Add latest changes from gitlab-org/gitlab@14-2-stable-eev14.2.0-rc42

2 files changed, 32 insertions, 8 deletions

diff --git a/app/models/members/group_member.rb b/app/models/members/group_member.rb
index cf5906a4cbf..a13133c90e9 100644
--- a/app/models/members/group_member.rb
+++ b/app/models/members/group_member.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 class GroupMember < Member
+  extend ::Gitlab::Utils::Override
   include FromUnion
   include CreatedAtFilterable
 
@@ -28,8 +29,6 @@ class GroupMember < Member
 
   attr_accessor :last_owner, :last_blocked_owner
 
-  self.enumerate_columns_in_select_statements = true
-
   def self.access_level_roles
     Gitlab::Access.options_with_owner
   end
@@ -51,6 +50,19 @@ class GroupMember < Member
     { group: group }
   end
 
+  override :refresh_member_authorized_projects
+  def refresh_member_authorized_projects
+    # Here, `destroyed_by_association` will be present if the
+    # GroupMember is being destroyed due to the `dependent: :destroy`
+    # callback on Group. In this case, there is no need to refresh the
+    # authorizations, because whenever a Group is being destroyed,
+    # its projects are also destroyed, so the removal of project_authorizations
+    # will happen behind the scenes via DB foreign keys anyway.
+    return if destroyed_by_association.present?
+
+    super
+  end
+
   private
 
   def access_level_inclusion
diff --git a/app/models/members/project_member.rb b/app/models/members/project_member.rb
index 5040879e177..b45c0b6a0cc 100644
--- a/app/models/members/project_member.rb
+++ b/app/models/members/project_member.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 class ProjectMember < Member
+  extend ::Gitlab::Utils::Override
   SOURCE_TYPE = 'Project'
 
   belongs_to :project, foreign_key: 'source_id'
@@ -19,11 +20,6 @@ class ProjectMember < Member
       .where(projects: { namespace_id: groups.select(:id) })
   end
 
-  scope :without_project_bots, -> do
-    left_join_users
-      .merge(User.without_project_bot)
-  end
-
   class << self
     # Add users to projects with passed access option
     #
@@ -48,7 +44,7 @@ class ProjectMember < Member
         project_ids.each do |project_id|
           project = Project.find(project_id)
 
-          Members::Projects::CreatorService.add_users( # rubocop:todo CodeReuse/ServiceClass
+          Members::Projects::CreatorService.add_users( # rubocop:disable CodeReuse/ServiceClass
             project,
             users,
             access_level,
@@ -94,6 +90,22 @@ class ProjectMember < Member
     { project: project }
   end
 
+  override :refresh_member_authorized_projects
+  def refresh_member_authorized_projects
+    return super unless Feature.enabled?(:specialized_service_for_project_member_auth_refresh)
+    return unless user
+
+    # rubocop:disable CodeReuse/ServiceClass
+    AuthorizedProjectUpdate::ProjectRecalculatePerUserService.new(project, user).execute
+
+    # Until we compare the inconsistency rates of the new, specialized service and
+    # the old approach, we still run AuthorizedProjectsWorker
+    # but with some delay and lower urgency as a safety net.
+    UserProjectAccessChangedService.new(user_id)
+      .execute(blocking: false, priority: UserProjectAccessChangedService::LOW_PRIORITY)
+    # rubocop:enable CodeReuse/ServiceClass
+  end
+
   private
 
   def send_invite