Bugfix: User can't change the access level of an access requester

The endpoint was returning 404 because it was only searching on the current members of a Group or Project and not the access requesters.

Bugfix: User can't change the access level of an access requester
The endpoint was returning 404 because it was only searching on the current members of a Group or Project and not the access requesters.
429302b3 · Rubén Dávila · 806a68a8 · 429302b3 · 429302b3 · 429302b3
Commit 429302b3 authored Dec 11, 2017 by Rubén Dávila
5 changed files
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -22,7 +22,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
  end

  def update
-    @group_member = @group.group_members.find(params[:id])
+    @group_member = @group.members_and_requesters.find(params[:id])

    return render_403 unless can?(current_user, :update_group_member, @group_member)


--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -26,7 +26,7 @@ class Projects::ProjectMembersController < Projects::ApplicationController
  end

  def update
-    @project_member = @project.project_members.find(params[:id])
+    @project_member = @project.members_and_requesters.find(params[:id])

    return render_403 unless can?(current_user, :update_project_member, @project_member)


--- a/changelogs/unreleased/15832-fix-access-level-update-for-requesters.yml
+++ b/changelogs/unreleased/15832-fix-access-level-update-for-requesters.yml
+---
+title: Fix error that was preventing users to change the access level of access requests for Groups or Projects
+merge_request: 15832
+author:
+type: fixed
--- a/spec/controllers/groups/group_members_controller_spec.rb
+++ b/spec/controllers/groups/group_members_controller_spec.rb
@@ -62,6 +62,25 @@ describe Groups::GroupMembersController do
    end
  end

+  describe 'PUT update' do
+    let(:requester) { create(:group_member, :access_request, group: group) }
+
+    before do
+      group.add_owner(user)
+      sign_in(user)
+    end
+
+    Gitlab::Access.options.each do |label, value|
+      it "can change the access level to #{label}" do
+        xhr :put, :update, group_member: { access_level: value },
+                           group_id: group,
+                           id: requester
+
+        expect(requester.reload.human_access).to eq(label)
+      end
+    end
+  end
+
  describe 'DELETE destroy' do
    let(:member) { create(:group_member, :developer, group: group) }


--- a/spec/controllers/projects/project_members_controller_spec.rb
+++ b/spec/controllers/projects/project_members_controller_spec.rb
@@ -66,6 +66,26 @@ describe Projects::ProjectMembersController do
    end
  end

+  describe 'PUT update' do
+    let(:requester) { create(:project_member, :access_request, project: project) }
+
+    before do
+      project.add_master(user)
+      sign_in(user)
+    end
+
+    Gitlab::Access.options.each do |label, value|
+      it "can change the access level to #{label}" do
+        xhr :put, :update, project_member: { access_level: value },
+                           namespace_id: project.namespace,
+                           project_id: project,
+                           id: requester
+
+        expect(requester.reload.human_access).to eq(label)
+      end
+    end
+  end
+
  describe 'DELETE destroy' do
    let(:member) { create(:project_member, :developer, project: project) }