Fix project member access for group links

`ProjectTeam#find_member` doesn't take group links into account. It was
used in two places:

1. An admin view - it can stay here.
2. `ProjectTeam#member?`, which is often used to decide if a user has
   access to view something.

This second part broke confidential issues viewing. `IssuesFinder` ends
up delegating to `Project#authorized_for_user?`, which does consider
group links, so users with access to the project via a group link could
see confidential issues on the index page. However, `IssuesPolicy` used
`ProjectTeam#member?`, so the same user couldn't view the issue when
going to it directly.

1 files changed, 2 insertions, 8 deletions

diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 79d041d2775..a6e911df9bd 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -125,14 +125,8 @@ class ProjectTeam
     max_member_access(user.id) == Gitlab::Access::MASTER
   end
 
-  def member?(user, min_member_access = nil)
-    member = !!find_member(user.id)
-
-    if min_member_access
-      member && max_member_access(user.id) >= min_member_access
-    else
-      member
-    end
+  def member?(user, min_member_access = Gitlab::Access::GUEST)
+    max_member_access(user.id) >= min_member_access
   end
 
   def human_max_access(user_id)