Minor updates to LDAP override membership API

Minor updates to `peterlloydcc` work to expose the ability to
override LDAP membership via the API. This along with `peterlloydcc`
original commit allow users to set the override flag on a member
to true or false, as needed.

doc/api/members.md

@@ -282,13 +282,14 @@ Example response:
 }
 ```
 
-### Override LDAP permissions for a member from a group
+### Set override flag for a member of a group
 
-Allows access level to be overriden for a LDAP group member
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4875) in GitLab 12.10.
 
->**Note:** This API endpoint is only available on 11.x Starter and above.
+By default, the access level of LDAP group members is set to the value specified
+by LDAP through Group Sync. You can allow access level overrides by calling this endpoint.
 
-```
+```plaintext
 POST /groups/:id/members/:user_id/override
 ```
 
@@ -317,13 +318,14 @@ Example response:
 }
 ```
 
-### Un-override LDAP permissions for a member from a group
+### Remove override for a member of a group
 
-Resets access level for a LDAP group member back to be level determined by the LDAP group
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4875) in GitLab 12.10.
 
->**Note:** This API endpoint is only available on 11.x Starter and above.
+Sets the override flag to false and allows LDAP Group Sync to reset the access
+level to the LDAP-prescribed value.
 
-```
+```plaintext
 DELETE /groups/:id/members/:user_id/override
 ```
 

ee/app/models/ee/group_member.rb

@@ -20,6 +20,7 @@ module EE
       end
 
       scope :non_owners, -> { where("members.access_level < ?", ::Gitlab::Access::OWNER) }
+      scope :by_user_id, ->(user_id) { where(user_id: user_id) }
     end
 
     class_methods do

ee/changelogs/unreleased-ee/pl-override-api.yml

 ---
 title: Add API methods to manipulate LDAP Override attribute
-merge_request:
+merge_request: 28674
 author: Peter Lloyd <peter.lloyd@cambridgeconsultants.com>
 type: added

ee/lib/ee/api/entities/member.rb

@@ -14,7 +14,7 @@ module EE
           expose :is_using_seat, if: -> (_, options) { options[:show_seat_info] }
 
           expose :override,
-                 if: ->(member, options) { member.source_type == 'Namespace' && member.ldap? }
+                 if: ->(member, _) { member.source_type == 'Namespace' && member.ldap? }
         end
       end
     end

ee/lib/ee/api/helpers/members_helpers.rb

@@ -45,6 +45,21 @@ module EE
           member
         end
 
+        def find_member(params)
+          source = find_source(:group, params.delete(:id))
+          authorize! :override_group_member, source
+
+          source.members.by_user_id(params[:user_id]).first
+        end
+
+        def present_member(updated_member)
+          if updated_member.valid?
+            present updated_member, with: ::API::Entities::Member
+          else
+            render_validation_error!(updated_member)
+          end
+        end
+
         def log_audit_event(member)
           ::AuditEventService.new(
             current_user,

ee/lib/ee/api/members.rb

@@ -10,55 +10,37 @@ module EE
           requires :id, type: String, desc: 'The ID of a group'
         end
         resource :groups, requirements: ::API::API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
-          desc 'Overrides a member of a group.' do
+          desc 'Overrides the access level of an LDAP group member.' do
             success Entities::Member
           end
           params do
             requires :user_id, type: Integer, desc: 'The user ID of the member'
           end
-          # rubocop: disable CodeReuse/ActiveRecord
           post ":id/members/:user_id/override" do
-            source = find_source(:group, params.delete(:id))
-            authorize_admin_source!(:group, source)
+            member = find_member(params)
 
-            member = source.members.find_by!(user_id: params[:user_id])
-            updated_member =
-              ::Members::UpdateService
-                .new(current_user, { override: true })
-                .execute(member, permission: :override)
+            updated_member = ::Members::UpdateService
+              .new(current_user, { override: true })
+              .execute(member, permission: :override)
 
-            if updated_member.valid?
-              present updated_member, with: ::API::Entities::Member
-            else
-              render_validation_error!(updated_member)
-            end
+            present_member(updated_member)
           end
-          # rubocop: enable CodeReuse/ActiveRecord
 
-          desc 'Remove an override of a member of a group.' do
+          desc 'Remove an LDAP group member access level override.' do
             success Entities::Member
           end
           params do
             requires :user_id, type: Integer, desc: 'The user ID of the member'
           end
-          # rubocop: disable CodeReuse/ActiveRecord
           delete ":id/members/:user_id/override" do
-            source = find_source(:group, params.delete(:id))
-            authorize_admin_source!(:group, source)
+            member = find_member(params)
 
-            member = source.members.find_by!(user_id: params[:user_id])
-            updated_member =
-              ::Members::UpdateService
-                .new(current_user, { override: false })
-                .execute(member, permission: :override)
+            updated_member = ::Members::UpdateService
+              .new(current_user, { override: false })
+              .execute(member, permission: :override)
 
-            if updated_member.valid?
-              present updated_member, with: ::API::Entities::Member
-            else
-              render_validation_error!(updated_member)
-            end
+            present_member(updated_member)
           end
-          # rubocop: enable CodeReuse/ActiveRecord
         end
       end
     end