Information leak: memberships for blocked users and not-yet-approved requests can apply

Summary

GitLab sends "project access requested" emails to blocked users.

Steps to reproduce

• Set a user in a group to be "blocked"
• Have another user request access to a group the blocked user is a developer for

Expected behavior

No emails should be sent to a blocked user

Actual behaviour

An email is sent to the blocked user. This discloses both the requestor's details, and the details of all other group members (in the To: header).

Relevant logs and/or screenshots

Here's the email I got (suitably redacted)

Return-Path: <gitlab@...>
Delivered-To: <...>
Received: from ...

Date: Tue, 30 Aug 2016 13:57:35 +0100
From:  Gitlab <gitlab@...>
Reply-To:  Gitlab <gitlab@...>
To: other-person-one@...,
 other-person-two@...,
  me@...
Subject: Request to join the ... group
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_57c582bfcdc18_5ec44ea279465161";
 charset=UTF-8
Content-Transfer-Encoding: 7bit



----==_mimepart_57c582bfcdc18_5ec44ea279465161
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

someone (https://gitlab..../u/...) requested Developer access to the ... group.

https://gitlab..../groups/.../group_members

----==_mimepart_57c582bfcdc18_5ec44ea279465161
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: quoted-printable
...
----==_mimepart_57c582bfcdc18_5ec44ea279465161--

Output of checks

N/a

Results of GitLab application Check

N/a

Results of GitLab environment info

N/a

Possible fixes

Assuming blocked users should not get any emails, ever, then this should just be an additional filter + check in app/services/notification_service.rb, but I haven't checked yet.