BE-241: Fix system account archiving for Invitation entities (#8190)

Author: TimDiekmann

libs/@local/graph/postgres-store/src/store/postgres/knowledge/entity/mod.rs

@@ -1849,32 +1849,34 @@ where
             ])
             .change_context(UpdateError)?;
 
-        match policy_set
-            .evaluate(
-                &Request {
-                    actor: policy_components.actor_id(),
-                    action: ActionName::UpdateEntity,
-                    resource: &ResourceId::Entity(params.entity_id.entity_uuid),
-                    context: RequestContext::default(),
-                },
-                policy_components.context(),
-            )
-            .change_context(UpdateError)?
-        {
-            Authorized::Always => {}
-            Authorized::Never => {
-                return Err(Report::new(UpdateError)
-                    .attach_opaque(StatusCode::PermissionDenied)
-                    .attach("The actor does not have permission to update the entity")
-                    .attach(
-                        previous_entity
-                            .metadata
-                            .entity_type_ids
-                            .iter()
-                            .map(VersionedUrl::to_string)
-                            .collect::<Vec<_>>()
-                            .join(", "),
-                    ));
+        if params.is_update() {
+            match policy_set
+                .evaluate(
+                    &Request {
+                        actor: policy_components.actor_id(),
+                        action: ActionName::UpdateEntity,
+                        resource: &ResourceId::Entity(params.entity_id.entity_uuid),
+                        context: RequestContext::default(),
+                    },
+                    policy_components.context(),
+                )
+                .change_context(UpdateError)?
+            {
+                Authorized::Always => {}
+                Authorized::Never => {
+                    return Err(Report::new(UpdateError)
+                        .attach_opaque(StatusCode::PermissionDenied)
+                        .attach("The actor does not have permission to update the entity")
+                        .attach(
+                            previous_entity
+                                .metadata
+                                .entity_type_ids
+                                .iter()
+                                .map(VersionedUrl::to_string)
+                                .collect::<Vec<_>>()
+                                .join(", "),
+                        ));
+                }
             }
         }
 

libs/@local/graph/store/src/entity/store.rs

@@ -457,6 +457,23 @@ pub struct PatchEntityParams {
     pub provenance: ProvidedEntityEditionProvenance,
 }
 
+impl PatchEntityParams {
+    /// Returns `true` if the parameters represents an update.
+    ///
+    /// An update is defined as any change to the entity's type IDs, properties, or draft status. If
+    /// only the confidence is updated without changing the archive-state, this is also considered
+    /// an update. On the counterary, if only the confidence is updated along with an archive-state
+    /// change, the confidence is used for the new entity edition.
+    // TODO(BE-224): Fix edge-case that the confidence could be updated by archiving/unarchiving.
+    #[must_use]
+    pub fn is_update(&self) -> bool {
+        !self.entity_type_ids.is_empty()
+            || !self.properties.is_empty()
+            || self.draft.is_some()
+            || (self.archived.is_none() && self.confidence.is_some())
+    }
+}
+
 #[derive(Debug, Deserialize)]
 #[cfg_attr(feature = "utoipa", derive(utoipa::ToSchema))]
 #[serde(rename_all = "camelCase", deny_unknown_fields)]