Subgroup member can list members of parent group
Even though the user is not a member of the parent group in any way, we only check `read_group` permission when listing members of a parent group, which is enabled by [`has_projects`](https://gitlab.com/gitlab-org/gitlab/-/blob/v14.8.0-ee/app/policies/group_policy.rb#L116).

### Steps to reproduce

1. create group and subgroup
1. create a project in subgroup
1. add user to subgroup

### What is the current *bug* behavior?

Subgroup member has access to the member list of the parent group. If we skip step `2` (creating a project), the user won't have access to the members of the parent group.

### What is the expected *correct* behavior?

Subgroup member should not have access to the member list of the parent group regardless of the existence of a project.
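The check described in this issue, reduced to a small model and added here as an illustration; it is not GitLab's policy code. The `Group` class, the helper names and the membership-based gate in `list_members_expected` are assumptions, and `has_projects?` is only a stand-in for the linked condition.

```ruby
# Simplified model for illustration; not GitLab's policy code. All names are assumptions.
class Group
  attr_reader :parent, :members, :subgroups
  attr_accessor :project_count

  def initialize(parent: nil)
    @parent, @members, @subgroups, @project_count = parent, [], [], 0
    parent.subgroups << self if parent
  end

  def self_and_ancestors
    parent ? [self] + parent.self_and_ancestors : [self]
  end

  def self_and_descendants
    [self] + subgroups.flat_map(&:self_and_descendants)
  end
end

# Direct membership, or membership inherited from an ancestor group.
def member?(user, group)
  group.self_and_ancestors.any? { |g| g.members.include?(user) }
end

# Stand-in for has_projects (assumed): user can reach a project somewhere under the group.
def has_projects?(user, group)
  group.self_and_descendants.any? { |g| g.project_count > 0 && member?(user, g) }
end

def can_read_group?(user, group)
  member?(user, group) || has_projects?(user, group)
end

# Reported behaviour: the member list is gated on read_group alone.
def list_members_reported(user, group)
  can_read_group?(user, group) ? group.members.dup : nil
end

# Expected behaviour: the member list requires membership of the group itself.
def list_members_expected(user, group)
  member?(user, group) ? group.members.dup : nil
end

# Constructed scenario following the steps to reproduce; step 2 is optional.
def scenario(with_project:)
  parent = Group.new.tap { |g| g.members << 'owner' }
  sub = Group.new(parent: parent).tap { |g| g.members << 'alice' }
  sub.project_count = 1 if with_project
  { reported: list_members_reported('alice', parent),
    expected: list_members_expected('alice', parent) }
end
```

A regression test for the fix can assert the same two cases: the subgroup member gets no member list from the parent group both with and without a project in the subgroup.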