1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
|
# frozen_string_literal: true
class Member < ApplicationRecord
extend ::Gitlab::Utils::Override
include EachBatch
include AfterCommitQueue
include Sortable
include Importable
include CreatedAtFilterable
include Expirable
include Gitlab::Access
include Presentable
include Gitlab::Utils::StrongMemoize
include FromUnion
include UpdateHighestRole
include RestrictedSignup
include Gitlab::Experiment::Dsl
AVATAR_SIZE = 40
ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT = 10
STATE_ACTIVE = 0
STATE_AWAITING = 1
attr_accessor :raw_invite_token
belongs_to :created_by, class_name: "User"
belongs_to :user
belongs_to :source, polymorphic: true # rubocop:disable Cop/PolymorphicAssociations
belongs_to :member_namespace, inverse_of: :namespace_members, foreign_key: 'member_namespace_id', class_name: 'Namespace'
delegate :name, :username, :email, :last_activity_on, to: :user, prefix: true
has_many :member_approvals, inverse_of: :member, class_name: 'Members::MemberApproval'
validates :expires_at, allow_blank: true, future_date: true
validates :user, presence: true, unless: :invite?
validates :source, presence: true
validates :user_id, uniqueness: { scope: [:source_type, :source_id],
message: "already exists in source",
allow_nil: true }
validate :higher_access_level_than_group, unless: :importing?
validates :invite_email,
presence: {
if: :invite?
},
devise_email: {
allow_nil: true
},
uniqueness: {
scope: [:source_type, :source_id],
allow_nil: true
}
validate :signup_email_valid?, on: :create, if: ->(member) { member.invite_email.present? }
validates :user_id,
uniqueness: {
message: N_('project bots cannot be added to other groups / projects')
},
if: :project_bot?
validate :access_level_inclusion
scope :with_invited_user_state, -> do
joins('LEFT JOIN users as invited_user ON invited_user.email = members.invite_email')
.select('members.*', 'invited_user.state as invited_user_state')
.allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/417456")
end
scope :in_hierarchy, ->(source) do
groups = source.root_ancestor.self_and_descendants
group_members = Member.default_scoped.where(source: groups).select(*Member.cached_column_list)
projects = source.root_ancestor.all_projects
project_members = Member.default_scoped.where(source: projects).select(*Member.cached_column_list)
Member.default_scoped.from_union([group_members, project_members]).merge(self)
end
scope :excluding_users, ->(user_ids) do
where.not(user_id: user_ids)
end
# This scope encapsulates (most of) the conditions a row in the member table
# must satisfy if it is a valid permission. Of particular note:
#
# * Access requests must be excluded
# * Blocked users must be excluded
# * Invitations take effect immediately
# * expires_at is not implemented. A background worker purges expired rows
scope :active, -> do
is_external_invite = arel_table[:user_id].eq(nil).and(arel_table[:invite_token].not_eq(nil))
user_is_active = User.arel_table[:state].eq(:active)
user_ok = Arel::Nodes::Grouping.new(is_external_invite).or(user_is_active)
left_join_users
.where(user_ok)
.non_request
.non_minimal_access
.reorder(nil)
end
scope :blocked, -> do
is_external_invite = arel_table[:user_id].eq(nil).and(arel_table[:invite_token].not_eq(nil))
user_is_blocked = User.arel_table[:state].eq(:blocked)
left_join_users
.where(user_is_blocked)
.where.not(is_external_invite)
.non_request
.non_minimal_access
.reorder(nil)
end
scope :active_state, -> { where(state: STATE_ACTIVE) }
scope :connected_to_user, -> { where.not(user_id: nil) }
# This scope is exclusively used to get the members
# that can possibly have project_authorization records
# to projects/groups.
scope :authorizable, -> do
connected_to_user
.active_state
.non_request
.non_minimal_access
end
# Like active, but without invites. For when a User is required.
scope :active_without_invites_and_requests, -> do
left_join_users
.where(users: { state: 'active' })
.without_invites_and_requests
.reorder(nil)
end
scope :without_invites_and_requests, ->(minimal_access: false) do
result = active_state.non_request.non_invite
result = result.non_minimal_access unless minimal_access
result
end
scope :invite, -> { where.not(invite_token: nil) }
scope :non_invite, -> { where(invite_token: nil) }
scope :request, -> { where.not(requested_at: nil) }
scope :non_request, -> { where(requested_at: nil) }
scope :not_accepted_invitations, -> { invite.where(invite_accepted_at: nil) }
scope :not_accepted_invitations_by_user, -> (user) { not_accepted_invitations.where(created_by: user) }
scope :not_expired, -> (today = Date.current) { where(arel_table[:expires_at].gt(today).or(arel_table[:expires_at].eq(nil))) }
scope :expiring_and_not_notified, ->(date) { where("expiry_notified_at is null AND expires_at >= ? AND expires_at <= ?", Date.current, date) }
scope :created_today, -> do
now = Date.current
where(created_at: now.beginning_of_day..now.end_of_day)
end
scope :last_ten_days_excluding_today, -> (today = Date.current) { where(created_at: (today - 10).beginning_of_day..(today - 1).end_of_day) }
scope :has_access, -> { active.where('access_level > 0') }
scope :guests, -> { active.where(access_level: GUEST) }
scope :reporters, -> { active.where(access_level: REPORTER) }
scope :developers, -> { active.where(access_level: DEVELOPER) }
scope :maintainers, -> { active.where(access_level: MAINTAINER) }
scope :non_guests, -> { where('members.access_level > ?', GUEST) }
scope :non_minimal_access, -> { where('members.access_level > ?', MINIMAL_ACCESS) }
scope :owners, -> { active.where(access_level: OWNER) }
scope :all_owners, -> { where(access_level: OWNER) }
scope :owners_and_maintainers, -> { active.where(access_level: [OWNER, MAINTAINER]) }
scope :with_user, -> (user) { where(user: user) }
scope :by_access_level, -> (access_level) { active.where(access_level: access_level) }
scope :all_by_access_level, -> (access_level) { where(access_level: access_level) }
scope :preload_user, -> { preload(:user) }
scope :preload_user_and_notification_settings, -> do
preload(user: :notification_settings)
.allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/417456")
end
scope :with_source_id, ->(source_id) { where(source_id: source_id) }
scope :including_source, -> { includes(:source) }
scope :distinct_on_user_with_max_access_level, -> do
distinct_members = select('DISTINCT ON (user_id, invite_email) *')
.order('user_id, invite_email, access_level DESC, expires_at DESC, created_at ASC')
unscoped.from(distinct_members, :members)
end
scope :order_name_asc, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_full_name',
column: User.arel_table[:name],
direction: :asc,
nullable: :nulls_last
)
end
scope :order_name_desc, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_full_name',
column: User.arel_table[:name],
direction: :desc,
nullable: :nulls_last
)
end
scope :order_oldest_sign_in, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_last_sign_in_at',
column: User.arel_table[:last_sign_in_at],
direction: :asc,
nullable: :nulls_last
)
end
scope :order_recent_sign_in, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_last_sign_in_at',
column: User.arel_table[:last_sign_in_at],
direction: :desc,
nullable: :nulls_last
)
end
scope :order_oldest_last_activity, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_last_activity_on',
column: User.arel_table[:last_activity_on],
direction: :asc,
nullable: :nulls_first
)
end
scope :order_recent_last_activity, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_last_activity_on',
column: User.arel_table[:last_activity_on],
direction: :desc,
nullable: :nulls_last
)
end
scope :order_oldest_created_user, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_created_at',
column: User.arel_table[:created_at],
direction: :asc,
nullable: :nulls_first
)
end
scope :order_recent_created_user, -> do
build_keyset_order_on_joined_column(
scope: left_join_users,
attribute_name: 'member_user_created_at',
column: User.arel_table[:created_at],
direction: :desc,
nullable: :nulls_last
)
end
scope :on_project_and_ancestors, ->(project) { where(source: [project] + project.ancestors) }
before_validation :set_member_namespace_id, on: :create
before_validation :generate_invite_token, on: :create, if: -> (member) { member.invite_email.present? && !member.invite_accepted_at? }
after_create :send_invite, if: :invite?, unless: :importing?
after_create :create_notification_setting, unless: [:pending?, :importing?]
after_create :post_create_hook, unless: [:pending?, :importing?], if: :hook_prerequisites_met?
after_create :update_two_factor_requirement, unless: :invite?
after_create :create_organization_user_record
after_update :post_update_hook, unless: [:pending?, :importing?], if: :hook_prerequisites_met?
after_update :create_organization_user_record, if: :saved_change_to_user_id? # only occurs on invite acceptance
after_destroy :destroy_notification_setting
after_destroy :post_destroy_hook, unless: :pending?, if: :hook_prerequisites_met?
after_destroy :update_two_factor_requirement, unless: :invite?
after_save :log_invitation_token_cleanup
after_commit :send_request, if: :request?, unless: :importing?, on: [:create]
after_commit on: [:create, :update, :destroy], unless: :importing? do
refresh_member_authorized_projects
end
attribute :notification_level, default: -> { NotificationSetting.levels[:global] }
class << self
def search(query)
scope = joins(:user)
.merge(User.search(query, use_minimum_char_limit: false))
.allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/417456")
return scope unless Gitlab::Pagination::Keyset::Order.keyset_aware?(scope)
# If the User.search method returns keyset pagination aware AR scope then we
# need call apply_cursor_conditions which adds the ORDER BY columns from the scope
# to the SELECT clause.
#
# Why is this needed:
# When using keyset pagination, the next page is loaded using the ORDER BY
# values of the last record (cursor). This query selects `members.*` and
# orders by a custom SQL expression on `users` and `users.name`. The values
# will not be part of `members.*`.
#
# Result: `SELECT members.*, users.column1, users.column2 FROM members ...`
order = Gitlab::Pagination::Keyset::Order.extract_keyset_order_object(scope)
order.apply_cursor_conditions(scope).reorder(order)
end
def search_invite_email(query)
invite.where(['invite_email ILIKE ?', "%#{query}%"])
end
def filter_by_2fa(value)
case value
when 'enabled'
left_join_users.merge(User.with_two_factor)
when 'disabled'
left_join_users.merge(User.without_two_factor)
else
all
end
end
def filter_by_user_type(value)
return unless ::User.user_types.key?(value)
left_join_users.merge(::User.where(user_type: value))
end
def sort_by_attribute(method)
case method.to_s
when 'access_level_asc' then reorder(access_level: :asc)
when 'access_level_desc' then reorder(access_level: :desc)
when 'recent_sign_in' then order_recent_sign_in
when 'oldest_sign_in' then order_oldest_sign_in
when 'recent_created_user' then order_recent_created_user
when 'oldest_created_user' then order_oldest_created_user
when 'recent_last_activity' then order_recent_last_activity
when 'oldest_last_activity' then order_oldest_last_activity
when 'last_joined' then order_created_desc
when 'oldest_joined' then order_created_asc
else
order_by(method)
end
end
def left_join_users
left_outer_joins(:user)
.allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/417456")
end
def access_for_user_ids(user_ids)
with_user(user_ids).has_access.pluck(:user_id, :access_level).to_h
end
def find_by_invite_token(raw_invite_token)
invite_token = Devise.token_generator.digest(self, :invite_token, raw_invite_token)
find_by(invite_token: invite_token)
end
def valid_email?(email)
Devise.email_regexp.match?(email)
end
def pluck_user_ids
pluck(:user_id)
end
end
def real_source_type
source_type
end
def access_field
access_level
end
def invite?
self.invite_token.present?
end
def request?
requested_at.present?
end
def pending?
invite? || request?
end
def hook_prerequisites_met?
# It is essential that an associated user record exists
# so that we can successfully fire any member related hooks/notifications.
user.present?
end
def accept_request(current_user)
return false unless request?
updated = self.update(requested_at: nil, created_by: current_user)
after_accept_request if updated
updated
end
def accept_invite!(new_user)
return false unless invite?
return false unless new_user
self.user = new_user
return false unless self.user.save
self.invite_token = nil
self.invite_accepted_at = Time.current.utc
saved = self.save
after_accept_invite if saved
saved
end
def decline_invite!
return false unless invite?
destroyed = self.destroy
after_decline_invite if destroyed
destroyed
end
def generate_invite_token
raw, enc = Devise.token_generator.generate(self.class, :invite_token)
@raw_invite_token = raw
self.invite_token = enc
end
def generate_invite_token!
generate_invite_token && save(validate: false)
end
def resend_invite
return unless invite?
generate_invite_token! unless @raw_invite_token
send_invite
end
def send_invitation_reminder(reminder_index)
return unless invite?
generate_invite_token! unless @raw_invite_token
run_after_commit_or_now { notification_service.invite_member_reminder(self, @raw_invite_token, reminder_index) }
end
def create_notification_setting
user.notification_settings.find_or_create_for(source)
end
def destroy_notification_setting
notification_setting&.destroy
end
def notification_setting
@notification_setting ||= user&.notification_settings_for(source)
end
# rubocop: disable CodeReuse/ServiceClass
def notifiable?(type, opts = {})
# always notify when there isn't a user yet
return true if user.blank?
NotificationRecipients::BuildService.notifiable?(user, type, notifiable_options.merge(opts))
end
# rubocop: enable CodeReuse/ServiceClass
# Find the user's group member with a highest access level
def highest_group_member
strong_memoize(:highest_group_member) do
next unless user_id && source&.ancestors&.any?
GroupMember
.where(source: source.ancestors, user_id: user_id)
.non_request
.order(:access_level).last
end
end
def invite_to_unknown_user?
invite? && user_id.nil?
end
def created_by_name
created_by&.name
end
def update_two_factor_requirement
return unless source.is_a?(Group)
return unless user
Gitlab::Database::QueryAnalyzers::PreventCrossDatabaseModification.temporary_ignore_tables_in_transaction(
%w[users user_details user_preferences], url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/424288'
) do
user.update_two_factor_requirement
end
end
private
# TODO: https://gitlab.com/groups/gitlab-org/-/epics/7054
# temporary until we can we properly remove the source columns
def set_member_namespace_id
self.member_namespace_id = self.source_id
end
def access_level_inclusion
return if access_level.in?(Gitlab::Access.all_values)
errors.add(:access_level, "is not included in the list")
end
def send_invite
run_after_commit_or_now { notification_service.invite_member(self, @raw_invite_token) }
end
def send_request
notification_service.new_access_request(self)
todo_service.create_member_access_request_todos(self)
end
def post_create_hook
# The creator of a personal project gets added as a `ProjectMember`
# with `OWNER` access during creation of a personal project,
# but we do not want to trigger notifications to the same person who created the personal project.
unless source.is_a?(Project) && source.personal_namespace_holder?(user)
event_service.join_source(source, user)
run_after_commit_or_now { notification_service.new_member(self) }
end
system_hook_service.execute_hooks_for(self, :create)
end
def post_update_hook
if saved_change_to_access_level?
run_after_commit { notification_service.updated_member_access_level(self) }
end
if saved_change_to_expires_at?
run_after_commit { notification_service.updated_member_expiration(self) }
end
system_hook_service.execute_hooks_for(self, :update)
end
def post_destroy_hook
system_hook_service.execute_hooks_for(self, :destroy)
end
# Refreshes authorizations of the current member.
#
# This method schedules a job using Sidekiq and as such **must not** be called
# in a transaction. Doing so can lead to the job running before the
# transaction has been committed, resulting in the job either throwing an
# error or not doing any meaningful work.
# rubocop: disable CodeReuse/ServiceClass
# This method is overridden in the test environment, see stubbed_member.rb
def refresh_member_authorized_projects
UserProjectAccessChangedService.new(user_id).execute
end
# rubocop: enable CodeReuse/ServiceClass
def after_accept_invite
run_after_commit_or_now do
notification_service.accept_invite(self)
end
update_two_factor_requirement
post_create_hook
end
def after_decline_invite
notification_service.decline_invite(self)
end
def after_accept_request
post_create_hook
end
# rubocop: disable CodeReuse/ServiceClass
def system_hook_service
SystemHooksService.new
end
# rubocop: enable CodeReuse/ServiceClass
# rubocop: disable CodeReuse/ServiceClass
def notification_service
NotificationService.new
end
# rubocop: enable CodeReuse/ServiceClass
# rubocop: disable CodeReuse/ServiceClass
def todo_service
TodoService.new
end
# rubocop: enable CodeReuse/ServiceClass
def notifiable_options
case source
when Group
{ group: source }
when Project
{ project: source }
end
end
def higher_access_level_than_group
if highest_group_member && highest_group_member.access_level > access_level
error_parameters = { access: highest_group_member.human_access, group_name: highest_group_member.group.name }
errors.add(:access_level, s_("should be greater than or equal to %{access} inherited membership from group %{group_name}") % error_parameters)
end
end
def signup_email_valid?
error = validate_admin_signup_restrictions(invite_email)
errors.add(:user, error) if error
end
def signup_email_invalid_message
if source_type == 'Project'
_("is not allowed for this project.")
else
_("is not allowed for this group.")
end
end
def update_highest_role?
return unless user_id.present?
previous_changes[:access_level].present? || destroyed?
end
def update_highest_role_attribute
user_id
end
def project_bot?
user&.project_bot?
end
def log_invitation_token_cleanup
return true unless Gitlab.com? && invite? && invite_accepted_at?
error = StandardError.new("Invitation token is present but invite was already accepted!")
Gitlab::ErrorTracking.track_exception(error, attributes.slice(%w["invite_accepted_at created_at source_type source_id user_id id"]))
end
def event_service
EventCreateService.new # rubocop:todo CodeReuse/ServiceClass -- Legacy, convert to value object eventually
end
def create_organization_user_record
return if Feature.disabled?(:update_organization_users, source.root_ancestor, type: :gitlab_com_derisk)
return if invite?
return if source.organization.blank?
Organizations::OrganizationUser.upsert(
{ organization_id: source.organization_id, user_id: user_id, access_level: :default },
unique_by: [:organization_id, :user_id],
on_duplicate: :skip # Do not change access_level, could make :owner :default
)
end
end
Member.prepend_mod_with('Member')
|
