Add restore asset permission [SCI-11169]

app/controllers/assets_controller.rb

@@ -18,7 +18,8 @@ class AssetsController < ApplicationController
 
   before_action :load_vars, except: :create_wopi_file
   before_action :check_read_permission, except: %i(edit destroy duplicate create_wopi_file toggle_view_mode)
-  before_action :check_manage_permission, only: %i(edit destroy duplicate rename toggle_view_mode restore_version)
+  before_action :check_manage_permission, only: %i(edit destroy duplicate rename toggle_view_mode)
+  before_action :check_restore_permission, only: :restore_version
 
   def file_preview
     editable = can_manage_asset?(@asset) && (@asset.repository_asset_value.blank? ||
@@ -475,6 +476,10 @@ class AssetsController < ApplicationController
     render_403 and return unless can_manage_asset?(@asset)
   end
 
+  def check_restore_permission
+    render_403 and return unless can_restore_asset?(@asset)
+  end
+
   def append_wd_params(url)
     exclude_params = %w(wdPreviousSession wdPreviousCorrelation)
     wd_params = params.as_json.select { |key, _value| key[/^wd.*/] && !(exclude_params.include? key) }.to_query

app/permissions/asset.rb

@@ -32,6 +32,10 @@ Canaid::Permissions.register_for(Asset) do
     end
   end
 
+  can :restore_asset do |user, asset|
+    VersionedAttachments.enabled? && can_manage_asset?(user, asset)
+  end
+
   can :open_asset_locally do |_user, asset|
     ENV['ASSET_SYNC_URL'].present?
   end

app/serializers/asset_serializer.rb

@@ -156,7 +156,7 @@ class AssetSerializer < ActiveModel::Serializer
       )
     end
 
-    urls[:restore_version] = asset_restore_version_path(object) if VersionedAttachments.enabled?
+    urls[:restore_version] = asset_restore_version_path(object) if can_restore_asset?(user, object)
     urls[:open_vector_editor_edit] = edit_gene_sequence_asset_path(object.id) if can_manage_asset?(user, object)
 
     if can_manage_asset?(user, object) && can_open_asset_locally?(user, object)