Approval rule shows ineligible approvers

**Problem:** Users with `Guest` role are displayed in merge request approval lists even though they cannot actually view or approve the MR.

**Root Cause:** The approver list for an approval rule uses the `group_users` association ([source](https://gitlab.com/gitlab-org/gitlab/-/blob/143a46c68e167ce5244b57f23579c5b35775cd92/ee/app/models/concerns/approval_rule_like.rb#L174)), which includes all group members, not just those with `approve_merge_request` permission.

**Impact:** Confusing UX - developers see "approvers" who can't actually approve.

### Reproduction Steps

1. Create an approval rule with group-based approvers (see [docs](https://docs.gitlab.com/user/project/merge_requests/approvals/rules/#enable-approval-permissions-for-additional-users))
2. Add a Guest user to that group
3. Create MR targeting the protected branch → Guest appears in approver list
4. Impersonate Guest → 404 on MR page

![Screenshot_2025-08-26_at_16.33.31](/uploads/671145df4b6c9574fbd7b4280c5391b6/Screenshot_2025-08-26_at_16.33.31.png)
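
The gap between listed and eligible approvers described under Root Cause can be audited with a small model. This is an added example, not GitLab's code: `Member`, `listed_approvers`, `audit_rule`, `CAN_APPROVE` and the sample rule are hypothetical, the data is constructed, and treating Developer and above as able to approve is an assumption standing in for the `approve_merge_request` check. It also flags a rule whose required approvals cannot be met by eligible members alone.

```ruby
# Simplified model of the behaviour in this issue; all names are hypothetical.
Member = Struct.new(:username, :access_level)

# GitLab access-level integers for the roles used in the sample data.
GUEST = 10
DEVELOPER = 30
MAINTAINER = 40

# What the issue describes: every member of the rule's groups is listed.
# A user present in several groups is kept once, at their highest level.
def listed_approvers(groups)
  groups.flat_map { |g| g[:members] }
        .group_by(&:username)
        .map { |name, rows| Member.new(name, rows.map(&:access_level).max) }
end

# Split the listed approvers with a permission predicate and report the
# members who are shown but cannot approve.
def audit_rule(rule, can_approve)
  listed = listed_approvers(rule[:groups])
  eligible, ineligible = listed.partition { |m| can_approve.call(m) }
  {
    rule: rule[:name],
    listed: listed.map(&:username),
    eligible: eligible.map(&:username),
    ineligible: ineligible.map(&:username),
    # false when the rule needs more approvals than eligible members exist
    satisfiable: eligible.size >= rule[:approvals_required]
  }
end

# Assumption for this sample: Developer and above may approve.
CAN_APPROVE = ->(member) { member.access_level >= DEVELOPER }

# Constructed sample data: one Guest in a group attached to the rule.
SAMPLE_RULE = {
  name: "backend-review",
  approvals_required: 2,
  groups: [
    { path: "acme/backend",
      members: [Member.new("dev_dana", DEVELOPER), Member.new("guest_gil", GUEST)] },
    { path: "acme/leads", members: [Member.new("dev_dana", MAINTAINER)] }
  ]
}.freeze

p audit_rule(SAMPLE_RULE, CAN_APPROVE) if __FILE__ == $PROGRAM_NAME
```
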