Improve EpicsFinder membership subquery
As linear traversal queries are being rolled out, we should investigate the performance benefit of eliminating recursive traversal queries and also investigate if traversal ids could be used to eliminate N+1 queries (when checking permission for all subgroups).
There is also an issue regarding members from shared groups: either by switching to linear traversal queries or when #195423 (closed) is done, we should improve epics finder to address situation when only a subgroup is shared with other group - in such situation users from the shared group may not have access to confidential epics in the subgroup.
The following discussion from !31337 (merged) should be addressed:
-
@jprovaznik started a discussion: (+3 comments) Here we filter only groups user is member of - if he is a non-guest member of a group he has also permissions to read confidential epics in the group.
There is an edge case - this query doesn't handle membership through shared groups (as there is currently no simple way how to do this w/o adding N+1 query issue - #217327 (closed)).
group A subgroup B confidential epic C
So supposing we have a structure like this
☝ and user lists all epics and subepics ingroup A
, then:- if he is direct or indirect member of
group A
he will seeconfidential epic C
(indirect membership is checked thanks tocan_read_all_related_groups?
) - if he is not member of
group A
but is direct member ofsubgroup B
, he will seeconfidential epic C
- if he is not member of
group A
but is indirect member (through a shared group) ofsubgroup B
, he will not seeconfidential epic C
- if he is direct or indirect member of