"view:organization" permission for sll org members

- Allow read access to organization for all members
- Allow non-owners to remove self from organization

Author: divbzero

tests/unit/accounts/test_views.py

@@ -2257,9 +2257,6 @@ def test_verify_organization_role(
             pretend.call(
                 "manage.organization.roles", organization_name=organization.name
             )
-            if desired_role == "Owner"
-            # TODO: Test redirecting to managing organization projects.
-            else pretend.call("manage.organizations")
         ]
 
     @pytest.mark.parametrize(

tests/unit/manage/test_views.py

@@ -3453,7 +3453,7 @@ def test_delete_role(self, db_request, enable_organizations, monkeypatch):
             )
         ]
         assert db_request.session.flash.calls == [
-            pretend.call("Removed member", queue="success")
+            pretend.call("Removed from organization", queue="success")
         ]
         assert isinstance(result, HTTPSeeOther)
         assert result.headers["Location"] == "/the-redirect"
@@ -3478,6 +3478,36 @@ def test_delete_missing_role(self, db_request, enable_organizations):
         assert isinstance(result, HTTPSeeOther)
         assert result.headers["Location"] == "/the-redirect"
 
+    def test_delete_other_role_as_nonowner(self, db_request, enable_organizations):
+        organization = OrganizationFactory.create(name="foobar")
+        user = UserFactory.create(username="testuser")
+        role = OrganizationRoleFactory.create(
+            organization=organization,
+            user=user,
+            role_name=OrganizationRoleType.Owner,
+        )
+        user_2 = UserFactory.create()
+
+        db_request.method = "POST"
+        db_request.user = user_2
+        db_request.POST = MultiDict({"role_id": role.id})
+        db_request.has_permission = pretend.call_recorder(lambda *a, **kw: False)
+        db_request.session = pretend.stub(
+            flash=pretend.call_recorder(lambda *a, **kw: None)
+        )
+        db_request.route_path = pretend.call_recorder(lambda *a, **kw: "/the-redirect")
+
+        result = views.delete_organization_role(organization, db_request)
+
+        assert db_request.has_permission.calls == [pretend.call("manage:organization")]
+        assert db_request.session.flash.calls == [
+            pretend.call(
+                "Cannot remove other people from the organization", queue="error"
+            )
+        ]
+        assert isinstance(result, HTTPSeeOther)
+        assert result.headers["Location"] == "/the-redirect"
+
     def test_delete_own_owner_role(self, db_request, enable_organizations):
         organization = OrganizationFactory.create(name="foobar")
         user = UserFactory.create(username="testuser")

tests/unit/organizations/test_models.py

@@ -81,26 +81,50 @@ def test_acl(self, db_session):
         # ] +
         assert acls == sorted(
             [
-                (Allow, f"user:{owner1.user.id}", ["manage:organization"]),
-                (Allow, f"user:{owner2.user.id}", ["manage:organization"]),
+                (
+                    Allow,
+                    f"user:{owner1.user.id}",
+                    ["view:organization", "manage:organization"],
+                ),
+                (
+                    Allow,
+                    f"user:{owner2.user.id}",
+                    ["view:organization", "manage:organization"],
+                ),
             ],
             key=lambda x: x[1],
         ) + sorted(
             [
-                (Allow, f"user:{billing_mgr1.user.id}", ["manage:billing"]),
-                (Allow, f"user:{billing_mgr2.user.id}", ["manage:billing"]),
+                (
+                    Allow,
+                    f"user:{billing_mgr1.user.id}",
+                    ["view:organization", "manage:billing"],
+                ),
+                (
+                    Allow,
+                    f"user:{billing_mgr2.user.id}",
+                    ["view:organization", "manage:billing"],
+                ),
             ],
             key=lambda x: x[1],
         ) + sorted(
             [
-                (Allow, f"user:{account_mgr1.user.id}", ["manage:team"]),
-                (Allow, f"user:{account_mgr2.user.id}", ["manage:team"]),
+                (
+                    Allow,
+                    f"user:{account_mgr1.user.id}",
+                    ["view:organization", "manage:team"],
+                ),
+                (
+                    Allow,
+                    f"user:{account_mgr2.user.id}",
+                    ["view:organization", "manage:team"],
+                ),
             ],
             key=lambda x: x[1],
         ) + sorted(
             [
-                (Allow, f"user:{member1.user.id}", ["organization:member"]),
-                (Allow, f"user:{member2.user.id}", ["organization:member"]),
+                (Allow, f"user:{member1.user.id}", ["view:organization"]),
+                (Allow, f"user:{member2.user.id}", ["view:organization"]),
             ],
             key=lambda x: x[1],
         )

warehouse/accounts/views.py

@@ -983,20 +983,11 @@ def _error(message):
         queue="success",
     )
 
-    if desired_role == "Owner":
-        return HTTPSeeOther(
-            request.route_path(
-                "manage.organization.roles", organization_name=organization.name
-            )
+    return HTTPSeeOther(
+        request.route_path(
+            "manage.organization.roles", organization_name=organization.name
         )
-    else:
-        # TODO: Redirect to managing organization projects.
-        # return HTTPSeeOther(
-        #     request.route_path(
-        #         "manage.organization.projects", name=organization.name
-        #     )
-        # )
-        return HTTPSeeOther(request.route_path("manage.organizations"))
+    )
 
 
 @view_config(