google · ViniciustCosta · Mar 23, 2026 · Mar 20, 2026
@@ -21,6 +21,7 @@
 from clusterfuzz._internal.datastore import data_handler
 from clusterfuzz._internal.google_cloud_utils import google_groups
 from clusterfuzz._internal.issue_management import issue_tracker_utils
+from clusterfuzz._internal.metrics import logs
 from libs import auth
 from libs import helpers
 
@@ -47,12 +48,16 @@ def _is_privileged_user(email):
         utils.is_service_account(privileged_group)):
       continue
 
-    group_id = google_groups.get_group_id(privileged_group)
-    if not group_id:
-      continue
+    try:
+      group_id = google_groups.get_group_id(privileged_group)
+      if not group_id:
+        continue
 
-    if google_groups.check_transitive_group_membership(group_id, email):
-      return True
+      if google_groups.check_transitive_group_membership(group_id, email):
+        return True
+    except:
+      logs.error(f'Failed to check privileged group membership for {email}')
+      return False
 
   return False
 

@@ -138,6 +138,19 @@ def test_not_member_privileged_group(self):
     self.mock.check_transitive_group_membership.assert_called_with(
         1, 'usertest@google.com')
 
+  def test_not_member_google_group_exception(self):
+    """Test failed access if user not member of privileged group."""
+    self.mock.get_value.side_effect = self._get_value_mock
+    self.mock.get_identity_api.return_value = None
+    self.mock.get_group_id.return_value = 1
+    self.mock.check_transitive_group_membership.return_value = True
+    self.mock.check_transitive_group_membership.side_effect = Exception()
+
+    self.assertFalse(access._is_privileged_user('usertest@google.com'))
+    self.mock.get_group_id.assert_called_with('test@group.com')
+    self.mock.check_transitive_group_membership.assert_called_with(
+        1, 'usertest@google.com')
+
 
 class IsDomainAllowedTest(unittest.TestCase):
   """Test _is_domain_allowed."""