Allow journal admins to set some restricted parameters

app/controllers/stash_api/datasets_controller.rb

@@ -531,14 +531,28 @@ def check_status
  # some parameters would be locked down for only admins or superusers to set
  def lock_down_admin_only_params
  # all this bogus return false stuff is to prevent double render errors in some circumstances
- return if check_superuser_restricted_params == false
+ return if check_restricted_params == false
  return if check_may_set_user_id == false
 
  nil if check_may_set_payment_id == false
  end
 
- def check_superuser_restricted_params
- %w[skipDataciteUpdate skipEmails preserveCurationStatus loosenValidation].each do |attr|
+ def check_restricted_params
+ # admin restrictions
+ # rubocop:disable Style/Next
+ %w[skipEmails preserveCurationStatus].each do |attr|
+ unless @user.min_curator? ||
+ # or you admin the target journal
+ (params['dataset'].present? &&
+ @user.journals_as_admin.map(&:issn_array)&.flatten&.reject(&:blank?)&.include?(params['dataset']['publicationISSN']))
+ render json: { error: "Unauthorized: only curators, superusers, and journal administrators may set #{attr} to true" }.to_json, status: 401
+ return false
+ end
+ end
+ # rubocop:enable Style/Next
+
+ # superuser restrictions
+ %w[skipDataciteUpdate loosenValidation].each do |attr|
  item_value = params[attr]
  unless item_value.nil? || item_value.instance_of?(TrueClass) || item_value.instance_of?(FalseClass)
  render json: { error: "Bad Request: #{attr} must be true or false" }.to_json, status: 400

documentation/apis/dataset_metadata.md

@@ -106,22 +106,27 @@ behavior:
  requests to DataCite when registering the dataset. This is useful
  when the dataset already has a DOI, which is present in the
  `identifier` field.
+- `loosenValidation` - Defaults to false. Allows a dataset to be
+ processed even if author information is incomplete (e.g., missing
+ affiliations), or if the abstract is missing. It does still perform
+ some basic validation of the dataset. This should only be used when
+ datasets are being replicated from another system and it is not
+ feasible to provide complete metadata.
+
+Administrative users (including curators and journal administrators) have access to
+the following options:
 - `skipEmails` - Defaults to false. If true, prevents emails from
  being sent to users on submission. Prevents emails regardless of
  whether the submission is successful or an error. Also suppresses
  the emails that ask co-authors to register their ORCID. Does *not*
  stop the internal emails that are sent to Dryad admins if there is a
  submission error.
 - `preserveCurationStatus` - Defaults to false. If true, prevents
- Dryad from automatically setting the curation status to
- "submitted". This is useful when the dataset already has a curation
- status that will be set in a later API call.
-- `loosenValidation` - Defaults to false. Allows a dataset to be
- processed even if author information is incomplete (e.g., missing
- affiliations), or if the abstract is missing. It does still perform
- some basic validation of the dataset. This should only be used when
- datasets are being replicated from another system and it is not
- feasible to provide complete metadata.
+ Dryad from automatically setting the curation status when the datset is
+ processed. This is useful when the current version of the dataset has been 
+ explicitly given a curation status in a prior API call, or one will be set
+ in a later API call. Note: If a curation status is not explicitly set,
+ the resultant status is not defined.
 - `holdForPeerReview` - Defaults to false. Allows a dataset to be set in
  hold for peer review status when it is created