From d0138712bdefa9945485e069d1a8d628417aadbc Mon Sep 17 00:00:00 2001
From: Denis Ledoux <dle@odoo.com>
Date: Mon, 9 Dec 2019 18:14:17 +0100
Subject: [PATCH] [ADD] runbot_merge: automatic reviewer de-provisioning

When an employee sadly leaves Odoo,
the Odoo production database (odoo.com) will call these routes
in order to remove the reviewer rights automatically.

So a user who no longer works for Odoo can't "r+" Github PRs.

This is related to odoo/internal#617
---
 runbot_merge/controllers/__init__.py          |  1 +
 .../controllers/reviewer_provisioning.py      | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 runbot_merge/controllers/reviewer_provisioning.py

diff --git a/runbot_merge/controllers/__init__.py b/runbot_merge/controllers/__init__.py
index a7debc29..58870470 100644
--- a/runbot_merge/controllers/__init__.py
+++ b/runbot_merge/controllers/__init__.py
@@ -8,6 +8,7 @@ import werkzeug.exceptions
 from odoo.http import Controller, request, route
 
 from . import dashboard
+from . import reviewer_provisioning
 from .. import utils, github
 
 _logger = logging.getLogger(__name__)
diff --git a/runbot_merge/controllers/reviewer_provisioning.py b/runbot_merge/controllers/reviewer_provisioning.py
new file mode 100644
index 00000000..785001c9
--- /dev/null
+++ b/runbot_merge/controllers/reviewer_provisioning.py
@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+
+from odoo import http
+from odoo.http import request
+try:
+    from odoo.addons.saas_worker.util import from_role
+except ImportError:
+    def from_role(_):
+        return lambda _: None
+
+
+class MergebotReviewerProvisioning(http.Controller):
+
+    @from_role('accounts')
+    @http.route(['/runbot_merge/get_reviewers'], type='json', auth='public')
+    def fetch_reviewers(self, **kwargs):
+        partners = request.env['res.partner'].sudo().search(['|', ('self_reviewer', '=', True), ('reviewer', '=', True)])
+        return partners.mapped('github_login')
+
+    @from_role('accounts')
+    @http.route(['/runbot_merge/remove_reviewers'], type='json', auth='public', methods=['POST'])
+    def update_reviewers(self, github_logins, **kwargs):
+        partners = request.env['res.partner'].sudo().search([('github_login', 'in', github_logins)])
+
+        # remove reviewer flag from the partner
+        partners.write({
+            'reviewer': False,
+            'self_reviewer': False,
+        })
+
+        # Assign the linked users as portal users
+        partners.mapped('user_ids').write({
+            'groups_id': [(6, 0, [request.env.ref('base.group_portal').id])]
+        })