Merge branch 'allow-leave-group' into 'master'

Allow a user to revoke its own membership See merge request !1184

Merge branch 'allow-leave-group' into 'master'
2dd45ed3 · Bastien Abadie · 62a387eb · 20d3788d · 2dd45ed3 · 2dd45ed3
Commit 2dd45ed3 authored 4 years ago by Bastien Abadie
--- a/arkindex/users/api.py
+++ b/arkindex/users/api.py
@@ -595,7 +595,12 @@ class MembershipDetails(RetrieveUpdateDestroyAPIView):
            # The request user does not have a read acces
            raise NotFound

-        if self.request.method not in SAFE_METHODS and access_level < Role.Admin.value:
+        if (
+            self.request.method not in SAFE_METHODS
+            # Allow an user to remove its own membership
+            and membership.user_id != self.request.user.id
+            and access_level < Role.Admin.value
+        ):
            raise PermissionDenied(
                detail='Only admins of the target membership group can perform this action.'
            )

--- a/arkindex/users/tests/test_generic_memberships.py
+++ b/arkindex/users/tests/test_generic_memberships.py
@@ -701,3 +701,28 @@ class TestMembership(FixtureAPITestCase):
            response = self.client.delete(reverse('api:membership-details', kwargs={'pk': str(group_membership.id)}))
        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
        self.assertEqual(admin_group.rights.count(), 0)
+
+    def test_delete_non_admin(self):
+        """
+        Non admin members are not allowed to remove another member
+        """
+        self.client.force_login(self.non_admin)
+        with self.assertNumQueries(6):
+            response = self.client.delete(reverse('api:membership-details', kwargs={'pk': str(self.membership.id)}))
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertDictEqual(
+            response.json(),
+            {'detail': 'Only admins of the target membership group can perform this action.'}
+        )
+
+    def test_delete_own_membership(self):
+        """
+        Any member is able to remove its own membership
+        """
+        non_admin_membership = self.group.memberships.get(user=self.non_admin)
+        self.client.force_login(self.non_admin)
+        with self.assertNumQueries(6):
+            response = self.client.delete(reverse('api:membership-details', kwargs={'pk': str(non_admin_membership.id)}))
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+        with self.assertRaises(Right.DoesNotExist):
+            non_admin_membership.refresh_from_db()