From 9ab7bdf7739935bf79c2e033212726a4be421a26 Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Date: Tue, 1 Dec 2015 19:45:58 -0200
Subject: Signed in admin should be able to add/remove himself to a group

---
 app/models/ability.rb          |  6 ++----
 features/admin/groups.feature  | 16 ++++++++++++++++
 features/steps/admin/groups.rb | 29 +++++++++++++++++++++++++++++
 features/steps/shared/group.rb |  4 ++++
 4 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 07f3a56ec7a..10c41306c55 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -346,12 +346,10 @@ class Ability
       unless group.last_owner?(target_user)
         can_manage = group_abilities(user, group).include?(:admin_group_member)
 
-        if can_manage && user != target_user
+        if can_manage
           rules << :update_group_member
           rules << :destroy_group_member
-        end
-
-        if user == target_user
+        elsif user == target_user
           rules << :destroy_group_member
         end
       end
diff --git a/features/admin/groups.feature b/features/admin/groups.feature
index 973918086a3..2edb3964f70 100644
--- a/features/admin/groups.feature
+++ b/features/admin/groups.feature
@@ -33,3 +33,19 @@ Feature: Admin Groups
     When I visit admin group page
     When I select user "johndoe@gitlab.com" from user list as "Reporter"
     Then I should see "johndoe@gitlab.com" in team list in every project as "Reporter"
+
+  @javascript
+  Scenario: Signed in admin should be able to add himself to a group
+    Given "John Doe" is owner of group "Owned"
+    When I visit group "Owned" members page
+    When I select current user as "Developer"
+    Then I should see current user as "Developer"
+
+  @javascript
+  Scenario: Signed in admin should be able to remove himself from group
+    Given current user is developer of group "Owned"
+    When I visit group "Owned" members page
+    Then I should see current user as "Developer"
+    When I click on the "Remove User From Group" button for current user
+    When I visit group "Owned" members page
+    Then I should not see current user as "Developer"
diff --git a/features/steps/admin/groups.rb b/features/steps/admin/groups.rb
index d27634858a2..43fd91d0d4c 100644
--- a/features/steps/admin/groups.rb
+++ b/features/steps/admin/groups.rb
@@ -1,5 +1,6 @@
 class Spinach::Features::AdminGroups < Spinach::FeatureSteps
   include SharedAuthentication
+  include SharedGroup
   include SharedPaths
   include SharedUser
   include SharedActiveTab
@@ -88,6 +89,34 @@ class Spinach::Features::AdminGroups < Spinach::FeatureSteps
     end
   end
 
+  step 'I select current user as "Developer"' do
+    page.within ".users-group-form" do
+      select2(current_user.id, from: "#user_ids", multiple: true)
+      select "Developer", from: "access_level"
+    end
+
+    click_button "Add users to group"
+  end
+
+  step 'I should see current user as "Developer"' do
+    page.within '.content-list' do
+      expect(page).to have_content(current_user.name)
+      expect(page).to have_content('Developer')
+    end
+  end
+
+  step 'I click on the "Remove User From Group" button for current user' do
+    find(:css, 'li', text: current_user.name).find(:css, 'a.btn-remove').click
+    # poltergeist always confirms popups.
+  end
+
+  step 'I should not see current user as "Developer"' do
+    page.within '.content-list' do
+      expect(page).not_to have_content(current_user.name)
+      expect(page).not_to have_content('Developer')
+    end
+  end
+
   protected
 
   def current_group
diff --git a/features/steps/shared/group.rb b/features/steps/shared/group.rb
index 58581653f28..fe6736dacd4 100644
--- a/features/steps/shared/group.rb
+++ b/features/steps/shared/group.rb
@@ -1,6 +1,10 @@
 module SharedGroup
   include Spinach::DSL
 
+  step 'current user is developer of group "Owned"' do
+    is_member_of(current_user.name, "Owned", Gitlab::Access::DEVELOPER)
+  end
+
   step '"John Doe" is owner of group "Owned"' do
     is_member_of("John Doe", "Owned", Gitlab::Access::OWNER)
   end
-- 
cgit v1.2.1


From 67cc6b0642573fe443126042dd36b15f05bc539c Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Date: Tue, 1 Dec 2015 20:47:26 -0200
Subject: Signed in admin should be able to add/remove himself to a project

---
 app/models/ability.rb            |  6 ++----
 features/admin/projects.feature  | 16 ++++++++++++++++
 features/steps/admin/projects.rb | 37 +++++++++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 10c41306c55..cd5ae0fb0fd 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -365,12 +365,10 @@ class Ability
       unless target_user == project.owner
         can_manage = project_abilities(user, project).include?(:admin_project_member)
 
-        if can_manage && user != target_user
+        if can_manage
           rules << :update_project_member
           rules << :destroy_project_member
-        end
-
-        if user == target_user
+        elsif user == target_user
           rules << :destroy_project_member
         end
       end
diff --git a/features/admin/projects.feature b/features/admin/projects.feature
index f7cec04eb75..c5ee80136c8 100644
--- a/features/admin/projects.feature
+++ b/features/admin/projects.feature
@@ -27,3 +27,19 @@ Feature: Admin Projects
     And I visit admin project page
     When I transfer project to group 'Web'
     Then I should see project transfered
+
+  @javascript
+  Scenario: Signed in admin should be able to add himself to a project
+    Given "John Doe" owns private project "Enterprise"
+    When I visit project "Enterprise" members page
+    When I select current user as "Developer"
+    Then I should see current user as "Developer"
+
+  @javascript
+  Scenario: Signed in admin should be able to remove himself from a project
+    Given "John Doe" owns private project "Enterprise"
+    And current user is developer of project "Enterprise"
+    When I visit project "Enterprise" members page
+    Then I should see current user as "Developer"
+    When I click on the "Remove User From Project" button for current user
+    Then I should not see current user as "Developer"
diff --git a/features/steps/admin/projects.rb b/features/steps/admin/projects.rb
index 5a1cc9aa151..a7a28755a6c 100644
--- a/features/steps/admin/projects.rb
+++ b/features/steps/admin/projects.rb
@@ -3,6 +3,8 @@ class Spinach::Features::AdminProjects < Spinach::FeatureSteps
   include SharedPaths
   include SharedAdmin
   include SharedProject
+  include SharedUser
+  include Select2Helper
 
   step 'I should see all non-archived projects' do
     Project.non_archived.each do |p|
@@ -56,6 +58,41 @@ class Spinach::Features::AdminProjects < Spinach::FeatureSteps
     expect(page).to have_content 'Namespace: Web'
   end
 
+  step 'I visit project "Enterprise" members page' do
+    project = Project.find_by!(name: "Enterprise")
+    visit namespace_project_project_members_path(project.namespace, project)
+  end
+
+  step 'I select current user as "Developer"' do
+    page.within ".users-project-form" do
+      select2(current_user.id, from: "#user_ids", multiple: true)
+      select "Developer", from: "access_level"
+    end
+
+    click_button "Add users to project"
+  end
+
+  step 'I should see current user as "Developer"' do
+    page.within '.content-list' do
+      expect(page).to have_content(current_user.name)
+      expect(page).to have_content('Developer')
+    end
+  end
+
+  step 'current user is developer of project "Enterprise"' do
+    project = Project.find_by!(name: "Enterprise")
+    project.team << [current_user, :developer]
+  end
+
+  step 'I click on the "Remove User From Project" button for current user' do
+    find(:css, 'li', text: current_user.name).find(:css, 'a.btn-remove').click
+    # poltergeist always confirms popups.
+  end
+
+  step 'I should not see current_user as "Developer"' do
+    expect(page).not_to have_selector(:css, '.content-list')
+  end
+
   def project
     @project ||= Project.first
   end
-- 
cgit v1.2.1


From 8034b61b52ed9e54366ee9d73d17a4ea1c00de44 Mon Sep 17 00:00:00 2001
From: Douglas Barbosa Alexandre <dbalexandre@gmail.com>
Date: Tue, 1 Dec 2015 20:58:31 -0200
Subject: Update CHANGELOG

---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG b/CHANGELOG
index db812796b69..c088c89d861 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,7 @@ v 8.2.2
   - Fix Error 500 when viewing user's personal projects from admin page (Stan Hu)
   - Fix: Raw private snippets access workflow
   - Prevent "413 Request entity too large" errors when pushing large files with LFS
+  - Fix: As an admin, cannot add oneself as a member to a group/project
 
 v 8.2.1
   - Forcefully update builds that didn't want to update with state machine
-- 
cgit v1.2.1