Incorrect project authorizations
A GitLab.com user reported that they saw a strange user in the 'Assignee' dropdown in their projects. This user is no one they recognize and was never a member of their groups/projects. Upon further investigation, I noticed the user actually has access to the projects in question (found out via impersonation). I also confirmed the user is not a member of the projects or groups, though.
Refreshing project authorizations for the users yields the same result - the invalid authorizations are still present. Why did this happen and why is a refresh not fixing it.
I'm keeping this confidential for now in case we find it's a larger security issue