Add email notication on package/release removal

Until now, where there are multiple contributors on a single
the project, if one of them deletes a release or the whole
project the other contributors don't get any notification,
which is problematic.

Connected with issue #5714.

Signed-off-by: Martin Vrachev <[email protected]>

Author: MVrachev

tests/unit/email/test_init.py

@@ -2310,7 +2310,75 @@ def test_delete_project_disallow_deletion(self):
             pretend.call("manage.project.settings", project_name="foo")
         ]
 
-    def test_delete_project(self, db_request):
+    def test_get_project_contributors(self, db_request):
+        project = ProjectFactory.create(name="foo")
+        db_request.session = pretend.stub(
+            flash=pretend.call_recorder(lambda *a, **kw: None),
+        )
+
+        db_request.user = UserFactory.create()
+        project.users = [db_request.user]
+
+        res = views.get_project_contributors(project.name, db_request)
+        assert res == [db_request.user]
+
+    def test_get_user_role_in_project_single_role_owner(self, db_request):
+        project = ProjectFactory.create(name="foo")
+        db_request.session = pretend.stub(
+            flash=pretend.call_recorder(lambda *a, **kw: None),
+        )
+        db_request.user = UserFactory.create()
+        project.users = [db_request.user]
+        RoleFactory(user=db_request.user, project=project)
+
+        res = views.get_user_role_in_project(
+            project.name, db_request.user.username, db_request
+        )
+        assert res == "Owner"
+
+    def test_get_user_role_in_project_single_role_maintainer(self, db_request):
+        project = ProjectFactory.create(name="foo")
+        db_request.session = pretend.stub(
+            flash=pretend.call_recorder(lambda *a, **kw: None),
+        )
+        db_request.user = UserFactory.create()
+        project.users = [db_request.user]
+        RoleFactory(user=db_request.user, project=project, role_name="Maintainer")
+
+        res = views.get_user_role_in_project(
+            project.name, db_request.user.username, db_request
+        )
+        assert res == "Maintainer"
+
+    def test_get_user_role_in_project_two_roles_owner_and_maintainer(self, db_request):
+        project = ProjectFactory.create(name="foo")
+        db_request.session = pretend.stub(
+            flash=pretend.call_recorder(lambda *a, **kw: None),
+        )
+        db_request.user = UserFactory.create()
+        project.users = [db_request.user]
+        RoleFactory(user=db_request.user, project=project, role_name="Owner")
+        RoleFactory(user=db_request.user, project=project, role_name="Maintainer")
+
+        res = views.get_user_role_in_project(
+            project.name, db_request.user.username, db_request
+        )
+        assert res == "Owner"
+
+    def test_get_user_role_in_project_no_role(self, db_request):
+        project = ProjectFactory.create(name="foo")
+        db_request.session = pretend.stub(
+            flash=pretend.call_recorder(lambda *a, **kw: None),
+        )
+        db_request.user = UserFactory.create()
+        project.users = [db_request.user]
+
+        res = views.get_user_role_in_project(
+            project.name, db_request.user.username, db_request
+        )
+        assert res == ""
+
+    def test_delete_project(self, monkeypatch, db_request):
         project = ProjectFactory.create(name="foo")
 
         db_request.route_path = pretend.call_recorder(lambda *a, **kw: "/the-redirect")
@@ -2319,6 +2387,22 @@ def test_delete_project(self, db_request):
         )
         db_request.POST["confirm_project_name"] = project.normalized_name
         db_request.user = UserFactory.create()
+
+        get_user_role_in_project = pretend.call_recorder(
+            lambda project_name, username, req: "Owner"
+        )
+        monkeypatch.setattr(views, "get_user_role_in_project", get_user_role_in_project)
+
+        get_project_contributors = pretend.call_recorder(
+            lambda project_name, req: [db_request.user]
+        )
+        monkeypatch.setattr(views, "get_project_contributors", get_project_contributors)
+
+        send_removed_project_email = pretend.call_recorder(lambda req, user, **k: None)
+        monkeypatch.setattr(
+            views, "send_removed_project_email", send_removed_project_email
+        )
+
         db_request.remote_addr = "192.168.1.1"
 
         result = views.delete_project(project, db_request)
@@ -2329,6 +2413,26 @@ def test_delete_project(self, db_request):
         assert db_request.route_path.calls == [pretend.call("manage.projects")]
         assert isinstance(result, HTTPSeeOther)
         assert result.headers["Location"] == "/the-redirect"
+
+        assert get_user_role_in_project.calls == [
+            pretend.call(project.name, db_request.user.username, db_request,),
+            pretend.call(project.name, db_request.user.username, db_request,),
+        ]
+
+        assert get_project_contributors.calls == [
+            pretend.call(project.name, db_request,)
+        ]
+
+        assert send_removed_project_email.calls == [
+            pretend.call(
+                db_request,
+                db_request.user,
+                project_name=project.name,
+                submitter_name=db_request.user.username,
+                submitter_role="Owner",
+                recipient_role="Owner",
+            )
+        ]
         assert not (db_request.db.query(Project).filter(Project.name == "foo").count())
 
 
@@ -2495,6 +2599,7 @@ def test_delete_project_release(self, monkeypatch):
             project=pretend.stub(
                 name="foobar", record_event=pretend.call_recorder(lambda *a, **kw: None)
             ),
+            created=datetime.datetime(2017, 2, 5, 17, 18, 18, 462_634),
         )
         request = pretend.stub(
             POST={"confirm_version": release.version},
@@ -2511,7 +2616,25 @@ def test_delete_project_release(self, monkeypatch):
         )
         journal_obj = pretend.stub()
         journal_cls = pretend.call_recorder(lambda **kw: journal_obj)
+
+        get_user_role_in_project = pretend.call_recorder(
+            lambda project_name, username, req: "Owner"
+        )
+        monkeypatch.setattr(views, "get_user_role_in_project", get_user_role_in_project)
+        get_project_contributors = pretend.call_recorder(
+            lambda project_name, request: [request.user]
+        )
+        monkeypatch.setattr(views, "get_project_contributors", get_project_contributors)
+
         monkeypatch.setattr(views, "JournalEntry", journal_cls)
+        send_removed_project_release_email = pretend.call_recorder(
+            lambda req, contrib, **k: None
+        )
+        monkeypatch.setattr(
+            views,
+            "send_removed_project_release_email",
+            send_removed_project_release_email,
+        )
 
         view = views.ManageProjectRelease(release, request)
 
@@ -2520,6 +2643,25 @@ def test_delete_project_release(self, monkeypatch):
         assert isinstance(result, HTTPSeeOther)
         assert result.headers["Location"] == "/the-redirect"
 
+        assert get_user_role_in_project.calls == [
+            pretend.call(release.project.name, request.user.username, request,),
+            pretend.call(release.project.name, request.user.username, request,),
+        ]
+        assert get_project_contributors.calls == [
+            pretend.call(release.project.name, request,)
+        ]
+
+        assert send_removed_project_release_email.calls == [
+            pretend.call(
+                request,
+                request.user,
+                release=release,
+                submitter_name=request.user.username,
+                submitter_role="Owner",
+                recipient_role="Owner",
+            )
+        ]
+
         assert request.db.delete.calls == [pretend.call(release)]
         assert request.db.add.calls == [pretend.call(journal_obj)]
         assert request.flags.enabled.calls == [

tests/unit/manage/test_views.py

@@ -213,6 +213,40 @@ def send_two_factor_removed_email(request, user, method):
     return {"method": pretty_methods[method], "username": user.username}
 
 
+@_email("removed-project")
+def send_removed_project_email(
+    request, user, *, project_name, submitter_name, submitter_role, recipient_role
+):
+    recipient_role_descr = "an owner"
+    if recipient_role == "Maintainer":
+        recipient_role_descr = "a maintainer"
+
+    return {
+        "project": project_name,
+        "submitter": submitter_name,
+        "submitter_role": submitter_role,
+        "recipient_role_descr": recipient_role_descr,
+    }
+
+
+@_email("removed-project-release")
+def send_removed_project_release_email(
+    request, user, *, release, submitter_name, submitter_role, recipient_role
+):
+    recipient_role_descr = "an owner"
+    if recipient_role == "Maintainer":
+        recipient_role_descr = "a maintainer"
+
+    return {
+        "project": release.project.name,
+        "release": release.version,
+        "release_date": release.created.strftime("%Y-%m-%d"),
+        "submitter": submitter_name,
+        "submitter_role": submitter_role,
+        "recipient_role_descr": recipient_role_descr,
+    }
+
+
 def includeme(config):
     email_sending_class = config.maybe_dotted(config.registry.settings["mail.backend"])
     config.register_service_factory(email_sending_class.create_service, IEmailSender)

warehouse/email/__init__.py

@@ -38,6 +38,8 @@
     send_email_verification_email,
     send_password_change_email,
     send_primary_email_change_email,
+    send_removed_project_email,
+    send_removed_project_release_email,
     send_two_factor_added_email,
     send_two_factor_removed_email,
 )
@@ -899,6 +901,46 @@ def manage_project_settings(project, request):
     return {"project": project}
 
 
+def get_project_contributors(project_name, request):
+    query_res = (
+        request.db.query(Project)
+        .join(User, Project.users)
+        .filter(Project.name == project_name)
+        .one()
+    )
+    return query_res.users
+
+
+def get_user_role_in_project(project_name, username, request):
+    raw_res = (
+        request.db.query(Project)
+        .join(User, Project.users)
+        .filter(User.username == username, Project.name == project_name)
+        .with_entities(Role.role_name)
+        .distinct(Role.role_name)
+        .all()
+    )
+
+    query_res = []
+    for el in raw_res:
+        if el.role_name is not None:
+            query_res.append(el)
+
+    user_role = ""
+    # This check is needed because of
+    # issue https://github.com/pypa/warehouse/issues/2745
+    # which is not yet resolved and a user could be an owner
+    # and a maintainer at the same time
+    if len(query_res) == 2 and (
+        query_res[0].role_name == "Owner" or query_res[1].role_name == "Owner"
+    ):
+        user_role = "Owner"
+    if len(query_res) == 1:
+        user_role = query_res[0].role_name
+
+    return user_role
+
+
 @view_config(
     route_name="manage.project.delete_project",
     context=Project,
@@ -921,6 +963,26 @@ def delete_project(project, request):
         )
 
     confirm_project(project, request, fail_route="manage.project.settings")
+
+    submitter_role = get_user_role_in_project(
+        project.name, request.user.username, request
+    )
+    contributors = get_project_contributors(project.name, request)
+
+    for contributor in contributors:
+        contributor_role = get_user_role_in_project(
+            project.name, contributor.username, request
+        )
+
+        send_removed_project_email(
+            request,
+            contributor,
+            project_name=project.name,
+            submitter_name=request.user.username,
+            submitter_role=submitter_role,
+            recipient_role=contributor_role,
+        )
+
     remove_project(project, request)
 
     return HTTPSeeOther(request.route_path("manage.projects"))
@@ -1053,6 +1115,11 @@ def delete_project_release(self):
                 )
             )
 
+        submitter_role = get_user_role_in_project(
+            self.release.project.name, self.request.user.username, self.request
+        )
+        contributors = get_project_contributors(self.release.project.name, self.request)
+
         self.request.db.add(
             JournalEntry(
                 name=self.release.project.name,
@@ -1078,6 +1145,20 @@ def delete_project_release(self):
             f"Deleted release {self.release.version!r}", queue="success"
         )
 
+        for contributor in contributors:
+            contributor_role = get_user_role_in_project(
+                self.release.project.name, contributor.username, self.request
+            )
+
+            send_removed_project_release_email(
+                self.request,
+                contributor,
+                release=self.release,
+                submitter_name=self.request.user.username,
+                submitter_role=submitter_role,
+                recipient_role=contributor_role,
+            )
+
         return HTTPSeeOther(
             self.request.route_path(
                 "manage.project.releases", project_name=self.release.project.name

warehouse/manage/views.py

@@ -0,0 +1,41 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+{% extends "email/_base/body.html" %}
+
+{% block extra_style %}
+ul.collaborator-details {
+list-style-type: none;
+}
+{% endblock %}
+
+{% block content %}
+<p>
+  <ul class="removed-project-release">
+    <li>{% trans project=project, release=release, date=release_date %}The {{ project }} release {{ release }} released on {{ date }} has been deleted.{% endtrans  %}</li>
+    <li>{% trans submitter=submitter, role=submitter_role %}<strong>Deleted by:</strong> {{ submitter }} with a role:
+      {{ role }}.{% endtrans %}
+    </li>
+  </ul>
+</p>
+
+<p>{% trans href='mailto:[email protected]', email_address='[email protected]' %}If this was a mistake, you can email <a
+    href="{{ href }}">{{ email_address }}</a> to communicate with the PyPI administrators.{% endtrans %}</p>
+{% endblock %}
+
+{% block reason %}
+
+<p>{% trans recipient_role_descr=recipient_role_descr %}
+You are receiving this because you are {{ recipient_role_descr }} of this project.{% endtrans %}</p>
+
+{% endblock %}