Skip to content

Add support for mixing direct member filter with 2FA filter

What does this MR do?

Related to #228675 (closed)

Currently you can not filter group members by "Direct only" and 2FA enabled/disabled, meaning the 2FA filter only works when also displaying inherited group members. This MR adds support for this in preparation for implementing a filtered search bar.

Raw SQL

Before

SELECT
    "members".*
FROM
    "members"
WHERE
    "members"."type" = 'GroupMember'
    AND "members"."source_id" = 9970
    AND "members"."source_type" = 'Namespace'
    AND "members"."requested_at" IS NULL
    AND "members"."access_level" != 5

After

SELECT
    "members".*
FROM
    "members"
    LEFT OUTER JOIN "users" ON "members"."user_id" = "users"."id"
WHERE
    "members"."type" = 'GroupMember'
    AND "members"."source_id" = 9970
    AND "members"."source_type" = 'Namespace'
    AND "members"."requested_at" IS NULL
    AND "members"."access_level" != 5
    AND (EXISTS (
            SELECT
                *
            FROM
                u2f_registrations AS u2f
            WHERE
                u2f.user_id = users.id)
            OR users.otp_required_for_login = TRUE
            OR EXISTS (
                SELECT
                    *
                FROM
                    webauthn_registrations AS webauthn
                WHERE
                    webauthn.user_id = users.id))

Explain Plan

https://explain.depesz.com/s/8GJs

Example of what the filtered search bar will look like

Screen_Shot_2020-11-18_at_2.15.45_PM

Since the current filter dropdowns will be converted to a filtered search bar in #228675 (closed) this MR does not change the current dropdowns to support this change.

Screenshots (strongly suggested)

Filters Before After
2FA: enabled, Direct only Screen_Shot_2020-11-18_at_2.06.39_PM Screen_Shot_2020-11-18_at_1.56.32_PM
2FA: disabled, Direct only Screen_Shot_2020-11-18_at_2.04.03_PM Screen_Shot_2020-11-18_at_1.57.02_PM

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Peter Hegman

Merge request reports

Loading