attachment_controller.rb

class V1::LearningObjects::AttachmentController < ApplicationController
  before_action :set_objects
  before_action :authorize!

  # DELETE /learning_objects/:learning_object_id/attachments/:id
  def destroy
    return render status: :not_found if @learning_object.nil? || @attachment.nil?

    DeleteBitstreamWorker.perform_async(@attachment.id)
    @attachment.destroy

    render status: :ok
  end

  private

  def attachment_params
    params.permit(:learning_object_id, :id)
  end

  def set_objects
    @learning_object = LearningObject.find(attachment_params[:learning_object_id])
    @attachment = LearningObject::Attachment.find(attachment_params[:id])
  end

  def authorize!
    return render status: :unauthorized unless @learning_object.attachments.include? @attachment

    authorize(@learning_object, :destroy?)
  end
end