Merge branch 'fix-18717' into 'master'

Ensure that group owner cannot request access to a project of their group

## What does this MR do?

It fixes two things:

- 91ad995d69e1a0f8991fd896f1d9febc109273fe Ensure that group owner cannot request access to a project of their group
- ec3ff061148d556757e7cd486cdc6083d77acf34 Ensure group/project owners can see their members' access_level (see the commit message for details)

## Are there points in the code the reviewer needs to double check?

Not really, these are pretty simple fixes.

## Why was this MR needed?

Because there was an issue created!

## What are the relevant issue numbers?

Fixes #18717.

## Does this MR meet the acceptance criteria?

- [x] CHANGELOG is not needed since the bug is only present in a 8.9 RC
- [x] Tests
  - [x] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4729

2 files changed, 71 insertions, 0 deletions

diff --git a/spec/features/projects/members/group_member_cannot_request_access_to_his_group_project_spec.rb b/spec/features/projects/members/group_member_cannot_request_access_to_his_group_project_spec.rb
new file mode 100644
index 00000000000..4d5d656f00c
--- /dev/null
+++ b/spec/features/projects/members/group_member_cannot_request_access_to_his_group_project_spec.rb
@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+feature 'Projects > Members > Group member cannot request access to his group project', feature: true do
+  let(:user) { create(:user) }
+  let(:group) { create(:group) }
+  let(:project) { create(:project, namespace: group) }
+
+  background do
+  end
+
+  scenario 'owner does not see the request access button' do
+    group.add_owner(user)
+    login_and_visit_project_page(user)
+
+    expect(page).not_to have_content 'Request Access'
+  end
+
+  scenario 'master does not see the request access button' do
+    group.add_master(user)
+    login_and_visit_project_page(user)
+
+    expect(page).not_to have_content 'Request Access'
+  end
+
+  scenario 'developer does not see the request access button' do
+    group.add_developer(user)
+    login_and_visit_project_page(user)
+
+    expect(page).not_to have_content 'Request Access'
+  end
+
+  scenario 'reporter does not see the request access button' do
+    group.add_reporter(user)
+    login_and_visit_project_page(user)
+
+    expect(page).not_to have_content 'Request Access'
+  end
+
+  scenario 'guest does not see the request access button' do
+    group.add_guest(user)
+    login_and_visit_project_page(user)
+
+    expect(page).not_to have_content 'Request Access'
+  end
+
+  def login_and_visit_project_page(user)
+    login_as(user)
+    visit namespace_project_path(project.namespace, project)
+  end
+end
diff --git a/spec/features/projects/members/group_requester_cannot_request_access_to_project_spec.rb b/spec/features/projects/members/group_requester_cannot_request_access_to_project_spec.rb
new file mode 100644
index 00000000000..c4ed92d2780
--- /dev/null
+++ b/spec/features/projects/members/group_requester_cannot_request_access_to_project_spec.rb
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+feature 'Projects > Members > Group requester cannot request access to project', feature: true do
+  let(:user) { create(:user) }
+  let(:owner) { create(:user) }
+  let(:group) { create(:group, :public) }
+  let(:project) { create(:project, :public, namespace: group) }
+
+  background do
+    group.add_owner(owner)
+    login_as(user)
+    visit group_path(group)
+    perform_enqueued_jobs { click_link 'Request Access' }
+    visit namespace_project_path(project.namespace, project)
+  end
+
+  scenario 'group requester does not see the request access / withdraw access request button' do
+    expect(page).not_to have_content 'Request Access'
+    expect(page).not_to have_content 'Withdraw Access Request'
+  end
+end