readthedocs · humitos · Jun 30, 2020 · Jun 11, 2020 · Jun 15, 2020 · Jun 22, 2020
diff --git a/readthedocs/oauth/services/github.py b/readthedocs/oauth/services/github.py
@@ -6,6 +6,8 @@
 
 from allauth.socialaccount.models import SocialToken
 from allauth.socialaccount.providers.github.views import GitHubOAuth2Adapter
+
+from django.db.models import Q
 from django.conf import settings
 from django.urls import reverse
 from requests.exceptions import RequestException
@@ -35,15 +37,23 @@ class GitHubService(Service):
 
     def sync(self):
         """Sync repositories and organizations."""
-        self.sync_repositories()
-        self.sync_organizations()
+        repos = self.sync_repositories()
+        organization_repos = self.sync_organizations()
+
+        # Delete RemoteRepository where the user doesn't have access anymore
+        # (skip RemoteRepository tied to a Project on this user)
+        full_names = {repo.get('full_name') for repo in repos + organization_repos}
+        self.user.oauth_repositories.exclude(
+            Q(full_name__in=full_names) | Q(project__isnull=False)
+        ).delete()
 
     def sync_repositories(self):
         """Sync repositories from GitHub API."""
         repos = self.paginate('https://api.github.com/user/repos?per_page=100')
         try:
             for repo in repos:
                 self.create_repository(repo)
+            return repos
         except (TypeError, ValueError):
             log.warning('Error syncing GitHub repositories')
             raise SyncServiceError(
@@ -65,6 +75,7 @@ def sync_organizations(self):
                 )
                 for repo in org_repos:
                     self.create_repository(repo, organization=org_obj)
+                return org_repos
         except (TypeError, ValueError):
             log.warning('Error syncing GitHub organizations')
             raise SyncServiceError(

diff --git a/readthedocs/organizations/models.py b/readthedocs/organizations/models.py
@@ -1,6 +1,7 @@
 """Organizations models."""
 
 from autoslug import AutoSlugField
+from django.conf import settings
 from django.contrib.auth.models import User
 from django.db import models
 from django.db.models import Q
@@ -93,7 +94,25 @@ def get_absolute_url(self):
 
     @property
     def users(self):
-        return (self.members.all() | self.owners.all().distinct()).distinct()
+        sso_users = User.objects.none()
+        # TODO: find another way to check if we are under corporate site
+        if settings.ALLOW_PRIVATE_REPOS:
+            from readthedocsinc.acl.sso.models import SSOIntegration  # noqa
+            if SSOIntegration.objects.filter(organization=self).exists():
+                # TODO: use RemoteRepository.remote_id instead of full_name
+                full_names = self.projects.values('remote_repository__full_name')
+                sso_users = User.objects.filter(
+                    oauth_repositories__full_name__in=full_names,
+                ).distinct()
+
+        return (
+            # Members
+            self.members.all() |
+            # Owners
+            self.owners.all().distinct() |
+            # SSO Users
+            sso_users
+        ).distinct()
 
     @property
     def members(self):