Merge pull request #3874 from getsentry/fix/role-downgrade

dcramer · mattrobenolt · commit 323a8ad3e8b6 · 2016-08-08T10:44:44.000-07:00
Fix role downgrade permissions
diff --git a/src/sentry/web/frontend/organization_member_settings.py b/src/sentry/web/frontend/organization_member_settings.py
@@ -72,11 +72,14 @@ def handle(self, request, organization, member_id):
                 user=request.user,
                 organization=organization,
             )
-            allowed_roles = [
-                r for r in roles.get_all()
-                if r.priority <= roles.get(acting_member.role).priority
-            ]
-            can_admin = bool(allowed_roles)
+            if roles.get(acting_member.role).priority < roles.get(member.role).priority:
+                can_admin = False
+            else:
+                allowed_roles = [
+                    r for r in roles.get_all()
+                    if r.priority <= roles.get(acting_member.role).priority
+                ]
+                can_admin = bool(allowed_roles)
         elif request.is_superuser():
             allowed_roles = roles.get_all()
 
diff --git a/tests/sentry/web/frontend/test_organization_member_settings.py b/tests/sentry/web/frontend/test_organization_member_settings.py
@@ -264,3 +264,35 @@ def test_manager_cant_assign_owner(self):
         member = OrganizationMember.objects.get(id=member_om.id)
 
         assert member.role == 'member'
+
+    def test_manager_cant_downgrade_owner(self):
+        organization = self.create_organization(name='foo', owner=self.user)
+
+        manager = self.create_user('bar@example.com')
+        OrganizationMember.objects.create(
+            organization=organization,
+            user=manager,
+            role='manager',
+        )
+
+        member = self.create_user('baz@example.com')
+        member_om = OrganizationMember.objects.create(
+            organization=organization,
+            user=member,
+            role='owner',
+        )
+
+        path = reverse('sentry-organization-member-settings',
+                       args=[organization.slug, member_om.id])
+
+        self.login_as(manager)
+
+        resp = self.client.post(path, {
+            'role': 'manager',
+        })
+
+        assert resp.status_code == 200
+
+        member = OrganizationMember.objects.get(id=member_om.id)
+
+        assert member.role == 'owner'
