diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs
index aeb220ee8f3d3d3cd888e84b21995c7ce9c08245..a9574a8bce8719054518071b94316eaecb9f00ce 100644
--- a/src/Project/Controllers/ProjectController.cs
+++ b/src/Project/Controllers/ProjectController.cs
@@ -193,7 +193,7 @@ namespace Coscine.Api.Project.Controllers
 return NotFound($"Could not find project with id: {projectId}");
 }
- if (!_projectModel.HasAccess(user, project, UserRoles.Owner))
+ if (!_projectModel.HasAccess(user, project, UserRoles.Member, UserRoles.Owner))
 {
 return Unauthorized("The user is not authorized to perform a get on the selected project!");
 }
@@ -552,7 +552,7 @@ namespace Coscine.Api.Project.Controllers
 var projectObject = ObjectFactory<ProjectObject>.DeserializeFromStream(Request.Body);
 if (projectObject?.ParentId != new Guid()
- && !_projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner))
+ && !_projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Member, UserRoles.Owner))
 {
 return Unauthorized("User is not allowed to create SubProjects.");
 }
@@ -560,8 +560,8 @@ namespace Coscine.Api.Project.Controllers
 var project = _projectModel.StoreFromObject(projectObject, user, _rdfStoreConnector.GetQuotaDefault(user.Id.ToString()));
 if (projectObject.ParentId != new Guid()
- // for now, only an owner can add subprojects to projects
- && _projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner))
+ // Both an owner and a member can add subprojects to projects
+ && _projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Member, UserRoles.Owner))
 {
 var subProjectModel = new SubProjectModel();
 subProjectModel.LinkSubProject(projectObject.ParentId, project.Id);
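Review bot: The widened check `HasAccess(user, project, UserRoles.Member, UserRoles.Owner)` in the first hunk exposes whatever this get action returns to every member, and the response is built outside the hunk, so it should be confirmed that nothing owner-only is serialized there. The same role pair is also written out literally in the two sub-project hunks; one named helper or constant for "member or owner" would keep the three call sites from drifting apart when the policy changes again. The refusal still answers `Unauthorized(...)` (401) for what appears to be an authenticated caller who merely lacks the role; `Forbid()` or a 403 result would describe that case more accurately, provided API clients do not depend on the current status code.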
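Review bot: `projectObject` is deserialized from the request body and can evidently be null (the guard uses `?.`), yet in that case `projectObject?.ParentId != new Guid()` evaluates to true and the changed line of the second hunk dereferences `projectObject.ParentId`, so a malformed body ends in a NullReferenceException rather than a client error. A guard ahead of the condition, `if (projectObject == null) { return BadRequest("Invalid project object."); }` (message text constructed here), would close that. The result of `_projectModel.GetById(projectObject.ParentId)` is likewise handed to `HasAccess` without the not-found check that the get path applies; how `HasAccess` treats a missing parent is not visible here and should be confirmed now that more callers reach this branch. The enclosing action starts and ends outside the hunk.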
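Review bot: The second `HasAccess` call in the third hunk repeats the authorization decision that appears to have been enforced already before `StoreFromObject`, with a fresh `GetById` lookup, so if the two evaluations ever disagree the project is stored but silently left unlinked. Deciding once and reusing the result, e.g. `var hasParent = projectObject.ParentId != new Guid();` before the first guard and `if (hasParent)` after storing, removes the duplicate lookup and that inconsistent state. Because `StoreFromObject` receives `user` and that user's default quota, it is also worth confirming which role a member ends up with on the sub-project they create and whether member-initiated creation needs a limit; neither is visible in this hunk. The action's body continues past the end of the hunk.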