add api delete endpoint for addon authors (#19180)

* add api delete endpoint for addon authors

* Update addons.rst

docs/topics/api/addons.rst

@@ -808,6 +808,24 @@ This endpoint allows the properties of an add-on author to be edited.
     :<json int position: The position the author should be returned in the list of authors of the add-on :ref:`detail <addon-detail-object>`. Order is ascending so lower positions are placed earlier.
 
 
+-------------
+Author Delete
+-------------
+
+.. _addon-author-delete:
+
+This endpoint allows an add-on author to be removed from an add-on.
+Add-ons must have at least one owner, and at least one listed author.
+
+    .. note::
+        This API requires :doc:`authentication <auth>`, and for the user to be an owner of the add-on.
+
+    .. warning::
+        If you delete yourself as an add-on author you will lose all access to the add-on.
+
+.. http:delete:: /api/v5/addons/addon/(int:addon_id|string:addon_slug|string:addon_guid)/authors/(int:user_id)/
+
+
 -------------
 Upload Create
 -------------

docs/topics/api/overview.rst

@@ -440,6 +440,7 @@ These are `v5` specific changes - `v4` changes apply also.
 * 2022-04-14: added a ``previews`` endpoint under /addon/ that can be used to create, update, and delete add-on previews for non-themes. https://github.com/mozilla/addons-server/issues/18236
 * 2022-04-28: added the ability to delete add-ons via addon detail api endpoint. https://github.com/mozilla/addons-server/issues/19072
 * 2022-05-05: added the ability to list and edit add-on authors. https://github.com/mozilla/addons-server/issues/18231
+* 2022-05-05: added the ability to delete add-on authors. https://github.com/mozilla/addons-server/issues/19163
 
 .. _`#11380`: https://github.com/mozilla/addons-server/issues/11380/
 .. _`#11379`: https://github.com/mozilla/addons-server/issues/11379/

src/olympia/addons/tests/test_views.py

@@ -5820,3 +5820,29 @@ class TestAddonAuthorViewSet(TestCase):
         self.addonuser.reload()
         assert response.data['listed'] is False
         self.addonuser.listed is False
+
+    def test_delete(self):
+        new_author = AddonUser.objects.create(
+            addon=self.addon,
+            user=user_factory(),
+            role=amo.AUTHOR_ROLE_DEV,
+            listed=False,
+        )
+        assert self.client.delete(self.detail_url).status_code == 401
+
+        self.client.login_api(user_factory())
+        assert self.client.delete(self.detail_url).status_code == 403
+
+        self.client.login_api(self.user)
+        response = self.client.delete(self.detail_url)
+        assert response.status_code == 400
+        assert response.data == ['Add-ons need at least one owner.']
+
+        new_author.update(role=amo.AUTHOR_ROLE_OWNER)
+        response = self.client.delete(self.detail_url)
+        assert response.status_code == 400
+        assert response.data == ['Add-ons need at least one listed author.']
+
+        new_author.update(listed=True)
+        response = self.client.delete(self.detail_url)
+        assert response.status_code == 204

src/olympia/addons/views.py

@@ -692,6 +692,7 @@ class AddonAuthorViewSet(
     ListModelMixin,
     RetrieveModelMixin,
     UpdateModelMixin,
+    DestroyModelMixin,
     GenericViewSet,
 ):
     # We can't define permissions here because we need slightly different permissions
@@ -741,6 +742,12 @@ class AddonAuthorViewSet(
     def get_queryset(self):
         return self.get_addon_object().addonuser_set.all().order_by('position')
 
+    def perform_destroy(self, instance):
+        serializer = self.get_serializer(instance)
+        serializer.validate_role(value=None)
+        serializer.validate_listed(value=None)
+        return super().perform_destroy(instance)
+
 
 class AddonSearchView(ListAPIView):
     authentication_classes = []