Privilege issue with fetching managers, when creating an order (BE)

[MariusJulius]

There seems to be a privilege issue with fetching managers, when creating an order.

Endpoint: GET https://api.dev.tolkevarav.eki.ee/translation-order/api/institution-users Currently, I get error 403, if I have the create_project privilege and don’t have the manage_project privilege. Currently, this endpoint is used for fetching both the managers and the clients of a project, however from what I can see the privilege checks should be different for these. (project_role=manager/client)

For clients the “change_client” privilege is needed, but for managers it should be “create_order” OR “manage_order”.

Slack: https://pundar.slack.com/archives/C053FD55ATT/p1699783370231209

1. when creating the project then in general you need create_project, but user always needs the privilege change_client in order to edit the client field
2. when user is editing the project they need either change_client (edit only client field) OR manage_project (edit all other fields) privilege

Relates to reassigning as well: https://github.com/keeleinstituut/tv-tolkevarav/issues/454

To-do:

• Validating privileges for fetching managers in project creation

[MariusJulius]

Kaarel also mentioned it is duplicate of https://github.com/keeleinstituut/tv-tolkevarav/issues/242#issuecomment-1833357741 and #652

[plakitkelly]

Tested in 02.01 - It's OK