module Groups
  class VariablesController < Groups::ApplicationController
    before_action :authorize_admin_build!

    skip_cross_project_access_check :show, :update

    def show
      respond_to do |format|
        format.json do
          render status: :ok, json: { variables: GroupVariableSerializer.new.represent(@group.variables) }
        end
      end
    end

    def update
      if @group.update(group_variables_params)
        respond_to do |format|
          format.json { render_group_variables }
        end
      else
        respond_to do |format|
          format.json { render_error }
        end
      end
    end

    private

    def render_group_variables
      render status: :ok, json: { variables: GroupVariableSerializer.new.represent(@group.variables) }
    end

    def render_error
      render status: :bad_request, json: @group.errors.full_messages
    end

    def group_variables_params
      params.permit(variables_attributes: [*variable_params_attributes])
    end

    def variable_params_attributes
      %i[id key secret_value protected _destroy]
    end

    def authorize_admin_build!
      return render_404 unless can?(current_user, :admin_build, group)
    end
  end
end