From c4a0ebeadfbbd01ce02b3881305aa8b982dcee7a Mon Sep 17 00:00:00 2001
From: ajugo <andrej.jugovic7@gmail.com>
Date: Tue, 25 Apr 2023 16:00:20 +0200
Subject: [PATCH] Fix protocol dropdown options for private protocol [SCI-7983]
 (#5337)

---
 app/controllers/protocols_controller.rb | 14 +++++++++++---
 app/serializers/protocol_serializer.rb  |  6 ++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb
index 553175c86..2a3dfc84d 100644
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@@ -27,8 +27,6 @@ class ProtocolsController < ApplicationController
     protocolsio_index
     datatable
   )
-  # For update_from_parent and update_from_parent_modal we don't need to check
-  # read permission for the parent protocol
   before_action :check_manage_permissions, only: %i(
     update_keywords
     update_description
@@ -37,11 +35,14 @@ class ProtocolsController < ApplicationController
     update_authors
     unlink
     unlink_modal
+    delete_steps
+  )
+
+  before_action :check_manage_with_read_protocol_permissions, only: %i(
     revert
     revert_modal
     update_from_parent
     update_from_parent_modal
-    delete_steps
   )
   before_action :check_restore_all_in_repository_permissions, only: :restore
   before_action :check_archive_all_in_repository_permissions, only: :archive
@@ -1010,6 +1011,13 @@ class ProtocolsController < ApplicationController
                        can_manage_protocol_draft_in_repository?(@protocol))
   end
 
+  def check_manage_with_read_protocol_permissions
+    @protocol = Protocol.find_by(id: params[:id])
+    render_403 unless @protocol.present? && @protocol.parent.present? &&
+                      (can_manage_protocol_in_module?(@protocol) &&
+                       can_read_protocol_in_repository?(@protocol.parent))
+  end
+
   def check_save_as_draft_permissions
     @protocol = Protocol.find_by(id: params[:id])
     render_403 unless @protocol.present? && can_save_protocol_version_as_draft?(@protocol)
diff --git a/app/serializers/protocol_serializer.rb b/app/serializers/protocol_serializer.rb
index b697dc23a..25c527af0 100644
--- a/app/serializers/protocol_serializer.rb
+++ b/app/serializers/protocol_serializer.rb
@@ -174,14 +174,16 @@ class ProtocolSerializer < ActiveModel::Serializer
 
   def revert_protocol_url
     return unless can_manage_protocol_in_module?(object) && object.linked? &&
-                  object.parent.active? && object.newer_than_parent?
+                  object.parent.active? && object.newer_than_parent? &&
+                  can_read_protocol_in_repository?(object.parent)
 
     revert_modal_protocol_path(object, format: :json)
   end
 
   def update_protocol_url
     return unless can_manage_protocol_in_module?(object) && object.linked? &&
-                  object.parent.active? && object.parent_newer?
+                  object.parent.active? && object.parent_newer? &&
+                  can_read_protocol_in_repository?(object.parent)
 
     update_from_parent_modal_protocol_path(object, format: :json)
   end