From 763c8052f636292bb5d80322432f7aa0018dbe65 Mon Sep 17 00:00:00 2001
From: Eugie Limpin
Date: Wed, 10 Sep 2025 16:09:52 +0800
Subject: [PATCH 1/2] Use Members::DestroyService when destroying members on LDAP group sync

---
 ee/lib/ee/gitlab/auth/ldap/sync/group.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ee/lib/ee/gitlab/auth/ldap/sync/group.rb b/ee/lib/ee/gitlab/auth/ldap/sync/group.rb
index 93ad77b1db5bea..419570b818a4e6 100644
--- a/ee/lib/ee/gitlab/auth/ldap/sync/group.rb
+++ b/ee/lib/ee/gitlab/auth/ldap/sync/group.rb
@@ -217,7 +217,8 @@ def update_existing_group_membership(group, access_levels)
 elsif group.last_owner?(user)
 warn_cannot_remove_last_owner(user, group)
 else
- group.group_members.destroy(member.id)
+ ::Members::DestroyService.new.execute(member.reset,
+ skip_authorization: true, skip_subresources: true, skip_saml_identity: true)
 end
 end
 end
-- 
GitLab

From 874cf30cda49af9bd66973d37319735e36a18b35 Mon Sep 17 00:00:00 2001
From: Eugie Limpin
Date: Thu, 11 Sep 2025 10:57:58 +0800
Subject: [PATCH 2/2] Reload member by doing Member.find instead of calling reset

This ensures possible changes made to the member are present when DestroyService processes it.
---
 ee/lib/ee/gitlab/auth/ldap/sync/group.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ee/lib/ee/gitlab/auth/ldap/sync/group.rb b/ee/lib/ee/gitlab/auth/ldap/sync/group.rb
index 419570b818a4e6..dbf0518d1a7ff3 100644
--- a/ee/lib/ee/gitlab/auth/ldap/sync/group.rb
+++ b/ee/lib/ee/gitlab/auth/ldap/sync/group.rb
@@ -217,7 +217,7 @@ def update_existing_group_membership(group, access_levels)
 elsif group.last_owner?(user)
 warn_cannot_remove_last_owner(user, group)
 else
- ::Members::DestroyService.new.execute(member.reset,
+ ::Members::DestroyService.new.execute(::GroupMember.find(member.id),
 skip_authorization: true, skip_subresources: true, skip_saml_identity: true)
 end
 end
-- 
GitLab
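Review bot: The three `skip_*` flags on the added `execute` call (carried unchanged into PATCH 2/2) have no explanation, and `skip_authorization: true` is a permission bypass that a later reader has to take on trust. The service is built with no acting user (`DestroyService.new` without arguments), so the skip looks deliberate because LDAP is the authority here, and the other two flags presumably keep the removal limited to this group's membership row, as the removed `group.group_members.destroy(member.id)` was. Please say so above the call, e.g. `# LDAP sync has no acting user and removes only this group's membership: authorization, sub-resources and SAML identity are intentionally skipped`. It is also worth confirming how the service attributes any audit record when no current user is supplied; that code is not in this hunk. The body of `update_existing_group_membership` starts outside the hunk.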
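Review bot: The reload on the added line is unscoped: `::GroupMember.find(member.id)` loads any group membership with that id, whereas the line this series started from, `group.group_members.destroy(member.id)`, could only touch a member of `group`. Because the same call passes `skip_authorization: true`, the lookup scope is the only remaining guard that this sync removes members of the group being synced, so I would keep it: `::Members::DestroyService.new.execute(group.group_members.find(member.id),`. Where `member` is loaded is outside the hunk, so this may be redundant today, but it keeps the invariant next to the bypass. Separately, `find` raises `ActiveRecord::RecordNotFound` if the row was removed in the meantime; whether a caller rescues that is not visible here, and if none does, one stale row would stop the remaining removals for the group.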