Group Request Membership email sent to too wide an audience
Summary
When a user requests access to a group, an email is sent to the owners and masters of that group. Group membership can only be managed by group owners, though.
Steps to reproduce
Create a group with 1 owner and 1 master user. As a third user, request access.
Expected behavior
When a user requests access to a group, only the owners should be emailed.
Actual behavior
Owners and masters are emailed.
Possible fixes
This is probably caused by https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/mailers/emails/members.rb . Specifically:
def member_access_requested_email(member_source_type, member_id)
  @member_source_type = member_source_type
  @member_id = member_id
  admins = member_source.members.owners_and_masters.includes(:user).pluck(:notification_email)
  # A project in a group can have no explicit owners/masters, in that case
  # we fallbacks to the group's owners/masters.
  if admins.empty? && member_source.respond_to?(:group) && member_source.group
    admins = member_source.group.members.owners_and_masters.includes(:user).pluck(:notification_email)
  end
  mail(to: admins,
       subject: subject("Request to join the #{member_source.human_name} #{member_source.model_name.singular}"))
end
It appears to be returning owners_and_masters for everything, whereas I believe the user list should be limited to just owners for groups (project members can be managed by both owners and masters, though, so the logic needs to work out the users based on the request source).
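One way to choose recipients by request source, as an added example that is not GitLab's code: plain Ruby structs stand in for the models, and the names `MIN_APPROVER_LEVEL`, `approvers` and `access_request_recipients`, the numeric levels and the sample addresses are assumptions of this sketch.

```ruby
# Added illustration only: plain Ruby stand-ins, not GitLab's models or mailer.
MASTER = 40 # assumed numeric levels for this sketch
OWNER  = 50

Member  = Struct.new(:notification_email, :access_level)
Group   = Struct.new(:name, :members)
Project = Struct.new(:name, :members, :group)

# Lowest access level that may manage membership for each source type,
# as the issue describes: groups -> owners only, projects -> owners and masters.
MIN_APPROVER_LEVEL = { Group => OWNER, Project => MASTER }.freeze

def approvers(source, min_level)
  source.members.select { |m| m.access_level >= min_level }
end

# Returns the addresses that should receive the "access requested" email.
def access_request_recipients(source)
  # Fail closed on an unknown source type instead of defaulting to a wide list.
  min_level = MIN_APPROVER_LEVEL.fetch(source.class) {
    raise ArgumentError, "unsupported member source: #{source.class}"
  }
  recipients = approvers(source, min_level)

  # A project in a group can have no explicit owners/masters; fall back to the
  # group's owners/masters, mirroring the fallback in the quoted mailer.
  if recipients.empty? && source.respond_to?(:group) && source.group
    recipients = approvers(source.group, min_level)
  end

  recipients.map(&:notification_email).uniq
end

# Constructed sample data: one owner and one master, as in the reproduction steps.
group = Group.new("team", [
  Member.new("owner@example.com", OWNER),
  Member.new("master@example.com", MASTER)
])
project      = Project.new("app", group.members.dup, group)
bare_project = Project.new("lib", [], group)

p access_request_recipients(group)        # group request: owner only
p access_request_recipients(project)      # project request: owner and master
p access_request_recipients(bare_project) # no project members: group fallback
```
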