Skip to content

For RefreshAuthorizedProjectsService, reset the user only after obtaining the lease

Manoj M J requested to merge mmj-reset-object-after-obtaining-lock into master

What does this MR do?

This change originates from the discussion at https://gitlab.com/gitlab-org/gitlab/-/issues/332120#note_589576340 (confidential)

For a service/worker that performs the work only after obtaining a lease, another instance of the same service/worker could have modified the object and its associations while this one was waiting for obtaining the lease.

So, if we .reset the object before obtaining the lease, it will not be aware of the changes that happened to it, while it was waiting for obtaining the lease.

Logically, it makes sense to .reset the object after obtaining the lease. This way, the object becomes aware of whatever changes that happened to it in the meantime, in a different instance of the same service/worker.

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Manoj M J

Merge request reports

Loading