Always return the direct member of an object that requests it
What does this MR do and why?
This bug was discovered for custom roles, but it does apply to both predefined and static roles; for predefined roles it simply doesn't matter what a user sees.
The problem
Let's say we have a structure Group A (id 1) -> Group B (id 2). A user is a guest in Group A but was also invited as a guest to Group B.
When you go to the group members page of Group A, you can see the user with a changeable role. That means the correct membership, the one that applies to the specific group, was returned as the result of the query.
When you go to the members page of Group B, you see that you can't change the role of the user. That means the inherited membership was selected.
This is not correct: we should always return the direct membership of the user, that is, the membership of the group we are selecting for, if there is one.
The fix
This MR fixes the problem by using conditional ordering.
Custom roles
This was discovered during work on custom roles. When a user is guest in Group A but guest + in Group B, we could still see only Guest on Group B.
Database queries
The gitlab-org group (id 9970) was used for the query plans.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Prerequisites
- Set up a structure group -> subgroup
- Create a custom role based on guest (guest +), e.g. on the admin page, http://gdk.test:3000/admin/application_settings/roles_and_permissions
Verify the fix
- Invite a user to group as guest, then go to the subgroup members page. The user should not have their role changeable.
- Invite the same user to the subgroup as guest.
- Reload the page
  - This user should now have their role changeable (on master this should still not be changeable)
- To verify we also fixed the original bug, assign the guest + custom role to the same user.
- Reload the page
  - You should now see the user's custom role on the members page
Related to #442473 (closed)
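
The conditional ordering described in this MR, sketched as an added Ruby example that is not GitLab's code and not part of the MR. The `Membership` struct, the `pick_*` helpers, the sample rows and the pre-fix tie-break are all assumptions made for illustration.

```ruby
# Added illustration; not GitLab's code. All names and data are constructed.
Membership = Struct.new(:id, :user_id, :source_id, :access_level, :member_role, keyword_init: true)

GUEST = 10

# Constructed hierarchy from the description: Group A (id 1) -> Group B (id 2).
ANCESTORS = { 1 => [], 2 => [1] }.freeze

# Constructed rows: user 7 is a guest in Group A and holds the custom
# "guest +" role through a direct membership in Group B; user 8 is only
# a member of Group A.
MEMBERSHIPS = [
  Membership.new(id: 100, user_id: 7, source_id: 1, access_level: GUEST, member_role: nil),
  Membership.new(id: 101, user_id: 7, source_id: 2, access_level: GUEST, member_role: "guest +"),
  Membership.new(id: 102, user_id: 8, source_id: 1, access_level: GUEST, member_role: nil)
].freeze

# Rows visible from a group: its own memberships plus those of its ancestors.
def candidate_rows(group_id, rows)
  scope = [group_id] + ANCESTORS.fetch(group_id)
  rows.select { |m| scope.include?(m.source_id) }
end

# Assumed pre-fix behaviour: one row per user, ranked by access level only,
# so a tie between equal levels falls to the older (inherited) row.
def pick_by_access_level(group_id, rows)
  candidate_rows(group_id, rows).group_by(&:user_id).transform_values do |ms|
    ms.min_by { |m| [-m.access_level, m.id] }
  end
end

# Conditional ordering: a row whose source is the requested group sorts first
# (key 0); inherited rows (key 1) are used only when no direct row exists.
def pick_direct_first(group_id, rows)
  candidate_rows(group_id, rows).group_by(&:user_id).transform_values do |ms|
    ms.min_by { |m| [m.source_id == group_id ? 0 : 1, -m.access_level, m.id] }
  end
end

# True when the selected row belongs to the group being viewed, which is
# the case in which the members page offers a changeable role.
def direct?(membership, group_id)
  membership.source_id == group_id
end
```

With these rows, the access-level-only ranking returns the inherited Group A row for user 7 when viewing Group B, while the direct-first ranking returns the Group B row carrying the custom role.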