Remove pending todos from MemberRoles::RolesFinder
What does this MR do and why?
- Up until 17.0, we were returning both instance-level member roles and group-level member roles irrespective of the mode. Now that the migration has been complete in 17.0, we can now update
MemberRoles::RolesFinderto only return instance-level roles on self-managed and group-level roles on SaaS. - Updates
Members::UpdateServiceto use theRolesFinderservice to find the member role before assigning it to the user.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Enable SaaS mode with
export GITLAB_SIMULATE_SAAS=1
gdk restart- Delete any existing member roles you might have:
MemberRole.delete_all-
Navigate to any group that you are an owner of, then go to
Settings > Roles and Permissions -
You should be able to create a custom role and assign it to a member of that group, sub-group/project in that group. However, you should not be able to assign it to a member in a different parent group.
-
Disable SaaS mode
export GITLAB_SIMULATE_SAAS=0
gdk restart- Delete the group-level custom role:
MemberRole.delete_all- Sign-in as an instance admin, and after enabling admin mode navigate to
/admin/application_settings/roles_and_permissions. - You should be able to create a custom role and assign it to a member in any of the groups/projects on the instance as a group-owner.
Database
Related to #441652 (closed)
Edited by Hinam Mehra