Users/Groups without access to private project showing in user dropdowns
Summary
When selecting MR approvers or MR approver groups on a private project's settings page or when creating/editing a MR, the autocomplete box pulls up every user in the GitLab installation (thousands of users on gitlab.com). This is surprising behavior given those users don't have access to the private project and can't actually get to the MR to approve it.
Steps to reproduce
- Create a private project on gitlab.com.
- Go to the project settings page.
- Click on the Approvers or Approver Group fields.
What is the current bug behavior?
The autocomplete box shows all users / groups on the GitLab instance.
What is the expected correct behavior?
The autocomplete box should only show users / groups that actually have access to the project.
Output of checks
This bug happens on GitLab.com.
Possible fixes
The "assignee" field when opening/editing a MR has what looks to be the correct filtering and only shows users who have permission to the project.