authorCiro Santillli <ciro.santilli@gmail.com>2014-02-07 17:59:55 +0100
committerCiro Santillli <ciro.santilli@gmail.com>2014-02-12 15:52:53 +0100
commit439a61783d0b61bbcc8f3c9e5b828b2270a679aa (patch)
treee6a02b733ad2dea5bda94ea5ac25d333e1419589 /app
parentc86553cd836b7be3948ace41ef47f85776a48a97 (diff)
downloadgitlab-ce-439a61783d0b61bbcc8f3c9e5b828b2270a679aa.tar.gz
User can leave group from group page.
Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb8
-rw-r--r--app/controllers/profiles/groups_controller.rb7
-rw-r--r--app/controllers/users_groups_controller.rb13
-rw-r--r--app/helpers/groups_helper.rb6
-rw-r--r--app/models/ability.rb15
-rw-r--r--app/views/groups/members.html.haml5
-rw-r--r--app/views/help/permissions.html.haml1
-rw-r--r--app/views/profiles/groups/index.html.haml7
-rw-r--r--app/views/users_groups/_users_group.html.haml17
9 files changed, 53 insertions, 26 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 5f6485e57c5..acb2f2c21d8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -135,12 +135,12 @@ class ApplicationController < ActionController::Base
end
end
- def render_404
- render file: Rails.root.join("public", "404"), layout: false, status: "404"
+ def render_403
+ head :forbidden
end
- def render_403
- render file: Rails.root.join("public", "403"), layout: false, status: "403"
+ def render_404
+ render file: Rails.root.join("public", "404"), layout: false, status: "404"
end
def require_non_empty_project
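Review bot: `render_403` now answers with `head :forbidden` for every caller in the application, not only the two group actions this commit touches, while `render_404` still renders the static page from `public/`. Any existing HTML caller of `render_403` will now show a blank response on denial. If the empty body is intended (for example because the remote `format.js` delete also ends up here), say so above the method, e.g. `# Bodyless 403 on purpose: also used for remote/JS requests, so no static page is rendered.` Otherwise keep the static file for HTML requests and use `head :forbidden` only for other formats. The callers of `render_403` are outside this hunk, so the impact on them should be confirmed.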
diff --git a/app/controllers/profiles/groups_controller.rb b/app/controllers/profiles/groups_controller.rb
index bdd991bec06..9a4d088651e 100644
--- a/app/controllers/profiles/groups_controller.rb
+++ b/app/controllers/profiles/groups_controller.rb
@@ -7,12 +7,11 @@ class Profiles::GroupsController < ApplicationController
def leave
@users_group = group.users_groups.where(user_id: current_user.id).first
-
- if group.last_owner?(current_user)
- redirect_to(profile_groups_path, alert: "You can't leave group. You must add at least one more owner to it.")
- else
+ if can?(current_user, :destroy, @users_group)
@users_group.destroy
redirect_to(profile_groups_path, info: "You left #{group.name} group.")
+ else
+ return render_403
end
end
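Review bot: The last-owner case in `leave` loses its explanation: the removed branch redirected with the alert "You must add at least one more owner to it.", while the new `else` sends a bare `render_403`. The profile view hides the Leave link when `:destroy` is denied, so this path is probably reached only from a stale page or a direct request, but a sole owner who hits it gets no hint about what to do. Consider keeping the redirect for `group.last_owner?(current_user)` and reserving `render_403` for the remaining denials. That includes the case where `@users_group` is nil because the user is not a member, which appears to fall through to the `else []` branch of `Ability`. The `return` in `return render_403` is redundant as the last statement of the action.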
diff --git a/app/controllers/users_groups_controller.rb b/app/controllers/users_groups_controller.rb
index bc5db445528..b9bdc189522 100644
--- a/app/controllers/users_groups_controller.rb
+++ b/app/controllers/users_groups_controller.rb
@@ -19,11 +19,14 @@ class UsersGroupsController < ApplicationController
def destroy
@users_group = @group.users_groups.find(params[:id])
- @users_group.destroy
-
- respond_to do |format|
- format.html { redirect_to members_group_path(@group), notice: 'User was successfully removed from group.' }
- format.js { render nothing: true }
+ if can?(current_user, :destroy, @users_group) # May fail if last owner.
+ @users_group.destroy
+ respond_to do |format|
+ format.html { redirect_to members_group_path(@group), notice: 'User was successfully removed from group.' }
+ format.js { render nothing: true }
+ end
+ else
+ return render_403
end
end
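Review bot: The comment `# May fail if last owner.` in `destroy` does not say whose ownership is meant, and this `can?` call is the only per-membership authorization visible in the action. From the `Ability` change in this commit, it is the acting user's last-owner status that is tested, not the removed member's; a comment such as `# Denied unless current_user may remove this membership (see Ability#users_group_abilities).` would be more accurate. The action also reads flatter with a guard clause, `return render_403 unless can?(current_user, :destroy, @users_group)`, followed by the destroy and `respond_to`. The same shape applies to `Profiles::GroupsController#leave`. Any `before_filter` on this controller is outside the hunk.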
diff --git a/app/helpers/groups_helper.rb b/app/helpers/groups_helper.rb
index 7c09273d53e..5865396b698 100644
--- a/app/helpers/groups_helper.rb
+++ b/app/helpers/groups_helper.rb
@@ -1,6 +1,10 @@
module GroupsHelper
def remove_user_from_group_message(group, user)
- "You are going to remove #{user.name} from #{group.name} Group. Are you sure?"
+ "Are you sure you want to remove \"#{user.name}\" from \"#{group.name}\"?"
+ end
+
+ def leave_group_message(group)
+ "Are you sure you want to leave \"#{group}\" group?"
end
def group_head_title
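Review bot: `leave_group_message(group)` interpolates its argument directly (`"#{group}"`), while its sibling `remove_user_from_group_message(group, user)` takes the objects and calls `.name` on them. Both call sites in this commit pass `group.name`, so the parameter is really a name. Passing a group object by analogy with the sibling would print whatever `to_s` returns for it in the confirmation text. Either rename it, `def leave_group_message(group_name)`, or accept the group and use `"#{group.name}"` so that both helpers share one convention.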
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 120af807448..ba0ce527f64 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -14,6 +14,7 @@ class Ability
when "MergeRequest" then merge_request_abilities(user, subject)
when "Group" then group_abilities(user, subject)
when "Namespace" then namespace_abilities(user, subject)
+ when "UsersGroup" then users_group_abilities(user, subject)
else []
end.concat(global_abilities(user))
end
@@ -219,5 +220,19 @@ class Ability
end
end
end
+
+ def users_group_abilities(user, subject)
+ rules = []
+ target_user = subject.user
+ group = subject.group
+ can_manage = group_abilities(user, group).include?(:manage_group)
+ if can_manage && (user != target_user)
+ rules << :modify
+ end
+ if !group.last_owner?(user) && (can_manage || (user == target_user))
+ rules << :destroy
+ end
+ rules
+ end
end
end
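Review bot: In `users_group_abilities` the `:destroy` rule is gated on `!group.last_owner?(user)`, where `user` is the acting user rather than the member being removed. If `last_owner?` means what the alert removed from `Profiles::GroupsController#leave` suggests (the user is the group's only owner), a sole owner receives no `:destroy` on any membership. `UsersGroupsController#destroy` would then answer 403 when that owner removes an ordinary member, and the remove button is hidden in the partial. The last-owner guard is only needed for self-removal, so it should be split: `rules << :modify << :destroy if can_manage && user != target_user` and `rules << :destroy if user == target_user && !group.last_owner?(user)`. A spec for "sole owner removes another member" and one for "sole owner cannot leave" would pin both sides of this rule. `group_abilities` and `last_owner?` are defined outside the hunk, so their exact semantics should be confirmed.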
diff --git a/app/views/groups/members.html.haml b/app/views/groups/members.html.haml
index 124560e4786..3095a2c7b74 100644
--- a/app/views/groups/members.html.haml
+++ b/app/views/groups/members.html.haml
@@ -6,7 +6,6 @@
%strong= link_to "here", help_permissions_path, class: "vlink"
%hr
-- can_manage_group = current_user.can? :manage_group, @group
.ui-box
.title
%strong #{@group.name}
@@ -15,6 +14,6 @@
(#{@members.count})
%ul.well-list
- @members.each do |member|
- = render 'users_groups/users_group', member: member, show_controls: can_manage_group
-- if can_manage_group
+ = render 'users_groups/users_group', member: member, show_controls: true
+- if current_user.can? :manage_group, @group
= render "new_group_member"
diff --git a/app/views/help/permissions.html.haml b/app/views/help/permissions.html.haml
index 6505609022a..7fd0c74057d 100644
--- a/app/views/help/permissions.html.haml
+++ b/app/views/help/permissions.html.haml
@@ -217,3 +217,4 @@
%td
%td
%td.permission-x &#10003;
+ %p.light Any user can remove himself from a group, unless he is the last Owner of the group.
diff --git a/app/views/profiles/groups/index.html.haml b/app/views/profiles/groups/index.html.haml
index 1d24e636bf4..eefebf98c51 100644
--- a/app/views/profiles/groups/index.html.haml
+++ b/app/views/profiles/groups/index.html.haml
@@ -22,9 +22,10 @@
%i.icon-cogs
Settings
- = link_to leave_profile_group_path(group), data: { confirm: "Are you sure you want to leave #{group.name} group?"}, method: :delete, class: "btn-small btn grouped", title: 'Remove user from group' do
- %i.icon-signout
- Leave
+ - if can?(current_user, :destroy, user_group)
+ = link_to leave_profile_group_path(group), data: { confirm: leave_group_message(group.name) }, method: :delete, class: "btn-small btn grouped", title: 'Remove user from group' do
+ %i.icon-signout
+ Leave
= link_to group, class: 'group-name' do
%strong= group.name
diff --git a/app/views/users_groups/_users_group.html.haml b/app/views/users_groups/_users_group.html.haml
index 5f477f3c976..b66b486fbc5 100644
--- a/app/views/users_groups/_users_group.html.haml
+++ b/app/views/users_groups/_users_group.html.haml
@@ -9,12 +9,17 @@
%span.pull-right
%strong= member.human_access
-
- - if show_controls && can?(current_user, :manage_group, @group) && current_user != user
- = link_to '#', class: "btn-tiny btn js-toggle-button", title: 'Edit access level' do
- %i.icon-edit
- = link_to group_users_group_path(@group, member), data: { confirm: remove_user_from_group_message(@group, user) }, method: :delete, remote: true, class: "btn-tiny btn btn-remove", title: 'Remove user from group' do
- %i.icon-minus.icon-white
+ - if show_controls
+ - if can?(current_user, :modify, member)
+ = link_to '#', class: "btn-tiny btn js-toggle-button", title: 'Edit access level' do
+ %i.icon-edit
+ - if can?(current_user, :destroy, member)
+ - if current_user == member.user
+ = link_to leave_profile_group_path(@group), data: { confirm: leave_group_message(@group.name)}, method: :delete, class: "btn-tiny btn btn-remove", title: 'Remove user from group' do
+ %i.icon-minus.icon-white
+ - else
+ = link_to group_users_group_path(@group, member), data: { confirm: remove_user_from_group_message(@group, user) }, method: :delete, remote: true, class: "btn-tiny btn btn-remove", title: 'Remove user from group' do
+ %i.icon-minus.icon-white
.edit-member.hide.js-toggle-content
= form_for [@group, member], remote: true do |f|