From a6768625566746a04b554a6dbcc27ff64f37f885 Mon Sep 17 00:00:00 2001
From: bseres99
Date: Tue, 15 Feb 2022 15:16:57 +0100
Subject: [PATCH] Fix stage and state modification permission (#4324)
Co-authored-by: Matyesz12
---
 cvat/apps/engine/tests/test_rest_api.py | 6 +++---
 cvat/apps/iam/permissions.py | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/cvat/apps/engine/tests/test_rest_api.py b/cvat/apps/engine/tests/test_rest_api.py
index 8349cd8f..5dc5798f 100644
--- a/cvat/apps/engine/tests/test_rest_api.py
+++ b/cvat/apps/engine/tests/test_rest_api.py
@@ -357,7 +357,7 @@ class JobUpdateAPITestCase(APITestCase):
 def test_api_v2_jobs_id_annotator(self):
 data = {"stage": StageChoice.ANNOTATION, "assignee": self.annotator.id}
 response = self._run_api_v2_jobs_id(self.job.id, self.annotator, data)
- self._check_request(response, data)
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 response = self._run_api_v2_jobs_id(self.job.id + 10, self.annotator, data)
 self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
@@ -391,8 +391,8 @@ class JobPartialUpdateAPITestCase(JobUpdateAPITestCase):
 def test_api_v2_jobs_id_annotator_partial(self):
 data = {"stage": StageChoice.ANNOTATION}
- response = self._run_api_v2_jobs_id(self.job.id, self.owner, data)
- self._check_request(response, data)
+ response = self._run_api_v2_jobs_id(self.job.id, self.annotator, data)
+ self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN, response)
 def test_api_v2_jobs_id_admin_partial(self):
 data = {"assignee_id": self.user.id}
diff --git a/cvat/apps/iam/permissions.py b/cvat/apps/iam/permissions.py
index 1107db4a..b80a6de8 100644
--- a/cvat/apps/iam/permissions.py
+++ b/cvat/apps/iam/permissions.py
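Review bot: In the second hunk of test_rest_api.py, `test_api_v2_jobs_id_annotator_partial` asserts with `self.assertEquals(..., response)`; `assertEquals` is a deprecated alias that was removed in Python 3.12, and the third argument is the failure message, so a response object is passed there. `self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)` would match the assertion used in the first hunk. Both changed tests only send `stage`, while the commit also gates `state`, so an annotator case that sends only `state` would pin that branch. A case showing a role that is still allowed to change the stage would guard against the new scope denying everyone.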
@@ -788,6 +788,10 @@ class JobPermission(OpenPolicyAgentPermission):
 project_id = request.data.get('project_id') or request.data.get('project')
 if project_id != getattr(obj.project, 'id', None):
 scopes.append(scope + ':project')
+ if 'stage' in request.data:
+ scopes.append(scope + ':stage')
+ if 'state' in request.data:
+ scopes.append(scope + ':state')
 if any(k in request.data for k in ('name', 'labels', 'bug_tracker', 'subset')):
 scopes.append(scope + ':desc')
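Review bot: The two added branches append `scope + ':stage'` and `scope + ':state'` as soon as the key appears in `request.data`, whereas the `project` branch just above appends only after comparing the submitted id with `obj.project`. The updated tests suggest this is intended, but nothing in the code says so. A comment above the first new `if` would record it, e.g. `# Key presence alone requires the scope, even when the value is unchanged (fail closed).` The patch touches no policy file, so the actual decision rests on rules for these two scope names that are not visible here. It is worth confirming that those rules exist and that an unmatched scope is denied rather than allowed. The enclosing method starts and ends outside the hunk, and indentation is lost on this page, so the nesting of the new branches cannot be checked from here.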