### Summary GitLab sends "project access requested" emails to blocked users. ### Steps to reproduce * Set a user in a group to be "blocked" * Have another user request access to a group the blocked user is a developer for ### Expected behavior No emails should be sent to a blocked user ### Actual behaviour An email is sent to the blocked user. This discloses both the requestor's details, and the details of all other group members (in the To: header). ### Relevant logs and/or screenshots Here's the email I got (suitably redacted) ```text Return-Path: <gitlab@...> Delivered-To: <...> Received: from ... Date: Tue, 30 Aug 2016 13:57:35 +0100 From: Gitlab <gitlab@...> Reply-To: Gitlab <gitlab@...> To: other-person-one@..., other-person-two@..., me@... Subject: Request to join the ... group Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_57c582bfcdc18_5ec44ea279465161"; charset=UTF-8 Content-Transfer-Encoding: 7bit ----==_mimepart_57c582bfcdc18_5ec44ea279465161 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit someone (https://gitlab..../u/...) requested Developer access to the ... group. https://gitlab..../groups/.../group_members ----==_mimepart_57c582bfcdc18_5ec44ea279465161 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable ... ----==_mimepart_57c582bfcdc18_5ec44ea279465161-- ``` ### Output of checks N/a #### Results of GitLab application Check N/a #### Results of GitLab environment info N/a ### Possible fixes Assuming blocked users should not get any emails, ever, then this should just be an additional filter + check in `app/services/notification_service.rb`, but I haven't checked yet.