From 57e2f011530a209be7b3c5e6329dd282e93afe69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
Date: Wed, 6 Jul 2016 12:35:16 +0200
Subject: [PATCH] Bug fix: users loose their project groups after getting role.

The badger service erased the user's groups when assigning subscriber
group membership.
---
 pillar/application/modules/service.py |  2 +-
 tests/test_service_badger.py          | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/pillar/application/modules/service.py b/pillar/application/modules/service.py
index 849ceb53..0d477f5e 100644
--- a/pillar/application/modules/service.py
+++ b/pillar/application/modules/service.py
@@ -80,7 +80,7 @@ def badger():
         return 'Role not allowed', 403
 
     # Fetch the user
-    db_user = users_coll.find_one({'email': user_email}, projection={'roles': 1})
+    db_user = users_coll.find_one({'email': user_email}, projection={'roles': 1, 'groups': 1})
     if db_user is None:
         log.warning('badger(%s, %s, %s): user not found', action, user_email, role)
         return 'User not found', 404
diff --git a/tests/test_service_badger.py b/tests/test_service_badger.py
index 9be6f27f..ff8c5432 100644
--- a/tests/test_service_badger.py
+++ b/tests/test_service_badger.py
@@ -76,3 +76,30 @@ class BadgerServiceTest(AbstractPillarTest):
 
             # This role isn't linked to group membership.
             test_for_group('succubus', test=self.assertNotIn)
+
+    def test_project_groups(self):
+        """Projects groups should be maintained."""
+
+        group_ids = self.create_standard_groups()
+
+        with self.app.test_request_context():
+            user_coll = self.app.data.driver.db['users']
+
+            def test_group_membership(expected_groups):
+                user = user_coll.find_one(self.user_id)
+                self.assertEqual(expected_groups, set(user['groups']))
+
+            # Fresh user, no roles.
+            test_group_membership(set())
+
+            # Add some groups
+            user_coll.update_one({'_id': self.user_id},
+                                 {'$set': {'groups': ['project1', 'project2']}})
+            test_group_membership({'project1', 'project2'})
+
+            # Grant subscriber role.
+            resp = self._post({'action': 'grant',
+                               'user_email': self.user_email,
+                               'role': 'subscriber'})
+            self.assertEqual(204, resp.status_code)
+            test_group_membership({'project1', 'project2', group_ids['subscriber']})