Bugfix: User can't change the access level of an access requester

The endpoint was returning 404 because it was only searching on the
current members of a Group or Project and not the access requesters.

2 files changed, 2 insertions, 2 deletions

diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 8fc234a62b1..5919bf54468 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -22,7 +22,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
   end
 
   def update
-    @group_member = @group.group_members.find(params[:id])
+    @group_member = @group.members_and_requesters.find(params[:id])
 
     return render_403 unless can?(current_user, :update_group_member, @group_member)
 
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index d925dcd21ff..5a01a59481b 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -26,7 +26,7 @@ class Projects::ProjectMembersController < Projects::ApplicationController
   end
 
   def update
-    @project_member = @project.project_members.find(params[:id])
+    @project_member = @project.members_and_requesters.find(params[:id])
 
     return render_403 unless can?(current_user, :update_project_member, @project_member)