Commit a65a85f3 authored by Alper Akgun's avatar Alper Akgun

Merge branch...

Merge branch '336468-prevent-sharing-a-project-within-group-with-other-groups-times-out-for-large-group-2' into 'master'

Resolve ""Prevent sharing a project within ${GROUP} with other groups" times out for large group hierarchies"

See merge request gitlab-org/gitlab!72955
parents 56873056 2dfecc4f
...@@ -538,22 +538,24 @@ class Namespace < ApplicationRecord ...@@ -538,22 +538,24 @@ class Namespace < ApplicationRecord
# Until we compare the inconsistency rates of the new specialized worker and # Until we compare the inconsistency rates of the new specialized worker and
# the old approach, we still run AuthorizedProjectsWorker # the old approach, we still run AuthorizedProjectsWorker
# but with some delay and lower urgency as a safety net. # but with some delay and lower urgency as a safety net.
Group enqueue_jobs_for_groups_requiring_authorizations_refresh(priority: UserProjectAccessChangedService::LOW_PRIORITY)
else
enqueue_jobs_for_groups_requiring_authorizations_refresh(priority: UserProjectAccessChangedService::HIGH_PRIORITY)
end
end
def enqueue_jobs_for_groups_requiring_authorizations_refresh(priority:)
groups_requiring_authorizations_refresh = Group
.joins(project_group_links: :project) .joins(project_group_links: :project)
.where(projects: { namespace_id: id }) .where(projects: { namespace_id: id })
.distinct .distinct
.find_each do |group|
groups_requiring_authorizations_refresh.find_each do |group|
group.refresh_members_authorized_projects( group.refresh_members_authorized_projects(
blocking: false, blocking: false,
priority: UserProjectAccessChangedService::LOW_PRIORITY priority: priority
) )
end end
else
Group
.joins(project_group_links: :project)
.where(projects: { namespace_id: id })
.find_each(&:refresh_members_authorized_projects)
end
end end
def nesting_level_allowed def nesting_level_allowed
......
...@@ -1341,6 +1341,7 @@ RSpec.describe Namespace do ...@@ -1341,6 +1341,7 @@ RSpec.describe Namespace do
context 'refreshing project access on updating share_with_group_lock' do context 'refreshing project access on updating share_with_group_lock' do
let(:group) { create(:group, share_with_group_lock: false) } let(:group) { create(:group, share_with_group_lock: false) }
let(:project) { create(:project, :private, group: group) } let(:project) { create(:project, :private, group: group) }
let(:another_project) { create(:project, :private, group: group) }
let_it_be(:shared_with_group_one) { create(:group) } let_it_be(:shared_with_group_one) { create(:group) }
let_it_be(:shared_with_group_two) { create(:group) } let_it_be(:shared_with_group_two) { create(:group) }
...@@ -1353,6 +1354,7 @@ RSpec.describe Namespace do ...@@ -1353,6 +1354,7 @@ RSpec.describe Namespace do
shared_with_group_one.add_developer(group_one_user) shared_with_group_one.add_developer(group_one_user)
shared_with_group_two.add_developer(group_two_user) shared_with_group_two.add_developer(group_two_user)
create(:project_group_link, group: shared_with_group_one, project: project) create(:project_group_link, group: shared_with_group_one, project: project)
create(:project_group_link, group: shared_with_group_one, project: another_project)
create(:project_group_link, group: shared_with_group_two, project: project) create(:project_group_link, group: shared_with_group_two, project: project)
end end
...@@ -1360,6 +1362,9 @@ RSpec.describe Namespace do ...@@ -1360,6 +1362,9 @@ RSpec.describe Namespace do
expect(AuthorizedProjectUpdate::ProjectRecalculateWorker) expect(AuthorizedProjectUpdate::ProjectRecalculateWorker)
.to receive(:perform_async).with(project.id).once .to receive(:perform_async).with(project.id).once
expect(AuthorizedProjectUpdate::ProjectRecalculateWorker)
.to receive(:perform_async).with(another_project.id).once
execute_update execute_update
end end
...@@ -1392,11 +1397,23 @@ RSpec.describe Namespace do ...@@ -1392,11 +1397,23 @@ RSpec.describe Namespace do
stub_feature_flags(specialized_worker_for_group_lock_update_auth_recalculation: false) stub_feature_flags(specialized_worker_for_group_lock_update_auth_recalculation: false)
end end
it 'refreshes the permissions of the members of the old and new namespace' do it 'updates authorizations leading to users from shared groups losing access', :sidekiq_inline do
expect { execute_update } expect { execute_update }
.to change { group_one_user.authorized_projects.include?(project) }.from(true).to(false) .to change { group_one_user.authorized_projects.include?(project) }.from(true).to(false)
.and change { group_two_user.authorized_projects.include?(project) }.from(true).to(false) .and change { group_two_user.authorized_projects.include?(project) }.from(true).to(false)
end end
it 'updates the authorizations in a non-blocking manner' do
expect(AuthorizedProjectsWorker).to(
receive(:bulk_perform_async)
.with([[group_one_user.id]])).once
expect(AuthorizedProjectsWorker).to(
receive(:bulk_perform_async)
.with([[group_two_user.id]])).once
execute_update
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment