From 3f3eeb232428818e97a5a8f7d07caa82a9001b18 Mon Sep 17 00:00:00 2001
From: Matt Bevilacqua
Date: Mon, 1 Jul 2024 13:37:21 -0400
Subject: [PATCH 1/2] Update goal permissions to allow admins to delete goals
---
 src/policies/goals.js | 6 +++++-
 src/routes/goals/handlers.js | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/policies/goals.js b/src/policies/goals.js
index c66e858e5c..bf6099c097 100644
--- a/src/policies/goals.js
+++ b/src/policies/goals.js
@@ -52,7 +52,11 @@ export default class Goal {
 ) && permission.regionId === region),
 );
- return !isUndefined(permissions);
+
+ // eslint-disable-next-line max-len
+ const isAdmin = find(this.user.permissions, (permission) => permission.scopeId === SCOPES.ADMIN);
+
+ return isAdmin || !isUndefined(permissions);
 }
 // refactored to take a region id rather than directly check
diff --git a/src/routes/goals/handlers.js b/src/routes/goals/handlers.js
index 5be7201e6b..7a03bab250 100644
--- a/src/routes/goals/handlers.js
+++ b/src/routes/goals/handlers.js
@@ -200,14 +200,14 @@ export async function deleteGoal(req, res) {
 }));
 if (!permissions.every((permission) => permission)) {
- res.sendStatus(401);
+ res.sendStatus(httpCodes.UNAUTHORIZED);
 return;
 }
 const deletedGoal = await destroyGoal(ids);
 if (!deletedGoal) {
- res.sendStatus(404);
+ res.sendStatus(httpCodes.NOT_FOUND);
 return;
 }
From e17794ac91ea86434bf4d1df4c8f19cdd2d0cc6e Mon Sep 17 00:00:00 2001
From: Matt Bevilacqua
Date: Mon, 1 Jul 2024 13:40:24 -0400
Subject: [PATCH 2/2] Add test
---
 src/policies/goals.js | 2 +-
 src/policies/goals.test.js | 19 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/policies/goals.js b/src/policies/goals.js
index bf6099c097..fad78a8f52 100644
--- a/src/policies/goals.js
+++ b/src/policies/goals.js
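Review bot: The admin branch added at `const isAdmin = find(...)` never looks at `permission.regionId`, so one ADMIN-scope permission on any region now authorises deleting a goal in every region, whereas the existing `permissions` lookup two lines above is deliberately bound to `region`. The test added in the second patch (admin on region 14, goal in region 2) suggests this is intended, but a reader of canDelete cannot tell that from the code, so a comment stating it would help: `// ADMIN scope is site-wide: an admin permission on any region allows deletion regardless of the goal's region.` If ADMIN was meant to be region-bound instead, the predicate needs `&& permission.regionId === region` as well. canDelete's opening lines are outside the hunk.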
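Review bot: `httpCodes` is referenced at `res.sendStatus(httpCodes.UNAUTHORIZED)` and `res.sendStatus(httpCodes.NOT_FOUND)` but no import is added, and the diffstat lists only these two substitutions for handlers.js, so the change relies on `httpCodes` already being in scope in that file; that is worth confirming, since a missing binding would throw a ReferenceError on the permission-denied path instead of sending a status. Separately, this branch is reached after the caller has been identified and fails only because `permissions` does not cover every requested goal, which is a 403 Forbidden situation rather than 401 Unauthorized; `res.sendStatus(httpCodes.FORBIDDEN);` would describe it accurately, if existing clients do not depend on the 401. deleteGoal starts and ends outside the hunk.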
@@ -56,7 +56,7 @@ export default class Goal {
 // eslint-disable-next-line max-len
 const isAdmin = find(this.user.permissions, (permission) => permission.scopeId === SCOPES.ADMIN);
- return isAdmin || !isUndefined(permissions);
+ return !isUndefined(isAdmin) || !isUndefined(permissions);
 }
 // refactored to take a region id rather than directly check
diff --git a/src/policies/goals.test.js b/src/policies/goals.test.js
index 91eeaf3b1c..6e960e4f1c 100644
--- a/src/policies/goals.test.js
+++ b/src/policies/goals.test.js
@@ -76,7 +76,6 @@ describe('Goals policies', () => {
 const goal = {
 objectives: [],
 grant: { regionId: 2 },
-
 };
 const user = {
 permissions: [
@@ -90,6 +89,24 @@ describe('Goals policies', () => {
 const policy = new Goal(user, goal);
 expect(policy.canDelete()).toBe(true);
 });
+
+ it('returns true if user is admin', async () => {
+ const goal = {
+ objectives: [],
+ grant: { regionId: 2 },
+ };
+ const user = {
+ permissions: [
+ {
+ regionId: 14,
+ scopeId: SCOPES.ADMIN,
+ },
+ ],
+ };
+
+ const policy = new Goal(user, goal);
+ expect(policy.canDelete()).toBe(true);
+ });
 });
 describe('canCreate', () => {
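Review bot: `!isUndefined(isAdmin)` on the changed return line works around `find` handing back the matched permission object rather than a boolean; asking the question directly reads better and also removes the need for the `max-len` disable on the line above: `const isAdmin = some(this.user.permissions, (permission) => permission.scopeId === SCOPES.ADMIN);` followed by `return isAdmin || !isUndefined(permissions);`. This assumes `find` comes from lodash, so `some` is available from the same import and keeps tolerating an absent `this.user.permissions` the way `find` does. canDelete's opening lines are outside the hunk.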
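Review bot: The new test in the `@@ -90,6 +89,24 @@` hunk exercises only the positive path of the admin bypass; because the ADMIN check is not region-scoped, a companion case showing that a non-ADMIN scope on a different region than the goal's still yields `false` would pin down that the region restriction is unchanged, unless such a case already exists outside the hunk. The callback is declared `async` although nothing in it is awaited; `it('returns true if user is admin', () => {` is sufficient. The enclosing describe block starts and ends outside the hunk.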