From c604dbd0f69be59b4d6fa246b86555617c0c8931 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Thu, 14 Apr 2016 17:39:45 -0400
Subject: [PATCH] Fix permissions when converting a user to an org

Fixes #1366
---
 data/model/organization.py                 | 31 +++++++++++++---------
 static/directives/convert-user-to-org.html | 20 ++++++++------
 test/test_api_usage.py                     | 14 ++++++++++
 3 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/data/model/organization.py b/data/model/organization.py
index e83c6907e..a63b020cc 100644
--- a/data/model/organization.py
+++ b/data/model/organization.py
@@ -35,23 +35,30 @@ def get_organization(name):
 
 
 def convert_user_to_organization(user_obj, admin_user):
-  # Change the user to an organization.
-  user_obj.organization = True
+  if user_obj.robot:
+    raise DataModelException('Cannot convert a robot into an organization')
 
-  # disable this account for login.
-  user_obj.password_hash = None
-  user_obj.save()
+  with db_transaction():
+    # Change the user to an organization and disable this account for login.
+    user_obj.organization = True
+    user_obj.password_hash = None
+    user_obj.save()
 
-  # Clear any federated auth pointing to this user
-  FederatedLogin.delete().where(FederatedLogin.user == user_obj).execute()
+    # Clear any federated auth pointing to this user.
+    FederatedLogin.delete().where(FederatedLogin.user == user_obj).execute()
 
-  # Create a team for the owners
-  owners_team = team.create_team('owners', user_obj, 'admin')
+    # Delete any user-specific permissions on repositories.
+    (RepositoryPermission.delete()
+                         .where(RepositoryPermission.user == user_obj)
+                         .execute())
 
-  # Add the user who will admin the org to the owners team
-  team.add_user_to_team(admin_user, owners_team)
+    # Create a team for the owners
+    owners_team = team.create_team('owners', user_obj, 'admin')
 
-  return user_obj
+    # Add the user who will admin the org to the owners team
+    team.add_user_to_team(admin_user, owners_team)
+
+    return user_obj
 
 
 def get_user_organizations(username):
diff --git a/static/directives/convert-user-to-org.html b/static/directives/convert-user-to-org.html
index 4ba2d356a..17de3c008 100644
--- a/static/directives/convert-user-to-org.html
+++ b/static/directives/convert-user-to-org.html
@@ -1,15 +1,19 @@
 <div class="convert-user-to-org-element">
   <!-- Step 0 -->
-  <div class="panel" ng-show="convertStep == 0">
-    <div class="panel-body" ng-show="user.organizations.length > 0">
-      <div class="co-alert co-alert-info">
-        Cannot convert this account into an organization, as it is a member of {{user.organizations.length}} other
-        organization{{user.organizations.length > 1 ? 's' : ''}}. Please leave
-        {{user.organizations.length > 1 ? 'those organizations' : 'that organization'}} first.
-      </div>
+  <div ng-show="convertStep == 0">
+    <div ng-show="user.organizations.length > 0">
+      Cannot convert this account into an organization, as it is a member of {{user.organizations.length}} other
+      organization{{user.organizations.length > 1 ? 's' : ''}}. Please leave
+      {{user.organizations.length > 1 ? 'those organizations' : 'that organization'}} first.
+
+      <ul>
+        <li ng-repeat="org in user.organizations">
+          {{ org.name }}
+        </li>
+      </ul>
     </div>
 
-    <div class="panel-body" ng-show="user.organizations.length == 0">
+    <div ng-show="user.organizations.length == 0">
       <div class="co-alert co-alert-warning">
         Note: Converting a user account into an organization <b>cannot be undone</b>
       </div>
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 66e24df22..7f6e69c7c 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -417,6 +417,15 @@ class TestConvertToOrganization(ApiTestCase):
 
   def test_convert(self):
     self.login(READ_ACCESS_USER)
+
+    # Add at least one permission for the read-user.
+    read_user = model.user.get_user(READ_ACCESS_USER)
+    simple_repo = model.repository.get_repository(ADMIN_ACCESS_USER, 'simple')
+    read_role = database.Role.get(name='read')
+
+    database.RepositoryPermission.create(user=read_user, repository=simple_repo, role=read_role)
+
+    # Convert the read user into an organization.
     json = self.postJsonResponse(ConvertToOrganization,
                                  data={'adminUser': ADMIN_ACCESS_USER,
                                        'adminPassword': 'password',
@@ -436,6 +445,11 @@ class TestConvertToOrganization(ApiTestCase):
     self.assertEquals(READ_ACCESS_USER, json['name'])
     self.assertEquals(True, json['is_admin'])
 
+    # Verify the now-org has no permissions.
+    count = (database.RepositoryPermission.select()
+                                          .where(database.RepositoryPermission.user == organization)
+                                          .count())
+    self.assertEquals(0, count)
 
   def test_convert_via_email(self):
     self.login(READ_ACCESS_USER)