Subgroup member can list members of parent group

Even though the user is not a member of the parent group in any way, we only check read_group permission when listing members of a parent group, which is enabled by has_projects.

Steps to reproduce

  1. create group and subgroup
  2. create a project in subgroup
  3. add user to subgroup

What is the current bug behavior?

Subgroup member has access to the member list of the parent group.

If we skip step 2 (creating a project), the user won't have access to the members of the parent group.

What is the expected correct behavior?

Subgroup member should not have access to the member list of the parent group, regardless of the existence of a project.

Edited by Imre Farkas
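
The reproduction steps above as a regression check, written as an added example over a toy model; this is not GitLab's policy code. The `Group` class, the helper names and the stricter `list_members_expected` gate are assumptions made for illustration.

```ruby
# Toy model of the check described in this issue (constructed; not GitLab code).
class Group
  attr_reader :parent, :children, :members, :projects

  def initialize(parent: nil)
    # members: users added directly; projects: names of projects in this group
    @parent, @children, @members, @projects = parent, [], [], []
    parent.children << self if parent
  end

  def self_and_ancestors
    parent ? [self] + parent.self_and_ancestors : [self]
  end

  def self_and_descendants
    [self] + children.flat_map(&:self_and_descendants)
  end
end

# Membership is direct or inherited from an ancestor group, never from a subgroup.
def member?(user, group)
  group.self_and_ancestors.any? { |g| g.members.include?(user) }
end

# True when the user can reach a project in the group or any of its subgroups.
def has_projects?(user, group)
  group.self_and_descendants.any? { |g| g.projects.any? && member?(user, g) }
end

def read_group?(user, group)
  member?(user, group) || has_projects?(user, group)
end

# Behaviour reported here: the member list is gated on read_group alone.
def list_members_reported(user, group)
  read_group?(user, group) ? group.members.dup : nil
end

# Assumed stricter gate: require membership of the group being listed.
def list_members_expected(user, group)
  member?(user, group) ? group.members.dup : nil
end

# Steps 1-3 of the report; with_project: false skips step 2.
def scenario(with_project:)
  parent = Group.new
  sub = Group.new(parent: parent)
  parent.members << "owner"
  sub.projects << "demo" if with_project
  sub.members << "alice"
  parent # the group whose member list is requested
end
```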