Namespace#force_share_with_group_lock_on_descendants will always update ALL namespaces, ignoring the output of `Namespace#descendants`
Found as part of https://gitlab.com/gitlab-com/infrastructure/issues/2773:
Namespace.find_by(path: 'gitlab-org').send(:force_share_with_group_lock_on_descendants)
This will produce:
UPDATE "namespaces" SET "share_with_group_lock" = 't'
This is a massive issue since it allows one to:
- Set
share_with_group_lock
for everybody (which at this point has probably already messed up namespaces) - DoS attack GitLab.com by triggering this procedure many times
This needs to be fixed ASAP as we're already getting hit by this on GitLab.com.
cc @mkozono