
Wrong access level in api/v4/projects/:id/members/all

Summary

The API endpoint api/v4/projects/:id/members/all delivers the wrong access level for users who got access by sharing with a group. This access level is not limited by Max access level.

Steps to reproduce

Share a project with a group and limit access level of this sharing to Developer. Many new owners and maintainers are listed via API.

Example Project

The following project has only one member (myself) and is shared with the group siemens, limiting to Developer access level. Getting all members via the API shows many members with access level Maintainer and Owner.

https://gitlab.com/api/v4/projects/12762042/members/all

What is the current bug behavior?

User access level provided via API is not limited by configured Max access level.

What is the expected correct behavior?

User access level provided via API should be limited by configured Max access level.

Relevant logs and/or screenshots

image

image

Output of checks

This bug happens on GitLab.com

Possible fixes

The queries are rather complicated after the last update by !24005 (merged), so I don't exactly know how, but it's in the code touched by that MR. I have also tested in GDK that the mentioned MR did not fix this problem...

/cc @jacopo-beschi

duplicate of https://gitlab.com/gitlab-org/gitlab-ce/issues/62284

Edited by 🙈 jacopo beschi 🙉
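
The check described in this issue, as an added example that is not part of the original report or of GitLab's code: it recomputes each member's level with the share's Max access level applied and flags entries where the members/all output is higher. It assumes the effective level is the lower of the group level and the share cap, with the highest source winning; all sample data is constructed, and the field names follow the GitLab REST API (`access_level`, `shared_with_groups[].group_access_level`).

```python
# Added example with constructed data; runs offline, no API calls.
ACCESS = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}

# Constructed inputs shaped like GitLab API responses.
DIRECT = [{"id": 1, "username": "reporter", "access_level": 40}]        # /projects/:id/members
SHARES = [{"group_id": 7, "group_access_level": 30}]                    # project.shared_with_groups
GROUP_MEMBERS = {7: [{"id": 2, "username": "alice", "access_level": 50},
                     {"id": 3, "username": "bob", "access_level": 40},
                     {"id": 4, "username": "carol", "access_level": 20}]}  # /groups/:id/members/all
# What /projects/:id/members/all returns when the cap is ignored (the bug).
REPORTED = [{"id": 1, "username": "reporter", "access_level": 40},
            {"id": 2, "username": "alice", "access_level": 50},
            {"id": 3, "username": "bob", "access_level": 40},
            {"id": 4, "username": "carol", "access_level": 20}]

def expected_levels(direct, shares, group_members):
    """Return {user_id: level} with every share capped at its Max access level.

    Assumed rule: min(group level, share cap) per share, highest source wins.
    """
    levels = {m["id"]: m["access_level"] for m in direct}
    for share in shares:
        cap = share["group_access_level"]
        for m in group_members.get(share["group_id"], []):
            capped = min(m["access_level"], cap)
            levels[m["id"]] = max(levels.get(m["id"], 0), capped)
    return levels

def find_overstated(reported, direct, shares, group_members):
    """List (username, reported_level, expected_level) where the API overstates."""
    expected = expected_levels(direct, shares, group_members)
    findings = []
    for m in reported:
        want = expected.get(m["id"])  # None: user has no known access source
        if want is None or m["access_level"] > want:
            findings.append((m["username"], m["access_level"], want))
    return findings

if __name__ == "__main__":
    for user, got, want in find_overstated(REPORTED, DIRECT, SHARES, GROUP_MEMBERS):
        print(f"{user}: API says {ACCESS[got]}, capped level is {ACCESS.get(want, 'none')}")
```
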