
Downgrade group member role if LDAP dictates

Drew Blessing requested to merge dblessing/gitlab-ee:fix_ldap_group_sync into master

Fixes #170 (closed)

If a group link was updated to set a lower maximum role/access level, a user's role was not downgraded. Similarly, if the user was moved to another group where their role should be lowered, their access was not downgraded. For some reason we were preferring the higher of LDAP or GitLab access even if LDAP said it should be lower. After this change, what LDAP says, wins.

If a user is a member of multiple LDAP groups that are linked with the same GitLab group, they still receive the highest of all roles.

Things to check

Can you think of a reason we would have chosen to preserve the higher of the roles? I can't think of a reason we would want this.
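
The role resolution described in the merge request above, as an added Ruby example that is not part of the merge request or of GitLab's code. The function names and the sample links, members and directory are constructed; users with no linked LDAP group are skipped because the description does not cover that case.

```ruby
# Numeric access levels as GitLab defines them (constant names chosen for this example).
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40

# Constructed LDAP group links for one GitLab group: LDAP group cn => maximum access level.
LINKS = { 'eng' => DEVELOPER, 'leads' => MAINTAINER, 'contractors' => REPORTER }.freeze

# Highest access level among the linked LDAP groups the user belongs to (nil if none).
def ldap_access(links, user_groups)
  links.values_at(*(user_groups & links.keys)).max
end

# Rule before the change: the higher of GitLab and LDAP is kept,
# so a lowered link or a group move never reduces the stored role.
def old_rule(current, ldap)
  [current, ldap].max
end

# Rule after the change: what LDAP says wins, including when it is lower.
def new_rule(_current, ldap)
  ldap
end

# Members whose role under the old rule exceeds what LDAP dictates,
# returned as [user, stored_level, level_after_the_change].
def over_privileged(members, links, directory)
  members.filter_map do |user, current|
    ldap = ldap_access(links, directory.fetch(user, []))
    next if ldap.nil? # no linked LDAP group: out of scope for this example
    [user, current, new_rule(current, ldap)] if old_rule(current, ldap) > ldap
  end
end

# Constructed sample: stored GitLab roles and current LDAP group membership.
MEMBERS   = { 'alice' => MAINTAINER, 'bob' => DEVELOPER, 'carol' => REPORTER }.freeze
DIRECTORY = { 'alice' => %w[eng], 'bob' => %w[eng leads], 'carol' => %w[contractors] }.freeze

over_privileged(MEMBERS, LINKS, DIRECTORY).each do |user, from, to|
  puts "#{user}: access level #{from} -> #{to}"
end
```

Run against an export of real memberships and links, the same comparison lists the accounts whose role was left above the LDAP-dictated level.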
