FEATURE: Allow group owners promote more owners (#19768)

This change allows group owners (in addition to admins) to promote other members to owners.
2025-02-25 18:55:32 -06:00 · 2023-01-11 16:43:18 +08:00
parent 17daf077e2
commit d2e9ea6193
15 changed files with 227 additions and 187 deletions
--- a/spec/requests/admin/groups_controller_spec.rb
+++ b/spec/requests/admin/groups_controller_spec.rb
@@ -146,157 +146,6 @@ RSpec.describe Admin::GroupsController do
    end
  end

-  describe "#add_owners" do
-    context "when logged in as an admin" do
-      before { sign_in(admin) }
-
-      it "should work" do
-        put "/admin/groups/#{group.id}/owners.json",
-            params: {
-              group: {
-                usernames: [user.username, admin.username].join(","),
-              },
-            }
-
-        expect(response.status).to eq(200)
-
-        response_body = response.parsed_body
-
-        expect(response_body["usernames"]).to contain_exactly(user.username, admin.username)
-
-        expect(group.group_users.where(owner: true).map(&:user)).to contain_exactly(user, admin)
-      end
-
-      it "returns not-found error when there is no group" do
-        group.destroy!
-
-        put "/admin/groups/#{group.id}/owners.json", params: { group: { usernames: user.username } }
-
-        expect(response.status).to eq(404)
-      end
-
-      it "does not allow adding owners to an automatic group" do
-        group.update!(automatic: true)
-
-        expect do
-          put "/admin/groups/#{group.id}/owners.json",
-              params: {
-                group: {
-                  usernames: user.username,
-                },
-              }
-        end.to_not change { group.group_users.count }
-
-        expect(response.status).to eq(422)
-        expect(response.parsed_body["errors"]).to eq(["You cannot modify an automatic group"])
-      end
-
-      it "does not notify users when the param is not present" do
-        put "/admin/groups/#{group.id}/owners.json", params: { group: { usernames: user.username } }
-        expect(response.status).to eq(200)
-
-        topic =
-          Topic.find_by(
-            title:
-              I18n.t(
-                "system_messages.user_added_to_group_as_owner.subject_template",
-                group_name: group.name,
-              ),
-            archetype: "private_message",
-          )
-        expect(topic.nil?).to eq(true)
-      end
-
-      it "notifies users when the param is present" do
-        put "/admin/groups/#{group.id}/owners.json",
-            params: {
-              group: {
-                usernames: user.username,
-                notify_users: true,
-              },
-            }
-        expect(response.status).to eq(200)
-
-        topic =
-          Topic.find_by(
-            title:
-              I18n.t(
-                "system_messages.user_added_to_group_as_owner.subject_template",
-                group_name: group.name,
-              ),
-            archetype: "private_message",
-          )
-        expect(topic.nil?).to eq(false)
-        expect(topic.topic_users.map(&:user_id)).to include(-1, user.id)
-      end
-    end
-
-    context "when logged in as a moderator" do
-      before { sign_in(moderator) }
-
-      context "with moderators_manage_categories_and_groups enabled" do
-        before { SiteSetting.moderators_manage_categories_and_groups = true }
-
-        it "adds owners" do
-          put "/admin/groups/#{group.id}/owners.json",
-              params: {
-                group: {
-                  usernames: [user.username, admin.username, moderator.username].join(","),
-                },
-              }
-
-          response_body = response.parsed_body
-
-          expect(response.status).to eq(200)
-          expect(response_body["usernames"]).to contain_exactly(
-            user.username,
-            admin.username,
-            moderator.username,
-          )
-          expect(group.group_users.where(owner: true).map(&:user)).to contain_exactly(
-            user,
-            admin,
-            moderator,
-          )
-        end
-      end
-
-      context "with moderators_manage_categories_and_groups disabled" do
-        before { SiteSetting.moderators_manage_categories_and_groups = false }
-
-        it "prevents adding of owners with a 403 response" do
-          put "/admin/groups/#{group.id}/owners.json",
-              params: {
-                group: {
-                  usernames: [user.username, admin.username, moderator.username].join(","),
-                },
-              }
-
-          expect(response.status).to eq(403)
-          expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
-          expect(group.group_users.where(owner: true).map(&:user)).to be_empty
-        end
-      end
-    end
-
-    context "when logged in as a non-staff user" do
-      before { sign_in(user) }
-
-      it "prevents adding of owners with a 404 response" do
-        put "/admin/groups/#{group.id}/owners.json",
-            params: {
-              group: {
-                usernames: [user.username, admin.username].join(","),
-              },
-            }
-
-        expect(response.status).to eq(404)
-        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
-        expect(group.group_users.where(owner: true).map(&:user)).to be_empty
-      end
-    end
-  end
-
  describe "#remove_owner" do
    let(:user2) { Fabricate(:user) }
    let(:user3) { Fabricate(:user) }
--- a/spec/requests/api/schemas/json/group_create_response.json
+++ b/spec/requests/api/schemas/json/group_create_response.json
@@ -119,6 +119,9 @@
        "can_admin_group": {
          "type": "boolean"
        },
+        "can_edit_group": {
+          "type": "boolean"
+        },
        "publish_read_state": {
          "type": "boolean"
        }
--- a/spec/requests/api/schemas/json/group_response.json
+++ b/spec/requests/api/schemas/json/group_response.json
@@ -122,6 +122,9 @@
        "can_admin_group": {
          "type": "boolean"
        },
+        "can_edit_group": {
+          "type": "boolean"
+        },
        "publish_read_state": {
          "type": "boolean"
        },
--- a/spec/requests/api/schemas/json/groups_list_response.json
+++ b/spec/requests/api/schemas/json/groups_list_response.json
@@ -131,6 +131,9 @@
            "can_admin_group": {
              "type": "boolean"
            },
+            "can_edit_group": {
+              "type": "boolean"
+            },
            "publish_read_state": {
              "type": "boolean"
            }
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@@ -1638,6 +1638,164 @@ RSpec.describe GroupsController do
      end
    end

+    describe "#add_owners" do
+      context "when logged in as an admin" do
+        before { sign_in(admin) }
+
+        it "should work" do
+          put "/groups/#{group.id}/owners.json",
+              params: {
+                usernames: [user.username, admin.username].join(","),
+              }
+
+          expect(response.status).to eq(200)
+
+          response_body = response.parsed_body
+
+          expect(response_body["usernames"]).to contain_exactly(user.username, admin.username)
+
+          expect(group.group_users.where(owner: true).map(&:user)).to contain_exactly(user, admin)
+        end
+
+        it "returns not-found error when there is no group" do
+          group.destroy!
+
+          put "/groups/#{group.id}/owners.json", params: { usernames: user.username }
+
+          expect(response.status).to eq(404)
+        end
+
+        it "does not allow adding owners to an automatic group" do
+          group.update!(automatic: true)
+
+          expect do
+            put "/groups/#{group.id}/owners.json", params: { usernames: user.username }
+          end.to_not change { group.group_users.count }
+
+          expect(response.status).to eq(422)
+          expect(response.parsed_body["errors"]).to eq(
+            [I18n.t("groups.errors.can_not_modify_automatic")],
+          )
+        end
+
+        it "does not notify users when the param is not present" do
+          put "/groups/#{group.id}/owners.json", params: { usernames: user.username }
+          expect(response.status).to eq(200)
+
+          topic =
+            Topic.find_by(
+              title:
+                I18n.t(
+                  "system_messages.user_added_to_group_as_owner.subject_template",
+                  group_name: group.name,
+                ),
+              archetype: "private_message",
+            )
+          expect(topic.nil?).to eq(true)
+        end
+
+        it "notifies users when the param is present" do
+          put "/groups/#{group.id}/owners.json",
+              params: {
+                usernames: user.username,
+                notify_users: true,
+              }
+          expect(response.status).to eq(200)
+
+          topic =
+            Topic.find_by(
+              title:
+                I18n.t(
+                  "system_messages.user_added_to_group_as_owner.subject_template",
+                  group_name: group.name,
+                ),
+              archetype: "private_message",
+            )
+          expect(topic.nil?).to eq(false)
+          expect(topic.topic_users.map(&:user_id)).to include(-1, user.id)
+        end
+      end
+
+      context "when logged in as a moderator" do
+        before { sign_in(moderator) }
+
+        context "with moderators_manage_categories_and_groups enabled" do
+          before { SiteSetting.moderators_manage_categories_and_groups = true }
+
+          it "adds owners" do
+            put "/groups/#{group.id}/owners.json",
+                params: {
+                  usernames: [user.username, admin.username, moderator.username].join(","),
+                }
+
+            response_body = response.parsed_body
+
+            expect(response.status).to eq(200)
+            expect(response_body["usernames"]).to contain_exactly(
+              user.username,
+              admin.username,
+              moderator.username,
+            )
+            expect(group.group_users.where(owner: true).map(&:user)).to contain_exactly(
+              user,
+              admin,
+              moderator,
+            )
+          end
+        end
+
+        context "with moderators_manage_categories_and_groups disabled" do
+          before { SiteSetting.moderators_manage_categories_and_groups = false }
+
+          it "prevents adding of owners with a 403 response" do
+            put "/groups/#{group.id}/owners.json",
+                params: {
+                  usernames: [user.username, admin.username, moderator.username].join(","),
+                }
+
+            expect(response.status).to eq(403)
+            expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
+            expect(group.group_users.where(owner: true).map(&:user)).to be_empty
+          end
+        end
+      end
+
+      context "when logged in as a non-owner" do
+        before { sign_in(user) }
+
+        it "prevents adding of owners with a 403 response" do
+          put "/groups/#{group.id}/owners.json",
+              params: {
+                usernames: [user.username, admin.username].join(","),
+              }
+
+          expect(response.status).to eq(403)
+          expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
+          expect(group.group_users.where(owner: true).map(&:user)).to be_empty
+        end
+      end
+
+      context "when logged in as an owner" do
+        before { sign_in(user) }
+
+        it "allows adding new owners" do
+          group.add_owner(user)
+
+          put "/groups/#{group.id}/owners.json",
+              params: {
+                usernames: [user.username, admin.username].join(","),
+              }
+
+          expect(response.status).to eq(200)
+          expect(response.parsed_body["usernames"]).to contain_exactly(
+            user.username,
+            admin.username,
+          )
+          expect(group.group_users.where(owner: true).map(&:user)).to contain_exactly(user, admin)
+        end
+      end
+    end
+
    describe "#join" do
      let(:public_group) { Fabricate(:public_group) }