    render_403 unless can_read_experiment?(experiment)
+    return render_403 unless can_read_experiment?(experiment)
+
     res = []
     experiment.my_modules.active.each do |my_module|
       res << {
@@ -157,17 +158,15 @@ class MyModuleTagsController < ApplicationController
   def load_vars
     @my_module = MyModule.find_by_id(params[:my_module_id])
 
-    unless @my_module
+    render_404 if @my_module.blank?
-      render_404
-    end
   end
 
   def check_view_permissions
-    render_403 unless can_read_experiment?(@my_module.experiment)
+    render_403 unless can_read_my_module?(@my_module)
   end
 
   def check_manage_permissions
-    render_403 unless can_manage_my_module?(@my_module)
+    render_403 unless can_manage_my_module_tags?(@my_module)
   end
 
   def mt_params

spec/permissions/controllers/my_module_tags_controller_spec.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe MyModuleTagsController, type: :controller do
+  include PermissionExtends
+
+  it_behaves_like "a controller with authentication", {
+    index_edit: { my_module_id: 1 },
+    index: { my_module_id: 1 },
+    canvas_index: { id: 1 },
+    create: { my_module_id: 1 },
+    destroy: { my_module_id: 1, id: 1 },
+    search_tags: { my_module_id: 1 },
+    destroy_by_tag_id: { my_module_id: 1, id: 1 }
+  }, []
+
+  login_user
+
+  describe 'permissions checking' do
+    include_context 'reference_project_structure', {
+      team_role: :normal_user,
+      tag: true
+    }
+
+    it_behaves_like "a controller action with permissions checking", :get, :index_edit do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::READ] }
+      let(:action_params) { { my_module_id: my_module.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :index do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::READ] }
+      let(:action_params) { { my_module_id: my_module.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :canvas_index do
+      let(:testable) { experiment }
+      let(:permissions) { [ExperimentPermissions::READ] }
+      let(:action_params) { { id: experiment.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :create do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
+      let(:action_params) { { my_module_id: my_module.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :destroy do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
+      let(:action_params) { { my_module_id: my_module.id, id: tag.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :search_tags do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::READ] }
+      let(:action_params) { { my_module_id: my_module.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :destroy_by_tag_id do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
+      let(:action_params) { { my_module_id: my_module.id, id: tag.id } }
+    end
+  end
+end