fix integrative specs

to access a path like /api/v3/work_packages/:id/foo you do not only need the permissions for foo, but also for the work package.

spec/requests/api/cost_entries/cost_entries_by_work_package_resource_spec.rb

@@ -36,8 +36,12 @@ describe 'API v3 Cost Entry resource' do
   let(:current_user) {
     FactoryGirl.create(:user, member_in_project: project, member_through_role: role)
   }
-  let(:role) { FactoryGirl.create(:role, permissions: permissions) }
-  let(:permissions) { [:view_cost_entries] }
+  let(:role) { FactoryGirl.create(:role, permissions: total_permissions) }
+  let(:total_permissions) {
+    # always include view WP, to ensure accessibility
+    [:view_work_packages] + cost_permissions
+  }
+  let(:cost_permissions) { [:view_cost_entries] }
   let(:project) { FactoryGirl.create(:project) }
   let(:work_package) { FactoryGirl.create(:work_package, project: project) }
   subject(:response) { last_response }
@@ -66,14 +70,14 @@ describe 'API v3 Cost Entry resource' do
     end
 
     context 'user can see own cost entries' do
-      let(:permissions) { [:view_own_cost_entries] }
+      let(:cost_permissions) { [:view_own_cost_entries] }
       it 'should return HTTP 200' do
         expect(response.status).to eql(200)
       end
     end
 
     context 'user has no cost entry permissions' do
-      let(:permissions) { [] }
+      let(:cost_permissions) { [] }
 
       it_behaves_like 'error response',
                       403,
@@ -92,14 +96,14 @@ describe 'API v3 Cost Entry resource' do
     end
 
     context 'user can see own cost entries' do
-      let(:permissions) { [:view_own_cost_entries] }
+      let(:cost_permissions) { [:view_own_cost_entries] }
       it 'should return HTTP 200' do
         expect(response.status).to eql(200)
       end
     end
 
     context 'user has no cost entry permissions' do
-      let(:permissions) { [] }
+      let(:cost_permissions) { [] }
 
       it_behaves_like 'error response',
                       403,