Team members doesn't validate who is being removed
Created by: orf
In the team members tab of the repository view, a user is able to add or remove members of a repository. The currently viewing user does not have the option to remove himself from the repository (some "This is you!" text replaces the remove button); however, it is still possible to remove yourself from the project.
The simplest way to test this is to add another user and use Chrome's developer tools to edit the remove button's HREF for the other user to point to your username. For example, if I am the user "tom" and I have added "chris" to my repository, I can change the href of his remove button from "/tom/PROJECT/team_members/chris" to "/tom/PROJECT/team_members/tom". Once I press the remove button, I am removed instead of chris, which shouldn't be possible. The remove endpoint should validate this and stop a user from removing himself if the interface attempts to prevent this.
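
The server-side check the report asks for, shown beside the unchecked behaviour it describes. This is an added example, not part of the original report or the project's code: the handler names, the in-memory `MEMBERS` store and the status codes are assumptions, and the paths are the ones quoted in the report.

```python
import re

# Constructed sample data: (owner, project) -> set of member usernames.
MEMBERS = {("tom", "PROJECT"): {"tom", "chris"}}

ROUTE = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<project>[^/]+)/team_members/(?P<target>[^/]+)$"
)


def remove_member_unchecked(session_user, path, members):
    """Behaviour described in the report: the username in the URL is trusted."""
    m = ROUTE.match(path)
    if not m:
        return 404
    team = members.get((m["owner"], m["project"]))
    if team is None or session_user not in team:
        return 404
    team.discard(m["target"])  # removes the caller too if the href was edited
    return 200


def remove_member_checked(session_user, path, members):
    """Same handler with the rule the UI implies enforced on the server.

    session_user comes from the authenticated session, never from the path.
    """
    m = ROUTE.match(path)
    if not m:
        return 404
    team = members.get((m["owner"], m["project"]))
    if team is None or session_user not in team:
        return 404  # do not reveal projects the caller is not a member of
    if m["target"] == session_user:
        return 403  # self-removal is hidden in the UI, so it is refused here
    if m["target"] not in team:
        return 404
    team.remove(m["target"])
    return 200
```

Hiding the button only changes what the browser renders; the request path is still fully under the client's control, so the comparison against the session user has to happen in the handler.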