1 files changed, 32 insertions, 2 deletions
diff --git a/app/models/members/group_member.rb b/app/models/members/group_member.rb
index a8a4fbedc41..87af6a9a7f7 100644
--- a/app/models/members/group_member.rb
+++ b/app/models/members/group_member.rb
@@ -7,6 +7,7 @@ class GroupMember < Member
 
   SOURCE_TYPE = 'Namespace'
   SOURCE_TYPE_FORMAT = /\ANamespace\z/.freeze
+  THRESHOLD_FOR_REFRESHING_AUTHORIZATIONS_VIA_PROJECTS = 1000
 
   belongs_to :group, foreign_key: 'source_id'
   alias_attribute :namespace_id, :source_id
@@ -28,6 +29,12 @@ class GroupMember < Member
 
   attr_accessor :last_owner, :last_blocked_owner
 
+  # For those who get to see a modal with a role dropdown, here are the options presented
+  def self.permissible_access_level_roles(_, _)
+    # This method is a stopgap in preparation for https://gitlab.com/gitlab-org/gitlab/-/issues/364087
+    access_level_roles
+  end
+
   def self.access_level_roles
     Gitlab::Access.options_with_owner
   end
@@ -60,8 +67,28 @@ class GroupMember < Member
     # its projects are also destroyed, so the removal of project_authorizations
     # will happen behind the scenes via DB foreign keys anyway.
     return if destroyed_by_association.present?
+    return unless user_id
+    return super if Feature.disabled?(:refresh_authorizations_via_affected_projects_on_group_membership, group)
 
-    super
+    # rubocop:disable CodeReuse/ServiceClass
+    projects_to_refresh = Groups::ProjectsRequiringAuthorizationsRefresh::OnDirectMembershipFinder.new(group).execute
+    threshold_exceeded = (projects_to_refresh.size > THRESHOLD_FOR_REFRESHING_AUTHORIZATIONS_VIA_PROJECTS)
+
+    # We want to try the new approach only if the number of affected projects are greater than the set threshold.
+    return super unless threshold_exceeded
+
+    AuthorizedProjectUpdate::ProjectAccessChangedService
+      .new(projects_to_refresh)
+      .execute(blocking: false)
+
+    # Until we compare the inconsistency rates of the new approach
+    # the old approach, we still run AuthorizedProjectsWorker
+    # but with some delay and lower urgency as a safety net.
+    UserProjectAccessChangedService
+      .new(user_id)
+      .execute(blocking: false, priority: UserProjectAccessChangedService::LOW_PRIORITY)
+
+    # rubocop:enable CodeReuse/ServiceClass
   end
 
   def send_invite
@@ -91,7 +118,10 @@ class GroupMember < Member
   end
 
   def after_accept_invite
-    notification_service.accept_group_invite(self)
+    run_after_commit_or_now do
+      notification_service.accept_group_invite(self)
+    end
+
     update_two_factor_requirement
 
     super