Non-authorized groups in merge request approval suggestions

Summary

When searching for a group member to add as an approver for a Merge Request, an irrelevant groups which do not have access to the current group or project are suggested.

Steps to reproduce

  1. Go to a project in gitlab.com in a group which has the Gold plan, ensure the group is private and the project is also private.
  2. Go to Merge Requests
  3. Click on "new merge request"
  4. Select a source branch and click "Compare branches and continue"
  5. Click on "Add approval rule"
  6. click on "Search users or groups" (the input below "Approvers")
  7. Type a and wait
  8. You should see a list of groups which are not a part of your group.

What is the current bug behavior?

Irrelevant groups are suggested.

What is the expected correct behavior?

No groups suggested and only people within the group with the a character suggested.

Relevant logs and/or screenshots

Screen_Shot_2019-11-17_at_18.46.51

Output of checks

This bug happens on GitLab.com

Edited by Gilad S.