Merge branch 'tchu-fix-n+1-in-search-filter' into 'master'

Refactor project custom role filter See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168591 Merged-by: Dmitry Gruzd <dgruzd@gitlab.com> Approved-by: mo khan <mo@mokhan.ca> Approved-by: Dmitry Gruzd <dgruzd@gitlab.com> Co-authored-by: Terri Chu <tchu@gitlab.com>

Merge branch 'tchu-fix-n+1-in-search-filter' into 'master'
51342bf6 · Dmitry Gruzd · GitLab · 63c505c9 · f4b16875 · 51342bf6
Unverified Commit 51342bf6 authored 4 months ago by Dmitry Gruzd Committed by GitLab 4 months ago
--- a/.rubocop_todo/rspec/before_all_role_assignment.yml
+++ b/.rubocop_todo/rspec/before_all_role_assignment.yml
@@ -276,7 +276,6 @@ RSpec/BeforeAllRoleAssignment:
    - 'ee/spec/lib/ee/gitlab/ci/pipeline/chain/validate/abilities_spec.rb'
    - 'ee/spec/lib/ee/gitlab/git_access_project_spec.rb'
    - 'ee/spec/lib/ee/gitlab/import_export/project/tree_saver_spec.rb'
-    - 'ee/spec/lib/elastic/latest/git_class_proxy_spec.rb'
    - 'ee/spec/lib/elastic/latest/user_instance_proxy_spec.rb'
    - 'ee/spec/lib/gitlab/code_owners/loader_spec.rb'
    - 'ee/spec/lib/gitlab/code_owners/validator_spec.rb'

--- a/.rubocop_todo/rspec/named_subject.yml
+++ b/.rubocop_todo/rspec/named_subject.yml
@@ -309,7 +309,6 @@ RSpec/NamedSubject:
    - 'ee/spec/lib/elastic/latest/application_instance_proxy_spec.rb'
    - 'ee/spec/lib/elastic/latest/epic_class_proxy_spec.rb'
    - 'ee/spec/lib/elastic/latest/epic_instance_proxy_spec.rb'
-    - 'ee/spec/lib/elastic/latest/git_class_proxy_spec.rb'
    - 'ee/spec/lib/elastic/latest/git_instance_proxy_spec.rb'
    - 'ee/spec/lib/elastic/latest/note_class_proxy_spec.rb'
    - 'ee/spec/lib/elastic/latest/routing_spec.rb'

--- a/ee/lib/search/elastic/filters.rb
+++ b/ee/lib/search/elastic/filters.rb
@@ -678,7 +678,7 @@ def pick_projects_by_membership(
                {
                  terms: {
                    _name: context.name(:membership, :id),
-                    id_field => filter_ids_by_feature(project_ids, user, feature)
+                    id_field => filter_project_ids_by_feature(project_ids, user, feature)
                  }
                }
              end
@@ -776,7 +776,7 @@ def rejected_project_filter(namespaces, options)
  
          project_ids = []
          Array.wrap(options[:features]).each do |feature|
-            project_ids.concat(filter_ids_by_feature(scoped_project_ids, current_user, feature))
+            project_ids.concat(filter_project_ids_by_feature(scoped_project_ids, current_user, feature))
          end
  
          rejected_ids = namespaces.flat_map do |namespace|
@@ -822,7 +822,7 @@ def ancestry_filter(namespace_ancestry, traversal_id_field:)
          end
        end
  
-        def filter_ids_by_feature(project_ids, user, feature)
+        def filter_project_ids_by_feature(project_ids, user, feature)
          Project
            .id_in(project_ids)
            .filter_by_feature_visibility(feature, user)
@@ -832,20 +832,25 @@ def filter_ids_by_feature(project_ids, user, feature)
        def project_ids_for_features(projects, user, features)
          project_ids = projects.pluck_primary_key
  
-          [].tap do |allowed_ids|
-            features.each do |feature|
-              allowed_ids.concat(filter_ids_by_feature(project_ids, user, feature))
-              allowed_ids.concat(filter_project_ids_by_ability(projects, user, ability_to_access_feature(feature)))
-            end
-          end.uniq
+          allowed_ids = []
+          features.each do |feature|
+            allowed_ids.concat(filter_project_ids_by_feature(project_ids, user, feature))
+          end
+
+          abilities = features.map { |feature| ability_to_access_feature(feature) }
+
+          allowed_ids.concat(filter_project_ids_by_abilities(projects, user, abilities))
+          allowed_ids.uniq
        end
  
-        def filter_project_ids_by_ability(projects, user, ability)
-          return [] if ability.nil? || user.blank?
+        def filter_project_ids_by_abilities(projects, user, target_abilities)
+          return [] if target_abilities.empty? || user.blank?
+
+          actual_abilities = ::Authz::Project.new(user, scope: projects).permitted
  
-          projects.select do |project|
-            ::Authz::CustomAbility.allowed?(user, ability, project)
-          end.pluck(:id) # rubocop:disable CodeReuse/ActiveRecord -- not an ActiveRecord relation
+          projects.filter_map do |project|
+            project.id if (actual_abilities[project.id] || []).intersection(target_abilities).any?
+          end
        end
  
        def ability_to_access_feature(feature)

--- a/ee/spec/lib/elastic/latest/git_class_proxy_spec.rb
+++ b/ee/spec/lib/elastic/latest/git_class_proxy_spec.rb