There's a requirement to protect the invoice approve and pay actions with separate, assignable FOLIO permissions.
- Define new permissions invoice.item.approve and invoice.item.pay.
- Add these permissions as "permissionsDesired" for the PUT /invoice/invoices/<id> endpoint.
- In the implementation for that endpoint, validate the permission if the invoice is being approved or paid (by inspecting the X-Okapi-Permissions header).
- Return an appropriate error message/code if the required permission is missing.
See the Okapi guide for a description of "permissionsDesired".
- ModuleDescriptor is updated
- Implementation is updated
- Unit tests are updated (since we're enforcing permissions in this case, we can actually test this in unit tests)
- API tests are updated
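A sketch of the header check described in the implementation steps above, added here as an example and not taken from the module's code. It assumes Okapi delivers the granted subset of the desired permissions as a JSON array in X-Okapi-Permissions, that the invoice status values are "Approved" and "Paid", and that 403 is the chosen error code; the function names are hypothetical.

```python
import json

# Permission names are from the ticket; the status strings are assumed.
TRANSITION_PERMISSION = {
    "Approved": "invoice.item.approve",
    "Paid": "invoice.item.pay",
}


def granted_permissions(headers):
    """Parse X-Okapi-Permissions (assumed: JSON array of strings).

    Fails closed: a missing, malformed or non-array header grants nothing.
    """
    raw = next((v for k, v in headers.items()
                if k.lower() == "x-okapi-permissions"), None)
    if raw is None:
        return frozenset()
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return frozenset()
    if not isinstance(parsed, list):
        return frozenset()
    return frozenset(p for p in parsed if isinstance(p, str))


def check_invoice_update(headers, stored_status, requested_status):
    """Return (http_status, message) for a PUT carrying requested_status."""
    needed = TRANSITION_PERMISSION.get(requested_status)
    # Only a transition *into* Approved or Paid is protected. Editing other
    # fields of an invoice that already has that status needs no extra permission.
    if needed is None or requested_status == stored_status:
        return 204, "ok"
    if needed in granted_permissions(headers):
        return 204, "ok"
    # 403 is an assumed choice; the ticket only asks for an appropriate code.
    return 403, f"Missing permission {needed} for status change to {requested_status}"
```

Comparing against the stored status rather than only the request body keeps routine edits to an already approved invoice working for users who lack the approve permission, which is a case the unit tests should cover alongside the missing-header case.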