If a user is a member of the project foo/bar, the foo group will be returned with the current query even if he's not a member of that group.
With group sync enabled, the user will be added to Sonar groups even though he's not a member of the GitLab group.
The /groups GitLab API endpoint lists all groups related to the GitLab user, not only the groups of which the user is a member.
The query should include min_access_level set to 10 (guest access) to limit the returned list.
Note: filtering with min_access_level=10 will filter out groups visible because of child sharing, for example:
- Group1 <- user is not a member of this group, the group is private
- Group1/project2 <- project2 is private and shared with Group2
- Group2 <- Group2 is private, the user is a member of this group
In this situation, with the existing implementation, the user would be synced into Group1. With min_access_level=10, they will be synced only with Group2.
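
An audit sketch for the sharing scenario above, added here as an example and not the plugin's own code: it builds the /groups query with and without min_access_level=10 and classifies groups already synced to Sonar by whether real membership backs them. The host name, the function names and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlencode

GUEST = 10  # GitLab "Guest" access level, the value proposed above


def groups_url(base_url, min_access_level=None, page=1):
    """Build the GET /groups URL; min_access_level restricts it to real memberships."""
    params = {"per_page": 100, "page": page}
    if min_access_level is not None:
        params["min_access_level"] = min_access_level
    return f"{base_url.rstrip('/')}/api/v4/groups?{urlencode(params)}"


def audit_sync(unfiltered, filtered, synced_groups):
    """Split already-synced groups into those backed by membership and those
    granted only because the group was visible to the user."""
    visible = {g["full_path"] for g in unfiltered}
    member = {g["full_path"] for g in filtered}
    synced = set(synced_groups)
    return {
        "keep": sorted(synced & member),
        "revoke": sorted(synced & (visible - member)),
        "unknown": sorted(synced - visible),  # not from GitLab, review by hand
    }


# Constructed responses for the sharing scenario described above.
UNFILTERED = [{"id": 1, "full_path": "Group1"}, {"id": 2, "full_path": "Group2"}]
FILTERED = [{"id": 2, "full_path": "Group2"}]  # same call with min_access_level=10
SYNCED = ["Group1", "Group2", "sonar-users"]   # constructed Sonar-side memberships

if __name__ == "__main__":
    print(groups_url("https://gitlab.example.com", GUEST))
    print(audit_sync(UNFILTERED, FILTERED, SYNCED))
```

Groups under "revoke" are the ones the unfiltered query granted through visibility alone; they are candidates for cleanup after the filter is deployed.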