Fix permissions when converting a user to an org

Fixes #1366
2016-04-14 17:39:45 -04:00 · 2016-04-14 17:39:45 -04:00 · c604dbd0f6
commit c604dbd0f6
parent a65012a71e
3 changed files with 45 additions and 20 deletions
--- a/data/model/organization.py
+++ b/data/model/organization.py
@ -35,16 +35,23 @@ def get_organization(name):


 def convert_user_to_organization(user_obj, admin_user):
-  # Change the user to an organization.
-  user_obj.organization = True
+  if user_obj.robot:
+    raise DataModelException('Cannot convert a robot into an organization')

-  # disable this account for login.
+  with db_transaction():
+    # Change the user to an organization and disable this account for login.
+    user_obj.organization = True
    user_obj.password_hash = None
    user_obj.save()

-  # Clear any federated auth pointing to this user
+    # Clear any federated auth pointing to this user.
    FederatedLogin.delete().where(FederatedLogin.user == user_obj).execute()

+    # Delete any user-specific permissions on repositories.
+    (RepositoryPermission.delete()
+                         .where(RepositoryPermission.user == user_obj)
+                         .execute())
+
    # Create a team for the owners
    owners_team = team.create_team('owners', user_obj, 'admin')

--- a/static/directives/convert-user-to-org.html
+++ b/static/directives/convert-user-to-org.html
@ -1,15 +1,19 @@
 <div class="convert-user-to-org-element">
  <!-- Step 0 -->
-  <div class="panel" ng-show="convertStep == 0">
-    <div class="panel-body" ng-show="user.organizations.length > 0">
-      <div class="co-alert co-alert-info">
+  <div ng-show="convertStep == 0">
+    <div ng-show="user.organizations.length > 0">
      Cannot convert this account into an organization, as it is a member of {{user.organizations.length}} other
      organization{{user.organizations.length > 1 ? 's' : ''}}. Please leave
      {{user.organizations.length > 1 ? 'those organizations' : 'that organization'}} first.
-      </div>
+
+      <ul>
+        <li ng-repeat="org in user.organizations">
+          {{ org.name }}
+        </li>
+      </ul>
    </div>

-    <div class="panel-body" ng-show="user.organizations.length == 0">
+    <div ng-show="user.organizations.length == 0">
      <div class="co-alert co-alert-warning">
        Note: Converting a user account into an organization <b>cannot be undone</b>
      </div>
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -417,6 +417,15 @@ class TestConvertToOrganization(ApiTestCase):

  def test_convert(self):
    self.login(READ_ACCESS_USER)
+
+    # Add at least one permission for the read-user.
+    read_user = model.user.get_user(READ_ACCESS_USER)
+    simple_repo = model.repository.get_repository(ADMIN_ACCESS_USER, 'simple')
+    read_role = database.Role.get(name='read')
+
+    database.RepositoryPermission.create(user=read_user, repository=simple_repo, role=read_role)
+
+    # Convert the read user into an organization.
    json = self.postJsonResponse(ConvertToOrganization,
                                 data={'adminUser': ADMIN_ACCESS_USER,
                                       'adminPassword': 'password',
@ -436,6 +445,11 @@ class TestConvertToOrganization(ApiTestCase):
    self.assertEquals(READ_ACCESS_USER, json['name'])
    self.assertEquals(True, json['is_admin'])

+    # Verify the now-org has no permissions.
+    count = (database.RepositoryPermission.select()
+                                          .where(database.RepositoryPermission.user == organization)
+                                          .count())
+    self.assertEquals(0, count)

  def test_convert_via_email(self):
    self.login(READ_ACCESS_USER)