[#558] Add delete endpoint for lists with status 'new'

backend/src/openarchiefbeheer/destruction/api/permissions.py

@@ -57,9 +57,9 @@ def has_object_permission(self, request, view, destruction_list):
         return destruction_list.status == ListStatus.internally_reviewed
 
 
-class CanTriggerDeletion(permissions.BasePermission):
+class CanQueueDestruction(permissions.BasePermission):
     message = _(
-        "You are either not allowed to delete this destruction list or "
+        "You are either not allowed to queue the deletion of this destruction list or "
         "the destruction list can currently not be deleted."
     )
 
@@ -70,6 +70,19 @@ def has_object_permission(self, request, view, destruction_list):
         return destruction_list.status == ListStatus.ready_to_delete
 
 
+class CanDeleteList(permissions.BasePermission):
+    message = _(
+        "You are either not allowed to delete this destruction list or "
+        "the destruction list does not have the status '%(status)s'."
+    ) % {"status": ListStatus.new}
+
+    def has_permission(self, request, view):
+        return request.user.has_perm("accounts.can_start_destruction")
+
+    def has_object_permission(self, request, view, destruction_list):
+        return destruction_list.status == ListStatus.new
+
+
 class CanReassignDestructionList(permissions.BasePermission):
     message = _("You are not allowed to reassign the destruction list.")
 

backend/src/openarchiefbeheer/destruction/api/viewsets.py

@@ -47,12 +47,13 @@
 from .permissions import (
     CanAbortDestruction,
     CanCoReviewPermission,
+    CanDeleteList,
     CanMarkAsReadyToReview,
     CanMarkListAsFinal,
+    CanQueueDestruction,
     CanReassignDestructionList,
     CanReviewPermission,
     CanStartDestructionPermission,
-    CanTriggerDeletion,
     CanUpdateCoReviewers,
     CanUpdateDestructionList,
 )
@@ -168,6 +169,15 @@
         description=_("Retrieve details about a destruction list."),
         responses={200: DestructionListReadSerializer},
     ),
+    destroy=extend_schema(
+        tags=["Destruction list"],
+        summary=_("Delete destruction list"),
+        description=_(
+            "Delete a destruction list. Can only be used for lists with status 'new'."
+        ),
+        request=None,
+        responses={204: None},
+    ),
     queue_destruction=extend_schema(
         tags=["Destruction list"],
         summary=_("Queue destruction list destruction"),
@@ -238,8 +248,10 @@ def get_permissions(self):
             permission_classes = [IsAuthenticated & CanStartDestructionPermission]
         elif self.action == "update":
             permission_classes = [IsAuthenticated & CanUpdateDestructionList]
+        elif self.action == "destroy":
+            permission_classes = [IsAuthenticated & CanDeleteList]
         elif self.action == "queue_destruction":
-            permission_classes = [IsAuthenticated & CanTriggerDeletion]
+            permission_classes = [IsAuthenticated & CanQueueDestruction]
         elif self.action == "make_final":
             permission_classes = [IsAuthenticated & CanMarkListAsFinal]
         elif self.action == "reassign":

backend/src/openarchiefbeheer/destruction/tests/endpoints/test_destructionlist.py

@@ -0,0 +1,57 @@
+from rest_framework import status
+from rest_framework.reverse import reverse
+from rest_framework.test import APITestCase
+
+from openarchiefbeheer.accounts.tests.factories import UserFactory
+
+from ...constants import ListStatus
+from ...models import DestructionList
+from ..factories import DestructionListFactory
+
+
+class DestructionListViewsetTests(APITestCase):
+    def test_not_record_manager_cannot_delete(self):
+        user = UserFactory.create(post__can_start_destruction=False)
+
+        destruction_list = DestructionListFactory.create(status=ListStatus.new)
+
+        self.client.force_login(user)
+        response = self.client.delete(
+            reverse(
+                "api:destructionlist-detail", kwargs={"uuid": destruction_list.uuid}
+            )
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_list_not_new_cannot_be_deleted(self):
+        user = UserFactory.create(post__can_start_destruction=True)
+
+        destruction_list = DestructionListFactory.create(
+            status=ListStatus.ready_to_review
+        )
+
+        self.client.force_login(user)
+        response = self.client.delete(
+            reverse(
+                "api:destructionlist-detail", kwargs={"uuid": destruction_list.uuid}
+            )
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_record_manager_can_delete_new_list(self):
+        user = UserFactory.create(post__can_start_destruction=True)
+
+        destruction_list = DestructionListFactory.create(status=ListStatus.new)
+        list_uuid = destruction_list.uuid
+
+        self.client.force_login(user)
+        response = self.client.delete(
+            reverse(
+                "api:destructionlist-detail", kwargs={"uuid": destruction_list.uuid}
+            )
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+        self.assertFalse(DestructionList.objects.filter(uuid=list_uuid).exists())