Allow a project member to leave the projected through the APIremove-myself-from-project-api-7687

author: Zeger-Jan van de Weg <zegerjan@gitlab.com> 2016-04-08 12:41:37 +0200
committer: Zeger-Jan van de Weg <zegerjan@gitlab.com> 2016-04-12 14:30:42 +0200
commit: 6dbcb880cc72f7511358612bbc76e2ab9ded14c5 (patch)
tree: 0f3510583a254f6e5a0d7027f670e20ef6c6b060 /lib/api/project_members.rb
parent: 734df1bb504aedec6a5668567de808b549a84749 (diff)
download: gitlab-ce-6dbcb880cc72f7511358612bbc76e2ab9ded14c5.tar.gz
1 files changed, 9 insertions, 4 deletions
diff --git a/lib/api/project_members.rb b/lib/api/project_members.rb
index c756bb479fc..4aefdf319c6 100644
--- a/lib/api/project_members.rb
+++ b/lib/api/project_members.rb
@@ -93,12 +93,17 @@ module API
       # Example Request:
       #   DELETE /projects/:id/members/:user_id
       delete ":id/members/:user_id" do
-        authorize! :admin_project, user_project
         project_member = user_project.project_members.find_by(user_id: params[:user_id])
-        unless project_member.nil?
-          project_member.destroy
-        else
+
+        unless current_user.can?(:admin_project, user_project) ||
+                current_user.can?(:destroy_project_member, project_member)
+          forbidden!
+        end
+
+        if project_member.nil?
           { message: "Access revoked", id: params[:user_id].to_i }
+        else
+          project_member.destroy
         end
       end
     end
author	Zeger-Jan van de Weg <zegerjan@gitlab.com>	2016-04-08 12:41:37 +0200
committer	Zeger-Jan van de Weg <zegerjan@gitlab.com>	2016-04-12 14:30:42 +0200
commit	6dbcb880cc72f7511358612bbc76e2ab9ded14c5 (patch)
tree	0f3510583a254f6e5a0d7027f670e20ef6c6b060 /lib/api/project_members.rb
parent	734df1bb504aedec6a5668567de808b549a84749 (diff)
download	gitlab-ce-6dbcb880cc72f7511358612bbc76e2ab9ded14c5.tar.gz