Guest users can be assigned as approvers (and get 404 page)

Summary

If I add a guest user as an approver for MRs on my project (while guests can’t approve MRs), that guest user can see the message of the MR approver request (see screenshot) but when he clicks the link it’s a 404 page.

Steps to reproduce

  1. Add a guest user to be an approver of MRs for a project
  2. Create an MR
  3. The guest user receives a message he was added as an approver for that MR
  4. In that message, the link to the MR leads to 404 page

Example Project

What is the current bug behavior?

Guest users can be added as approvers, although they cannot in fact see the MR itself, or approve it.

What is the expected correct behavior?

Guest users cannot be added as approvers.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Expand for output related to GitLab environment info 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes

Screenshot_2019-10-04_at_15.48.17