Remove branch permissions for users who have left the project.

- When a user leaves a project, any access levels that they were granted specifically are destroyed. - When a user is removed from a project, any access levels that they were granted specifically are destroyed.

Remove branch permissions for users who have left the project.
- When a user leaves a project, any access levels that they were granted specifically are destroyed. - When a user is removed from a project, any access levels that they were granted specifically are destroyed.
205581c5 · Timothy Andrew · Alfredo Sumaran · 454c88ae · 205581c5 · 205581c5
Commit 205581c5 authored Aug 04, 2016 by Timothy Andrew Committed by Alfredo Sumaran Aug 19, 2016
3 changed files
--- a/app/models/members/project_member.rb
+++ b/app/models/members/project_member.rb
@@ -14,6 +14,7 @@ class ProjectMember < Member
  scope :in_project, ->(project) { where(source_id: project.id) }

  before_destroy :delete_member_todos
+  before_destroy :delete_member_branch_protection

  class << self
    # Add users to project teams with passed access option
@@ -105,6 +106,21 @@ class ProjectMember < Member
    user.todos.where(project_id: source_id).destroy_all if user
  end

+  def delete_member_branch_protection
+    if user.present? && project.present?
+      push_access_levels = ProtectedBranch::PushAccessLevel.joins(:protected_branch).
+                           where('protected_branches.project_id' => self.project.id,
+                                 'protected_branch_push_access_levels.user_id' => self.user.id)
+
+      merge_access_levels = ProtectedBranch::MergeAccessLevel.joins(:protected_branch).
+                            where('protected_branches.project_id' => self.project.id,
+                                  'protected_branch_merge_access_levels.user_id' => self.user.id)
+
+      push_access_levels.destroy_all
+      merge_access_levels.destroy_all
+    end
+  end
+
  def send_invite
    notification_service.invite_project_member(self, @raw_invite_token) unless @skip_notification


--- a/spec/features/projects/members/member_is_removed_from_project_spec.rb
+++ b/spec/features/projects/members/member_is_removed_from_project_spec.rb
+require 'spec_helper'
+
+feature 'Projects > Members > Member is removed from project', feature: true do
+  let(:user) { create(:user) }
+  let(:project) { create(:project) }
+
+  background do
+    project.team << [user, :master]
+    login_as(user)
+    visit namespace_project_project_members_path(project.namespace, project)
+  end
+
+  scenario 'user is removed from project' do
+    within(".project_member") { find(".btn-remove").click }
+
+    expect(project.users.exists?(user.id)).to be_falsey
+  end
+
+  context 'when the user has been specifically allowed to access a protected branch' do
+    let(:other_user) { create(:user) }
+    let!(:matching_protected_branch) { create(:protected_branch, authorize_user_to_push: user, authorize_user_to_merge: user, project: project) }
+    let!(:non_matching_protected_branch) { create(:protected_branch, authorize_user_to_push: other_user, authorize_user_to_merge: other_user, project: project) }
+
+    scenario 'user leaves project' do
+      within(".project_member") { find(".btn-remove").click }
+
+      expect(project.users.exists?(user.id)).to be_falsey
+      expect(matching_protected_branch.push_access_levels.where(user: user)).not_to exist
+      expect(matching_protected_branch.merge_access_levels.where(user: user)).not_to exist
+      expect(non_matching_protected_branch.push_access_levels.where(user: other_user)).to exist
+      expect(non_matching_protected_branch.merge_access_levels.where(user: other_user)).to exist
+    end
+  end
+end
--- a/spec/features/projects/members/member_leaves_project_spec.rb
+++ b/spec/features/projects/members/member_leaves_project_spec.rb
@@ -16,4 +16,22 @@ feature 'Projects > Members > Member leaves project', feature: true do
    expect(current_path).to eq(dashboard_projects_path)
    expect(project.users.exists?(user.id)).to be_falsey
  end
+
+  context 'when the user has been specifically allowed to access a protected branch' do
+    let(:other_user) { create(:user) }
+    let!(:matching_protected_branch) { create(:protected_branch, authorize_user_to_push: user, authorize_user_to_merge: user, project: project) }
+    let!(:non_matching_protected_branch) { create(:protected_branch, authorize_user_to_push: other_user, authorize_user_to_merge: other_user, project: project) }
+
+    context 'user leaves project' do
+      it "removes the user's branch permissions" do
+        click_link 'Leave Project'
+
+        expect(current_path).to eq(dashboard_projects_path)
+        expect(matching_protected_branch.push_access_levels.where(user: user)).not_to exist
+        expect(matching_protected_branch.merge_access_levels.where(user: user)).not_to exist
+        expect(non_matching_protected_branch.push_access_levels.where(user: other_user)).to exist
+        expect(non_matching_protected_branch.merge_access_levels.where(user: other_user)).to exist
+      end
+    end
+  end
 end