Users can add approvers that are not members of a group or project
Summary
In private projects, users can add approvers that are not members and therefore cannot access the project
Steps to reproduce
- Head to project settings and in the merge request settings
- Add someone not in the project to approve the merge request
What is the current bug behavior?
In project settings and in the merge request settings, if approvals are required you can add any GitLab user that is not a member of the group
What is the expected correct behavior?
You shouldn't be able to add approvers who aren't members