Performant group-level membership checking
Problem to solve
Currently there is no performant way to query the list of groups a user is a member of. A use case is to get a list of group-level resources in a set of groups the user can read. Specifically, for the confidential epics task we need to filter only epics which are either not confidential or are in a group the user is a member of. This could be done by using a group members sub-query to get the user's membership, but since the member can be a whole group, it's probably not possible to do this with a single query.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
An option would be to denormalize group membership and introduce a group_authorizations table (similar to the existing project_authorizations table) which would keep the group membership access level for each group member?
Permissions and Security
Similar to project_authorizations, we should make sure we update this table whenever a user's membership is updated (either directly or indirectly, when sharing with a group).
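
A sketch of the proposal above, as an added example that is not GitLab's code: a denormalized group_authorizations table turns the confidential-epic filter into a single lookup, and a missed refresh leaves revoked access in place. The members, group_shares and epics tables, their columns, the one-level sharing model (no nested subgroups) and capping a shared level at the lower of the two levels are all simplified assumptions.

```python
import sqlite3

# Hypothetical, simplified schema; only group_authorizations is named on the page.
SCHEMA = """
CREATE TABLE members (user_id INT, group_id INT, access_level INT);
CREATE TABLE group_shares (shared_group_id INT, shared_with_group_id INT, access_level INT);
CREATE TABLE group_authorizations (user_id INT, group_id INT, access_level INT,
                                   PRIMARY KEY (user_id, group_id));
CREATE TABLE epics (id INT, group_id INT, confidential INT);
"""

def refresh_authorizations(db, user_id):
    """Rebuild one user's rows from direct membership and group sharing."""
    rows = db.execute("""
        SELECT group_id, MAX(access_level) FROM (
            SELECT group_id, access_level FROM members WHERE user_id = :u
            UNION ALL
            SELECT s.shared_group_id, MIN(m.access_level, s.access_level)
            FROM group_shares s
            JOIN members m ON m.group_id = s.shared_with_group_id
            WHERE m.user_id = :u
        ) GROUP BY group_id""", {"u": user_id}).fetchall()
    with db:  # delete and insert commit together, so readers never see a partial set
        db.execute("DELETE FROM group_authorizations WHERE user_id = ?", (user_id,))
        db.executemany("INSERT INTO group_authorizations VALUES (?, ?, ?)",
                       [(user_id, g, lvl) for g, lvl in rows])

def visible_epic_ids(db, user_id):
    """Epics that are not confidential, or whose group the user is authorized in."""
    return [r[0] for r in db.execute("""
        SELECT e.id FROM epics e
        WHERE e.confidential = 0
           OR EXISTS (SELECT 1 FROM group_authorizations a
                      WHERE a.user_id = ? AND a.group_id = e.group_id)
        ORDER BY e.id""", (user_id,))]

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed data: user 1 is in group 10; group 20 is shared with group 10.
    db.execute("INSERT INTO members VALUES (1, 10, 30)")
    db.execute("INSERT INTO group_shares VALUES (20, 10, 20)")
    db.executemany("INSERT INTO epics VALUES (?, ?, ?)",
                   [(1, 10, 1), (2, 20, 1), (3, 30, 1), (4, 30, 0)])
    refresh_authorizations(db, 1)
    before = visible_epic_ids(db, 1)
    db.execute("DELETE FROM group_shares WHERE shared_group_id = 20")  # share revoked
    stale = visible_epic_ids(db, 1)   # no refresh yet: epic 2 is still returned
    refresh_authorizations(db, 1)
    return before, stale, visible_epic_ids(db, 1)
```

The middle result is the case the Permissions and Security section warns about: until the refresh runs, the revoked share still exposes the confidential epic in group 20.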