tenseleyflow/shithub / ad9035a

+func (h *Handlers) secretTeamWriteNotice(ctx context.Context, orgID int64, team orgsdb.Team) (string, error) {

+	if team.Privacy != orgsdb.TeamPrivacySecret {

+		return "", nil

+	}

+	decision, err := entitlements.CheckOrgFeature(ctx, entitlements.Deps{Pool: h.d.Pool}, orgID, entitlements.FeatureOrgSecretTeams)

+	if err != nil {

+		return "", err

+	}

+	if decision.Allowed {

+		return "", nil

+	}

+	switch decision.Reason {

+	case entitlements.ReasonBillingActionNeeded:

+		return "secret-teams-billing", nil

+	case entitlements.ReasonEnterpriseContactSales:

+		return "secret-teams-enterprise", nil

+	default:

+		return "secret-teams-upgrade", nil

+	}

+}

+

+	canExpandTeam := false

+	secretTeamWritesDisabledMessage := ""

+		canExpandTeam = isOwner

+		if isOwner {

+			noticeCode, nerr := h.secretTeamWriteNotice(r.Context(), org.ID, team)

+			if nerr != nil {

+				h.d.Logger.WarnContext(r.Context(), "teams: secret-team entitlement check", "org_id", org.ID, "team_id", team.ID, "error", nerr)

+				canExpandTeam = false

+				secretTeamWritesDisabledMessage = "Secret team changes are temporarily unavailable."

+			} else if noticeCode != "" {

+				canExpandTeam = false

+				secretTeamWritesDisabledMessage = teamsNoticeMessage(noticeCode)

+			}

+		}

+		"Title":                           string(org.Slug) + "/" + string(team.Slug),

+		"CSRFToken":                       middleware.CSRFTokenForRequest(r),

+		"Org":                             org,

+		"AvatarURL":                       "/avatars/" + url.PathEscape(string(org.Slug)),

+		"ActiveOrgNav":                    "teams",

+		"Team":                            team,

+		"TeamDisplayName":                 teamDisplayName(team),

+		"TeamPath":                        h.teamPath(org, team),

+		"TeamPrivacy":                     string(team.Privacy),

+		"TeamIsSecret":                    team.Privacy == orgsdb.TeamPrivacySecret,

+		"ChildTeams":                      childItems,

+		"Members":                         members,

+		"MemberCandidates":                memberCandidates,

+		"Repos":                           repos,

+		"RepoCandidates":                  repoCandidates,

+		"RepoCount":                       navCounts.RepoCount,

+		"MemberCount":                     navCounts.MemberCount,

+		"TeamCount":                       navCounts.TeamCount,

+		"IsOwner":                         isOwner,

+		"CanExpandTeam":                   canExpandTeam,

+		"SecretTeamWritesDisabledMessage": secretTeamWritesDisabledMessage,

+		"Notice":                          teamsNoticeMessage(r.URL.Query().Get("notice")),

+		noticeCode, err := h.secretTeamWriteNotice(r.Context(), org.ID, team)

+		if err != nil {

+			h.d.Logger.ErrorContext(r.Context(), "teams: secret-team entitlement check", "org_id", org.ID, "team_id", team.ID, "error", err)

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+			return

+		}

+		if noticeCode != "" {

+			http.Redirect(w, r, h.teamPath(org, team)+"?notice="+noticeCode, http.StatusSeeOther)

+			return

+		}

+		noticeCode, err := h.secretTeamWriteNotice(r.Context(), org.ID, team)

+		if err != nil {

+			h.d.Logger.ErrorContext(r.Context(), "teams: secret-team entitlement check", "org_id", org.ID, "team_id", team.ID, "error", err)

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+			return

+		}

+		if noticeCode != "" {

+			http.Redirect(w, r, h.teamPath(org, team)+"?notice="+noticeCode, http.StatusSeeOther)

+			return

+		}

+	"time"

+	"github.com/tenseleyFlow/shithub/internal/billing"

+func TestSecretTeamAddMemberRequiresEntitlementButRemoveAllowed(t *testing.T) {

+	t.Parallel()

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	ownerID := insertOrgAvatarUser(t, pool, "owner")

+	memberID := insertOrgAvatarUser(t, pool, "member")

+	orgID := insertOrgAvatarOrg(t, pool, ownerID, "acme")

+	if _, err := pool.Exec(ctx, `INSERT INTO org_members (org_id, user_id, role) VALUES ($1, $2, 'member')`, orgID, memberID); err != nil {

+		t.Fatalf("insert org member: %v", err)

+	}

+	teamID := insertTeamForTest(t, pool, orgID, "security", "Security", "secret")

+

+	form := url.Values{"user_id": {strconv.FormatInt(memberID, 10)}, "role": {"member"}}

+	body, status, location := performTeamsRequest(t, pool, middleware.CurrentUser{ID: ownerID, Username: "owner"}, http.MethodPost, "/acme/teams/security/members", form)

+	if status != http.StatusSeeOther {

+		t.Fatalf("free add status=%d body=%s", status, body)

+	}

+	if location != "/acme/teams/security?notice=secret-teams-upgrade" {

+		t.Fatalf("free add redirect=%q", location)

+	}

+	assertTeamMemberCount(t, pool, teamID, 0)

+

+	if _, err := pool.Exec(ctx, `INSERT INTO team_members (team_id, user_id, role) VALUES ($1, $2, 'member')`, teamID, memberID); err != nil {

+		t.Fatalf("seed team member: %v", err)

+	}

+	assertTeamMemberCount(t, pool, teamID, 1)

+

+	remove := url.Values{

+		"user_id": {strconv.FormatInt(memberID, 10)},

+		"action":  {"remove"},

+	}

+	body, status, _ = performTeamsRequest(t, pool, middleware.CurrentUser{ID: ownerID, Username: "owner"}, http.MethodPost, "/acme/teams/security/members", remove)

+	if status != http.StatusSeeOther {

+		t.Fatalf("remove status=%d body=%s", status, body)

+	}

+	assertTeamMemberCount(t, pool, teamID, 0)

+

+	activateTeamPlanForTest(t, pool, orgID)

+	body, status, _ = performTeamsRequest(t, pool, middleware.CurrentUser{ID: ownerID, Username: "owner"}, http.MethodPost, "/acme/teams/security/members", form)

+	if status != http.StatusSeeOther {

+		t.Fatalf("team add status=%d body=%s", status, body)

+	}

+	assertTeamMemberCount(t, pool, teamID, 1)

+}

+

+func TestSecretTeamRepoGrantRequiresEntitlementButRevokeAllowed(t *testing.T) {

+	t.Parallel()

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	ownerID := insertOrgAvatarUser(t, pool, "owner")

+	orgID := insertOrgAvatarOrg(t, pool, ownerID, "acme")

+	teamID := insertTeamForTest(t, pool, orgID, "security", "Security", "secret")

+	repoID := insertTeamRepoForTest(t, pool, orgID, "private-repo")

+

+	form := url.Values{"repo_id": {strconv.FormatInt(repoID, 10)}, "role": {"write"}}

+	body, status, location := performTeamsRequest(t, pool, middleware.CurrentUser{ID: ownerID, Username: "owner"}, http.MethodPost, "/acme/teams/security/repos", form)

+	if status != http.StatusSeeOther {

+		t.Fatalf("free grant status=%d body=%s", status, body)

+	}

+	if location != "/acme/teams/security?notice=secret-teams-upgrade" {

+		t.Fatalf("free grant redirect=%q", location)

+	}

+	assertTeamRepoGrantCount(t, pool, teamID, 0)

+

+	if _, err := pool.Exec(ctx, `INSERT INTO team_repo_access (team_id, repo_id, role) VALUES ($1, $2, 'write')`, teamID, repoID); err != nil {

+		t.Fatalf("seed team repo access: %v", err)

+	}

+	assertTeamRepoGrantCount(t, pool, teamID, 1)

+

+	remove := url.Values{

+		"repo_id": {strconv.FormatInt(repoID, 10)},

+		"action":  {"remove"},

+	}

+	body, status, _ = performTeamsRequest(t, pool, middleware.CurrentUser{ID: ownerID, Username: "owner"}, http.MethodPost, "/acme/teams/security/repos", remove)

+	if status != http.StatusSeeOther {

+		t.Fatalf("revoke status=%d body=%s", status, body)

+	}

+	assertTeamRepoGrantCount(t, pool, teamID, 0)

+

+	activateTeamPlanForTest(t, pool, orgID)

+	body, status, _ = performTeamsRequest(t, pool, middleware.CurrentUser{ID: ownerID, Username: "owner"}, http.MethodPost, "/acme/teams/security/repos", form)

+	if status != http.StatusSeeOther {

+		t.Fatalf("team grant status=%d body=%s", status, body)

+	}

+	assertTeamRepoGrantCount(t, pool, teamID, 1)

+}

+

+

+func insertTeamRepoForTest(t *testing.T, db orgsdb.DBTX, orgID int64, name string) int64 {

+	t.Helper()

+	var id int64

+	if err := db.QueryRow(context.Background(),

+		`INSERT INTO repos (owner_org_id, name, visibility, default_branch)

+		 VALUES ($1, $2, 'private', 'trunk')

+		 RETURNING id`,

+		orgID, name,

+	).Scan(&id); err != nil {

+		t.Fatalf("insert repo: %v", err)

+	}

+	return id

+}

+

+func activateTeamPlanForTest(t *testing.T, pool *pgxpool.Pool, orgID int64) {

+	t.Helper()

+	now := time.Now().UTC().Truncate(time.Second)

+	_, err := billing.ApplySubscriptionSnapshot(context.Background(), billing.Deps{Pool: pool}, billing.SubscriptionSnapshot{

+		OrgID:                    orgID,

+		Plan:                     billing.PlanTeam,

+		Status:                   billing.SubscriptionStatusActive,

+		StripeSubscriptionID:     "sub_teams_" + strconv.FormatInt(orgID, 10),

+		StripeSubscriptionItemID: "si_teams_" + strconv.FormatInt(orgID, 10),

+		CurrentPeriodStart:       now,

+		CurrentPeriodEnd:         now.Add(30 * 24 * time.Hour),

+		LastWebhookEventID:       "evt_teams_" + strconv.FormatInt(orgID, 10),

+	})

+	if err != nil {

+		t.Fatalf("activate team plan: %v", err)

+	}

+}

+

+func assertTeamMemberCount(t *testing.T, db orgsdb.DBTX, teamID int64, want int) {

+	t.Helper()

+	var count int

+	if err := db.QueryRow(context.Background(), `SELECT count(*) FROM team_members WHERE team_id = $1`, teamID).Scan(&count); err != nil {

+		t.Fatalf("count team members: %v", err)

+	}

+	if count != want {

+		t.Fatalf("team member count=%d, want %d", count, want)

+	}

+}

+

+func assertTeamRepoGrantCount(t *testing.T, db orgsdb.DBTX, teamID int64, want int) {

+	t.Helper()

+	var count int

+	if err := db.QueryRow(context.Background(), `SELECT count(*) FROM team_repo_access WHERE team_id = $1`, teamID).Scan(&count); err != nil {

+		t.Fatalf("count team repo grants: %v", err)

+	}

+	if count != want {

+		t.Fatalf("team repo grant count=%d, want %d", count, want)

+	}

+}

+	"strconv"

+func TestSettingsBranchesAllowsDowngradedOrgToRemoveAdvancedSettings(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	orgID := f.insertOwnedOrg(t, "acme")

+	repo := f.insertOrgRepo(t, orgID, "private-org-repo", reposdb.RepoVisibilityPrivate)

+	ruleID, err := f.handlers.rq.UpsertBranchProtectionRule(context.Background(), f.pool, reposdb.UpsertBranchProtectionRuleParams{

+		RepoID:          repo.ID,

+		Pattern:         "trunk",

+		PreventDeletion: true,

+	})

+	if err != nil {

+		t.Fatalf("seed branch rule: %v", err)

+	}

+	if err := f.handlers.rq.UpdateBranchProtectionReviewSettings(context.Background(), f.pool, reposdb.UpdateBranchProtectionReviewSettingsParams{

+		ID:                        ruleID,

+		RequiredReviewCount:       2,

+		DismissStaleReviewsOnPush: true,

+	}); err != nil {

+		t.Fatalf("seed review settings: %v", err)

+	}

+	if err := f.handlers.rq.UpdateBranchProtectionCheckSettings(context.Background(), f.pool, reposdb.UpdateBranchProtectionCheckSettingsParams{

+		ID:                             ruleID,

+		StatusChecksRequired:           []string{"ci"},

+		DismissStaleStatusChecksOnPush: true,

+	}); err != nil {

+		t.Fatalf("seed check settings: %v", err)

+	}

+

+	mux := f.branchesSettingsMux(f.owner.ID, f.owner.Username)

+	resp := httptest.NewRecorder()

+	req := newFormRequest(http.MethodPost, "/acme/private-org-repo/settings/branches", url.Values{

+		"id":      {strconv.FormatInt(ruleID, 10)},

+		"pattern": {"trunk"},

+	})

+	mux.ServeHTTP(resp, req)

+

+	if resp.Code != http.StatusSeeOther {

+		t.Fatalf("POST status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if got := resp.Header().Get("Location"); got != "/acme/private-org-repo/settings/branches?notice=saved" {

+		t.Fatalf("redirect location=%q", got)

+	}

+	assertBranchProtectionRule(t, f, repo.ID, 0, nil, false, false)

+}

+

+    {{ with .Notice }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+    {{ with .SecretTeamWritesDisabledMessage }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+      {{ if .CanExpandTeam }}

+      {{ end }}