path: root/spec/requests/api/members_spec.rb

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe API::Members do
  let_it_be(:maintainer) { create(:user, username: 'maintainer_user') }
  let_it_be(:maintainer2) { create(:user, username: 'user-with-maintainer-role') }
  let_it_be(:developer) { create(:user) }
  let_it_be(:access_requester) { create(:user) }
  let_it_be(:stranger) { create(:user) }
  let_it_be(:user_with_minimal_access) { create(:user) }

  let_it_be(:project, refind: true) do
    create(:project, :public, creator_id: maintainer.id, group: create(:group, :public)) do |project|
      project.add_maintainer(maintainer)
      project.add_developer(developer, current_user: maintainer)
      project.request_access(access_requester)
    end
  end

  let_it_be(:group, refind: true) do
    create(:group, :public) do |group|
      group.add_owner(maintainer)
      group.add_developer(developer, maintainer)
      create(:group_member, :minimal_access, source: group, user: user_with_minimal_access)
      group.request_access(access_requester)
    end
  end

  shared_examples 'GET /:source_type/:id/members/(all)' do |source_type, all|
    let(:members_url) do
      (+"/#{source_type.pluralize}/#{source.id}/members").tap do |url|
        url << "/all" if all
      end
    end

    context "with :source_type == #{source_type.pluralize}" do
      it_behaves_like 'a 404 response when source is private' do
        let(:route) { get api(members_url, stranger) }
      end

      %i[maintainer developer access_requester stranger].each do |type|
        context "when authenticated as a #{type}" do
          it 'returns 200' do
            user = public_send(type)

            get api(members_url, user)

            expect(response).to have_gitlab_http_status(:ok)
            expect(response).to include_pagination_headers
            expect(json_response).to be_an Array
            expect(json_response.size).to eq(2)
            expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id]
            expect(json_response).to contain_exactly(
              a_hash_including('created_by' => a_hash_including('id' => maintainer.id)),
              hash_not_including('created_by')
            )
          end
        end
      end

      it 'avoids N+1 queries' do
        # Establish baseline
        get api(members_url, maintainer)

        control = ActiveRecord::QueryRecorder.new do
          get api(members_url, maintainer)
        end

        project.add_developer(create(:user))

        expect do
          get api(members_url, maintainer)
        end.not_to exceed_query_limit(control)
      end

      it 'does not return invitees' do
        create(:"#{source_type}_member", invite_token: '123', invite_email: 'test@abc.com', source: source, user: nil)

        get api(members_url, developer)

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to include_pagination_headers
        expect(json_response).to be_an Array
        expect(json_response.size).to eq(2)
        expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id]
      end

      context 'with cross db check disabled' do
        around do |example|
          allow_cross_joins_across_databases(url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/343305') do
            example.run
          end
        end

        it 'finds members with query string' do
          get api(members_url, developer), params: { query: maintainer.username }

          expect(response).to have_gitlab_http_status(:ok)
          expect(response).to include_pagination_headers
          expect(json_response).to be_an Array
          expect(json_response.count).to eq(1)
          expect(json_response.first['username']).to eq(maintainer.username)
        end
      end

      it 'finds members with the given user_ids' do
        get api(members_url, developer), params: { user_ids: [maintainer.id, developer.id, stranger.id] }

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to include_pagination_headers
        expect(json_response).to be_an Array
        expect(json_response.map { |u| u['id'] }).to contain_exactly(maintainer.id, developer.id)
      end

      it 'finds all members with no query specified' do
        get api(members_url, developer), params: { query: '' }

        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to include_pagination_headers
        expect(json_response).to be_an Array
        expect(json_response.count).to eq(2)
        expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id]
      end
    end
  end

  describe 'GET /:source_type/:id/members/all' do
    let(:nested_user) { create(:user) }
    let(:project_user) { create(:user) }
    let(:linked_group_user) { create(:user) }
    let!(:project_group_link) { create(:project_group_link, project: project, group: linked_group) }

    let(:project) do
      create(:project, :public, group: nested_group) do |project|
        project.add_developer(project_user)
      end
    end

    let(:linked_group) do
      create(:group) do |linked_group|
        linked_group.add_developer(linked_group_user)
      end
    end

    let(:nested_group) do
      create(:group, parent: group) do |nested_group|
        nested_group.add_developer(nested_user)
      end
    end

    it 'finds all project members including inherited members' do
      get api("/projects/#{project.id}/members/all", developer)

      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to include_pagination_headers
      expect(json_response).to be_an Array
      expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id, nested_user.id, project_user.id, linked_group_user.id]
    end

    it 'returns only one member for each user without returning duplicated members' do
      linked_group.add_developer(developer)

      get api("/projects/#{project.id}/members/all", developer)

      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to include_pagination_headers
      expect(json_response).to be_an Array

      expected_users_and_access_levels = [
        [developer.id, Gitlab::Access::DEVELOPER],
        [maintainer.id, Gitlab::Access::OWNER],
        [nested_user.id, Gitlab::Access::DEVELOPER],
        [project_user.id, Gitlab::Access::DEVELOPER],
        [linked_group_user.id, Gitlab::Access::DEVELOPER]
      ]
      expect(json_response.map { |u| [u['id'], u['access_level']] }).to match_array(expected_users_and_access_levels)
    end

    it 'finds all group members including inherited members' do
      get api("/groups/#{nested_group.id}/members/all", developer)

      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to include_pagination_headers
      expect(json_response).to be_an Array
      expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id, nested_user.id]
    end

    context 'with a subgroup' do
      let(:group) { create(:group, :private) }
      let(:subgroup) { create(:group, :private, parent: group) }
      let(:project) { create(:project, group: subgroup) }

      before do
        subgroup.add_developer(developer)
      end

      it 'subgroup member cannot get parent group members list' do
        get api("/groups/#{group.id}/members/all", developer)
        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end
  end

  shared_examples 'GET /:source_type/:id/members/(all/):user_id' do |source_type, all|
    context "with :source_type == #{source_type.pluralize} and all == #{all}" do
      it_behaves_like 'a 404 response when source is private' do
        let(:route) { get api("/#{source_type.pluralize}/#{source.id}/members/#{all ? 'all/' : ''}#{developer.id}", stranger) }
      end

      context 'when authenticated as a non-member' do
        %i[access_requester stranger].each do |type|
          context "as a #{type}" do
            it 'returns 200' do
              user = public_send(type)
              get api("/#{source_type.pluralize}/#{source.id}/members/#{all ? 'all/' : ''}#{developer.id}", user)

              expect(response).to have_gitlab_http_status(:ok)
              # User attributes
              expect(json_response['id']).to eq(developer.id)
              expect(json_response['name']).to eq(developer.name)
              expect(json_response['username']).to eq(developer.username)
              expect(json_response['state']).to eq(developer.state)
              expect(json_response['avatar_url']).to eq(developer.avatar_url)
              expect(json_response['web_url']).to eq(Gitlab::Routing.url_helpers.user_url(developer))

              # Member attributes
              expect(json_response['access_level']).to eq(Member::DEVELOPER)
              expect(json_response['created_at'].to_time).to be_present
            end
          end
        end
      end

      context 'with ancestral membership' do
        shared_examples 'response with correct access levels' do
          it do
            get api("/#{source_type.pluralize}/#{source.id}/members/#{all ? 'all/' : ''}#{developer.id}", developer)

            expect(response).to have_gitlab_http_status(:ok)
            expect(json_response['access_level']).to eq(Member::MAINTAINER)
          end
        end

        before do
          source.add_maintainer(developer)
        end

        include_examples 'response with correct access levels'

        context 'having email invite' do
          before do
            Member
              .find_by(source: group, user: developer)
              .update!(invite_email: 'email@email.com')
          end

          include_examples 'response with correct access levels'
        end
      end
    end
  end

  shared_examples 'POST /:source_type/:id/members' do |source_type|
    context "with :source_type == #{source_type.pluralize}" do
      it_behaves_like 'a 404 response when source is private' do
        let(:route) do
          post api("/#{source_type.pluralize}/#{source.id}/members", stranger),
               params: { user_id: access_requester.id, access_level: Member::MAINTAINER }
        end
      end

      context 'when authenticated as a non-member or member with insufficient rights' do
        %i[access_requester stranger developer].each do |type|
          context "as a #{type}" do
            it 'returns 403' do
              user = public_send(type)
              post api("/#{source_type.pluralize}/#{source.id}/members", user),
                   params: { user_id: access_requester.id, access_level: Member::MAINTAINER }

              expect(response).to have_gitlab_http_status(:forbidden)
            end
          end

          context 'adding a member of higher access level' do
            before do
              # the other 'maintainer' is in fact an owner of the group!
              source.add_maintainer(maintainer2)
            end

            context 'when an access requester' do
              it 'is not successful' do
                post api("/#{source_type.pluralize}/#{source.id}/members", maintainer2),
                     params: { user_id: access_requester.id, access_level: Member::OWNER }

                expect(response).to have_gitlab_http_status(:forbidden)
              end
            end

            context 'when a totally new user' do
              it 'is not successful' do
                post api("/#{source_type.pluralize}/#{source.id}/members", maintainer2),
                     params: { user_id: stranger.id, access_level: Member::OWNER }

                expect(response).to have_gitlab_http_status(:forbidden)
              end
            end
          end
        end
      end

      context 'when authenticated as a member with membership management rights' do
        context 'and new member is already a requester' do
          context 'when the requester is of equal or lower access level' do
            it 'transforms the requester into a proper member' do
              expect do
                post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                     params: { user_id: access_requester.id, access_level: Member::MAINTAINER }

                expect(response).to have_gitlab_http_status(:created)
              end.to change { source.members.count }.by(1)
              expect(source.requesters.count).to eq(0)
              expect(json_response['id']).to eq(access_requester.id)
              expect(json_response['access_level']).to eq(Member::MAINTAINER)
            end
          end
        end

        it 'creates a new member' do
          expect do
            post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                 params: { user_id: stranger.id, access_level: Member::DEVELOPER }

            expect(response).to have_gitlab_http_status(:created)
          end.to change { source.members.count }.by(1)
          expect(json_response['id']).to eq(stranger.id)
          expect(json_response['access_level']).to eq(Member::DEVELOPER)
        end

        context 'with invite_source considerations', :snowplow do
          let(:params) { { user_id: stranger.id, access_level: Member::DEVELOPER } }

          it 'tracks the invite source as api' do
            post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                 params: params

            expect_snowplow_event(
              category: 'Members::CreateService',
              action: 'create_member',
              label: 'members-api',
              property: 'existing_user',
              user: maintainer
            )
          end

          it 'tracks the invite source from params' do
            post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                 params: params.merge(invite_source: '_invite_source_')

            expect_snowplow_event(
              category: 'Members::CreateService',
              action: 'create_member',
              label: '_invite_source_',
              property: 'existing_user',
              user: maintainer
            )
          end
        end

        context 'when executing the Members::CreateService for multiple user_ids' do
          let(:user_ids) { [stranger.id, access_requester.id].join(',') }

          it 'returns success when it successfully create all members' do
            expect do
              post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                   params: { user_id: user_ids, access_level: Member::DEVELOPER }

              expect(response).to have_gitlab_http_status(:created)
            end.to change { source.members.count }.by(2)
            expect(json_response['status']).to eq('success')
          end

          it 'returns the error message if there was an error adding members to group' do
            error_message = 'Unable to find User ID'
            allow_next_instance_of(::Members::CreateService) do |service|
              expect(service).to receive(:execute).and_return({ status: :error, message: error_message })
            end

            expect do
              post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                   params: { user_id: user_ids, access_level: Member::DEVELOPER }
            end.not_to change { source.members.count }
            expect(json_response['status']).to eq('error')
            expect(json_response['message']).to eq(error_message)
          end
        end
      end

      context 'access levels' do
        it 'does not create the member if group level is higher' do
          parent = create(:group)

          group.update!(parent: parent)
          project.update!(group: group)
          parent.add_developer(stranger)

          post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
               params: { user_id: stranger.id, access_level: Member::REPORTER }

          expect(response).to have_gitlab_http_status(:bad_request)
          expect(json_response['message']['access_level']).to eq(["should be greater than or equal to Developer inherited membership from group #{parent.name}"])
        end

        it 'creates the member if group level is lower' do
          parent = create(:group)

          group.update!(parent: parent)
          project.update!(group: group)
          parent.add_developer(stranger)

          post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
               params: { user_id: stranger.id, access_level: Member::MAINTAINER }

          expect(response).to have_gitlab_http_status(:created)
          expect(json_response['id']).to eq(stranger.id)
          expect(json_response['access_level']).to eq(Member::MAINTAINER)
        end
      end

      context 'access expiry date' do
        subject do
          post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
               params: { user_id: stranger.id, access_level: Member::DEVELOPER, expires_at: expires_at }
        end

        context 'when set to a date in the past' do
          let(:expires_at) { 2.days.ago.to_date }

          it 'does not create a member' do
            expect do
              subject
            end.not_to change { source.members.count }

            expect(response).to have_gitlab_http_status(:bad_request)
            expect(json_response['message']).to eq({ 'expires_at' => ['cannot be a date in the past'] })
          end
        end

        context 'when set to a date in the future' do
          let(:expires_at) { 2.days.from_now.to_date }

          it 'creates a member' do
            expect do
              subject
            end.to change { source.members.count }.by(1)

            expect(response).to have_gitlab_http_status(:created)
            expect(json_response['id']).to eq(stranger.id)
            expect(json_response['expires_at']).to eq(expires_at.to_s)
          end
        end
      end

      context 'with tasks_to_be_done and tasks_project_id in the params' do
        let(:project_id) { source_type == 'project' ? source.id : create(:project, namespace: source).id }

        context 'when there is 1 user to add' do
          it 'creates a member_task with the correct attributes' do
            post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                 params: { user_id: stranger.id, access_level: Member::DEVELOPER, tasks_to_be_done: %w(code ci), tasks_project_id: project_id }

            member = source.members.find_by(user_id: stranger.id)
            expect(member.tasks_to_be_done).to match_array([:code, :ci])
            expect(member.member_task.project_id).to eq(project_id)
          end
        end

        context 'when there are multiple users to add' do
          it 'creates a member_task with the correct attributes' do
            post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
                 params: { user_id: [developer.id, stranger.id].join(','), access_level: Member::DEVELOPER, tasks_to_be_done: %w(code ci), tasks_project_id: project_id }

            members = source.members.where(user_id: [developer.id, stranger.id])
            members.each do |member|
              expect(member.tasks_to_be_done).to match_array([:code, :ci])
              expect(member.member_task.project_id).to eq(project_id)
            end
          end
        end
      end

      it "returns 409 if member already exists" do
        source.add_guest(stranger)

        post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
             params: { user_id: maintainer.id, access_level: Member::MAINTAINER }

        expect(response).to have_gitlab_http_status(:conflict)
      end

      it 'returns 404 when the user_id is not valid' do
        post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
             params: { user_id: non_existing_record_id, access_level: Member::MAINTAINER }

        expect(response).to have_gitlab_http_status(:not_found)
        expect(json_response['message']).to eq('404 User Not Found')
      end

      it 'returns 400 when user_id is not given' do
        post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
             params: { access_level: Member::MAINTAINER }

        expect(response).to have_gitlab_http_status(:bad_request)
      end

      it 'returns 400 when access_level is not given' do
        post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
             params: { user_id: stranger.id }

        expect(response).to have_gitlab_http_status(:bad_request)
      end

      it 'returns 400 when access_level is not valid' do
        post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
             params: { user_id: stranger.id, access_level: non_existing_record_access_level }

        expect(response).to have_gitlab_http_status(:bad_request)
      end
    end

    context 'adding project bot' do
      let_it_be(:project_bot) { create(:user, :project_bot) }

      before do
        unrelated_project = create(:project)
        unrelated_project.add_maintainer(project_bot)
      end

      it 'returns 400' do
        expect do
          post api("/#{source_type.pluralize}/#{source.id}/members", maintainer),
               params: { user_id: project_bot.id, access_level: Member::DEVELOPER }

          expect(response).to have_gitlab_http_status(:bad_request)
          expect(json_response['message']['user_id']).to(
            include('project bots cannot be added to other groups / projects'))
        end.not_to change { project.members.count }
      end
    end
  end

  shared_examples 'PUT /:source_type/:id/members/:user_id' do |source_type|
    context "with :source_type == #{source_type.pluralize}" do
      it_behaves_like 'a 404 response when source is private' do
        let(:route) do
          put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", stranger),
              params: { access_level: Member::MAINTAINER }
        end
      end

      context 'when authenticated as a non-member or member with insufficient rights' do
        %i[access_requester stranger developer].each do |type|
          context "as a #{type}" do
            it 'returns 403' do
              user = public_send(type)
              put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", user),
                  params: { access_level: Member::MAINTAINER }

              expect(response).to have_gitlab_http_status(:forbidden)
            end
          end
        end

        context 'as a maintainer updating a member to one with higher access level than themselves' do
          before do
            # the other 'maintainer' is in fact an owner of the group!
            source.add_maintainer(maintainer2)
          end

          it 'returns 403' do
            put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer2),
                params: { access_level: Member::OWNER }

            expect(response).to have_gitlab_http_status(:forbidden)
          end
        end
      end

      context 'when authenticated as a maintainer/owner' do
        context 'when updating a member with the same or lower access level' do
          it 'updates the member' do
            put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer),
                params: { access_level: Member::MAINTAINER }

            expect(response).to have_gitlab_http_status(:ok)
            expect(json_response['id']).to eq(developer.id)
            expect(json_response['access_level']).to eq(Member::MAINTAINER)
          end
        end

        context 'when updating a member with higher access level' do
          let(:owner) { create(:user) }

          before do
            source.add_owner(owner)
            # the other 'maintainer' is in fact an owner of the group!
            source.add_maintainer(maintainer2)
          end

          it 'returns 403' do
            put api("/#{source_type.pluralize}/#{source.id}/members/#{owner.id}", maintainer2),
                params: { access_level: Member::DEVELOPER }

            expect(response).to have_gitlab_http_status(:forbidden)
          end
        end
      end

      context 'access expiry date' do
        subject do
          put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer),
              params: { expires_at: expires_at, access_level: Member::MAINTAINER }
        end

        context 'when set to a date in the past' do
          let(:expires_at) { 2.days.ago.to_date }

          it 'does not update the member' do
            subject

            expect(response).to have_gitlab_http_status(:bad_request)
            expect(json_response['message']).to eq({ 'expires_at' => ['cannot be a date in the past'] })
          end
        end

        context 'when set to a date in the future' do
          let(:expires_at) { 2.days.from_now.to_date }

          it 'updates the member' do
            subject

            expect(response).to have_gitlab_http_status(:ok)
            expect(json_response['expires_at']).to eq(expires_at.to_s)
          end
        end
      end

      it 'returns 409 if member does not exist' do
        put api("/#{source_type.pluralize}/#{source.id}/members/#{non_existing_record_id}", maintainer),
            params: { access_level: Member::MAINTAINER }

        expect(response).to have_gitlab_http_status(:not_found)
      end

      it 'returns 400 when access_level is not given' do
        put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer)

        expect(response).to have_gitlab_http_status(:bad_request)
      end

      it 'returns 400 when access level is not valid' do
        put api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer),
            params: { access_level: non_existing_record_access_level }

        expect(response).to have_gitlab_http_status(:bad_request)
      end
    end
  end

  shared_examples 'DELETE /:source_type/:id/members/:user_id' do |source_type|
    context "with :source_type == #{source_type.pluralize}" do
      it_behaves_like 'a 404 response when source is private' do
        let(:route) { delete api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", stranger) }
      end

      context 'when authenticated as a non-member or member with insufficient rights' do
        %i[access_requester stranger].each do |type|
          context "as a #{type}" do
            it 'returns 403' do
              user = public_send(type)
              delete api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", user)

              expect(response).to have_gitlab_http_status(:forbidden)
            end
          end
        end
      end

      context 'when authenticated as a member and deleting themself' do
        it 'deletes the member' do
          expect do
            delete api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", developer)

            expect(response).to have_gitlab_http_status(:no_content)
          end.to change { source.members.count }.by(-1)
        end
      end

      context 'when authenticated as a maintainer/owner' do
        context 'and member is a requester' do
          it 'returns 404' do
            expect do
              delete api("/#{source_type.pluralize}/#{source.id}/members/#{access_requester.id}", maintainer)

              expect(response).to have_gitlab_http_status(:not_found)
            end.not_to change { source.requesters.count }
          end
        end

        context 'when attempting to delete a member with higher access level' do
          let(:owner) { create(:user) }

          before do
            source.add_owner(owner)
            # the other 'maintainer' is in fact an owner of the group!
            source.add_maintainer(maintainer2)
          end

          it 'returns 403' do
            delete api("/#{source_type.pluralize}/#{source.id}/members/#{owner.id}", maintainer2),
                   params: { access_level: Member::DEVELOPER }

            expect(response).to have_gitlab_http_status(:forbidden)
          end
        end

        it 'deletes the member' do
          expect do
            delete api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer)

            expect(response).to have_gitlab_http_status(:no_content)
          end.to change { source.members.count }.by(-1)
        end

        it_behaves_like '412 response' do
          let(:request) { api("/#{source_type.pluralize}/#{source.id}/members/#{developer.id}", maintainer) }
        end
      end

      it 'returns 404 if member does not exist' do
        delete api("/#{source_type.pluralize}/#{source.id}/members/#{non_existing_record_id}", maintainer)

        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
  end

  describe 'DELETE /groups/:id/members/:user_id' do
    let(:other_user) { create(:user) }
    let(:nested_group) { create(:group, parent: group) }

    before do
      nested_group.add_developer(developer)
      nested_group.add_developer(other_user)
    end

    it 'deletes only the member with skip_subresources=true' do
      expect do
        delete api("/groups/#{group.id}/members/#{developer.id}", maintainer), params: { skip_subresources: true }

        expect(response).to have_gitlab_http_status(:no_content)
      end.to change { group.members.count }.by(-1)
          .and change { nested_group.members.count }.by(0)
    end

    it 'deletes member and its sub memberships with skip_subresources=false' do
      expect do
        delete api("/groups/#{group.id}/members/#{developer.id}", maintainer), params: { skip_subresources: false }

        expect(response).to have_gitlab_http_status(:no_content)
      end.to change { group.members.count }.by(-1)
          .and change { nested_group.members.count }.by(-1)
    end
  end

  [false, true].each do |all|
    it_behaves_like 'GET /:source_type/:id/members/(all)', 'project', all do
      let(:source) { project }
    end

    it_behaves_like 'GET /:source_type/:id/members/(all)', 'group', all do
      let(:source) { group }
    end
  end

  [false, true].each do |all|
    it_behaves_like 'GET /:source_type/:id/members/(all/):user_id', 'project', all do
      let(:source) { all ? create(:project, :public, group: group) : project }
    end

    it_behaves_like 'GET /:source_type/:id/members/(all/):user_id', 'group', all do
      let(:source) { all ? create(:group, parent: group) : group }
    end
  end

  describe 'POST /projects/:id/members' do
    it_behaves_like 'POST /:source_type/:id/members', 'project' do
      let(:source) { project }
    end

    context 'adding owner to project' do
      it 'returns 403' do
        post api("/projects/#{project.id}/members", maintainer),
             params: { user_id: stranger.id, access_level: Member::OWNER }

        expect(response).to have_gitlab_http_status(:forbidden)
      end
    end

    context 'remove bot from project' do
      it 'returns a 403 forbidden' do
        project_bot = create(:user, :project_bot)
        create(:project_member, project: project, user: project_bot)

        expect do
          delete api("/projects/#{project.id}/members/#{project_bot.id}", maintainer)

          expect(response).to have_gitlab_http_status(:forbidden)
        end.not_to change { project.members.count }
      end
    end
  end

  it_behaves_like 'POST /:source_type/:id/members', 'group' do
    let(:source) { group }
  end

  it_behaves_like 'PUT /:source_type/:id/members/:user_id', 'project' do
    let(:source) { project }
  end

  it_behaves_like 'PUT /:source_type/:id/members/:user_id', 'group' do
    let(:source) { group }
  end

  it_behaves_like 'DELETE /:source_type/:id/members/:user_id', 'project' do
    let(:source) { project }
  end

  it_behaves_like 'DELETE /:source_type/:id/members/:user_id', 'group' do
    let(:source) { group }
  end
end