Downgrade group member role if LDAP dictates
Fixes #170 (closed)
If a group link was updated to set a lower maximum role/access level, a user's role was not downgraded. Similarly, if the user was moved to another group where their role should be lowered, their access was not downgraded. For some reason we were preferring the higher of LDAP or GitLab access even if LDAP said it should be lower. After this change, what LDAP says, wins.
If a user is a member of multiple LDAP groups that are linked with the same GitLab group, they still receive the highest of all roles.
Things to check
Can you think of a reason we would have chosen to preserve the higher of the roles? I can't think of a reason we would want this.