Fix stage and state modification permission (#4324)

Co-authored-by: NMatyesz12 <turi.mate12@gmail.com>

cvat/apps/engine/tests/test_rest_api.py

@@ -357,7 +357,7 @@ class JobUpdateAPITestCase(APITestCase):
     def test_api_v2_jobs_id_annotator(self):
         data = {"stage": StageChoice.ANNOTATION, "assignee": self.annotator.id}
         response = self._run_api_v2_jobs_id(self.job.id, self.annotator, data)
-        self._check_request(response, data)
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
         response = self._run_api_v2_jobs_id(self.job.id + 10, self.annotator, data)
         self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
 
@@ -391,8 +391,8 @@ class JobPartialUpdateAPITestCase(JobUpdateAPITestCase):
 
     def test_api_v2_jobs_id_annotator_partial(self):
         data = {"stage": StageChoice.ANNOTATION}
-        response = self._run_api_v2_jobs_id(self.job.id, self.owner, data)
-        self._check_request(response, data)
+        response = self._run_api_v2_jobs_id(self.job.id, self.annotator, data)
+        self.assertEquals(response.status_code, status.HTTP_403_FORBIDDEN, response)
 
     def test_api_v2_jobs_id_admin_partial(self):
         data = {"assignee_id": self.user.id}

cvat/apps/iam/permissions.py

@@ -788,6 +788,10 @@ class JobPermission(OpenPolicyAgentPermission):
                 project_id = request.data.get('project_id') or request.data.get('project')
                 if project_id != getattr(obj.project, 'id', None):
                     scopes.append(scope + ':project')
+            if 'stage' in request.data:
+                scopes.append(scope + ':stage')
+            if 'state' in request.data:
+                scopes.append(scope + ':state')
 
             if any(k in request.data for k in ('name', 'labels', 'bug_tracker', 'subset')):
                 scopes.append(scope + ':desc')