[ENG-9157] Add atomic ability to remove contributors from children projects in API (CenterForOpenScience#11425)

* add include_children to delete contributors

* atomic contributor remove; add tests

* remove from children only for nodes

* fix tests

---------

Co-authored-by: Yuhuai Liu <yuhuai@cos.io>

Author: antkryt

api/nodes/views.py

@@ -161,7 +161,7 @@
     Preprint,
     Collection,
     Contributor,
-    NotificationTypeEnum,
+    NotificationType,
 )
 from addons.osfstorage.models import Region
 from osf.utils.permissions import ADMIN, WRITE_NODE
@@ -572,8 +572,6 @@ def perform_destroy(self, instance):
             )
             with transaction.atomic():
                 for descendant in targets:
-                    if not descendant.has_permission(auth.user, osf_permissions.ADMIN):
-                        raise PermissionDenied(f'Must have admin permission on {descendant._id} to remove contributor.')
                     removed = descendant.remove_contributor(instance, auth)
                     if not removed:
                         raise ValidationError(f'{descendant._id} must have at least one registered admin contributor')

api_tests/draft_registrations/views/test_draft_registration_contributor_detail.py

@@ -277,19 +277,6 @@ def test_remove_contributor_include_children_is_atomic_on_violation(self, app, u
         project.reload()
         assert user_write_contrib not in project.contributors
 
-    def test_remove_contributor_include_children_forbidden_if_unauthorized_child(self, app, user, user_write_contrib, project):
-        # Draft registrations have no child components, so include_children does not
-        # trigger any descendant permission checks; the contributor is simply removed.
-        assert user_write_contrib in project.contributors
-
-        url = f'/{API_BASE}draft_registrations/{project._id}/contributors/{user_write_contrib._id}/?include_children=true'
-        with disconnected_from_listeners(contributor_removed):
-            res = app.delete(url, auth=user.auth)
-        assert res.status_code == 204
-
-        project.reload()
-        assert user_write_contrib not in project.contributors
-
 
 @pytest.mark.django_db
 class TestDraftBibliographicContributorDetail():

api_tests/nodes/views/test_node_contributors_detail.py

@@ -493,29 +493,7 @@ def test_remove_contributor_include_children_is_atomic_on_violation(self, app, u
         with disconnected_from_listeners(contributor_removed):
             res = app.delete(url, auth=user.auth, expect_errors=True)
 
-        assert res.status_code == 403
-
-        project.reload()
-        child.reload()
-
-        assert user_write_contrib in project.contributors
-        assert user_write_contrib in child.contributors
-
-    def test_remove_contributor_include_children_forbidden_if_unauthorized_child(self, app, user, user_write_contrib, project):
-        other_admin = AuthUserFactory()
-        child = ProjectFactory(parent=project, creator=other_admin)
-        child.add_contributor(user_write_contrib, permissions=permissions.WRITE, visible=True, save=True)
-
-        assert user in project.contributors
-        assert user not in child.contributors
-        assert other_admin in child.contributors
-        assert user_write_contrib in project.contributors
-        assert user_write_contrib in child.contributors
-
-        url = f'/{API_BASE}nodes/{project._id}/contributors/{user_write_contrib._id}/?include_children=true'
-        with disconnected_from_listeners(contributor_removed):
-            res = app.delete(url, auth=user.auth, expect_errors=True)
-        assert res.status_code == 403
+        assert res.status_code == 400
 
         project.reload()
         child.reload()