diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb
index 9671bfa87..c56cacdd9 100644
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@@ -1,6 +1,7 @@
 class AssetsController < ApplicationController
   before_action :load_vars, except: [:signature]
   before_action :check_read_permission, except: [:signature, :file_present]
+  before_action :check_edit_permission, only: [ :edit ]
 
   # Validates asset and then generates S3 upload posts, because
   # otherwise untracked files could be uploaded to S3
@@ -107,6 +108,18 @@ class AssetsController < ApplicationController
     end
   end
 
+  def check_edit_permission
+    if @assoc.class == Step
+      unless can_edit_step_in_protocol(@protocol)
+        render_403 and return
+      end
+    elsif @assoc.class == Result
+      unless can_edit_result_asset_in_module(@my_module)
+        render_403 and return
+      end
+    end
+  end
+
   def generate_upload_posts(asset)
     posts = []
     s3_post = S3_BUCKET.presigned_post(
diff --git a/app/views/steps/_step.html.erb b/app/views/steps/_step.html.erb
index 26a24e6ae..2dc3a5e68 100644
--- a/app/views/steps/_step.html.erb
+++ b/app/views/steps/_step.html.erb
@@ -76,7 +76,8 @@
       <% if asset.can_perform_action("view") %>
         <%= link_to "View", view_asset_url(id: asset) %>
       <% end %>
-      <% if asset.can_perform_action("edit") %>
+      <% if can_edit_step_in_protocol(@protocol) &&
+            asset.can_perform_action("edit") %>
         <%= link_to "Edit", edit_asset_url(id: asset) %>
       <% end %>
     <% else %>
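Review bot: The new filter is registered with `only: [ :edit ]`, so any other action that mutates the asset (an `update` or similar, if this controller has one — not visible in the hunk) still runs with only `check_read_permission`; confirm the action list covers every write path, not just the form that renders the edit view. As a point of style the array literal should match the line above it: `before_action :check_edit_permission, only: [:edit]`.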
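Review bot: `check_edit_permission` has no `else` branch, so when `@assoc` is neither a `Step` nor a `Result` the filter falls through and the `edit` action runs with no authorization check at all; an authorization filter should deny by default. The exact-class comparisons `@assoc.class == Step` also fail for any subclass of `Step`/`Result` (if the app uses STI), where `case`/`when` (which uses `===`) would match. Where `@assoc`, `@protocol` and `@my_module` are populated is outside the hunk — presumably `load_vars` — so a short comment stating that the filter relies on `load_vars` having run first would help the next reader. A rewrite that computes the decision once and denies every unmatched case:

```ruby
  # Denies the edit action unless the current user may edit the parent the
  # asset is attached to. Relies on the earlier load_vars filter to have set
  # @assoc (and @protocol / @my_module) — verify against load_vars.
  def check_edit_permission
    allowed =
      case @assoc
      when Step then can_edit_step_in_protocol(@protocol)
      when Result then can_edit_result_asset_in_module(@my_module)
      else false # unknown parent type: deny by default
      end
    render_403 unless allowed
  end
```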
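Review bot: The partial now reads `@protocol` directly, so it only renders correctly when every caller of `_step.html.erb` has that instance variable set; a partial is usually handed the value as a local (`render "step", protocol: @protocol` and `can_edit_step_in_protocol(protocol)`) so the dependency is explicit at the call site. Hiding the link is presentation only — the server-side check added in `AssetsController#check_edit_permission` is what actually enforces it, which is the right split. The continuation line of the `&&` condition is indented further than the `if` it belongs to; aligning it under `can_edit_step_in_protocol` reads more clearly.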