diff --git a/app/controllers/api/v1/inventory_items_controller.rb b/app/controllers/api/v1/inventory_items_controller.rb index 5e85ec8ec..1eddecd3f 100644 --- a/app/controllers/api/v1/inventory_items_controller.rb +++ b/app/controllers/api/v1/inventory_items_controller.rb @@ -8,7 +8,8 @@ module Api before_action only: %i(show update destroy) do load_inventory_item(:id) end - before_action :check_manage_permissions, only: %i(create update destroy) + before_action :check_manage_permissions, only: %i(create update) + before_action :check_delete_permissions, only: :destroy def index items = @inventory.repository_rows @@ -77,6 +78,15 @@ module Api @inventory_item.attributes = update_inventory_item_params item_changed = true if @inventory_item.changed? if item_changed + if @inventory_item.archived_changed? + if @inventory_item.archived? + check_archive_permissions + @inventory_item.archived_by = current_user + else + check_restore_permissions + @inventory_item.restored_by = current_user + end + end @inventory_item.last_modified_by = current_user @inventory_item.save! render jsonapi: @inventory_item, @@ -98,12 +108,26 @@ module Api raise PermissionError.new(RepositoryItem, :manage) unless can_manage_repository_rows?(@inventory) end + def check_delete_permissions + unless can_delete_repository_rows?(@inventory) && @inventory_item.archived? + raise PermissionError.new(RepositoryItem, :delete) + end + end + + def check_archive_permissions + raise PermissionError.new(RepositoryItem, :archive) unless can_delete_repository_rows?(@inventory) + end + + def check_restore_permissions + raise PermissionError.new(RepositoryItem, :restore) unless can_delete_repository_rows?(@inventory) + end + def inventory_item_params unless params.require(:data).require(:type) == 'inventory_items' raise TypeError end params.require(:data).require(:attributes) - params.permit(data: { attributes: :name })[:data] + params.permit(data: { attributes: %i(name archived) })[:data] end def update_inventory_item_params