Edit group members via API

Add an API endpoint to update the access level of an existing group member.

Edit group members via API
Add an API endpoint to update the access level of an existing group member.
b0dacc8e · Vinnie Okada · 04953950 · b0dacc8e · b0dacc8e · b0dacc8e
Commit b0dacc8e authored Jan 20, 2015 by Vinnie Okada
6 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -50,7 +50,7 @@ v 7.8.0 (unreleased)
  - 
  - Password reset token validity increased from 2 hours to 2 days since it is also send on account creation.
  - 
-  - 
+  - Edit group members via API
  - Enable raw image paste from clipboard, currently Chrome only (Marco Cyriacks)
  - 
  - 

--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -152,6 +152,20 @@ Parameters:
 - `user_id` (required) - The ID of a user to add
 - `access_level` (required) - Project access level

+### Edit group team member
+
+Updates a group team member to a specified access level.
+
+```
+PUT /groups/:id/members/:user_id
+```
+
+Parameters:
+
+- `id` (required) - The ID of a group
+- `user_id` (required) - The ID of a group member
+- `access_level` (required) - Project access level
+
 ### Remove user team member

 Removes user from user team.

--- a/lib/api/group_members.rb
+++ b/lib/api/group_members.rb
@@ -40,6 +40,30 @@ module API
        present member.user, with: Entities::GroupMember, group: group
      end

+      # Update group member
+      #
+      # Parameters:
+      #   id (required) - The ID of a group
+      #   user_id (required) - The ID of a group member
+      #   access_level (required) - Project access level
+      # Example Request:
+      #   PUT /groups/:id/members/:user_id
+      put ':id/members/:user_id' do
+        group = find_group(params[:id])
+        authorize! :manage_group, group
+        required_attributes! [:access_level]
+
+        team_member = group.group_members.find_by(user_id: params[:user_id])
+        not_found!('User can not be found') if team_member.nil?
+
+        if team_member.update_attributes(access_level: params[:access_level])
+          @member = team_member.user
+          present @member, with: Entities::GroupMember, group: group
+        else
+          handle_member_errors team_member.errors
+        end
+      end
+
      # Remove member.
      #
      # Parameters:

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -238,5 +238,10 @@ module API
    def secret_token
      File.read(Rails.root.join('.gitlab_shell_secret'))
    end
+
+    def handle_member_errors(errors)
+      error!(errors[:access_level], 422) if errors[:access_level].any?
+      not_found!(errors)
+    end
  end
 end
--- a/lib/api/project_members.rb
+++ b/lib/api/project_members.rb
@@ -4,14 +4,6 @@ module API
    before { authenticate! }

    resource :projects do
-      helpers do
-        def handle_project_member_errors(errors)
-          if errors[:access_level].any?
-            error!(errors[:access_level], 422)
-          end
-          not_found!(errors)
-        end
-      end

      # Get a project team members
      #
@@ -66,7 +58,7 @@ module API
          @member = team_member.user
          present @member, with: Entities::ProjectMember, project: user_project
        else
-          handle_project_member_errors team_member.errors
+          handle_member_errors team_member.errors
        end
      end

@@ -89,7 +81,7 @@ module API
          @member = team_member.user
          present @member, with: Entities::ProjectMember, project: user_project
        else
-          handle_project_member_errors team_member.errors
+          handle_member_errors team_member.errors
        end
      end


--- a/spec/requests/api/group_members_spec.rb
+++ b/spec/requests/api/group_members_spec.rb
@@ -104,6 +104,69 @@ describe API::API, api: true  do
    end
  end

+  describe 'PUT /groups/:id/members/:user_id' do
+    context 'when not a member of the group' do
+      it 'should return a 409 error if the user is not a group member' do
+        put(
+          api("/groups/#{group_no_members.id}/members/#{developer.id}",
+              owner), access_level: GroupMember::MASTER
+        )
+        expect(response.status).to eq(404)
+      end
+    end
+
+    context 'when a member of the group' do
+      it 'should return ok and update member access level' do
+        put(
+          api("/groups/#{group_with_members.id}/members/#{reporter.id}",
+              owner),
+          access_level: GroupMember::MASTER
+        )
+
+        expect(response.status).to eq(200)
+
+        get api("/groups/#{group_with_members.id}/members", owner)
+        json_reporter = json_response.find do |e|
+          e['id'] == reporter.id
+        end
+
+        expect(json_reporter['access_level']).to eq(GroupMember::MASTER)
+      end
+
+      it 'should not allow guest to modify group members' do
+        put(
+          api("/groups/#{group_with_members.id}/members/#{developer.id}",
+              guest),
+          access_level: GroupMember::MASTER
+        )
+
+        expect(response.status).to eq(403)
+
+        get api("/groups/#{group_with_members.id}/members", owner)
+        json_developer = json_response.find do |e|
+          e['id'] == developer.id
+        end
+
+        expect(json_developer['access_level']).to eq(GroupMember::DEVELOPER)
+      end
+
+      it 'should return a 400 error when access level is not given' do
+        put(
+          api("/groups/#{group_with_members.id}/members/#{master.id}", owner)
+        )
+        expect(response.status).to eq(400)
+      end
+
+      it 'should return a 422 error when access level is not known' do
+        put(
+          api("/groups/#{group_with_members.id}/members/#{master.id}", owner),
+          access_level: 1234
+        )
+        expect(response.status).to eq(422)
+      end
+    end
+  end
+
  describe "DELETE /groups/:id/members/:user_id" do
    context "when not a member of the group" do
      it "should not delete guest's membership of group_with_members" do