From 70e0128052944f03fdd5d718ef0d39dc71fbab11 Mon Sep 17 00:00:00 2001
From: Hugh Rundle <hugh@hughrundle.net>
Date: Sat, 2 Oct 2021 14:41:23 +1000
Subject: [PATCH] non-owners can't add users to groups

- hide add-user pages from non-owners
- hide user searchbox from non-owners
- fix find-user searchbox being in wrong place where no results
---
 bookwyrm/templates/groups/group.html          |  2 ++
 .../templates/groups/suggested_users.html     |  7 +++----
 bookwyrm/views/group.py                       | 19 ++++++++++++++++++-
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/bookwyrm/templates/groups/group.html b/bookwyrm/templates/groups/group.html
index 1ea8f00dd..4d1cdf79c 100644
--- a/bookwyrm/templates/groups/group.html
+++ b/bookwyrm/templates/groups/group.html
@@ -61,6 +61,7 @@
         {% include "snippets/pagination.html" with page=items %}
     </section>
 
+    {% if group.user == request.user %}
     <section class="column is-one-quarter">
       <div class="block">
           <h2 class="title is-5">Find new members</h2>
@@ -78,6 +79,7 @@
           </form>
       </div>
     </section>
+    {% endif %}
 
 </div>
 {% endblock %}
diff --git a/bookwyrm/templates/groups/suggested_users.html b/bookwyrm/templates/groups/suggested_users.html
index ce5eab6d8..75dfe491c 100644
--- a/bookwyrm/templates/groups/suggested_users.html
+++ b/bookwyrm/templates/groups/suggested_users.html
@@ -3,7 +3,6 @@
 {% load humanize %}
 
 {% if suggested_users %}
-<div class="columns is-mobile scroll-x mb-0">
     {% for user in suggested_users %}
     <div class="column is-flex is-flex-grow-0">
         <div class="box has-text-centered is-shadowless has-background-white-bis m-0">
@@ -37,7 +36,7 @@
     </div>
     {% endfor %}
     {% else %}
-    No potential members found for "{{ query }}"
+    <div >
+      No potential members found for "{{ query }}"
+    </div>
 {% endif %}
-</div>
-
diff --git a/bookwyrm/views/group.py b/bookwyrm/views/group.py
index 60ca8d21f..5ae2cecdb 100644
--- a/bookwyrm/views/group.py
+++ b/bookwyrm/views/group.py
@@ -114,6 +114,12 @@ class FindUsers(View):
 
         group = get_object_or_404(models.BookwyrmGroup, id=group_id)
 
+        if not group:
+            return HttpResponseBadRequest()
+
+        if not group.user == request.user:
+            return HttpResponseBadRequest()
+
         data = {
           "suggested_users": user_results,
           "group": group,
@@ -186,7 +192,18 @@ def remove_member(request):
         except IntegrityError:
             pass
 
-        # TODO: should send notification to all members including the now ex-member that they have been removed.
+        # let the other members know about it
+        model = apps.get_model("bookwyrm.Notification", require_ready=True)
+        memberships = models.BookwyrmGroupMember.objects.get(group=group)
+        for membership in memberships:
+            member = membership.user 
+            if member != request.user:
+                model.objects.create(
+                    user=member,
+                    related_user=request.user,
+                    related_group=request.group,
+                    notification_type="REMOVE",
+                )
 
     return redirect(user.local_path)