From a5d512f2e42352e5eb3298d1fa44d59ea25262f7 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Thu, 31 Jul 2025 16:18:03 -0500
Subject: Revoke roles a user has on group when they are removed as a member.
---
 gn_auth/auth/authorisation/resources/groups/models.py | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'gn_auth')
diff --git a/gn_auth/auth/authorisation/resources/groups/models.py b/gn_auth/auth/authorisation/resources/groups/models.py
index 3189302..e027b2c 100644
--- a/gn_auth/auth/authorisation/resources/groups/models.py
+++ b/gn_auth/auth/authorisation/resources/groups/models.py
@@ -359,6 +359,9 @@ def remove_user_from_group(
 "DELETE FROM group_users "
 "WHERE group_id=:group_id AND user_id=:user_id",
 {"group_id": str(group.group_id), "user_id": str(user.user_id)})
+ cursor.execute(
+ "DELETE FROM user_roles WHERE user_id=? AND resource_id=?",
+ (str(user.user_id), str(grp_resource.resource_id)))
 assign_user_role_by_name(cursor,
 user,
 grp_resource.resource_id,
-- 
cgit 1.4.1
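Review bot: The added `DELETE FROM user_roles` runs immediately before `assign_user_role_by_name(cursor, user, grp_resource.resource_id, …)`, so the removed user is granted a role on the same group resource right after every role on it is revoked. The role name is outside the hunk, so it is worth confirming that the re-granted role gives a non-member no privilege inside the group. The statement order also matters, since swapping the two calls would wipe the new grant, and a comment such as `# Revoke all roles on the group resource first; the assignment below must run after this.` would protect it. The delete is scoped to `grp_resource.resource_id` only, so roles the user holds on other resources tied to the group would presumably survive removal; that matches the commit subject but cannot be checked from here. As a style point, the neighbouring statement uses named placeholders, and `WHERE user_id=:user_id AND resource_id=:resource_id` with a dict would match it.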