Throws 401 if user doesn't have permissions to change course settings

fixes CNVS-22168

Test Plan:
* Create a course and multiple grading schemes
* Attempt to change the course's grading scheme via API (course[grading_standard_id]) as an account user with "Edit Grades" permission disabled
* You should receive an HTTP 401 (Unauthorized) response
* If the "Edit Grades" permission is enabled, the grading scheme should change without issue.

Change-Id: I685166062636170b69906457c0c46a74ee6d9500
Reviewed-on: https://gerrit.instructure.com/59933
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Dan Minkevitch <dan@instructure.com>
Dan Minkevitch 2015-08-04 09:51:55 -07:00
parent 1528dc846e
commit e5a6367d02
1 changed files with 4 additions and 2 deletions


@ -1972,20 +1972,22 @@ class CoursesController < ApplicationController
if params[:course].has_key? :grading_standard_id
standard_id = params[:course].delete :grading_standard_id
if @course.grants_right?(@current_user, session, :manage_grades)
if authorized_action?(@course, @current_user, :manage_grades)
if standard_id.present?
grading_standard = GradingStandard.for(@course).where(id: standard_id).first
@course.grading_standard = grading_standard if grading_standard
else
@course.grading_standard = nil
end
else
return
end
end
unless @course.account.grants_right? @current_user, session, :manage_storage_quotas
params[:course].delete :storage_quota
params[:course].delete :storage_quota_mb
end
if !@course.account.grants_right?(@current_user, session, :manage_courses)
unless @course.account.grants_right?(@current_user, session, :manage_courses)
if @course.root_account.settings[:prevent_course_renaming_by_teachers]
params[:course].delete :name
params[:course].delete :course_code
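Review bot: the swap from `grants_right?` to `authorized_action?` on the `:manage_grades` check changes the control flow, not just the predicate, and the hunk should say so. `authorized_action?` renders the unauthorized response itself and returns false, so the `else` / `return` branch that follows is now the only thing preventing the action from continuing to apply the remaining `params[:course]` fields and then rendering a second time. A short comment above `if authorized_action?(@course, @current_user, :manage_grades)` noting that the 401 has already been rendered when the branch is taken would make that dependency explicit for the next person editing this block. The second change in the hunk, `if !@course.account.grants_right?(...)` to `unless @course.account.grants_right?(...)` for `:manage_courses`, is a pure style change with no behavioural effect, which is fine but worth separating from the authorization fix in the commit message.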