Fix permission check for archived tasks [SCI-5235]

app/controllers/api/v1/base_controller.rb

@@ -152,15 +152,15 @@ module Api
 
       def load_inventory(key = :inventory_id)
         @inventory = @team.repositories.find(params.require(key))
+        raise PermissionError.new(Repository, :read) unless can_read_repository?(@inventory)
       end
 
       def load_inventory_column(key = :column_id)
-        @inventory_column = @inventory.repository_columns
-                                      .find(params.require(key))
+        @inventory_column = @inventory.repository_columns.find(params.require(key))
       end
 
       def load_inventory_item(key = :item_id)
-        @inventory_item = @inventory.repository_rows.find(params[key].to_i)
+        @inventory_item = @inventory.repository_rows.find(params[key])
       end
 
       def load_project(key = :project_id)
@@ -175,6 +175,7 @@ module Api
 
       def load_task(key = :task_id)
         @task = @experiment.my_modules.find(params.require(key))
+        raise PermissionError.new(MyModule, :read) unless can_read_protocol_in_module?(@task.protocol)
       end
 
       def load_protocol(key = :protocol_id)

app/controllers/api/v1/workflow_statuses_controller.rb

@@ -3,9 +3,7 @@
 module Api
   module V1
     class WorkflowStatusesController < BaseController
-      before_action only: :index do
-        load_workflow(:workflow_id)
-      end
+      before_action :load_workflow
 
       def index
         statuses = @workflow.my_module_statuses

app/controllers/my_modules_controller.rb

@@ -313,11 +313,12 @@ class MyModulesController < ApplicationController
   end
 
   def check_view_permissions
-    render_403 unless can_read_experiment?(@my_module.experiment)
+    render_403 unless can_read_protocol_in_module?(@my_module.protocol)
   end
 
   def check_update_state_permissions
     return render_403 unless can_change_my_module_flow_status?(@my_module)
+
     render_404 unless @my_module.my_module_status
   end
 

app/permissions/my_module.rb

@@ -1,13 +1,16 @@
+# frozen_string_literal: true
+
 Canaid::Permissions.register_for(MyModule) do
   # Module, its experiment and its project must be active for all the specified
   # permissions
   %i(manage_module
+     archive_module
      manage_users_in_module
      assign_repository_rows_to_module
-     assign_sample_to_module
      create_comments_in_module
      create_my_module_repository_snapshot
-     manage_my_module_repository_snapshots)
+     manage_my_module_repository_snapshots
+     change_my_module_flow_status)
     .each do |perm|
     can perm do |_, my_module|
       my_module.active? &&
@@ -52,12 +55,6 @@ Canaid::Permissions.register_for(MyModule) do
     user.is_technician_or_higher_of_project?(my_module.experiment.project)
   end
 
-  # module: assign/unassign sample
-  # NOTE: Use 'module_page? &&' before calling this permission!
-  can :assign_sample_to_module do |user, my_module|
-    user.is_technician_or_higher_of_project?(my_module.experiment.project)
-  end
-
   # module: change_flow_status
   can :change_my_module_flow_status do |user, my_module|
     user.is_technician_or_higher_of_project?(my_module.experiment.project)

spec/requests/api/v1/workflow_statuses_controller_spec.rb

@@ -2,7 +2,7 @@
 
 require 'rails_helper'
 
-RSpec.describe 'Api::V1::WrokflowsController', type: :request do
+RSpec.describe 'Api::V1::WrokflowStatusesController', type: :request do
   before :all do
     @user = create(:user)
     @teams = create_list(:team, 2, created_by: @user)