1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
# frozen_string_literal: true
class GroupMember < Member
extend ::Gitlab::Utils::Override
include FromUnion
include CreatedAtFilterable
SOURCE_TYPE = 'Namespace'
SOURCE_TYPE_FORMAT = /\ANamespace\z/.freeze
THRESHOLD_FOR_REFRESHING_AUTHORIZATIONS_VIA_PROJECTS = 1000
belongs_to :group, foreign_key: 'source_id'
alias_attribute :namespace_id, :source_id
delegate :update_two_factor_requirement, to: :user, allow_nil: true
# Make sure group member points only to group as it source
default_value_for :source_type, SOURCE_TYPE
validates :source_type, format: { with: SOURCE_TYPE_FORMAT }
default_scope { where(source_type: SOURCE_TYPE) } # rubocop:disable Cop/DefaultScope
scope :of_groups, ->(groups) { where(source_id: groups&.select(:id)) }
scope :of_ldap_type, -> { where(ldap: true) }
scope :count_users_by_group_id, -> { group(:source_id).count }
scope :with_user, -> (user) { where(user: user) }
after_create :update_two_factor_requirement, unless: :invite?
after_destroy :update_two_factor_requirement, unless: :invite?
attr_accessor :last_owner, :last_blocked_owner
# For those who get to see a modal with a role dropdown, here are the options presented
def self.permissible_access_level_roles(_, _)
# This method is a stopgap in preparation for https://gitlab.com/gitlab-org/gitlab/-/issues/364087
access_level_roles
end
def self.access_level_roles
Gitlab::Access.options_with_owner
end
def self.pluck_user_ids
pluck(:user_id)
end
def group
source
end
# Because source_type is `Namespace`...
def real_source_type
Group.sti_name
end
def notifiable_options
{ group: group }
end
private
override :refresh_member_authorized_projects
def refresh_member_authorized_projects(blocking:)
# Here, `destroyed_by_association` will be present if the
# GroupMember is being destroyed due to the `dependent: :destroy`
# callback on Group. In this case, there is no need to refresh the
# authorizations, because whenever a Group is being destroyed,
# its projects are also destroyed, so the removal of project_authorizations
# will happen behind the scenes via DB foreign keys anyway.
return if destroyed_by_association.present?
return unless user_id
return super if Feature.disabled?(:refresh_authorizations_via_affected_projects_on_group_membership, group)
# rubocop:disable CodeReuse/ServiceClass
projects_to_refresh = Groups::ProjectsRequiringAuthorizationsRefresh::OnDirectMembershipFinder.new(group).execute
threshold_exceeded = (projects_to_refresh.size > THRESHOLD_FOR_REFRESHING_AUTHORIZATIONS_VIA_PROJECTS)
# We want to try the new approach only if the number of affected projects are greater than the set threshold.
return super unless threshold_exceeded
AuthorizedProjectUpdate::ProjectAccessChangedService
.new(projects_to_refresh)
.execute(blocking: false)
# Until we compare the inconsistency rates of the new approach
# the old approach, we still run AuthorizedProjectsWorker
# but with some delay and lower urgency as a safety net.
UserProjectAccessChangedService
.new(user_id)
.execute(blocking: false, priority: UserProjectAccessChangedService::LOW_PRIORITY)
# rubocop:enable CodeReuse/ServiceClass
end
def send_invite
run_after_commit_or_now { notification_service.invite_group_member(self, @raw_invite_token) }
super
end
def post_create_hook
if send_welcome_email?
run_after_commit_or_now { notification_service.new_group_member(self) }
end
super
end
def post_update_hook
if saved_change_to_access_level?
run_after_commit { notification_service.update_group_member(self) }
end
if saved_change_to_expires_at?
run_after_commit { notification_service.updated_group_member_expiration(self) }
end
super
end
def after_accept_invite
run_after_commit_or_now do
notification_service.accept_group_invite(self)
end
update_two_factor_requirement
super
end
def after_decline_invite
notification_service.decline_group_invite(self)
super
end
def send_welcome_email?
true
end
end
GroupMember.prepend_mod_with('GroupMember')
|