Users can add approvers that are not members of a group or project

Summary

In private projects, users can add approvers that are not members and therefore cannot access the project

Steps to reproduce

1. Head to project settings and in the merge request settings
2. Add someone not in the project to approve the merge request

What is the current bug behavior?

In project settings and in the merge request settings, if approvals are required you can add any GitLab user that is not a member of the group

What is the expected correct behavior?

You shouldn't be able to add approvers who aren't members