LDAP subgroup sync fails when user-to-be-synced has requested (but not received) higher permissions in parent group
Summary
LDAP group sync fails for a subgroup where a user-to-be-synced has already requested access in the parent group.
This is the same class of problem as reported in #9613 (closed) and resolved in !13435 (merged).
This was reported (Zendesk, internal use only) by a starter customer.
Steps to reproduce
- Create parent group with internal visibility
- Using an account that belongs to an LDAP group, request access to the parent group
- Create subgroup in parent group
- In subgroup, set up LDAP group sync with reporter permissions
What is the current bug behavior?
The LDAP group sync fails due to the user having a higher permission requested (but not approved) in the parent group.
What is the expected correct behavior?
The LDAP group sync should succeed and ignore unapproved membership requests.
Relevant logs and/or screenshots
The subgroup sync fails due to the group's members and requesters being invalid:
irb(main):022:0> group = Group.find_by_full_path('ticket-141759/subgroup')
irb(main):023:0> group.save!
Traceback (most recent call last):
1: from (irb):23
ActiveRecord::RecordInvalid (Validation failed: Members and requesters is invalid)
Output of checks
This happens on a v12.6.2-ee instance. Presumably it still exists in master at the time of posting.
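A simplified, stand-alone Ruby model of the failure described in this report, added here as an illustration and not GitLab's code: it runs the same check once with unapproved requests counted as memberships and once with them ignored. The class and method names, the rule that a subgroup membership may not be lower than the inherited level, and the developer-level request are assumptions.

```ruby
# Simplified model of the behaviour in this report; not GitLab's code.
# All class, method and user names are hypothetical.
ACCESS = { guest: 10, reporter: 20, developer: 30 }.freeze

# requested_at is non-nil while an access request awaits approval.
Member = Struct.new(:user, :access_level, :requested_at)

class Group
  attr_reader :parent, :members

  def initialize(parent: nil)
    @parent = parent
    @members = []
  end

  def add(user, level, requested_at: nil)
    @members << Member.new(user, ACCESS.fetch(level), requested_at)
  end

  # Highest level the user holds in any ancestor group. When
  # include_requests is true, unapproved requests count as memberships.
  def inherited_level(user, include_requests:)
    levels = []
    group = parent
    while group
      rows = group.members.select { |m| m.user == user }
      rows = rows.reject { |m| m.requested_at } unless include_requests
      levels.concat(rows.map(&:access_level))
      group = group.parent
    end
    levels.max || 0
  end

  # Assumed rule: a subgroup membership may not be lower than the inherited one.
  def sync_allowed?(user, level, include_requests:)
    ACCESS.fetch(level) >= inherited_level(user, include_requests: include_requests)
  end
end

# Constructed scenario: pending developer-level request in the parent,
# LDAP sync into the subgroup at reporter level.
def pending_request_scenario
  parent = Group.new
  parent.add('ldap-user', :developer, requested_at: Time.now)
  subgroup = Group.new(parent: parent)
  [subgroup.sync_allowed?('ldap-user', :reporter, include_requests: true),
   subgroup.sync_allowed?('ldap-user', :reporter, include_requests: false)]
end
```

In this model an approved developer membership in the parent still blocks a reporter-level sync in the subgroup; only the pending request is ignored.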