Merge branch...

Merge branch '336468-prevent-sharing-a-project-within-group-with-other-groups-times-out-for-large-group-2' into 'master' Resolve ""Prevent sharing a project within ${GROUP} with other groups" times out for large group hierarchies" See merge request gitlab-org/gitlab!72955

Merge branch...
Merge branch '336468-prevent-sharing-a-project-within-group-with-other-groups-times-out-for-large-group-2' into 'master' Resolve ""Prevent sharing a project within ${GROUP} with other groups" times out for large group hierarchies" See merge request gitlab-org/gitlab!72955
a65a85f3 · Alper Akgun · 56873056 · 2dfecc4f · a65a85f3 · a65a85f3
Commit a65a85f3 authored Oct 28, 2021 by Alper Akgun
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 15 deletions

app/models/namespace.rb app/models/namespace.rb +16 -14

spec/models/namespace_spec.rb spec/models/namespace_spec.rb +18 -1

No files found.
--- a/app/models/namespace.rb
+++ b/app/models/namespace.rb
@@ -538,21 +538,23 @@ class Namespace < ApplicationRecord
      # Until we compare the inconsistency rates of the new specialized worker and
      # the old approach, we still run AuthorizedProjectsWorker
      # but with some delay and lower urgency as a safety net.
-      Group
-        .joins(project_group_links: :project)
-        .where(projects: { namespace_id: id })
-        .distinct
-        .find_each do |group|
-        group.refresh_members_authorized_projects(
-          blocking: false,
-          priority: UserProjectAccessChangedService::LOW_PRIORITY
-        )
-      end
+      enqueue_jobs_for_groups_requiring_authorizations_refresh(priority: UserProjectAccessChangedService::LOW_PRIORITY)
    else
-      Group
-        .joins(project_group_links: :project)
-        .where(projects: { namespace_id: id })
-        .find_each(&:refresh_members_authorized_projects)
+      enqueue_jobs_for_groups_requiring_authorizations_refresh(priority: UserProjectAccessChangedService::HIGH_PRIORITY)
+    end
+  end
+
+  def enqueue_jobs_for_groups_requiring_authorizations_refresh(priority:)
+    groups_requiring_authorizations_refresh = Group
+                                              .joins(project_group_links: :project)
+                                              .where(projects: { namespace_id: id })
+                                              .distinct
+
+    groups_requiring_authorizations_refresh.find_each do |group|
+      group.refresh_members_authorized_projects(
+        blocking: false,
+        priority: priority
+      )
    end
  end


--- a/spec/models/namespace_spec.rb
+++ b/spec/models/namespace_spec.rb
@@ -1341,6 +1341,7 @@ RSpec.describe Namespace do
  context 'refreshing project access on updating share_with_group_lock' do
    let(:group) { create(:group, share_with_group_lock: false) }
    let(:project) { create(:project, :private, group: group) }
+    let(:another_project) { create(:project, :private, group: group) }

    let_it_be(:shared_with_group_one) { create(:group) }
    let_it_be(:shared_with_group_two) { create(:group) }
@@ -1353,6 +1354,7 @@ RSpec.describe Namespace do
      shared_with_group_one.add_developer(group_one_user)
      shared_with_group_two.add_developer(group_two_user)
      create(:project_group_link, group: shared_with_group_one, project: project)
+      create(:project_group_link, group: shared_with_group_one, project: another_project)
      create(:project_group_link, group: shared_with_group_two, project: project)
    end

@@ -1360,6 +1362,9 @@ RSpec.describe Namespace do
      expect(AuthorizedProjectUpdate::ProjectRecalculateWorker)
        .to receive(:perform_async).with(project.id).once

+      expect(AuthorizedProjectUpdate::ProjectRecalculateWorker)
+        .to receive(:perform_async).with(another_project.id).once
+
      execute_update
    end

@@ -1392,11 +1397,23 @@ RSpec.describe Namespace do
        stub_feature_flags(specialized_worker_for_group_lock_update_auth_recalculation: false)
      end

-      it 'refreshes the permissions of the members of the old and new namespace' do
+      it 'updates authorizations leading to users from shared groups losing access', :sidekiq_inline do
        expect { execute_update }
          .to change { group_one_user.authorized_projects.include?(project) }.from(true).to(false)
          .and change { group_two_user.authorized_projects.include?(project) }.from(true).to(false)
      end
+
+      it 'updates the authorizations in a non-blocking manner' do
+        expect(AuthorizedProjectsWorker).to(
+          receive(:bulk_perform_async)
+            .with([[group_one_user.id]])).once
+
+        expect(AuthorizedProjectsWorker).to(
+          receive(:bulk_perform_async)
+            .with([[group_two_user.id]])).once
+
+        execute_update
+      end
    end
  end