From b3f0a82f501ce26717a6f9e57d91cb2b1f1a967b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Coutable?=
Date: Thu, 28 Jul 2016 19:30:34 +0200
Subject: [PATCH 1/3] New Members::ApproveAccessRequestService
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Rémy Coutable
---
 .../concerns/membership_actions.rb | 7 +-
 .../members/approve_access_request_service.rb | 30 +++++++
 lib/api/access_requests.rb | 7 +-
 .../approve_access_request_service_spec.rb | 88 +++++++++++++++++++
 4 files changed, 120 insertions(+), 12 deletions(-)
 create mode 100644 app/services/members/approve_access_request_service.rb
 create mode 100644 spec/services/members/approve_access_request_service_spec.rb

diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 52682ef9dc9..ba7c02b0ba7 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -1,6 +1,5 @@
 module MembershipActions
   extend ActiveSupport::Concern
-  include MembersHelper
 
   def request_access
     membershipable.request_access(current_user)
@@ -10,11 +9,7 @@ module MembershipActions
   end
 
   def approve_access_request
-    @member = membershipable.requesters.find(params[:id])
-
-    return render_403 unless can?(current_user, action_member_permission(:update, @member), @member)
-
-    @member.accept_request
+    Members::ApproveAccessRequestService.new(membershipable, current_user, user_id: params[:id]).execute
 
     redirect_to polymorphic_url([membershipable, :members])
   end
diff --git a/app/services/members/approve_access_request_service.rb b/app/services/members/approve_access_request_service.rb
new file mode 100644
index 00000000000..0324f0bb4bd
--- /dev/null
+++ b/app/services/members/approve_access_request_service.rb
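Review bot: The controller no longer produces its own 403: `render_403` is gone and the service added by this patch signals refusal by raising `Gitlab::Access::AccessDeniedError`, so the web route now depends on a `rescue_from` for that error somewhere up the controller chain, which is not visible in this patch. Worth confirming it exists and maps to 403; otherwise a user without the update permission gets a 500 instead of a clean denial. `ActiveRecord::RecordNotFound` from the service's `find_by!` behaves like the old `find`, so the 404 path looks unchanged. The enclosing module continues outside the hunk.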
@@ -0,0 +1,30 @@
+module Members
+  class ApproveAccessRequestService < BaseService
+    include MembersHelper
+
+    attr_accessor :source
+
+    def initialize(source, current_user, params = {})
+      @source = source
+      @current_user = current_user
+      @params = params
+    end
+
+    def execute
+      access_requester = source.requesters.find_by!(user_id: params[:user_id])
+
+      raise Gitlab::Access::AccessDeniedError if cannot_update_access_requester?(access_requester)
+
+      access_requester.access_level = params[:access_level] if params[:access_level]
+      access_requester.accept_request
+
+      access_requester
+    end
+
+    private
+
+    def cannot_update_access_requester?(access_requester)
+      !access_requester || !can?(current_user, action_member_permission(:update, access_requester), access_requester)
+    end
+  end
+end
diff --git a/lib/api/access_requests.rb b/lib/api/access_requests.rb
index 29a97ccbd75..9d1d9058996 100644
--- a/lib/api/access_requests.rb
+++ b/lib/api/access_requests.rb
@@ -55,13 +55,8 @@ module API
       put ':id/access_requests/:user_id/approve' do
         required_attributes! [:user_id]
         source = find_source(source_type, params[:id])
-        authorize_admin_source!(source_type, source)
 
-        member = source.requesters.find_by!(user_id: params[:user_id])
-        if params[:access_level]
-          member.update(access_level: params[:access_level])
-        end
-        member.accept_request
+        member = ::Members::ApproveAccessRequestService.new(source, current_user, params).execute
 
         status :created
         present member.user, with: Entities::Member, member: member
diff --git a/spec/services/members/approve_access_request_service_spec.rb b/spec/services/members/approve_access_request_service_spec.rb
new file mode 100644
index 00000000000..6951adc5828
--- /dev/null
+++ b/spec/services/members/approve_access_request_service_spec.rb
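Review bot: `params[:access_level]` is assigned straight into the member in `execute` with no check in the service that it is one of the levels `Gitlab::Access` defines, so the only thing between a caller and an arbitrary level is whatever validation `accept_request` (not shown) and the Member model apply. If `accept_request` persists with a non-bang save, an invalid level would be silently dropped while the method still returns the member as though it had been applied; consider persisting the level explicitly so a validation failure surfaces, e.g. `access_requester.update!(access_level: params[:access_level]) if params[:access_level]`, or rejecting unknown values before the assignment. The `attr_accessor :source` also exposes a public writer nothing in the class needs; `attr_reader` states the intent. A one-line class comment would help too, e.g. `# Approves a pending access request on a project or group; raises AccessDeniedError unless current_user may update that member.`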
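Review bot: With `authorize_admin_source!` removed, authorization for this endpoint now rests entirely on the service's per-member `can?` check plus a mapping of `Gitlab::Access::AccessDeniedError` to a 403 in the API layer, which is not shown in this hunk and is worth confirming rather than assuming. The whole Grape `params` hash is also handed to the service, which includes the route's `:id` (the project/group id) and anything else the client sends; the service only needs two keys, so passing them explicitly keeps the contract narrow: `::Members::ApproveAccessRequestService.new(source, current_user, user_id: params[:user_id], access_level: params[:access_level]).execute`. The `put` block continues outside the hunk.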
@@ -0,0 +1,88 @@
+require 'spec_helper'
+
+describe Members::ApproveAccessRequestService, services: true do
+  let(:user) { create(:user) }
+  let(:access_requester) { create(:user) }
+  let(:project) { create(:project, :public) }
+  let(:group) { create(:group, :public) }
+
+  shared_examples 'a service raising ActiveRecord::RecordNotFound' do
+    it 'raises ActiveRecord::RecordNotFound' do
+      expect { described_class.new(source, user, params).execute }.to raise_error(ActiveRecord::RecordNotFound)
+    end
+  end
+
+  shared_examples 'a service raising Gitlab::Access::AccessDeniedError' do
+    it 'raises Gitlab::Access::AccessDeniedError' do
+      expect { described_class.new(source, user, params).execute }.to raise_error(Gitlab::Access::AccessDeniedError)
+    end
+  end
+
+  shared_examples 'a service approving an access request' do
+    it 'succeeds' do
+      expect { described_class.new(source, user, params).execute }.to change { source.requesters.count }.by(-1)
+    end
+
+    it 'returns a Member' do
+      member = described_class.new(source, user, params).execute
+
+      expect(member).to be_a "#{source.class.to_s}Member".constantize
+      expect(member.requested_at).to be_nil
+    end
+
+    context 'with a custom access level' do
+      let(:params) { { user_id: access_requester.id, access_level: Gitlab::Access::MASTER } }
+
+      it 'returns a ProjectMember with the custom access level' do
+        member = described_class.new(source, user, params).execute
+
+        expect(member.access_level).to eq Gitlab::Access::MASTER
+      end
+    end
+  end
+
+  context 'when no access requester are found' do
+    let(:params) { { user_id: 42 } }
+
+    it_behaves_like 'a service raising ActiveRecord::RecordNotFound' do
+      let(:source) { project }
+    end
+
+    it_behaves_like 'a service raising ActiveRecord::RecordNotFound' do
+      let(:source) { group }
+    end
+  end
+
+  context 'when an access requester is found' do
+    before do
+      project.request_access(access_requester)
+      group.request_access(access_requester)
+    end
+    let(:params) { { user_id: access_requester.id } }
+
+    context 'when current user cannot approve access request to the project' do
+      it_behaves_like 'a service raising Gitlab::Access::AccessDeniedError' do
+        let(:source) { project }
+      end
+
+      it_behaves_like 'a service raising Gitlab::Access::AccessDeniedError' do
+        let(:source) { group }
+      end
+    end
+
+    context 'when current user can approve access request to the project' do
+      before do
+        project.team << [user, :master]
+        group.add_owner(user)
+      end
+
+      it_behaves_like 'a service approving an access request' do
+        let(:source) { project }
+      end
+
+      it_behaves_like 'a service approving an access request' do
+        let(:source) { group }
+      end
+    end
+  end
+end

From 5dcdf1d51bbd5bde4ea9417dd4402571608c90f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Coutable?=
Date: Fri, 9 Sep 2016 18:06:36 +0200
Subject: [PATCH 2/3] Ensure Members::ApproveAccessRequestService can fin a
 requester by ID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Rémy Coutable
---
 app/controllers/concerns/membership_actions.rb | 2 +-
 app/services/members/approve_access_request_service.rb | 3 ++-
 spec/controllers/groups/group_members_controller_spec.rb | 3 ++-
 .../members/approve_access_request_service_spec.rb | 8 ++++++++
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index ba7c02b0ba7..b8ed2c159a7 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -9,7 +9,7 @@ module MembershipActions
   end
 
   def approve_access_request
-    Members::ApproveAccessRequestService.new(membershipable, current_user, user_id: params[:id]).execute
+    Members::ApproveAccessRequestService.new(membershipable, current_user, params).execute
 
     redirect_to polymorphic_url([membershipable, :members])
   end
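Review bot: Forwarding the whole `params` hash from the web controller widens what this route accepts: the service (as of this patch) prefers `params[:user_id]` over `params[:id]` and also reads `params[:access_level]`, so a request to this action carrying `user_id=` or `access_level=` query parameters is honored even though the route only defines `:id`. The `can?` check still gates who may approve, but the previous line consulted only `params[:id]`; passing just that keeps the surface unchanged while still fixing the id/user_id mix-up: `Members::ApproveAccessRequestService.new(membershipable, current_user, id: params[:id]).execute`. The enclosing module continues outside the hunk.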
diff --git a/app/services/members/approve_access_request_service.rb b/app/services/members/approve_access_request_service.rb
index 0324f0bb4bd..c05d061b6a0 100644
--- a/app/services/members/approve_access_request_service.rb
+++ b/app/services/members/approve_access_request_service.rb
@@ -11,7 +11,8 @@ module Members
     end
 
     def execute
-      access_requester = source.requesters.find_by!(user_id: params[:user_id])
+      condition = params[:user_id] ? { user_id: params[:user_id] } : { id: params[:id] }
+      access_requester = source.requesters.find_by!(condition)
 
       raise Gitlab::Access::AccessDeniedError if cannot_update_access_requester?(access_requester)
 
diff --git a/spec/controllers/groups/group_members_controller_spec.rb b/spec/controllers/groups/group_members_controller_spec.rb
index c34475976c6..92b97bf3d0c 100644
--- a/spec/controllers/groups/group_members_controller_spec.rb
+++ b/spec/controllers/groups/group_members_controller_spec.rb
@@ -2,9 +2,10 @@ require 'spec_helper'
 
 describe Groups::GroupMembersController do
   let(:user) { create(:user) }
-  let(:group) { create(:group) }
 
   describe '#index' do
+    let(:group) { create(:group) }
+
     before do
       group.add_owner(user)
       stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
diff --git a/spec/services/members/approve_access_request_service_spec.rb b/spec/services/members/approve_access_request_service_spec.rb
index 6951adc5828..6fca80b5613 100644
--- a/spec/services/members/approve_access_request_service_spec.rb
+++ b/spec/services/members/approve_access_request_service_spec.rb
@@ -83,6 +83,14 @@ describe Members::ApproveAccessRequestService, services: true do
       it_behaves_like 'a service approving an access request' do
         let(:source) { group }
       end
+
+      context 'when given a :id' do
+        let(:params) { { id: project.requesters.find_by!(user_id: access_requester.id).id } }
+
+        it_behaves_like 'a service approving an access request' do
+          let(:source) { project }
+        end
+      end
     end
   end
 end
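Review bot: The `{ id: params[:id] }` fallback on the new `condition` line reuses a key that means different things to the two callers: in the web controller `:id` is the member id, but in the API route (`':id/access_requests/:user_id/approve'`) `:id` is the project or group id, and the API hands its full `params` to this service. Today `required_attributes! [:user_id]` keeps the API on the `user_id` branch, so this is a latent coupling rather than a live bug, but a missing (nil) `user_id` would silently turn the source id into a member-id lookup. Consider failing loudly when neither key is usable, e.g. `raise ArgumentError, 'user_id or id is required' unless params[:user_id] || params[:id]`, and a comment on the condition line naming which caller supplies which key, e.g. `# API passes user_id; the web controller passes the member id as :id`. The `execute` method continues outside the hunk.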
From 94996963c594b673f8c380e3e06fd3fbdd1ce105 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20Coutable?=
Date: Thu, 22 Sep 2016 15:50:24 +0200
Subject: [PATCH 3/3] Inverse condition in Members::ApproveAccessRequestService
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Rémy Coutable
---
 app/services/members/approve_access_request_service.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/services/members/approve_access_request_service.rb b/app/services/members/approve_access_request_service.rb
index c05d061b6a0..416aee2ab51 100644
--- a/app/services/members/approve_access_request_service.rb
+++ b/app/services/members/approve_access_request_service.rb
@@ -14,7 +14,7 @@ module Members
       condition = params[:user_id] ? { user_id: params[:user_id] } : { id: params[:id] }
       access_requester = source.requesters.find_by!(condition)
 
-      raise Gitlab::Access::AccessDeniedError if cannot_update_access_requester?(access_requester)
+      raise Gitlab::Access::AccessDeniedError unless can_update_access_requester?(access_requester)
 
       access_requester.access_level = params[:access_level] if params[:access_level]
       access_requester.accept_request
@@ -24,8 +24,8 @@ module Members
 
     private
 
-    def cannot_update_access_requester?(access_requester)
-      !access_requester || !can?(current_user, action_member_permission(:update, access_requester), access_requester)
+    def can_update_access_requester?(access_requester)
+      access_requester && can?(current_user, action_member_permission(:update, access_requester), access_requester)
     end
   end
 end
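Review bot: The `access_requester &&` guard in `can_update_access_requester?` is dead: its only caller passes the result of `source.requesters.find_by!(condition)`, which raises `ActiveRecord::RecordNotFound` rather than returning nil, so the predicate can be reduced to `can?(current_user, action_member_permission(:update, access_requester), access_requester)`. Keeping the nil branch advertises a code path that does not exist and blurs the real contract; if a nil-tolerant variant is ever wanted, the place to change is the bang on `find_by!`, not this predicate. A short comment on the method would also help, e.g. `# True when current_user holds the ability that action_member_permission(:update, member) names for this member.`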