diff --git a/app/controllers/canvas_controller.rb b/app/controllers/canvas_controller.rb
index 742786aaa..dc34ba77d 100644
--- a/app/controllers/canvas_controller.rb
+++ b/app/controllers/canvas_controller.rb
@@ -129,7 +129,10 @@ class CanvasController < ApplicationController
id.is_a?(String) &&
can_manage_module?(MyModule.find_by_id(id))
end &&
- to_move.values.all? { |k| k.is_a? String }
+ to_move.values.all? do |exp_id|
+ exp_id.is_a?(String) &&
+ can_manage_experiment?(Experiment.find_by_id(exp_id))
+ end
return render_403
end
rescue
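Review bot: `Experiment.find_by_id(exp_id)` in the added block returns nil for an id that does not exist, and nothing visible here shows whether `can_manage_experiment?` denies on nil or raises into the bare `rescue` that follows, whose handling is outside the hunk. Making the denial explicit keeps the 403 decision independent of that: `(exp = Experiment.find_by_id(exp_id)) && can_manage_experiment?(exp)`. If several modules in one request target the same experiment, `to_move.values.uniq.all? do |exp_id|` would avoid repeating the lookup and permission check for each of them. A short comment such as `# the destination experiment must be manageable too, not only the moved modules` would record why both sides of the move are authorized.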
diff --git a/app/views/canvas/edit/_my_module.html.erb b/app/views/canvas/edit/_my_module.html.erb
index 9a4adefa5..6a8631ee8 100644
--- a/app/views/canvas/edit/_my_module.html.erb
+++ b/app/views/canvas/edit/_my_module.html.erb
@@ -33,6 +33,7 @@
<%=t "experiments.canvas.edit.move_module" %>
+ <% end %>
<% if my_module.my_module_group && my_module.my_module_group.my_modules.all? { |my_module| can_manage_module?(my_module) } %>
<%=t "experiments.canvas.edit.move_module_group" %>
diff --git a/app/views/canvas/edit/modal/_move_module.html.erb b/app/views/canvas/edit/modal/_move_module.html.erb
index d617b82c0..1ef56df02 100644
--- a/app/views/canvas/edit/modal/_move_module.html.erb
+++ b/app/views/canvas/edit/modal/_move_module.html.erb
@@ -10,7 +10,7 @@
<% if experiments.count > 1 %>
<%= bootstrap_form_tag do |f| %>
<%= f.select :experiment_id, experiments
- .select { |e| e != @experiment }
+ .select { |e| e != @experiment && can_manage_experiment?(e) }
.collect { |e| [ e.name, e.id ] }, {},
{class: "form-control selectpicker", "data-role" => "clear"} %>
<% end %>
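Review bot: The `experiments.count > 1` guard above the select still counts the unfiltered list, so a user who cannot manage any of the other experiments now gets the form with an empty dropdown. Computing the filtered list once and testing that instead keeps the guard and the options in agreement, e.g. `<% targets = experiments.select { |e| e != @experiment && can_manage_experiment?(e) } %>` followed by `<% if targets.any? %>` and `targets.collect { |e| [ e.name, e.id ] }` in the select. The branch that the `if` falls through to is outside the hunk, so confirm it reads sensibly for the "no manageable target" case. This filter only shapes what the user is offered; the enforcement remains the server-side check in `CanvasController`.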