Users#PUT API can update the wrong GroupSAML identity
The following discussion from !14045 (merged) should be addressed:
-
@jamedjo started a discussion: A user could have multiple identities with
provider: 'group_saml'
, one for each GitLab.com group they belong to. This could find and update the wrong identity.Before the
find_or_create_by
we hadfind_by(provider: identity_params[:provider], saml_provider_id: saml_provider_id)
, so could probably dofind_by(provider_params)
and override those in EE to includesaml_provider_id
when present.I'll create a follow up issue.