RO: IDOR when adding users to protected environments

Summary

While working on https://gitlab.com/gitlab-org/gitlab-ee/issues/11649 we noticed that any user can also be added to a protected environment, even if they are not a project member. The dropdown lists only users returned by Autocomplete::UsersFinder for the project, but there is no backend check enforced.

Steps to reproduce

  1. As a project Maintainer, go to https://gitlab.host/namespace/project/settings/ci_cd#js-protected-environments-settings
  2. In the browser JS console run the following code, replacing the authenticity_token and the protected_environment values with the ones from the displayed form. Choose any user id that belongs to a user who is not a member of the project:

     jQuery.post( "/gitlab-org/gitlab-shell//protected_environments",  {"authenticity_token":"******","protected_environment":{"name":"production","deploy_access_levels_attributes":[{"user_id":11}]}})

  3. This creates the protected environment and a protected_environment_deploy_access_levels record with the user_id used in the snippet above.

What is the current bug behavior?

An IDOR that allows adding any user to protected environments.

What is the expected correct behavior?

Only users that are project members should be allowed.
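The shape of the missing backend check, as an added illustration that is not GitLab's code: the request is validated server-side so that every user-based deploy access level refers to a project member, regardless of what the dropdown offered. The Project struct, the member_ids set and create_protected_environment are hypothetical stand-ins for the real models and controller action.

```ruby
require 'set'

# Hypothetical minimal stand-in for the project and its membership lookup
# (illustration only; GitLab's real Project model differs).
Project = Struct.new(:full_path, :member_ids)

# Validates the submitted protected_environment params against project membership.
class DeployAccessLevelCheck
  attr_reader :errors

  def initialize(project, protected_environment_params)
    @project = project
    @params = protected_environment_params
    @errors = []
  end

  # user_ids from deploy_access_levels_attributes that are not project members.
  # Levels keyed by group_id or access_level carry no user_id and are skipped here.
  def non_member_user_ids
    levels = @params.fetch('deploy_access_levels_attributes', [])
    levels.map { |level| level['user_id'] }
          .compact
          .reject { |user_id| @project.member_ids.include?(user_id) }
  end

  def valid?
    @errors = non_member_user_ids.map do |user_id|
      "user #{user_id} is not a member of #{@project.full_path}"
    end
    @errors.empty?
  end
end

# Hypothetical create action. With enforce_membership: false it behaves like the
# reported bug and accepts any user_id; with the check on it returns :unprocessable
# instead of writing a protected_environment_deploy_access_levels row for a non-member.
def create_protected_environment(project, params, enforce_membership: true)
  check = DeployAccessLevelCheck.new(project, params)
  return :created if !enforce_membership || check.valid?

  :unprocessable
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: members are users 1, 2 and 3; the request names user 11.
  project = Project.new('gitlab-org/gitlab-shell', Set[1, 2, 3])
  payload = { 'name' => 'production',
              'deploy_access_levels_attributes' => [{ 'user_id' => 11 }] }
  puts create_protected_environment(project, payload, enforce_membership: false) # vulnerable path
  puts create_protected_environment(project, payload)                            # hardened path
end
```

The important property is that the check runs on the submitted ids, not on the list the UI displayed: Autocomplete::UsersFinder only filters the dropdown, so the server must re-derive membership for every user_id in the POST body.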

Impact

IDOR in adding any user to protected environments. Not sure whether this can be abused at the moment, and you need to be a malicious maintainer to do it, but it should not be allowed.

Edited Nov 14, 2019 by Jackie Porter