Always return the direct member of an object that requests it

Jarka Košanová requested to merge 442473-fix-cr-override into master

What does this MR do and why?

This bug was discovered for custom roles but it does apply to both predefined and static roles; for predefined roles it simply doesn't matter what a user sees.

The problem

Let's say we have a structure Group A (id 1) -> Group B (id 2). A user is a guest in Group A but also was invited as a guest to Group B.

When you go to the group members page of Group A, you can see the user with a changeable role. That means the correct membership, the one that applies to the specific group, was returned as the result of a query.

When you go to the members page of Group B, you see you can't change the role of the user. That means the inherited membership was selected.

This is not correct and we should always return the direct membership of the user -> return the membership of the group we are selecting for, if there is one.

The fix

This MR fixes the problem by using conditional ordering.

Custom roles

This was discovered during work on custom roles. When a user is guest in Group A but guest + in Group B, we could still see only Guest on Group B.

Database queries

gitlab-org group (id 9970) used for the query plans.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After
old_subgroup new_subgroup

How to set up and validate locally

Prerequisites

  1. Set up a structure group -> subgroup
  2. Create a custom role based on guest (guest +), e.g. on the admin page, http://gdk.test:3000/admin/application_settings/roles_and_permissions

Verify the fix

  1. Invite a user to group as guest, then go to subgroup members page. The user should not have their role changeable.
  2. Invite the same user to the subgroup as guest.
  3. Reload the page
  4. This user should now have their role changeable (on master this should still not be changeable)
  5. To verify we also fixed the original bug, assign the guest + custom role to the same user.
  6. Reload the page
  7. You should now see the user's custom role on the members page

Related to #442473 (closed)

Edited by Jarka Košanová
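
The conditional ordering named under "The fix", sketched as an added example that is not code from this merge request. The table and column names, the tie-break used in the naive ordering, and the SQLite window query are assumptions chosen to reproduce the Group A -> Group B case described above.

```python
import sqlite3

# Constructed sample data mirroring the description: Group A (id 1) -> Group B (id 2).
# Table and column names are assumptions, not GitLab's schema.
SCHEMA = """
CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    source_id INTEGER NOT NULL,      -- group the membership was created on
    access_level INTEGER NOT NULL,   -- 10 = guest
    member_role TEXT                 -- custom role name, NULL for a plain role
);
INSERT INTO members VALUES
    (1, 100, 1, 10, NULL),       -- user 100: guest on Group A (inherited by Group B)
    (2, 100, 2, 10, 'guest +'),  -- user 100: direct on Group B with a custom role
    (3, 200, 1, 30, NULL);       -- user 200: only inherited from Group A
"""

# One row per user among memberships on the group and its ancestor.
QUERY = """
SELECT user_id, source_id, member_role FROM (
    SELECT m.*, ROW_NUMBER() OVER (
        PARTITION BY user_id ORDER BY {order}
    ) AS rn
    FROM members m
    WHERE source_id IN (:group_id, :ancestor_id)
) WHERE rn = 1 ORDER BY user_id
"""

# Ordering with no preference for the direct row: ties fall back to row id.
NAIVE_ORDER = "access_level DESC, id ASC"
# Conditional ordering: the row whose source is the requested group sorts first.
DIRECT_FIRST = "CASE WHEN source_id = :group_id THEN 0 ELSE 1 END, " + NAIVE_ORDER


def members_for_group(order, group_id=2, ancestor_id=1):
    """Return (user_id, source_id, member_role) per user for the given ordering."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(QUERY.format(order=order),
                      {"group_id": group_id, "ancestor_id": ancestor_id}).fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    print("naive:       ", members_for_group(NAIVE_ORDER))
    print("direct first:", members_for_group(DIRECT_FIRST))
```

With the naive ordering, user 100's row on Group B is shadowed by the inherited Group A row, so the custom role never reaches the caller; users with only an inherited membership are returned the same way under both orderings.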