checkDeleteAllowed & checkUpdateAllowed

src/actions/DeleteAction.php

@@ -37,6 +37,26 @@ class DeleteAction extends JsonApiAction
      */
     public $scenario = Model::SCENARIO_DEFAULT;
 
+    /**
+     * @var callable|null A PHP callable that will be called to determine
+     * whether the deletion of a model is allowed. If not set, no deletion
+     * check will be performed. The callable should have the following signature:
+     *
+     * @example
+     * ```php
+     * function ($action, $model) {
+     *     // $model is the model instance being deleted.
+     *
+     *     // If the deletion is not allowed, an error should be thrown. For example:
+     *     if ($model->status !== 'draft') {
+     *         throw new MethodNotAllowedHttpException('The model can only be deleted if its status is "draft".');
+     *     }
+     * }
+     * ```
+     */
+    public $checkDeleteAllowed;
+
+
     /**
      * @var callable|Closure Callback after save model with all relations
      * @example
@@ -80,6 +100,10 @@ public function run($id):void
             call_user_func($this->checkAccess, $this->id, $model);
         }
 
+        if ($this->checkDeleteAllowed) {
+            call_user_func($this->checkDeleteAllowed, $this->id, $model);
+        }
+
         if ($model->delete() === false) {
             throw new ServerErrorHttpException('Failed to delete the object for unknown reason.');
         }

src/actions/JsonApiAction.php

@@ -61,13 +61,20 @@ class JsonApiAction extends Action
     public $findModel;
 
     /**
-     * @var callable a PHP callable that will be called when running an action to determine
-     * if the current user has the permission to execute the action. If not set, the access
-     * check will not be performed. The signature of the callable should be as follows,
+     * @var callable|null A PHP callable that will be called when running an action to determine
+     * whether the current user has permission to execute the action. If not set, no access
+     * check will be performed. The callable should have the following signature:
+     *
+     * @example
      * ```php
      * function ($action, $model = null) {
      *     // $model is the requested model instance.
-     *     // If null, it means no specific model (e.g. IndexAction)
+     *     // If null, it indicates no specific model (e.g., IndexAction).
+     *
+     *     // If the user does not have the required permissions, an error should be thrown. For example:
+     *     if (!Yii::$app->user->can('admin')) {
+     *         throw new ForbiddenHttpException();
+     *     }
      * }
      * ```
      */

src/actions/UpdateAction.php

@@ -66,6 +66,26 @@ class UpdateAction extends JsonApiAction
      *  ```
      */
     public $scenario = Model::SCENARIO_DEFAULT;
+
+    /**
+     * @var callable|null A PHP callable that will be called to determine
+     * whether the update of a model is allowed. If not set, no update
+     * check will be performed. The callable should have the following signature:
+     *
+     * @example
+     * ```php
+     * function ($action, $model) {
+     *     // $model is the model instance being updated.
+     *
+     *     // If the update is not allowed, an error should be thrown. For example:
+     *     if ($model->status === 'archived') {
+     *         throw new MethodNotAllowedHttpException('The model cannot be updated when its status is "archived".');
+     *     }
+     * }
+     * ```
+     */
+    public $checkUpdateAllowed;
+
     /**
      * @var callable|Closure Callback after save model with all relations
      * @example
@@ -74,6 +94,7 @@ class UpdateAction extends JsonApiAction
      * }
      */
     public $afterSave = null;
+
     /**
      * @throws \yii\base\InvalidConfigException
      */
@@ -113,6 +134,10 @@ public function run($id):Item
             call_user_func($this->checkAccess, $this->id, $model);
         }
 
+        if ($this->checkUpdateAllowed) {
+            call_user_func($this->checkUpdateAllowed, $this->id, $model);
+        }
+
         $originalModel = clone $model;
         RelationshipManager::validateRelationships($model, $this->getResourceRelationships(), $this->allowedRelations);
         if (empty($this->getResourceAttributes()) && $this->hasResourceRelationships()) {