Prevent destruction of public project with remixes

The only use case for `Api::PublicProjectsController#destroy` is
currently to allow experience-cs admins to delete a project. Although
the `Project` model allows such a deletion, it's not obvious that it's
entirely sensible. And in any case, while the Learning Team is using
the experience-cs admin UI to create projects for the curriculum,
there's little danger that they will have remixes until they're
associated with lessons, etc. So this seems like a safer option for now.
We can always relax it later if it becomes a problem.

Author: floehopper

app/controllers/api/public_projects_controller.rb

@@ -6,6 +6,7 @@ class PublicProjectsController < ApiController
     before_action :restrict_project_type, only: %i[create]
     before_action :load_project, only: %i[update destroy]
     before_action :restrict_to_public_projects, only: %i[update destroy]
+    before_action :prevent_destruction_of_public_project_with_remixes, only: %i[destroy]
 
     def create
       authorize! :create, :public_project
@@ -69,5 +70,11 @@ def restrict_to_public_projects
 
       raise CanCan::AccessDenied.new('Cannot update non-public project', :update, :public_project)
     end
+
+    def prevent_destruction_of_public_project_with_remixes
+      return if @project.remixes.none?
+
+      raise CanCan::AccessDenied.new('Cannot destroy public project with remixes', :update, :public_project)
+    end
   end
 end

spec/features/public_project/destroying_a_public_project_spec.rb

@@ -45,6 +45,17 @@
     end
   end
 
+  context 'when project has one or more remixes' do
+    before do
+      project.remixes.create!(attributes_for(:project))
+    end
+
+    it 'responds 403 Forbidden' do
+      delete("/api/public_projects/#{project.identifier}?project_type=scratch", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
   it 'responds 404 Not Found when project is not found' do
     delete('/api/public_projects/another-identifier?project_type=scratch', headers:)
     expect(response).to have_http_status(:not_found)