Merge pull request #44 from isb-cgc/bug_1228

Bug 1228
isb-cgc · Aug 20, 2016 · f3b0bf6 · f3b0bf6
2 parents 0ea6e49 + 3156585
commit f3b0bf6
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 9 deletions.
diff --git a/cohorts/urls.py b/cohorts/urls.py
@@ -32,6 +32,7 @@
     url(r'^clone_cohort/(?P<cohort_id>\d+)/',       views.clone_cohort, name='clone_cohort'),
     url(r'^share_cohort/$',                         views.share_cohort, name='share_cohorts'),
     url(r'^share_cohort/(?P<cohort_id>\d+)/',       views.share_cohort, name='share_cohort'),
+    url(r'^unshare_cohort/$',                       views.unshare_cohort, name='unshare_cohorts'),
     url(r'^unshare_cohort/(?P<cohort_id>\d+)/',     views.unshare_cohort, name='unshare_cohort'),
     url(r'^set_operation/',                         views.set_operation, name='set_operation'),
     url(r'^save_cohort_comment/',                   views.save_comment, name='save_cohort_comment'),

diff --git a/cohorts/views.py b/cohorts/views.py
@@ -2134,20 +2134,38 @@ def streaming_csv_view(request, cohort_id=0):
 @login_required
 def unshare_cohort(request, cohort_id=0):
 
-    if request.POST.get('owner'):
-        # The owner of the resource should also be able to remove users they shared with.
-        # Get user_id from post
-        user_id = request.POST.get('user_id')
-        resc = Cohort_Perms.objects.get(cohort_id=cohort_id, user_id=user_id)
+    cohort_set = None
+
+    if request.POST.get('cohorts'):
+        cohort_set = json.loads(request.POST.get('cohorts'))
     else:
-        # This allows users to remove resources shared with them
-        resc = Cohort_Perms.objects.get(cohort_id=cohort_id, user_id=request.user.id)
+        if cohort_id == 0:
+            return JsonResponse({
+                'msg': 'No cohort IDs were provided!'
+            }, status=500)
+        else:
+            cohort_set = [cohort_id]
+
+    for cohort in cohort_set:
+        owner = str(Cohort.objects.get(id=cohort).get_owner().id)
+        req_user = str(request.user.id)
+        unshare_user = str(request.POST.get('user_id'))
+
+        if req_user != unshare_user and owner != req_user:
+            return JsonResponse({
+                'msg': 'Cannot unshare with another user if you are not the owner'
+            }, status=500)
+
+        cohort_perms = Cohort_Perms.objects.filter(cohort=cohort, user=unshare_user)
 
-    resc.delete()
+        for resc in cohort_perms:
+            # Don't try to delete your own permissions as owner
+            if str(resc.perm) != 'OWNER':
+                resc.delete()
 
     return JsonResponse({
         'status': 'success'
-    })
+    }, status=200)
 
 
 @login_required