rust-lang · bors-voyager · Aug 27, 2017 · Aug 21, 2017 · Aug 27, 2017 · Aug 27, 2017
diff --git a/src/krate.rs b/src/krate.rs
@@ -1404,8 +1404,8 @@ fn modify_owners(req: &mut Request, add: bool) -> CargoResult<Response> {
         } else {
             // Removing the team that gives you rights is prevented because
             // team members only have Rights::Publish
-            if *login == user.gh_login {
-                return Err(human("cannot remove yourself as an owner"));
+            if owners.len() == 1 {
+                return Err(human("cannot remove the sole owner of a crate"));
             }
             krate.owner_remove(&conn, user, login)?;
         }

diff --git a/src/tests/krate.rs b/src/tests/krate.rs
@@ -1263,6 +1263,71 @@ fn following() {
     assert_eq!(::json::<CrateList>(&mut response).crates.len(), 0);
 }
 
+// Ensures that so long as at least one owner remains associated with the crate,
+// a user can still remove their own login as an owner
+#[test]
+fn owners_can_remove_self() {
+    #[derive(Deserialize)]
+    struct R {
+        users: Vec<EncodablePublicUser>,
+    }
+    #[derive(Deserialize)]
+    struct O {
+        ok: bool,
+    }
+
+    let (_b, app, middle) = ::app();
+    let mut req = ::req(
+        app.clone(),
+        Method::Get,
+        "/api/v1/crates/owners_selfremove/owners",
+    );
+    {
+        let conn = app.diesel_database.get().unwrap();
+        ::new_user("secondowner").create_or_update(&conn).unwrap();
+        let user = ::new_user("firstowner").create_or_update(&conn).unwrap();
+        ::sign_in_as(&mut req, &user);
+        ::CrateBuilder::new("owners_selfremove", user.id).expect_build(&conn);
+    }
+
+    let mut response = ok_resp!(middle.call(&mut req));
+    let r: R = ::json(&mut response);
+    assert_eq!(r.users.len(), 1);
+
+    // Deleting yourself when you're the only owner isn't allowed.
+    let body = r#"{"users":["firstowner"]}"#;
+    let mut response = ok_resp!(middle.call(req.with_method(Method::Delete).with_body(
+        body.as_bytes(),
+    )));
+    let json = ::json::<::Bad>(&mut response);
+    assert!(json.errors[0].detail.contains(
+        "cannot remove the sole owner of a crate",
+    ));
+
+    let body = r#"{"users":["secondowner"]}"#;
+    let mut response = ok_resp!(middle.call(req.with_method(Method::Put).with_body(
+        body.as_bytes(),
+    )));
+    assert!(::json::<O>(&mut response).ok);
+
+    // Deleting yourself when there are other owners is allowed.
+    let body = r#"{"users":["firstowner"]}"#;
+    let mut response = ok_resp!(middle.call(req.with_method(Method::Delete).with_body(
+        body.as_bytes(),
+    )));
+    assert!(::json::<O>(&mut response).ok);
+
+    // After you delete yourself, you no longer have permisions to manage the crate.
+    let body = r#"{"users":["secondowner"]}"#;
+    let mut response = ok_resp!(middle.call(req.with_method(Method::Delete).with_body(
+        body.as_bytes(),
+    )));
+    let json = ::json::<::Bad>(&mut response);
+    assert!(json.errors[0].detail.contains(
+        "only owners have permission to modify owners",
+    ));
+}
+
 #[test]
 fn owners() {
     #[derive(Deserialize)]