Updating role fails with "Could not update role." if email not in restricted domain

Summary

A customer reported a scenario where they tried to update the role for a direct member in a subgroup, but the update request fails with "Could not update role." The customer had "Restrict membership by email domain" enabled at the top-level group, but before enabling this, they must have added a user with a different domain. Then updating said user's role fails with "Could not update role." This error doesn't really point the customer to what exactly the issue is. A clearer error message might be helpful.

Details of the call in Kibana:

json.controller Groups::GroupMembersController
json.meta.caller_id Groups::GroupMembersController#update
json.status 422
json.params.key [access_level, member_role_id, group_id, id, group_member]
json.params.value [50, (empty), example/group/path, group_id, {"access_level"=>50, "member_role_id"=>nil}]

Steps to reproduce

I was able to reproduce the issue on GitLab.com by following these steps:

  • Add an example user to a top-level group
  • Configure Restrict membership by email domain at the top-level group, making sure the above example user doesn't have an email address in said domain
  • Now try to update the user's role in the group -> Members page
    • This will fail with "Could not update role."

What is the current bug behavior?

See above in summary.

What is the expected correct behavior?

I would expect an error message that points me to what exactly the problem is.

Output of checks

This bug happens on GitLab.com.

Edited by Sabine Carpenter
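
The scenario above, as an added Ruby sketch that is not part of the original issue and not GitLab's code: it lists members who were added before the domain restriction was enabled and returns an error that names the failing rule. All names (`Member`, `out_of_policy_members`, `update_role`), the sample data and the exact-match domain rule are assumptions made for illustration.

```ruby
# Added illustration, not GitLab code. All names here are hypothetical.
Member = Struct.new(:username, :email, :access_level)

# Assumption: an email passes only when its domain equals an allowed domain
# exactly, compared case-insensitively; subdomains do not match.
def email_domain(email)
  local, at, domain = email.to_s.strip.rpartition("@")
  return nil if at.empty? || local.empty? || domain.empty?
  domain.downcase
end

def domain_allowed?(email, allowed_domains)
  domain = email_domain(email)
  return false if domain.nil?
  allowed_domains.map { |d| d.strip.downcase }.include?(domain)
end

# Members added before the restriction was enabled whose email is outside it.
# These are the members whose role updates would be rejected.
def out_of_policy_members(members, allowed_domains)
  members.reject { |m| domain_allowed?(m.email, allowed_domains) }
end

# Returns [ok, message]. On failure the message names the rule that failed
# instead of collapsing every validation error into "Could not update role."
def update_role(member, new_level, allowed_domains)
  unless domain_allowed?(member.email, allowed_domains)
    return [false, "Could not update role: #{member.username}'s email domain " \
                   "is not allowed by the group's email domain restriction."]
  end
  member.access_level = new_level
  [true, "Role updated."]
end

# Constructed sample data.
ALLOWED = ["example.com"].freeze
MEMBERS = [
  Member.new("alice", "alice@example.com", 30),
  Member.new("bob", "bob@other.test", 30),
  Member.new("carol", "carol@EXAMPLE.com", 30),
  Member.new("dave", "dave@mail.example.com", 30)
].freeze

if __FILE__ == $PROGRAM_NAME
  out_of_policy_members(MEMBERS, ALLOWED).each { |m| puts "#{m.username} <#{m.email}>" }
  puts update_role(MEMBERS[1], 50, ALLOWED).last
end
```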