webhooks: force sync when user is removed from org

matt-codecov · matt-codecov · commit f15481caa111 · 2024-10-18T13:06:32.000-07:00
diff --git a/webhook_handlers/tests/test_github.py b/webhook_handlers/tests/test_github.py
@@ -1127,8 +1127,10 @@ def test_installation_trigger_refresh_with_other_actions(self, refresh_mock):
             repos_affected=[("12321", "R_kgDOG2tZYQ"), ("12343", "R_kgDOG2tABC")],
         )
 
+    @patch("services.task.TaskService.refresh")
     def test_organization_with_removed_action_removes_user_from_org_and_activated_user_list(
         self,
+        mock_refresh,
     ):
         org = OwnerFactory(service_id="4321", service=Service.GITHUB.value)
         user = OwnerFactory(
@@ -1149,7 +1151,13 @@ def test_organization_with_removed_action_removes_user_from_org_and_activated_us
         user.refresh_from_db()
         org.refresh_from_db()
 
-        assert org.ownerid not in user.organizations
+        mock_refresh.assert_called_with(
+            ownerid=user.ownerid,
+            username=user.username,
+            sync_teams=True,
+            sync_repos=True,
+            using_integration=False,
+        )
         assert user.ownerid not in org.plan_activated_users
 
     def test_organization_member_removed_with_nonexistent_org_doesnt_crash(self):
diff --git a/webhook_handlers/tests/test_github_enterprise.py b/webhook_handlers/tests/test_github_enterprise.py
@@ -899,8 +899,10 @@ def test_installation_trigger_refresh_with_other_actions(self, refresh_mock):
             repos_affected=[("12321", "R_12321CAT"), ("12343", "R_12343DOG")],
         )
 
+    @patch("services.task.TaskService.refresh")
     def test_organization_with_removed_action_removes_user_from_org_and_activated_user_list(
         self,
+        mock_refresh,
     ):
         org = OwnerFactory(service_id="4321", service=Service.GITHUB_ENTERPRISE.value)
         user = OwnerFactory(
@@ -923,7 +925,13 @@ def test_organization_with_removed_action_removes_user_from_org_and_activated_us
         user.refresh_from_db()
         org.refresh_from_db()
 
-        assert org.ownerid not in user.organizations
+        mock_refresh.assert_called_with(
+            ownerid=user.ownerid,
+            username=user.username,
+            sync_teams=True,
+            sync_repos=True,
+            using_integration=False,
+        )
         assert user.ownerid not in org.plan_activated_users
 
     def test_organization_member_removed_with_nonexistent_org_doesnt_crash(self):
diff --git a/webhook_handlers/views/github.py b/webhook_handlers/views/github.py
@@ -635,12 +635,15 @@ def organization(self, request, *args, **kwargs):
                     data="Attempted to remove non Codecov user from Codecov org failed",
                 )
 
-            try:
-                if member.organizations:
-                    member.organizations.remove(org.ownerid)
-                    member.save(update_fields=["organizations"])
-            except ValueError:
-                pass
+            # Force a sync for the removed member to remove their access to the
+            # org and its private repositories.
+            TaskService().refresh(
+                ownerid=member.ownerid,
+                username=member.username,
+                sync_teams=True,
+                sync_repos=True,
+                using_integration=False,
+            )
 
             try:
                 if org.plan_activated_users:
