Add regression test for rust-lang#2736

Author: Turbo87

src/tests/routes/crates/owners/remove.rs

@@ -1,5 +1,8 @@
+use crate::models::{CrateOwner, OwnerKind};
 use crate::tests::builders::CrateBuilder;
 use crate::tests::util::{RequestHelper, TestApp};
+use crate::util::diesel::prelude::*;
+use crates_io_database::schema::{crate_owners, users};
 use http::StatusCode;
 use insta::assert_snapshot;
 
@@ -80,3 +83,71 @@ async fn test_unknown_team() {
     assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     assert_snapshot!(response.text(), @r#"{"errors":[{"detail":"could not find team with login `github:unknown:unknown`"}]}"#);
 }
+
+/// See <https://github.com/rust-lang/crates.io/issues/2736>.
+#[tokio::test(flavor = "multi_thread")]
+async fn test_issue_2736() -> anyhow::Result<()> {
+    use diesel::RunQueryDsl;
+
+    let (app, _) = TestApp::full().empty();
+    let mut conn = app.db_conn();
+
+    // - A user had a GitHub account named, let's say, `foo`
+    let foo1 = app.db_new_user("foo");
+
+    // - Another user `someone_else` added them as an owner of a crate
+    let someone_else = app.db_new_user("someone_else");
+
+    let krate = CrateBuilder::new("crate1", someone_else.as_model().id).expect_build(&mut conn);
+
+    diesel::insert_into(crate_owners::table)
+        .values(CrateOwner {
+            crate_id: krate.id,
+            owner_id: foo1.as_model().id,
+            created_by: someone_else.as_model().id,
+            owner_kind: OwnerKind::User,
+            email_notifications: true,
+        })
+        .execute(&mut conn)?;
+
+    // - `foo` deleted their GitHub account (but crates.io has no real knowledge of this)
+    // - `foo` recreated their GitHub account with the same username (because it was still available), but in this situation GitHub assigns them a new ID
+    // - When `foo` now logs in to crates.io, it's a different account than their old `foo` crates.io account because of the new GitHub ID (and if it wasn't, this would be a security problem)
+    let foo2 = app.db_new_user("foo");
+
+    let github_ids = users::table
+        .filter(users::gh_login.eq("foo"))
+        .select(users::gh_id)
+        .load::<i32>(&mut conn)?;
+
+    assert_eq!(github_ids.len(), 2);
+    assert_ne!(github_ids[0], github_ids[1]);
+
+    // - The new `foo` account is NOT an owner of the crate
+    let owner_ids = crate_owners::table
+        .filter(crate_owners::crate_id.eq(krate.id))
+        .filter(crate_owners::deleted.eq(false))
+        .select(crate_owners::owner_id)
+        .load::<i32>(&mut conn)?;
+
+    assert_eq!(owner_ids.len(), 2);
+    assert!(!owner_ids.contains(&foo2.as_model().id));
+
+    // - `someone_else` can't add the new `foo` account as an owner, nor can they remove the old `foo` as an owner :(
+    let url = "/api/v1/crates/crate1/owners";
+    let payload = json!({ "owners": ["foo"] }).to_string();
+    let response = someone_else.delete_with_body::<()>(url, payload).await;
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_snapshot!(response.text(), @r#"{"msg":"owners successfully removed","ok":true}"#);
+
+    let owner_ids = crate_owners::table
+        .filter(crate_owners::crate_id.eq(krate.id))
+        .filter(crate_owners::deleted.eq(false))
+        .select(crate_owners::owner_id)
+        .load::<i32>(&mut conn)?;
+
+    assert_eq!(owner_ids.len(), 1);
+    assert_eq!(owner_ids[0], someone_else.as_model().id);
+
+    Ok(())
+}