From d55734e5012a19c71fc3b1d95281229415cd8225 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Zrim=C5=A1ek?=
Date: Fri, 9 Feb 2018 18:02:04 +0100
Subject: [PATCH] Added additional permission checks for moving tasks. Added forgotten enclosing tag in a view.
---
app/controllers/canvas_controller.rb | 5 ++++-
app/views/canvas/edit/_my_module.html.erb | 1 +
app/views/canvas/edit/modal/_move_module.html.erb | 2 +-
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/controllers/canvas_controller.rb b/app/controllers/canvas_controller.rb
index 742786aaa..dc34ba77d 100644
--- a/app/controllers/canvas_controller.rb
+++ b/app/controllers/canvas_controller.rb
@@ -129,7 +129,10 @@ class CanvasController < ApplicationController
id.is_a?(String) && can_manage_module?(MyModule.find_by_id(id))
end &&
- to_move.values.all? { |k| k.is_a? String }
+ to_move.values.all? do |exp_id|
+ exp_id.is_a?(String) &&
+ can_manage_experiment?(Experiment.find_by_id(exp_id))
+ end
return render_403
end
rescue
diff --git a/app/views/canvas/edit/_my_module.html.erb b/app/views/canvas/edit/_my_module.html.erb
index 9a4adefa5..6a8631ee8 100644
--- a/app/views/canvas/edit/_my_module.html.erb
+++ b/app/views/canvas/edit/_my_module.html.erb
@@ -33,6 +33,7 @@
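Review bot: The new `to_move.values` check hands the result of `Experiment.find_by_id(exp_id)` (nil on a miss) straight to `can_manage_experiment?`, so unless that helper is nil-safe a fabricated experiment id raises NoMethodError and lands in the bare `rescue` below the hunk (whose body is outside this view) instead of on the `render_403` path the guard intends. Rejecting the lookup miss inline keeps the 403 explicit: `exp_id.is_a?(String) && (experiment = Experiment.find_by_id(exp_id)) && can_manage_experiment?(experiment)`, and the `MyModule.find_by_id(id)` context line above has the same shape. Note also that each destination experiment is authorised on its own; nothing visible here confirms it belongs to the same project as the module being moved, which is worth checking if cross-project moves are not intended. The enclosing method starts before this hunk.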
  • <%=t "experiments.canvas.edit.move_module" %>
  • + <% end %> <% if my_module.my_module_group && my_module.my_module_group.my_modules.all? { |my_module| can_manage_module?(my_module) } %>
  • <%=t "experiments.canvas.edit.move_module_group" %>
diff --git a/app/views/canvas/edit/modal/_move_module.html.erb b/app/views/canvas/edit/modal/_move_module.html.erb
index d617b82c0..1ef56df02 100644
--- a/app/views/canvas/edit/modal/_move_module.html.erb
+++ b/app/views/canvas/edit/modal/_move_module.html.erb
@@ -10,7 +10,7 @@
<% if experiments.count > 1 %>
<%= bootstrap_form_tag do |f| %>
<%= f.select :experiment_id, experiments
- .select { |e| e != @experiment }
+ .select { |e| e != @experiment && can_manage_experiment?(e) }
.collect { |e| [ e.name, e.id ] }, {}, {class: "form-control selectpicker", "data-role" => "clear"} %>
<% end %>
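Review bot: The `<% if experiments.count > 1 %>` guard on the hunk's first context line still counts the unfiltered list, while the new `.select { |e| e != @experiment && can_manage_experiment?(e) }` can now drop every candidate for a user who manages only the current experiment, so the form renders with an empty select instead of whatever the `else` branch (outside this hunk) shows. Filter once and guard on the result: `<% targets = experiments.select { |e| e != @experiment && can_manage_experiment?(e) } %>`, `<% if targets.any? %>`, then `<%= f.select :experiment_id, targets.collect { |e| [ e.name, e.id ] }, {}, {class: "form-control selectpicker", "data-role" => "clear"} %>`. This view-side filter is a usability nicety only; the controller-side `can_manage_experiment?` check in the same commit remains the authoritative one. If `experiments` is an ActiveRecord relation, `count` presumably issues its own query before the block-form `select` loads the records, which the single-filter form also avoids.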