Branch protection allowlist user search does not show new team members

[jussara-ti]

Description

Description

• I have checked the FAQ
• I have searched existing issues (Closest found was #20083, but with a different root cause)
• Issue persists without Proxy/CDN

When a team is added as a collaborator to a repository, its members can be searched and added individually to a protected branch's push allowlist. However, if a new user account is added to that team later, this new member does not appear in the protected branch's Search users field, even though their team is already a collaborator on the repository.

Steps to Reproduce

1. In an organization, create or use an existing team (e.g., Team A, with 4 members, the initial amount of members does not matter, this is just for context).
2. As an administrator, open a repository in this organization, go to Settings > Collaborators and add Team A (in this example scenario, one of the initial 4 team members is "Alice").
3. Go to Settings > Branches, select a branch (e.g., main), and click Edit.
4. In the Push section, enable Allowlist Restricted Push. If you search the Search users field for members who were already in Team A (e.g., Alice), they appear normally and can be added to the allowlist.
5. Suppose a new collaborator is hired: create a new account for them (e.g., Bob) and add them as a member to Team A. Now the team has 5 members. It is worth noting that this issue happens not only with Bob but with any other user added afterwards (e.g., Charles).
6. Return to the protected branch settings (as an administrator) and try to search for the new user (Bob or Charles) in the Search users field within the push allowlist.

Expected Behavior

The new member should appear in the push allowlist's Search users field so the administrator can select them, as they are now part of Team A (which is a collaborator on the repository).

Actual Behavior

The new member does not appear in the search. To work around this and make the new user appear in the protected branch search, the administrator must:

1. Go to the repository's Settings > Collaborators.
2. Remove Team A.
3. Add Team A back again.

Only after removing and re-adding the team does the new user start appearing in the allowlist's Search users field.

Additional Notes:

• The new user (Bob), upon being added to the team, can successfully see and read ALL repositories that Team A has access to. The permission inheritance works fine; it seems to be a specific bug where the data populating the Search users dropdown is not updated when the team receives new members.
• This is confirmed not to be a synchronization delay issue: the behavior persists even after the user has been added to the team for more than 3 months.
• Older members (like Alice), who already existed in the team when it was originally added to the Collaborators tab, continue to appear and function normally in the search.

Gitea Version: 1.25.1
Installation Method: Helm Chart / Kubernetes

Gitea Version

1.25.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.49.1

Operating System

Alpine Linux 3.22.2

How are you running Gitea?

I am running Gitea on a Kubernetes cluster using the community Helm Chart (gitea-charts/gitea)

Database

PostgreSQL

[bircni]

Have you seen this one?
Sounds kinda familiar #35499

[bircni]

Maybe try updating to gitea 1.25.4?