# frozen_string_literal: true
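# Membership record whose source is a group.
#
# The source_type is pinned to 'Namespace' three ways: as the attribute default, by a
# format validation, and by the default scope, so queries through this class only see
# rows with that source_type.
class GroupMember < Member
  include FromUnion
  include CreatedAtFilterable

  SOURCE_TYPE = 'Namespace'
  # Anchored with \A and \z, so the whole value has to match (not just one line of it).
  SOURCE_TYPE_FORMAT = /\ANamespace\z/

  belongs_to :group, foreign_key: 'source_id'
  alias_attribute :namespace_id, :source_id

  # Make sure a group member points only to a group as its source
  attribute :source_type, default: SOURCE_TYPE
  validates :source_type, format: { with: SOURCE_TYPE_FORMAT }
  default_scope { where(source_type: SOURCE_TYPE) } # rubocop:disable Cop/DefaultScope

  # NOTE(review): with `groups` nil, `groups&.select(:id)` is nil and the condition becomes
  # `source_id: nil` - confirm callers expect that rather than an error.
  scope :of_groups, ->(groups) { where(source_id: groups&.select(:id)) }
  scope :of_ldap_type, -> { where(ldap: true) }
  scope :count_users_by_group_id, -> { group(:source_id).count }

  # Creating or destroying a membership re-evaluates the user's two-factor requirement.
  # Both callbacks are skipped for invites.
  after_create :update_two_factor_requirement, unless: :invite?
  after_destroy :update_two_factor_requirement, unless: :invite?

  # Optional precomputed answer for #last_owner_of_the_group?. When it is non-nil that
  # method returns it instead of querying the group's owners.
  # NOTE(review): this is a public writer that short-circuits the last-owner check; it
  # should only be set by trusted code and presumably must stay out of permitted request
  # parameters - confirm against the controllers and services that build members.
  attr_accessor :last_owner

  # Asks the member's user to update its two-factor requirement.
  #
  # Does nothing when the membership has no user. The update runs inside a block in which
  # the cross-database modification analyzer ignores the listed user tables (tracked in
  # the linked issue).
  def update_two_factor_requirement
    return unless user

    Gitlab::Database::QueryAnalyzers::PreventCrossDatabaseModification.temporary_ignore_tables_in_transaction(
      %w[users user_details user_preferences], url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/424288'
    ) do
      user.update_two_factor_requirement
    end
  end

  # For those who get to see a modal with a role dropdown, here are the options presented.
  # Both arguments are ignored.
  def self.permissible_access_level_roles(_, _)
    # This method is a stopgap in preparation for https://gitlab.com/gitlab-org/gitlab/-/issues/364087
    access_level_roles
  end

  # Access level options for group members, including the owner level.
  def self.access_level_roles
    Gitlab::Access.options_with_owner
  end

  # The group this membership belongs to (its source).
  def group
    source
  end

  # Because source_type is `Namespace`...
  def real_source_type
    Group.sti_name
  end

  # Options hash identifying the group this membership belongs to.
  def notifiable_options
    { group: group }
  end

  # Whether this member is the only remaining owner of the group.
  #
  # Returns false for any access level other than OWNER. If `last_owner` has been set, that
  # value is returned unchanged. Otherwise the group's owners (project bots excluded by the
  # group-side query) are inspected, and the result is true only when every one of them is
  # this same user in this same group.
  def last_owner_of_the_group?
    return false unless access_level == Gitlab::Access::OWNER
    return last_owner unless last_owner.nil?

    # `all?` gives the same answer as deleting this member's own entries and testing for
    # emptiness, but leaves the collection returned by the group untouched.
    group.member_owners_excluding_project_bots.all? do |member|
      member.group == group && member.user_id == user_id
    end
  end

  private

  override :refresh_member_authorized_projects
  def refresh_member_authorized_projects
    # Here, `destroyed_by_association` will be present if the
    # GroupMember is being destroyed due to the `dependent: :destroy`
    # callback on Group. In this case, there is no need to refresh the
    # authorizations, because whenever a Group is being destroyed,
    # its projects are also destroyed, so the removal of project_authorizations
    # will happen behind the scenes via DB foreign keys anyway.
    return if destroyed_by_association.present?

    super
  end

  # Sends the group invitation, then defers to the parent implementation.
  # NOTE(review): @raw_invite_token is assigned outside this class; it is passed to the
  # notification service here and is presumably a secret that should not be logged - confirm.
  def send_invite
    run_after_commit_or_now { notification_service.invite_group_member(self, @raw_invite_token) }

    super
  end

  # Notifies about the new membership when a welcome email is wanted, then calls super.
  def post_create_hook
    run_after_commit_or_now { notification_service.new_group_member(self) } if send_welcome_email?

    super
  end

  # After commit, notifies about a changed access level and/or a changed expiry date,
  # then calls super.
  def post_update_hook
    run_after_commit { notification_service.update_group_member(self) } if saved_change_to_access_level?
    run_after_commit { notification_service.updated_group_member_expiration(self) } if saved_change_to_expires_at?

    super
  end

  # Notifies about the accepted invite and refreshes the two-factor requirement.
  # The create callback skips invites, so this appears to be where an invited member's
  # requirement gets updated once the invite is accepted.
  def after_accept_invite
    run_after_commit_or_now do
      notification_service.accept_group_invite(self)
    end

    update_two_factor_requirement

    super
  end

  # Group members always get a welcome email from this class.
  def send_welcome_email?
    true
  end
end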
# NOTE(review): presumably prepends an extension module named 'GroupMember' when one exists,
# which could override methods defined in the class above - confirm against prepend_mod_with
# and review that module together with this class.
GroupMember.prepend_mod_with('GroupMember')