Group Request Membership email sent to too wide an audience

Summary

When a user requests access to a group, an email is sent to the owners and masters of that group. Group membership can only be managed by group owners though.

Steps to reproduce

Create a group with 1 owner and 1 master user. As a third user, request access.

Expected behavior

When a user requests access to a group, only the owners should be emailed.

Actual behavior

Owners and masters are emailed.

Possible fixes

This is probably caused by https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/mailers/emails/members.rb . Specifically:

    def member_access_requested_email(member_source_type, member_id)
      @member_source_type = member_source_type
      @member_id = member_id
      admins = member_source.members.owners_and_masters.includes(:user).pluck(:notification_email)
      # A project in a group can have no explicit owners/masters; in that case
      # we fall back to the group's owners/masters.
      if admins.empty? && member_source.respond_to?(:group) && member_source.group
        admins = member_source.group.members.owners_and_masters.includes(:user).pluck(:notification_email)
      end
      mail(to: admins,
           subject: subject("Request to join the #{member_source.human_name} #{member_source.model_name.singular}"))
    end

It appears to be returning owners_and_masters for everything, whereas I believe the user list should be limited to just owners for groups (project members can be managed by both owners and masters though, so the logic needs to work out the users based on the request source).
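A sketch of the source-dependent recipient selection described above, added here as an example and not GitLab's own code. It uses plain Ruby structs instead of the ActiveRecord models; the names `min_level_to_manage`, `emails_at_or_above` and `access_request_recipients`, the access-level values and the sample addresses are assumptions made for the illustration.

```ruby
# Added illustration; plain Ruby stand-ins, not GitLab's ActiveRecord models.
MASTER = 40 # constructed access-level values for this sketch
OWNER  = 50

Member  = Struct.new(:email, :access_level)
Group   = Struct.new(:name, :members)
Project = Struct.new(:name, :members, :group)

# Lowest access level allowed to act on an access request for this source:
# owners only for a group, owners and masters for a project.
def min_level_to_manage(source)
  source.is_a?(Group) ? OWNER : MASTER
end

def emails_at_or_above(members, level)
  members.select { |m| m.access_level >= level }.map(&:email)
end

# Recipients of the access-request email, derived from the request source.
def access_request_recipients(source)
  level = min_level_to_manage(source)
  recipients = emails_at_or_above(source.members, level)
  # Same fallback as the quoted mailer: a project with no explicit
  # owners/masters uses its group's members. The threshold stays the
  # project one because the request targets the project (assumption).
  if recipients.empty? && source.respond_to?(:group) && source.group
    recipients = emails_at_or_above(source.group.members, level)
  end
  recipients
end

# Constructed sample data matching the reproduction steps.
group = Group.new("team", [
  Member.new("owner@example.com", OWNER),
  Member.new("master@example.com", MASTER)
])
project = Project.new("app", [], group)

p access_request_recipients(group)   # group request: owner only
p access_request_recipients(project) # project request via group fallback
```

A regression test for the mailer would assert the same thing: the master's address is absent from the recipients of a group access request but present for a project one.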
