Merge branch 'fix_project_member_access_levels' into 'master'

Fix project member access levels

Migrate invalid project members (owner -> master)

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18616

See merge request !6957

Signed-off-by: Rémy Coutable <remy@rymai.me>

5 files changed, 64 insertions, 1 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f420cf5d8d..b9b7db57190 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -140,6 +140,7 @@ Please view this file on the master branch, on stable branches it's out of date.
   - Fix buggy iOS tooltip layering behavior.
   - Make guests unable to view MRs on private projects
   - Fix broken Project API docs (Takuya Noguchi)
+  - Migrate invalid project members (owner -> master)
 
 ## 8.12.7
 
diff --git a/db/migrate/20161018124658_make_project_owners_masters.rb b/db/migrate/20161018124658_make_project_owners_masters.rb
new file mode 100644
index 00000000000..a576bb7b622
--- /dev/null
+++ b/db/migrate/20161018124658_make_project_owners_masters.rb
@@ -0,0 +1,15 @@
+class MakeProjectOwnersMasters < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def up
+    update_column_in_batches(:members, :access_level, 40) do |table, query|
+      query.where(table[:access_level].eq(50).and(table[:source_type].eq('Project')))
+    end
+  end
+
+  def down
+    # do nothing
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index a3c7fc2fd57..f5c01511195 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -843,7 +843,7 @@ ActiveRecord::Schema.define(version: 20161019213545) do
     t.integer "builds_access_level"
     t.datetime "created_at"
     t.datetime "updated_at"
-    t.integer  "repository_access_level",     default: 20, null: false
+    t.integer "repository_access_level", default: 20, null: false
   end
 
   add_index "project_features", ["project_id"], name: "index_project_features_on_project_id", using: :btree
diff --git a/spec/controllers/projects/project_members_controller_spec.rb b/spec/controllers/projects/project_members_controller_spec.rb
index 074f85157de..9128224c7c5 100644
--- a/spec/controllers/projects/project_members_controller_spec.rb
+++ b/spec/controllers/projects/project_members_controller_spec.rb
@@ -271,4 +271,40 @@ describe Projects::ProjectMembersController do
       end
     end
   end
+
+  describe 'POST create' do
+    let(:stranger) { create(:user) }
+
+    context 'when creating owner' do
+      before do
+        project.team << [user, :master]
+        sign_in(user)
+      end
+
+      it 'does not create a member' do
+        expect do
+          post :create, user_ids: stranger.id,
+                        namespace_id: project.namespace,
+                        access_level: Member::OWNER,
+                        project_id: project
+        end.to change { project.members.count }.by(0)
+      end
+    end
+
+    context 'when create master' do
+      before do
+        project.team << [user, :master]
+        sign_in(user)
+      end
+
+      it 'creates a member' do
+        expect do
+          post :create, user_ids: stranger.id,
+                        namespace_id: project.namespace,
+                        access_level: Member::MASTER,
+                        project_id: project
+        end.to change { project.members.count }.by(1)
+      end
+    end
+  end
 end
diff --git a/spec/requests/api/members_spec.rb b/spec/requests/api/members_spec.rb
index d22e0595788..493c0a893d1 100644
--- a/spec/requests/api/members_spec.rb
+++ b/spec/requests/api/members_spec.rb
@@ -328,4 +328,15 @@ describe API::Members, api: true  do
   it_behaves_like 'DELETE /:sources/:id/members/:user_id', 'group' do
     let(:source) { group }
   end
+
+  context 'Adding owner to project' do
+    it 'returns 403' do
+      expect do
+        post api("/projects/#{project.id}/members", master),
+             user_id: stranger.id, access_level: Member::OWNER
+
+        expect(response).to have_http_status(422)
+      end.to change { project.members.count }.by(0)
+    end
+  end
 end