User without visibility of group can tag group
Summary
User without visibility of group can tag group
Steps to reproduce
Have a self-hosted GL instance with a @companyx user group, and a user, for example a contractor, who has no visibility/privileges other than to his own contractor-project.
Have the user create an Issue or Merge Request mentioning @companyx (he doesn't know this group exists because of his limited privileges).
What is the current bug behavior?
This will tag the members of @companyx (and add them as participants).
What is the expected correct behavior?
If a user doesn't have permissions to see a group (it does not show as a hint when typing @), they should not have permissions to tag the group or interact with it in any way.
Proposal
Add a permission check in the @-mention logic. If the @-mentioned accounts do not have permission to view the issue/MR, the @-mention should be ignored (it should be like the @-mentioned accounts do not exist). The @-mentioned accounts should not receive notifications or be listed as Participants in the issue/MR.
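
A minimal sketch of the two checks discussed above, added here as an example in Ruby and not taken from GitLab's code base: a group mention resolves only if the author can see the group, and a mentioned account is notified or listed as a participant only if it can read the issue. The Group and Issue structs, resolve_mentions and all sample data are hypothetical and constructed for illustration.

```ruby
require 'set'

# Toy model (hypothetical, not GitLab's data model).
# visible_to: usernames allowed to see the group; readers: usernames allowed to read the issue.
Group = Struct.new(:path, :members, :visible_to)
Issue = Struct.new(:readers, :text)

# An @ that is not preceded by a word character or another @, followed by a name.
MENTION = /(?<![\w@])@([A-Za-z0-9_][A-Za-z0-9_.-]*)/

# Returns the set of usernames that may be notified and added as participants.
def resolve_mentions(issue, author, groups, users)
  notified = Set.new
  issue.text.scan(MENTION).flatten.each do |raw|
    name = raw.sub(/[.-]+\z/, '') # drop trailing sentence punctuation
    if (group = groups[name])
      # Check 1: a group the author cannot see is treated as if it did not exist.
      next unless group.visible_to.include?(author)
      candidates = group.members
    elsif users.include?(name)
      candidates = [name]
    else
      next # unknown name: nothing to resolve
    end
    # Check 2: ignore any mentioned account that cannot read this issue.
    candidates.each { |u| notified << u if issue.readers.include?(u) }
  end
  notified
end

# Constructed sample data matching the report's scenario.
USERS  = Set['alice', 'bob', 'carol', 'contractor']
GROUPS = { 'companyx' => Group.new('companyx', %w[alice bob], Set['alice', 'bob']) }

# Issue in the contractor's own project; only the contractor and carol can read it.
CONTRACTOR_ISSUE = Issue.new(Set['contractor', 'carol'], 'Please review, cc @companyx and @carol.')
# Issue written by a group member in a project that bob cannot read.
INTERNAL_ISSUE   = Issue.new(Set['alice', 'contractor'], '@companyx please take a look')

if __FILE__ == $PROGRAM_NAME
  p resolve_mentions(CONTRACTOR_ISSUE, 'contractor', GROUPS, USERS).to_a
  p resolve_mentions(INTERNAL_ISSUE, 'alice', GROUPS, USERS).to_a
end
```

Dropping either check reintroduces a gap: without check 1 the contractor can confirm that the group exists, and without check 2 accounts with no access to the issue are still notified.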