LDAP group sync leaves authorized_projects in inconsistent state
Summary
When a user is removed from an LDAP group and LdapGroupSyncWorker is executed, the user still has access to projects under the group. This is also the case when clicking "Sync" in the GitLab UI (this simply executes LdapGroupSyncWorker).
Steps to reproduce
- Ensure GitLab group (ldap-link) is linked with LDAP group (developers = master)
- Add user uid=chris,dc=example,dc=org to cn=developers,dc=example,dc=org (LDAP group)
- Run LdapGroupSyncWorker.new.perform
- Check ldap-link/project/settings/members
- User chris exists
- Remove uid=chris,dc=example,dc=org from cn=developers,dc=example,dc=org (LDAP group)
- Execute LdapGroupSyncWorker.new.perform
- Check ldap-link/project/settings/members
- User chris does not exist in the UI
- User chris still has access to ldap-link/project:
  Project.find_by_full_path('ldap-link/project').team.members.map(&:username)
  => ["john", "chris", "root"]
  ProjectAuthorization.where(user_id: User.find_by_username('chris').id)
  => #<ActiveRecord::Relation [#<ProjectAuthorization user_id: 2, project_id: 1, access_level: 40>]>
- Running User.find_by_username('chris').refresh_authorized_projects manually removes the user
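As an added example (not GitLab's code, and not part of the original report), the script below is a constructed in-memory model of the membership/authorization split behind these steps: group membership is the source of truth, and a separate per-user cache plays the role of ProjectAuthorization, which access checks read. The names AuthStore, reproduce and the refresh_removed flag are invented for illustration; the group, user and project names are taken from the report. With refresh_removed: false the sync rebuilds the cache only for users still in the group, which reproduces the stale row; stale_authorizations is the consistency check a practitioner would run to find such rows before fixing them with a per-user refresh.

```ruby
# Constructed model of the bug pattern in this report. Not GitLab code.
class AuthStore
  def initialize
    @ldap_groups    = Hash.new { |h, k| h[k] = [] }  # ldap dn => [uid, ...]
    @group_links    = {}                             # group   => [ldap dn, level]
    @group_members  = Hash.new { |h, k| h[k] = {} }  # group   => {uid => level}
    @projects       = {}                             # project => group
    @authorizations = Hash.new { |h, k| h[k] = {} }  # uid     => {project => level} (the cache)
  end

  def link_group(group, ldap_dn, level)
    @group_links[group] = [ldap_dn, level]
  end

  def add_project(path, group)
    @projects[path] = group
  end

  def ldap_add(ldap_dn, uid)
    @ldap_groups[ldap_dn] |= [uid]
  end

  def ldap_remove(ldap_dn, uid)
    @ldap_groups[ldap_dn].delete(uid)
  end

  # Stand-in for LdapGroupSyncWorker: rewrite each linked group's membership
  # from the LDAP group. refresh_removed: false refreshes only users still in
  # the group, so a removed user keeps a stale cache row (hypothetical flag).
  def ldap_group_sync(refresh_removed: true)
    @group_links.each do |group, (ldap_dn, level)|
      before = @group_members[group].keys
      @group_members[group] = @ldap_groups[ldap_dn].map { |uid| [uid, level] }.to_h
      after = @group_members[group].keys
      to_refresh = refresh_removed ? (before | after) : after
      to_refresh.each { |uid| refresh_authorized_projects(uid) }
    end
  end

  # Stand-in for User#refresh_authorized_projects: rebuild one user's cache
  # from current membership.
  def refresh_authorized_projects(uid)
    @authorizations[uid] = @projects.each_with_object({}) do |(path, group), acc|
      level = @group_members[group][uid]
      acc[path] = level if level
    end
  end

  # What the members page shows: derived from membership.
  def team_members(path)
    @group_members[@projects[path]].keys
  end

  # What access control reads: the cache.
  def authorized?(uid, path)
    @authorizations[uid].key?(path)
  end

  # Consistency check: cache rows with no backing membership.
  def stale_authorizations
    @authorizations.flat_map do |uid, rows|
      rows.keys.reject { |path| team_members(path).include?(uid) }.map { |path| [uid, path] }
    end
  end
end

# Replay the report's steps and return the observation at each point.
def reproduce(refresh_removed:)
  dn = 'cn=developers,dc=example,dc=org'
  s = AuthStore.new
  s.link_group('ldap-link', dn, 40)
  s.add_project('ldap-link/project', 'ldap-link')

  s.ldap_add(dn, 'chris')
  s.ldap_group_sync(refresh_removed: refresh_removed)
  added = s.authorized?('chris', 'ldap-link/project')

  s.ldap_remove(dn, 'chris')
  s.ldap_group_sync(refresh_removed: refresh_removed)
  result = {
    after_add: added,
    in_ui_after_remove: s.team_members('ldap-link/project').include?('chris'),
    authorized_after_remove: s.authorized?('chris', 'ldap-link/project'),
    stale: s.stale_authorizations
  }
  s.refresh_authorized_projects('chris')
  result[:authorized_after_manual_refresh] = s.authorized?('chris', 'ldap-link/project')
  result
end

if __FILE__ == $PROGRAM_NAME
  p reproduce(refresh_removed: false) # buggy sync: user gone from UI, still authorized
  p reproduce(refresh_removed: true)  # sync that refreshes removed users: access revoked
end
```

The check worth taking away is the diff in stale_authorizations: the members list and the authorization cache are two different queries, and only the second one gates access, so a sync is only correct if every user whose membership it changed (removed users included) gets refreshed.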
What is the current bug behavior?
The user's authorized_projects are not updated on LDAP group sync.
What is the expected correct behavior?
Update the user's authorized_projects on LDAP group sync.