Fix “Withdraw access request” for groups

2 files changed, 45 insertions, 16 deletions

diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 902ecc461bd..77b3d0fa5a5 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -3,7 +3,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
   include SortingHelper
 
   # Authorize
-  before_action :authorize_admin_group_member!, except: [:index, :leave, :request_access]
+  before_action :authorize_admin_group_member!, except: [:index, :leave, :request_access, :withdraw_access_request]
 
   def index
     @sort = params[:sort].presence || sort_value_name
diff --git a/spec/controllers/groups/group_members_controller_spec.rb b/spec/controllers/groups/group_members_controller_spec.rb
index e88c7c2e4bb..21cc66bafee 100644
--- a/spec/controllers/groups/group_members_controller_spec.rb
+++ b/spec/controllers/groups/group_members_controller_spec.rb
@@ -160,21 +160,6 @@ describe Groups::GroupMembersController do
           expect(response).to have_http_status(403)
         end
       end
-
-      context 'and has requested access' do
-        before do
-          group.request_access(user)
-        end
-
-        it 'removes user from members' do
-          delete :leave, group_id: group
-
-          expect(response).to set_flash.to 'Your access request to the group has been withdrawn.'
-          expect(response).to redirect_to(group_path(group))
-          expect(group.access_requests).to be_empty
-          expect(group.users).not_to include user
-        end
-      end
     end
   end
 
@@ -193,6 +178,50 @@ describe Groups::GroupMembersController do
     end
   end
 
+  describe 'DELETE withdraw_access_request' do
+    context 'when the current_user has requested access to the group' do
+      let!(:access_request) { group.request_access(user) }
+
+      before do
+        sign_in(user)
+      end
+
+      it 'redirects with success message' do
+        delete :withdraw_access_request, group_id: group
+
+        expect(response).to set_flash.to /Your access request .* has been withdrawn/
+        expect(response).to redirect_to(group)
+      end
+
+      it 'destroys the access request' do
+        delete :withdraw_access_request, group_id: group
+
+        expect(group.access_requests.where(user: user)).not_to exist
+      end
+    end
+
+    context 'when the current_user has not requested access to the group' do
+      let(:other_user) { create(:user) }
+      let!(:other_access_request) { group.request_access(other_user) }
+
+      before do
+        sign_in(user)
+      end
+
+      it 'responds 404 Not Found' do
+        delete :withdraw_access_request, group_id: group
+
+        expect(response).to have_http_status(404)
+      end
+
+      it "does not destroy another user's access request" do
+        delete :withdraw_access_request, group_id: group
+
+        expect(group.access_requests.where(user: other_user)).to exist
+      end
+    end
+  end
+
   describe 'POST approve_access_request' do
     let(:member) { create(:group_member, :access_request, group: group) }