Max role not applied in api/v4/projects/:id/members/all output for members invited through other groups

Summary

The access level does not take into account the Max role setting for group members invited through other groups.

This is only a visual issue in the API output. The invited members are not able to perform actions above the restrictions applied by the max role in the target group.

Steps to reproduce

  1. Create Group A
  2. Invite User A with Maintainer access
  3. Create Group B
  4. Invite Group A to Group B with max role set to Developer
  5. Check api/v4/projects/:id/members/all for Group B. User A shows access 40 (Maintainer), but it should be 30 (Developer)
  6. Log in as User A
  7. Try to navigate to /groups/group-b/-/edit. A 404 is displayed. This is the settings page, available only for owners and maintainers, which means the Max role is actually applied.

Example Project

The below groups were used on GitLab.com for testing:

  • Group A: https://gitlab.com/groups/group-a54/
  • Group B: https://gitlab.com/group-b6
  • User A: Vlad-Mihai

What is the current bug behavior?

The API does not take into account the Max role setting when showing the access level for members invited through other groups.

What is the expected correct behavior?

The API should show the correct access level.

Relevant logs and/or screenshots

Output of checks

  • Direct members of Group A

        curl -s --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/groups/62882576/members" | jq --raw-output '.[] | [.access_level, .username] | @tsv'
        50	vmihai
        40	Vlad-Mihai

  • Direct members of Group B

        curl -s --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/groups/62882585/members" | jq --raw-output '.[] | [.access_level, .username] | @tsv'
        50	vmihai

  • Group A is shared with Group B with max role set to 30 (Developer)

        curl -s --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/groups/62882585/" | jq '.shared_with_groups'
        [
          {
            "group_id": 62882576,
            "group_name": "Group A",
            "group_full_path": "group-a54",
            "group_access_level": 30,
            "expires_at": null
          }
        ]

  • API shows Vlad-Mihai's access level as 40 (Maintainer), but it should be 30 (Developer)

        curl -s --header "PRIVATE-TOKEN: <token>" "https://gitlab.com/api/v4/groups/62882585/members/all" | jq --raw-output '.[] | [.access_level, .username] | @tsv'
        50	vmihai
        40	Vlad-Mihai
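
The check below is an added example, not GitLab's code: it recomputes the effective access level each member should have in the target group (direct membership as-is, membership inherited through a group share capped at the share's group_access_level, highest value winning on overlap) and diffs that against what members/all reports. The JSON is constructed to mirror the outputs above; the group IDs are the ones from this report.

```python
# Added example (not GitLab's code). Input JSON is constructed from the
# curl/jq outputs in this report; group IDs 62882576 (Group A) and
# 62882585 (Group B) are the ones used for testing.
from typing import Dict, List, Tuple

# Constructed: GET /groups/62882576/members (direct members of Group A)
GROUP_A_MEMBERS = [
    {"username": "vmihai", "access_level": 50},
    {"username": "Vlad-Mihai", "access_level": 40},
]
# Constructed: GET /groups/62882585/members (direct members of Group B)
GROUP_B_MEMBERS = [{"username": "vmihai", "access_level": 50}]
# Constructed: .shared_with_groups from GET /groups/62882585
GROUP_B_SHARES = [{"group_id": 62882576, "group_access_level": 30}]
# Constructed: GET /groups/62882585/members/all as the API currently reports it
GROUP_B_MEMBERS_ALL = [
    {"username": "vmihai", "access_level": 50},
    {"username": "Vlad-Mihai", "access_level": 40},
]


def effective_levels(direct: List[dict], shares: List[dict],
                     shared_members: Dict[int, List[dict]]) -> Dict[str, int]:
    """Expected access per user: direct membership unchanged, membership via a
    share capped at that share's max role, and the highest value wins when a
    user is reachable both ways."""
    levels = {m["username"]: m["access_level"] for m in direct}
    for share in shares:
        cap = share["group_access_level"]
        for m in shared_members.get(share["group_id"], []):
            capped = min(m["access_level"], cap)
            levels[m["username"]] = max(levels.get(m["username"], 0), capped)
    return levels


def find_overreported(members_all: List[dict],
                      expected: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Users whose reported access_level exceeds the effective level:
    username -> (reported, expected)."""
    return {m["username"]: (m["access_level"], expected.get(m["username"], 0))
            for m in members_all
            if m["access_level"] > expected.get(m["username"], 0)}


if __name__ == "__main__":
    exp = effective_levels(GROUP_B_MEMBERS, GROUP_B_SHARES, {62882576: GROUP_A_MEMBERS})
    for user, (reported, should_be) in find_overreported(GROUP_B_MEMBERS_ALL, exp).items():
        print(f"{user}: API reports {reported}, effective max role is {should_be}")
```

Run against real API responses, the same two functions flag every inherited member whose displayed level is above the share's cap.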

This bug happens on GitLab.com

Edited Jan 24, 2023 by Katrin Leinweber