Add latest changes from gitlab-org/gitlab@15-9-stable-eev15.9.0-rc42

3 files changed, 39 insertions, 17 deletions

diff --git a/spec/models/members/group_member_spec.rb b/spec/models/members/group_member_spec.rb
index 4ac7ce95b84..c416e63b915 100644
--- a/spec/models/members/group_member_spec.rb
+++ b/spec/models/members/group_member_spec.rb
@@ -253,17 +253,13 @@ RSpec.describe GroupMember do
 
       let(:action) { group.members.find_by(user: user).destroy! }
 
-      it 'changes access level', :sidekiq_inline do
+      it 'changes access level' do
         expect { action }.to change { user.can?(:guest_access, project_a) }.from(true).to(false)
           .and change { user.can?(:guest_access, project_b) }.from(true).to(false)
           .and change { user.can?(:guest_access, project_c) }.from(true).to(false)
       end
 
-      it 'schedules an AuthorizedProjectsWorker job to recalculate authorizations' do
-        expect(AuthorizedProjectsWorker).to receive(:bulk_perform_async).with([[user.id]])
-
-        action
-      end
+      it_behaves_like 'calls AuthorizedProjectsWorker inline to recalculate authorizations'
     end
   end
 end
diff --git a/spec/models/members/member_role_spec.rb b/spec/models/members/member_role_spec.rb
index b118a3c0968..4bf33eb1fce 100644
--- a/spec/models/members/member_role_spec.rb
+++ b/spec/models/members/member_role_spec.rb
@@ -78,4 +78,30 @@ RSpec.describe MemberRole, feature_category: :authentication_and_authorization d
       end
     end
   end
+
+  describe 'callbacks' do
+    context 'for preventing deletion after member is associated' do
+      let_it_be(:member_role) { create(:member_role) }
+
+      subject(:destroy_member_role) { member_role.destroy } # rubocop: disable Rails/SaveBang
+
+      it 'allows deletion without any member associated' do
+        expect(destroy_member_role).to be_truthy
+      end
+
+      it 'prevent deletion when member is associated' do
+        create(:group_member, { group: member_role.namespace,
+                                access_level: Gitlab::Access::DEVELOPER,
+                                member_role: member_role })
+        member_role.members.reload
+
+        expect(destroy_member_role).to be_falsey
+        expect(member_role.errors.messages[:base])
+          .to(
+            include(s_("MemberRole|cannot be deleted because it is already assigned to a user. "\
+                       "Please disassociate the member role from all users before deletion."))
+          )
+      end
+    end
+  end
 end
diff --git a/spec/models/members/project_member_spec.rb b/spec/models/members/project_member_spec.rb
index d573fde5a74..f0069b89494 100644
--- a/spec/models/members/project_member_spec.rb
+++ b/spec/models/members/project_member_spec.rb
@@ -200,7 +200,8 @@ RSpec.describe ProjectMember do
       end
 
       it 'refreshes the authorization without calling AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker' do
-        expect(AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker).not_to receive(:bulk_perform_and_wait)
+        # this is inline with the overridden behaviour in stubbed_member.rb
+        expect(AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker).not_to receive(:new)
 
         project.destroy!
       end
@@ -215,8 +216,9 @@ RSpec.describe ProjectMember do
         expect(project.authorized_users).not_to include(user)
       end
 
-      it 'refreshes the authorization without calling UserProjectAccessChangedService' do
-        expect(UserProjectAccessChangedService).not_to receive(:new)
+      it 'refreshes the authorization without calling `AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker`' do
+        # this is inline with the overridden behaviour in stubbed_member.rb
+        expect(AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker).not_to receive(:new)
 
         user.destroy!
       end
@@ -224,7 +226,8 @@ RSpec.describe ProjectMember do
 
     context 'when importing' do
       it 'does not refresh' do
-        expect(AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker).not_to receive(:bulk_perform_and_wait)
+        # this is inline with the overridden behaviour in stubbed_member.rb
+        expect(AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker).not_to receive(:new)
 
         member = build(:project_member, project: project)
         member.importing = true
@@ -250,6 +253,8 @@ RSpec.describe ProjectMember do
 
     shared_examples_for 'calls AuthorizedProjectUpdate::UserRefreshFromReplicaWorker with a delay to update project authorizations' do
       it 'calls AuthorizedProjectUpdate::UserRefreshFromReplicaWorker' do
+        stub_feature_flags(do_not_run_safety_net_auth_refresh_jobs: false)
+
         expect(AuthorizedProjectUpdate::UserRefreshFromReplicaWorker).to(
           receive(:bulk_perform_in)
             .with(1.hour,
@@ -294,16 +299,11 @@ RSpec.describe ProjectMember do
         project.add_member(user, Gitlab::Access::GUEST)
       end
 
-      it 'changes access level', :sidekiq_inline do
+      it 'changes access level' do
         expect { action }.to change { user.can?(:guest_access, project) }.from(true).to(false)
       end
 
-      it 'calls AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker to recalculate authorizations' do
-        expect(AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker).to receive(:perform_async).with(project.id, user.id)
-
-        action
-      end
-
+      it_behaves_like 'calls AuthorizedProjectUpdate::ProjectRecalculatePerUserWorker inline to recalculate authorizations'
       it_behaves_like 'calls AuthorizedProjectUpdate::UserRefreshFromReplicaWorker with a delay to update project authorizations'
     end
   end