Allow a project member to leave the projected through the API

6dbcb880 · Zeger-Jan van de Weg · 734df1bb · 6dbcb880 · 6dbcb880 · 6dbcb880
Commit 6dbcb880 authored Apr 08, 2016 by Zeger-Jan van de Weg
4 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -37,6 +37,7 @@ v 8.7.0 (unreleased)
  - ClosingIssueExtractor regex now also works with colons. e.g. "Fixes: #1234" !3591
  - Update number of Todos in the sidebar when it's marked as "Done". !3600
  - API: Expose 'updated_at' for issue, snippet, and merge request notes (Robert Schilling)
+  - API: User can leave a project through the API when not master or owner. !3613
 v 8.6.5
  - Fix importing from GitHub Enterprise. !3529

--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -780,8 +780,10 @@ Parameters:
 - `id` (required) - The ID or NAMESPACE/PROJECT_NAME of a project
 - `user_id` (required) - The ID of a team member
-This method is idempotent and can be called multiple times with the same parameters.
+This method removes the project member if the user has the proper access rights to do so.
-Revoking team membership for a user who is not currently a team member is considered success.
+It returns a status code 403 if the member does not have the proper rights to perform this action.
+In all other cases this method is idempotent and revoking team membership for a user who is not
+currently a team member is considered success.
 Please note that the returned JSON currently differs slightly. Thus you should not
 rely on the returned JSON structure.

--- a/lib/api/project_members.rb
+++ b/lib/api/project_members.rb
@@ -93,12 +93,17 @@ module API
      # Example Request:
      #   DELETE /projects/:id/members/:user_id
      delete ":id/members/:user_id" do
-        authorize! :admin_project, user_project
        project_member = user_project.project_members.find_by(user_id: params[:user_id])
-        unless project_member.nil?
-          project_member.destroy
+        unless current_user.can?(:admin_project, user_project) ||
-        else
+                current_user.can?(:destroy_project_member, project_member)
+          forbidden!
+        end
+        if project_member.nil?
          { message: "Access revoked", id: params[:user_id].to_i }
+        else
+          project_member.destroy
        end
      end
    end

--- a/spec/requests/api/project_members_spec.rb
+++ b/spec/requests/api/project_members_spec.rb
@@ -118,8 +118,10 @@ describe API::API, api: true  do
  end
  describe "DELETE /projects/:id/members/:user_id" do
-    before { project_member }
+    before do
-    before { project_member2 }
+      project_member
+      project_member2
+    end
    it "should remove user from project team" do
      expect do
@@ -132,6 +134,7 @@ describe API::API, api: true  do
      expect do
        delete api("/projects/#{project.id}/members/#{user3.id}", user)
      end.to_not change { ProjectMember.count }
+      expect(response.status).to eq(200)
    end
    it "should return 200 if team member already removed" do
@@ -145,8 +148,19 @@ describe API::API, api: true  do
        delete api("/projects/#{project.id}/members/1000000", user)
      end.to change { ProjectMember.count }.by(0)
      expect(response.status).to eq(200)
-      expect(json_response['message']).to eq("Access revoked")
      expect(json_response['id']).to eq(1000000)
+      expect(json_response['message']).to eq('Access revoked')
+    end
+    context 'when the user is not an admin or owner' do
+      it 'can leave the project' do
+        expect do
+          delete api("/projects/#{project.id}/members/#{user3.id}", user3)
+        end.to change { ProjectMember.count }.by(-1)
+        expect(response.status).to eq(200)
+        expect(json_response['id']).to eq(project_member2.id)
+      end
    end
  end
 end