disable editing users when curator doesnt't have write access level

CHANGELOG

@@ -13,6 +13,8 @@ minerva (14.0.0~beta.0) unstable; urgency=low
   * Bug fix: privilege checking on updating privileges, data overlays were not 
     sufficient and could lead to access escalation
   * Bug fix: user without privileges had edit map input options enabled
+  * Bug fix: user without privileges had edit map input options for managing 
+    project users
   * Bug fix: alignment of tabs fixed for dialogs: "Add Project", "Edit Genome", 
     "Edit Project", "Edit User" (#881)
 

frontend-js/src/main/js/gui/admin/EditProjectDialog.js

@@ -781,12 +781,14 @@ EditProjectDialog.prototype.refreshMaps = function () {
  */
 EditProjectDialog.prototype.refreshUsers = function () {
   var self = this;
-  return self.getServerConnector().getLoggedUser().then(function (user) {
-    var curatorPrivilege = self.getConfiguration().getPrivilegeType(PrivilegeType.IS_CURATOR);
-    var adminPrivilege = self.getConfiguration().getPrivilegeType(PrivilegeType.IS_ADMIN);
+  return self.getServerConnector().getLoggedUser().then(function (loggedUser) {
+    var isAdmin = loggedUser.hasPrivilege(self.getConfiguration().getPrivilegeType(PrivilegeType.IS_ADMIN));
+    var isCurator = loggedUser.hasPrivilege(self.getConfiguration().getPrivilegeType(PrivilegeType.IS_CURATOR)) &&
+      loggedUser.hasPrivilege(self.getConfiguration().getPrivilegeType(PrivilegeType.WRITE_PROJECT), self.getProject().getProjectId());
+
     //we need to refresh users as well because of privileges
-    if (user.hasPrivilege(curatorPrivilege) || user.hasPrivilege(adminPrivilege)) {
-      return ServerConnector.getUsers(true).then(function (users) {
+    if (isAdmin || isCurator) {
+      return self.getServerConnector().getUsers(true).then(function (users) {
         return self.setUsers(users);
       });
     } else {