LDAP group sync doesn't check parent group membership
When LDAP Group Sync is used on a subgroup it's possible that the group sync will try to add a user as a member of the subgroup at a lower access level than that user already inherits from a parent group. As a result, group validations fail with `Members and requesters is invalid`. Upon further inspection we see that a group member hasn't been saved. When we try to save it manually we see that the validation fails because group sync tried to set an access level (i.e. `Developer`) but the user already has a higher level from a parent group (i.e. `Maintainer`).
Group sync needs to be aware of this in some way, although I'm not sure of the best approach. If group sync on the current group dictates the user should have a higher access level than parent groups specify, it's not a problem, and group sync should go ahead. But if the access level indicated by group sync is lower, it should be skipped.
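To make the proposed rule concrete, here is an added example that is not GitLab's code: a toy model of nested groups in which a sync step compares the access level the LDAP mapping wants with the highest level the user already inherits from ancestor groups, and skips the membership when the mapped level is lower. The class and method names (`Group`, `inherited_access_level`, `ldap_sync`), the numeric level values, and treating an equal level as acceptable are assumptions for illustration.

```ruby
# Added example, not GitLab's implementation. Models the rule from the issue:
# only create/update a direct membership in a subgroup when the LDAP-mapped
# level is not lower than what the user already inherits from a parent group.

# Assumed ordering of access levels (higher number = more privilege).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class Group
  attr_reader :name, :parent, :members

  def initialize(name, parent: nil)
    @name = name
    @parent = parent
    @members = {} # user => access level symbol, direct memberships only
  end

  # Highest access level the user inherits from any ancestor group, or nil.
  def inherited_access_level(user)
    levels = []
    ancestor = parent
    while ancestor
      levels << ancestor.members[user] if ancestor.members.key?(user)
      ancestor = ancestor.parent
    end
    levels.max_by { |lvl| ACCESS_LEVELS.fetch(lvl) }
  end

  # Mirrors the validation described in the issue: a direct membership below the
  # inherited level is invalid. Equal is treated as allowed (assumption).
  def direct_membership_valid?(user, level)
    inherited = inherited_access_level(user)
    inherited.nil? || ACCESS_LEVELS.fetch(level) >= ACCESS_LEVELS.fetch(inherited)
  end
end

# Apply LDAP sync results to +group+. +desired+ maps user => level that the LDAP
# group mapping says the user should hold in this group. Returns a per-user
# outcome so the caller can log why a membership was not created.
def ldap_sync(group, desired)
  desired.each_with_object({}) do |(user, level), outcome|
    if group.direct_membership_valid?(user, level)
      group.members[user] = level
      outcome[user] = :synced
    else
      # Would fail "Members and requesters is invalid"; skip instead of saving.
      outcome[user] = :skipped_inherits_higher
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  parent = Group.new("parent")
  child = Group.new("child", parent: parent)
  parent.members["alice"] = :maintainer # inherits Maintainer in child
  parent.members["bob"] = :guest        # inherits Guest in child
  ldap_sync(child, { "alice" => :developer, "bob" => :developer, "carol" => :reporter })
    .each { |user, outcome| puts "#{user}: #{outcome}" }
end
```

The sync never creates a membership that the model validation would reject, and the returned outcome makes the skipped users visible in logs rather than silently dropping them.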
FYI @mkozono