From 6dbcb880cc72f7511358612bbc76e2ab9ded14c5 Mon Sep 17 00:00:00 2001
From: Zeger-Jan van de Weg <zegerjan@gitlab.com>
Date: Fri, 8 Apr 2016 12:41:37 +0200
Subject: Allow a project member to leave the projected through the API

---
 lib/api/project_members.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'lib')

diff --git a/lib/api/project_members.rb b/lib/api/project_members.rb
index c756bb479fc..4aefdf319c6 100644
--- a/lib/api/project_members.rb
+++ b/lib/api/project_members.rb
@@ -93,12 +93,17 @@ module API
       # Example Request:
       #   DELETE /projects/:id/members/:user_id
       delete ":id/members/:user_id" do
-        authorize! :admin_project, user_project
         project_member = user_project.project_members.find_by(user_id: params[:user_id])
-        unless project_member.nil?
-          project_member.destroy
-        else
+
+        unless current_user.can?(:admin_project, user_project) ||
+                current_user.can?(:destroy_project_member, project_member)
+          forbidden!
+        end
+
+        if project_member.nil?
           { message: "Access revoked", id: params[:user_id].to_i }
+        else
+          project_member.destroy
         end
       end
     end
-- 
cgit v1.2.3