Add subresources removal to member destroy service

1 files changed, 27 insertions, 1 deletions

diff --git a/app/services/members/destroy_service.rb b/app/services/members/destroy_service.rb
index ae0c644e6c0..f9717a9426b 100644
--- a/app/services/members/destroy_service.rb
+++ b/app/services/members/destroy_service.rb
@@ -2,9 +2,11 @@
 
 module Members
   class DestroyService < Members::BaseService
-    def execute(member, skip_authorization: false)
+    def execute(member, skip_authorization: false, skip_subresources: false)
       raise Gitlab::Access::AccessDeniedError unless skip_authorization || can_destroy_member?(member)
 
+      @skip_auth = skip_authorization
+
       return member if member.is_a?(GroupMember) && member.source.last_owner?(member.user)
 
       member.destroy
@@ -15,6 +17,7 @@ module Members
         notification_service.decline_access_request(member)
       end
 
+      delete_subresources(member) unless skip_subresources
       enqueue_delete_todos(member)
 
       after_execute(member: member)
@@ -24,6 +27,29 @@ module Members
 
     private
 
+    def delete_subresources(member)
+      return unless member.is_a?(GroupMember) && member.user && member.group
+
+      delete_project_members(member)
+      delete_subgroup_members(member) if Group.supports_nested_objects?
+    end
+
+    def delete_project_members(member)
+      groups = member.group.self_and_descendants
+
+      ProjectMember.in_namespaces(groups).with_user(member.user).each do |project_member|
+        self.class.new(current_user).execute(project_member, skip_authorization: @skip_auth)
+      end
+    end
+
+    def delete_subgroup_members(member)
+      groups = member.group.descendants
+
+      GroupMember.in_groups(groups).with_user(member.user).each do |group_member|
+        self.class.new(current_user).execute(group_member, skip_authorization: @skip_auth, skip_subresources: true)
+      end
+    end
+
     def can_destroy_member?(member)
       can?(current_user, destroy_member_permission(member), member)
     end