1 files changed, 19 insertions, 3 deletions

diff --git a/app/models/concerns/protected_ref_access.rb b/app/models/concerns/protected_ref_access.rb
index c1c670db543..f0bb1cc359b 100644
--- a/app/models/concerns/protected_ref_access.rb
+++ b/app/models/concerns/protected_ref_access.rb
@@ -29,14 +29,30 @@ module ProtectedRefAccess
     def humanize(access_level)
       human_access_levels[access_level]
     end
+
+    def non_role_types
+      []
+    end
   end
 
   included do
     scope :maintainer, -> { where(access_level: Gitlab::Access::MAINTAINER) }
     scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) }
-    scope :for_role, -> { where(user_id: nil, group_id: nil) }
-
-    validates :access_level, presence: true, if: :role?, inclusion: { in: allowed_access_levels }
+    scope :for_role, -> {
+      if non_role_types.present?
+        where.missing(*non_role_types)
+          .allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/417457")
+      else
+        all
+      end
+    }
+
+    protected_ref_fk = "#{module_parent.model_name.singular}_id"
+    validates :access_level,
+      presence: true,
+      inclusion: { in: allowed_access_levels },
+      uniqueness: { scope: protected_ref_fk, conditions: -> { for_role } },
+      if: :role?
   end
 
   def humanize