Fix permissions + cleanup

lib/api/v3/work_packages/base_contract.rb

@@ -97,17 +97,11 @@ module API
           @can = WorkPackagePolicy.new(user)
         end
 
-        validate :user_allowed_to_edit
-
         extend Reform::Form::ActiveModel::ModelValidations
         copy_validations_from WorkPackage
 
         private
 
-        def user_allowed_to_edit
-          errors.add :error_unauthorized, '' unless @can.allowed?(model, :edit)
-        end
-
         def validate_people_visible(attribute, id_attribute, list)
           id = model[id_attribute]
 

lib/api/v3/work_packages/create_contract.rb

@@ -35,6 +35,16 @@ module API
         # Hence making them writable here is unproblematic.
         attribute :project_id
         attribute :author_id
+
+        validate :user_allowed_to_add
+
+        private
+
+        def user_allowed_to_add
+          unless @user.allowed_to?(:add_work_packages, model.project)
+            errors.add :error_unauthorized, ''
+          end
+        end
       end
     end
   end

lib/api/v3/work_packages/update_contract.rb

@@ -37,8 +37,14 @@ module API
 
         validate :user_allowed_to_access
 
+        validate :user_allowed_to_edit
+
         private
 
+        def user_allowed_to_edit
+          errors.add :error_unauthorized, '' unless @can.allowed?(model, :edit)
+        end
+
         # TODO: when someone every fixes the way errors are added in the contract:
         # find a solution to ensure that THIS validation supersedes others (i.e. show 404 if
         # there is no access allowed)