Check membership before removing project member.

hc/accounts/tests/test_project.py

@@ -93,6 +93,17 @@ class ProfileTestCase(BaseTestCase):
         self.bobs_profile.refresh_from_db()
         self.assertEqual(self.bobs_profile.current_project, None)
 
+    def test_it_checks_membership_when_removing_team_member(self):
+        self.client.login(username="charlie@example.org", password="password")
+
+        url = "/projects/%s/settings/" % self.charlies_project.code
+        form = {"remove_team_member": "1", "email": "alice@example.org"}
+        r = self.client.post(url, form)
+        self.assertEqual(r.status_code, 400)
+
+        self.profile.refresh_from_db()
+        self.assertIsNotNone(self.profile.current_project)
+
     def test_it_sets_project_name(self):
         self.client.login(username="alice@example.org", password="password")
 

hc/accounts/views.py

@@ -283,16 +283,20 @@ def project(request, code):
         elif "remove_team_member" in request.POST:
             form = RemoveTeamMemberForm(request.POST)
             if form.is_valid():
+                q = User.objects
+                q = q.filter(email=form.cleaned_data["email"])
+                q = q.filter(memberships__project=project)
+                farewell_user = q.first()
+                if farewell_user is None:
+                    return HttpResponseBadRequest()
 
-                email = form.cleaned_data["email"]
-                farewell_user = User.objects.get(email=email)
                 farewell_user.profile.current_project = None
                 farewell_user.profile.save()
 
                 Member.objects.filter(project=project,
                                       user=farewell_user).delete()
 
-                ctx["team_member_removed"] = email
+                ctx["team_member_removed"] = form.cleaned_data["email"]
                 ctx["team_status"] = "info"
         elif "set_project_name" in request.POST:
             form = ProjectNameForm(request.POST)