From 6c6e8b0778874ff486bfb68f4acd81f7c77385c6 Mon Sep 17 00:00:00 2001 From: Eugie Limpin Date: Mon, 13 Oct 2025 14:46:03 +0800 Subject: [PATCH 1/2] Remove use_user_group_member_roles feature flag UserMemberRolesInGroupsPreloader and UserMemberRolesInProjectsPreloader will now use the cached data in user_group_member_roles table to determine a user's custom permissions in a given project or group. Changelog: changed EE: true --- .../user_member_roles_in_groups_preloader.rb | 109 +-------------- ...user_member_roles_in_projects_preloader.rb | 52 ------- .../use_user_group_member_roles.yml | 10 -- ee/spec/factories/group_members.rb | 10 ++ ee/spec/factories/member_roles.rb | 8 ++ ee/spec/models/ee/member_spec.rb | 8 -- ...r_member_roles_in_groups_preloader_spec.rb | 127 ------------------ ...member_roles_in_projects_preloader_spec.rb | 26 ---- .../update_for_group_service_spec.rb | 9 +- .../update_for_shared_group_service_spec.rb | 3 +- .../support/helpers/member_role_helpers.rb | 10 +- spec/spec_helper.rb | 16 --- 12 files changed, 30 insertions(+), 358 deletions(-) delete mode 100644 ee/config/feature_flags/gitlab_com_derisk/use_user_group_member_roles.yml diff --git a/ee/app/models/preloaders/user_member_roles_in_groups_preloader.rb b/ee/app/models/preloaders/user_member_roles_in_groups_preloader.rb index 3d3f0394ca1c3f..5a157f6f0348c8 100644 --- a/ee/app/models/preloaders/user_member_roles_in_groups_preloader.rb +++ b/ee/app/models/preloaders/user_member_roles_in_groups_preloader.rb @@ -32,9 +32,7 @@ def abilities_for_user_grouped_by_group(group_ids) log_statistics(group_ids) - get_results(query).tap do |results| - track_diff(results) - end + get_results(query) end def build_groups_with_traversal_ids(group_ids) @@ -75,52 +73,7 @@ def get_results(query) end end - def union_query - union_queries = [] - - member = Member.select('member_roles.permissions').with_user(user) - - group_member = member - .joins(:member_role) - .where(source_type: 'Namespace') - .where('members.source_id IN (SELECT UNNEST(namespace_ids) as ids)') - .to_sql - - if custom_role_for_group_link_enabled? - group_link_join = member - .joins('JOIN group_group_links ON members.source_id = group_group_links.shared_with_group_id') - .where('group_group_links.shared_group_id IN (SELECT UNNEST(namespace_ids) as ids)') - - invited_member_role = group_link_join - .joins('JOIN member_roles ON member_roles.id = group_group_links.member_role_id') - .where('access_level > group_access') - .to_sql - - # when both roles are custom roles with the same base access level, - # choose the source role as the max role - source_member_role = group_link_join - .joins('JOIN member_roles ON member_roles.id = members.member_role_id') - .where('(access_level < group_access) OR ' \ - '(access_level = group_access AND group_group_links.member_role_id IS NOT NULL)') - .to_sql - - union_queries.push(invited_member_role, source_member_role) - end - - union_queries.push(group_member) - - union_queries.join(" UNION ALL ") - end - def query - if use_user_group_member_roles? - user_group_member_roles_query - else - union_query - end - end - - def user_group_member_roles_query query = ::Authz::UserGroupMemberRole.joins(:member_role) .where('user_group_member_roles.group_id IN (SELECT UNNEST(namespace_ids) as ids)') .where(user: user) @@ -162,65 +115,5 @@ def log_statistics(group_ids) group_ids: group_ids.first(10) ) end - - # Remove when use_user_group_member_roles feature flag is removed - def track_diff(results) - return if use_user_group_member_roles? - return unless ::Gitlab::Saas.feature_available?(:gitlab_com_subscriptions) - - group_ids = groups_with_traversal_ids.map(&:first) - - # Limit diff checks to usage with <= 20 input groups. This prevents log - # explosion for cases where input groups count is in the hundreds (e.g. - # global search). - return if group_ids.length > 20 - - group_ids_with_diff = [] - cached_permissions = [] - uncached_permissions = [] - - if use_user_group_member_roles? - cached_results = results - union_query_results = get_results(union_query) - else - cached_results = get_results(user_group_member_roles_query) - union_query_results = results - end - - group_ids.each do |id| - cached_permissions = extract_permissions(cached_results, id) - uncached_permissions = extract_permissions(union_query_results, id) - - next if cached_permissions == uncached_permissions - - group_ids_with_diff << id - end - - return if group_ids_with_diff.empty? - - log_info = { class: self.class.name, event: 'Inaccurate user_group_member_roles data', user_id: user.id, - use_user_group_member_roles: use_user_group_member_roles? } - - log_info = if group_ids_with_diff.length > 1 - log_info.merge(group_ids: group_ids_with_diff) - else - log_info.merge( - group_id: group_ids_with_diff.first, - permissions: uncached_permissions, - user_group_member_roles_permissions: cached_permissions - ) - end - - ::Gitlab::AppLogger.info(**log_info) - end - - def extract_permissions(result, group_id) - result.fetch(group_id, []).sort.join(', ') - end - - def use_user_group_member_roles? - ::Feature.enabled?(:use_user_group_member_roles, Feature.current_request) - end - strong_memoize_attr :use_user_group_member_roles? end end diff --git a/ee/app/models/preloaders/user_member_roles_in_projects_preloader.rb b/ee/app/models/preloaders/user_member_roles_in_projects_preloader.rb index 4ffb245e40edb2..e0577ef908dfd1 100644 --- a/ee/app/models/preloaders/user_member_roles_in_projects_preloader.rb +++ b/ee/app/models/preloaders/user_member_roles_in_projects_preloader.rb @@ -65,59 +65,7 @@ def abilities_for_user_grouped_by_project(project_ids) end end - def union_query - union_queries = [] - - member = Member.select('member_roles.permissions') - .with_user(user) - - project_member = member - .joins(:member_role) - .where(source_type: 'Project') - .where('members.source_id = project_ids.project_id') - .to_sql - - namespace_member = member - .joins(:member_role) - .where(source_type: 'Namespace') - .where('members.source_id IN (SELECT UNNEST(project_ids.namespace_ids) as ids)') - .to_sql - - if custom_role_for_group_link_enabled? - group_link_join = member - .joins('JOIN group_group_links ON members.source_id = group_group_links.shared_with_group_id') - .where('group_group_links.shared_group_id IN (SELECT UNNEST(project_ids.namespace_ids) as ids)') - - invited_member_role = group_link_join - .joins('JOIN member_roles ON member_roles.id = group_group_links.member_role_id') - .where('access_level > group_access') - .to_sql - - # when both roles are custom roles with the same base access level, - # choose the source role as the max role - source_member_role = group_link_join - .joins('JOIN member_roles ON member_roles.id = members.member_role_id') - .where('(access_level < group_access) OR ' \ - '(access_level = group_access AND group_group_links.member_role_id IS NOT NULL)') - .to_sql - - union_queries.push(invited_member_role, source_member_role) - end - - union_queries.push(project_member, namespace_member) - - union_queries.join(" UNION ALL ") - end - def query - if ::Feature.enabled?(:use_user_group_member_roles, Feature.current_request) - user_group_member_roles_query - else - union_query - end - end - - def user_group_member_roles_query union_queries = [] project_member = Member.select('member_roles.permissions') diff --git a/ee/config/feature_flags/gitlab_com_derisk/use_user_group_member_roles.yml b/ee/config/feature_flags/gitlab_com_derisk/use_user_group_member_roles.yml deleted file mode 100644 index 8714d5132e32fb..00000000000000 --- a/ee/config/feature_flags/gitlab_com_derisk/use_user_group_member_roles.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -name: use_user_group_member_roles -description: Use data from user_group_member_roles table to determine custom role permissions for a user within groups, replacing the existing complex query approach. -feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/513033 -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/198880 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/557017 -milestone: '18.4' -group: group::authorization -type: gitlab_com_derisk -default_enabled: false diff --git a/ee/spec/factories/group_members.rb b/ee/spec/factories/group_members.rb index ebf079c447350e..f308c36627c966 100644 --- a/ee/spec/factories/group_members.rb +++ b/ee/spec/factories/group_members.rb @@ -7,5 +7,15 @@ create(:namespace_ban, namespace: member.member_namespace.root_ancestor, user: member.user) unless member.owner? end end + + transient do + create_user_group_member_roles { true } + end + + after(:create) do |member, context| + if context.create_user_group_member_roles && member.member_role + ::Authz::UserGroupMemberRoles::UpdateForGroupService.new(member).execute + end + end end end diff --git a/ee/spec/factories/member_roles.rb b/ee/spec/factories/member_roles.rb index da4644743435f6..0bc7087f57ccf5 100644 --- a/ee/spec/factories/member_roles.rb +++ b/ee/spec/factories/member_roles.rb @@ -86,5 +86,13 @@ read_code { false } read_admin_users { true } end + + after(:create) do |member_role, _context| + member_role.members.each do |member| + next unless member.is_a?(::GroupMember) + + ::Authz::UserGroupMemberRoles::UpdateForGroupService.new(member).execute + end + end end end diff --git a/ee/spec/models/ee/member_spec.rb b/ee/spec/models/ee/member_spec.rb index 05082b767858b3..4d731a51fdaed3 100644 --- a/ee/spec/models/ee/member_spec.rb +++ b/ee/spec/models/ee/member_spec.rb @@ -1057,14 +1057,6 @@ def webhook_data(group_member, event) it_behaves_like 'invited group members' end - - context 'when `use_user_group_member_roles_members_page` feature flag is enabled' do - before do - stub_feature_flags(use_user_group_member_roles: true) - end - - it_behaves_like 'invited group members' - end end context 'when custom roles are not enabled' do diff --git a/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb b/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb index e24eb0dc49a0c8..f8a4ee07203eb4 100644 --- a/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb +++ b/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb @@ -205,131 +205,4 @@ it_behaves_like 'returns expected member role abilities for the user' end end - - context 'when use_user_group_member_roles feature flag is enabled' do - before do - stub_feature_flags(use_user_group_member_roles: true) - end - - MemberRole.all_customizable_group_permissions.each do |ability| - it_behaves_like 'custom roles', ability - end - - context 'when group has a group link assigned to a custom role' do - let_it_be(:source) { sub_group_1 } - - include_context 'with multiple users in a group with custom roles' - - it_behaves_like 'returns expected member role abilities' - end - - context 'when multiple groups are invited with custom roles' do - let_it_be(:source) { sub_group_1 } - - include_context 'with a user in multiple groups with custom role' - - it_behaves_like 'returns expected member role abilities for the user' - end - end - - describe 'old query vs new query results diff tracking', :saas do - let_it_be(:ability) { MemberRole.all_customizable_group_permissions.first } - let_it_be(:member_role) { create_member_role(group, ability) } - let_it_be(:expected_abilities) { expected_group_abilities(ability) } - - let(:groups_list) { [sub_group_1] } - let(:base_log_payload) do - { - class: described_class.name, - event: 'Inaccurate user_group_member_roles data', - user_id: user.id, - use_user_group_member_roles: false - } - end - - let(:log_payload) do - base_log_payload.merge({ - group_id: sub_group_1.id, - permissions: instance_of(String), - user_group_member_roles_permissions: instance_of(String) - }) - end - - before do - sub_group_1_member.update!(member_role: member_role) - - allow(Gitlab::AppLogger).to receive(:info) - end - - context 'when use_user_group_member_roles feature flag is enabled' do - before do - stub_feature_flags(use_user_group_member_roles: true) - end - - it 'does not execute the old query ("... UNION ALL ...")' do - query_recorder = ActiveRecord::QueryRecorder.new { result } - - expect(query_recorder.log).not_to include(/UNION ALL/) - end - end - - # Here, the result will be different because there are no - # user_group_member_roles records for user i.e. - # ::Authz::UserGroupMemberRoles::UpdateForGroupService was not run on the - # user's member record for sub_group_1. - context 'when result of query using user_group_member_roles table is different' do - it 'logs' do - expect(Gitlab::AppLogger).to receive(:info) # earlier call in #log_statistics - expect(Gitlab::AppLogger).to receive(:info).with({ - **log_payload, - permissions: expected_abilities.join(', '), - user_group_member_roles_permissions: '' - }) - - result - end - - context 'when there are multiple groups with different results' do - let(:groups_list) { [sub_group_1, sub_group_2] } - - let(:log_payload) do - base_log_payload.merge({ group_ids: groups_list.map(&:id) }) - end - - before do - role = create_member_role(group, MemberRole.all_customizable_group_permissions.second) - sub_group_2_member.update!(member_role: role) - end - - it 'logs' do - expect(Gitlab::AppLogger).to receive(:info).with(log_payload) - - result - end - - it 'does not execute additional queries' do - control = ActiveRecord::QueryRecorder.new(skip_cached: false) do - described_class.new(groups: [sub_group_1], user: user).execute - end - - # add with_threshold(1) since - # group.root_ancestor.should_process_custom_roles? is called for each - # input group - expect { result }.to issue_same_number_of_queries_as(control).with_threshold(1) - end - end - end - - context 'when result of query using user_group_member_roles table is the same' do - before do - ::Authz::UserGroupMemberRoles::UpdateForGroupService.new(sub_group_1_member).execute - end - - it 'does not log' do - expect(Gitlab::AppLogger).to receive(:info).once - - result - end - end - end end diff --git a/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb b/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb index b3db709eb847c9..484b91f0195db3 100644 --- a/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb +++ b/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb @@ -224,30 +224,4 @@ it_behaves_like 'returns expected member role abilities for the user' end end - - context 'when use_user_group_member_roles feature flag is enabled' do - before do - stub_feature_flags(use_user_group_member_roles: true) - end - - MemberRole.all_customizable_project_permissions.each do |ability| - it_behaves_like 'custom roles', ability - end - - context "when project's parent group invites a group with a custom role" do - let(:source) { project } - - include_context 'with multiple users in a group with custom roles' - - it_behaves_like 'returns expected member role abilities' - end - - context "when project's parent group invites multiple groups with a custom role" do - let(:source) { project } - - include_context 'with a user in multiple groups with custom role' - - it_behaves_like 'returns expected member role abilities for the user' - end - end end diff --git a/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb b/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb index 9ad1343888655e..7241c05e7acbeb 100644 --- a/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb +++ b/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb @@ -9,7 +9,9 @@ # Set access_level to GUEST (< group_group_link.group_access i.e. DEVELOPER) # so we can assert created/updated user_group_member_role.member_role == member.role - let_it_be_with_reload(:member) { create(:group_member, :guest, member_role: role, user: user, group: group) } + let_it_be_with_reload(:member) do + create(:group_member, :guest, member_role: role, user: user, group: group, create_user_group_member_roles: false) + end subject(:execute) do described_class.new(member).execute @@ -110,7 +112,10 @@ def fetch_records(user, group, member_role) context 'with minimal access role', :saas do let_it_be(:group) { create(:group_with_plan, plan: :ultimate_plan) } let_it_be(:role) { create(:member_role, :minimal_access, namespace: group) } - let_it_be(:member) { create(:group_member, :minimal_access, member_role: role, user: user, group: group) } + let_it_be(:member) do + create(:group_member, :minimal_access, member_role: role, user: user, group: group, + create_user_group_member_roles: false) + end it 'creates UserGroupMemberRole records for the user in the group and in the shared group' do expect { execute }.to change { diff --git a/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb b/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb index f4be95aaa2f1d2..3d1f39e4f28e73 100644 --- a/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb +++ b/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb @@ -72,7 +72,8 @@ let_it_be(:shared_with_group) { create(:group_with_plan, plan: :ultimate_plan) } let_it_be(:minimal_access_role) { create(:member_role, :minimal_access) } let_it_be(:member) do - create(:group_member, :minimal_access, member_role: minimal_access_role, user: user, group: shared_with_group) + create(:group_member, :minimal_access, member_role: minimal_access_role, user: user, group: shared_with_group, + create_user_group_member_roles: false) end let_it_be_with_reload(:group_group_link) do diff --git a/ee/spec/support/helpers/member_role_helpers.rb b/ee/spec/support/helpers/member_role_helpers.rb index 14550950396bd6..04ecc987ae73ce 100644 --- a/ee/spec/support/helpers/member_role_helpers.rb +++ b/ee/spec/support/helpers/member_role_helpers.rb @@ -15,25 +15,19 @@ def requirements(ability) def create_group_member(*factory_args) create(:group_member, *factory_args).tap do |m| - if ::Feature.enabled?(:use_user_group_member_roles, Feature.current_request) - ::Authz::UserGroupMemberRoles::UpdateForGroupService.new(m).execute - end + ::Authz::UserGroupMemberRoles::UpdateForGroupService.new(m).execute end end def create_group_link(*factory_args) create(:group_group_link, *factory_args).tap do |l| - if ::Feature.enabled?(:use_user_group_member_roles, Feature.current_request) - ::Authz::UserGroupMemberRoles::UpdateForSharedGroupService.new(l).execute - end + ::Authz::UserGroupMemberRoles::UpdateForSharedGroupService.new(l).execute end end def assign_member_role(group_member, member_role) group_member.update!(member_role: member_role) - return unless ::Feature.enabled?(:use_user_group_member_roles, Feature.current_request) - ::Authz::UserGroupMemberRoles::UpdateForGroupService.new(group_member).execute end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 14ace0d0fb1f7d..cd6d21549754ee 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -357,22 +357,6 @@ # Opting out of Organizations is the exception. stub_feature_flags(opt_out_organizations: false) - # The `use_user_group_member_roles` feature flag controls whether member role preloaders - # fetch data from the `user_group_member_roles` table instead of using the - # existing query to fetch a user's custom permissions in groups/projects. - # - # When enabled: - # - Preloaders::UserMemberRolesIn*Preloader modules use the `user_group_member_roles` table - # - This table is populated by Authz::UserGroupMemberRoles::UpdateFor*GroupService when - # users are assigned member roles - # - # When disabled: - # - The preloaders fall back to their original query implementation - # - # For testing consistency, we default to the original query implementation in specs - # until the new implementation is fully validated and the feature flag is removed. - stub_feature_flags(use_user_group_member_roles: false) - # Enabled only when debugging stub_feature_flags(track_struct_event_logger: false) -- GitLab From 5e68048e7af42156e47895f60fd08d0ae4228e12 Mon Sep 17 00:00:00 2001 From: Eugie Limpin Date: Fri, 17 Oct 2025 17:28:05 +0800 Subject: [PATCH 2/2] Remove spec helper methods --- ee/spec/factories/group_group_links.rb | 15 +++++++++++++++ ee/spec/models/ee/member_spec.rb | 6 +++--- .../user_member_roles_in_groups_preloader_spec.rb | 2 +- ...ser_member_roles_in_projects_preloader_spec.rb | 2 +- .../update_for_group_service_spec.rb | 3 ++- .../update_for_shared_group_service_spec.rb | 6 ++++-- ee/spec/support/helpers/member_role_helpers.rb | 12 ------------ .../models/authz/member_roles_shared_examples.rb | 14 +++++++------- 8 files changed, 33 insertions(+), 27 deletions(-) create mode 100644 ee/spec/factories/group_group_links.rb diff --git a/ee/spec/factories/group_group_links.rb b/ee/spec/factories/group_group_links.rb new file mode 100644 index 00000000000000..1680954b0249dd --- /dev/null +++ b/ee/spec/factories/group_group_links.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +FactoryBot.modify do + factory :group_group_link do + transient do + create_user_group_member_roles { true } + end + + after(:create) do |link, context| + if context.create_user_group_member_roles + ::Authz::UserGroupMemberRoles::UpdateForSharedGroupService.new(link).execute + end + end + end +end diff --git a/ee/spec/models/ee/member_spec.rb b/ee/spec/models/ee/member_spec.rb index 4d731a51fdaed3..04db85d769333b 100644 --- a/ee/spec/models/ee/member_spec.rb +++ b/ee/spec/models/ee/member_spec.rb @@ -994,7 +994,7 @@ def webhook_data(group_member, event) let(:group_role) { create(:member_role, base_access_level: group_access, namespace: shared_group) } let(:member) do - create_group_member( + create(:group_member, user: user, source: invited_group, member_role: user_role, @@ -1003,7 +1003,7 @@ def webhook_data(group_member, event) end before do - create_group_link( + create(:group_group_link, group_access: group_access, shared_group: shared_group, shared_with_group: invited_group, @@ -1028,7 +1028,7 @@ def webhook_data(group_member, event) let_it_be(:role) { create(:member_role, :developer, namespace: shared_group) } let_it_be(:direct_member) do - create_group_member( + create(:group_member, user: user, source: shared_group, member_role: role, diff --git a/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb b/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb index f8a4ee07203eb4..6389035d68b56b 100644 --- a/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb +++ b/ee/spec/models/preloaders/user_member_roles_in_groups_preloader_spec.rb @@ -163,7 +163,7 @@ context 'when user has custom role that enables custom permission outside of group hierarchy' do let_it_be(:sub_group_3) { create(:group, :private, parent: group) } let_it_be_with_reload(:sub_group_3_member) do - create_group_member(user: user, source: sub_group_3, member_role: member_role) + create(:group_member, user: user, source: sub_group_3, member_role: member_role) end it 'ignores custom role outside of group hierarchy' do diff --git a/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb b/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb index 484b91f0195db3..a77b661c15d86b 100644 --- a/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb +++ b/ee/spec/models/preloaders/user_member_roles_in_projects_preloader_spec.rb @@ -182,7 +182,7 @@ context 'when user has custom role that enables custom permission outside of project hierarchy' do let_it_be(:sub_group_2) { create(:group, :private, parent: group) } let_it_be_with_reload(:sub_group_2_member) do - create_group_member(:guest, user: user, source: sub_group_2, member_role: member_role) + create(:group_member, :guest, user: user, source: sub_group_2, member_role: member_role) end it 'ignores custom role outside of project hierarchy' do diff --git a/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb b/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb index 7241c05e7acbeb..051e3fb87f3db2 100644 --- a/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb +++ b/ee/spec/services/authz/user_group_member_roles/update_for_group_service_spec.rb @@ -30,7 +30,8 @@ def create_record(user, group, member_role, shared_with_group: nil) def create_group_group_link(group, shared_with_group) # Set group_access to DEVELOPER (> member.access_level i.e. GUEST) so we can # assert created/updated user_group_member_role.member_role == member.role - create(:group_group_link, :developer, shared_group: group, shared_with_group: shared_with_group) + create(:group_group_link, :developer, shared_group: group, shared_with_group: shared_with_group, + create_user_group_member_roles: false) end def fetch_records(user, group, member_role) diff --git a/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb b/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb index 3d1f39e4f28e73..f058b0b036c2b7 100644 --- a/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb +++ b/ee/spec/services/authz/user_group_member_roles/update_for_shared_group_service_spec.rb @@ -16,7 +16,8 @@ let_it_be(:role) { create(:member_role, :guest) } let_it_be_with_reload(:group_group_link) do - create(:group_group_link, :guest, shared_group: group, shared_with_group: shared_with_group, member_role: role) + create(:group_group_link, :guest, shared_group: group, shared_with_group: shared_with_group, member_role: role, + create_user_group_member_roles: false) end subject(:execute) do @@ -77,7 +78,8 @@ end let_it_be_with_reload(:group_group_link) do - create(:group_group_link, :guest, shared_group: group, shared_with_group: shared_with_group, member_role: role) + create(:group_group_link, :guest, shared_group: group, shared_with_group: shared_with_group, member_role: role, + create_user_group_member_roles: false) end it 'creates UserGroupMemberRole records for each user in group_group_link.shared_with_group' do diff --git a/ee/spec/support/helpers/member_role_helpers.rb b/ee/spec/support/helpers/member_role_helpers.rb index 04ecc987ae73ce..bd49da00d12a08 100644 --- a/ee/spec/support/helpers/member_role_helpers.rb +++ b/ee/spec/support/helpers/member_role_helpers.rb @@ -13,18 +13,6 @@ def requirements(ability) MemberRole.all_customizable_permissions[ability][:requirements] || [] end - def create_group_member(*factory_args) - create(:group_member, *factory_args).tap do |m| - ::Authz::UserGroupMemberRoles::UpdateForGroupService.new(m).execute - end - end - - def create_group_link(*factory_args) - create(:group_group_link, *factory_args).tap do |l| - ::Authz::UserGroupMemberRoles::UpdateForSharedGroupService.new(l).execute - end - end - def assign_member_role(group_member, member_role) group_member.update!(member_role: member_role) diff --git a/ee/spec/support/shared_examples/models/authz/member_roles_shared_examples.rb b/ee/spec/support/shared_examples/models/authz/member_roles_shared_examples.rb index 6a0f0b64199d73..eceb4f14ce0312 100644 --- a/ee/spec/support/shared_examples/models/authz/member_roles_shared_examples.rb +++ b/ee/spec/support/shared_examples/models/authz/member_roles_shared_examples.rb @@ -15,12 +15,12 @@ create(:member_role, :developer, :instance, admin_vulnerability: true, read_vulnerability: true) end - let_it_be(:user_a) { create_group_member(:guest, source: invited_group, member_role: guest_read_runners) } - let_it_be(:user_b) { create_group_member(:guest, source: invited_group, member_role: guest_read_vulnerability) } + let_it_be(:user_a) { create(:group_member, :guest, source: invited_group, member_role: guest_read_runners) } + let_it_be(:user_b) { create(:group_member, :guest, source: invited_group, member_role: guest_read_vulnerability) } let_it_be(:user_c) { create(:group_member, :guest, source: invited_group) } let_it_be(:user_d) { create(:group_member, :developer, source: invited_group) } let_it_be(:user_e) do - create_group_member(:developer, source: invited_group, member_role: developer_admin_vulnerability) + create(:group_member, :developer, source: invited_group, member_role: developer_admin_vulnerability) end end @@ -58,7 +58,7 @@ with_them do before do - create_group_link( + create(:group_group_link, group_access: invited_group_access, member_role: invited_group_member_role, shared_group: group, @@ -136,7 +136,7 @@ let_it_be(:member_a) { create(:group_member, :reporter, source: group_a, user: user) } let_it_be(:member_b) do - create_group_member(:reporter, source: group_b, user: user, member_role: reporter_member_role) + create(:group_member, :reporter, source: group_b, user: user, member_role: reporter_member_role) end end @@ -151,14 +151,14 @@ with_them do before do - create_group_link( + create(:group_group_link, group_access: group_a_access, member_role: group_a_member_role, shared_group: group, shared_with_group: group_a ) - create_group_link( + create(:group_group_link, group_access: group_b_access, member_role: group_b_member_role, shared_group: group, -- GitLab