2 files changed, 31 insertions, 6 deletions

diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 52682ef9dc9..ba7c02b0ba7 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -1,6 +1,5 @@
 module MembershipActions
   extend ActiveSupport::Concern
-  include MembersHelper
 
   def request_access
     membershipable.request_access(current_user)
@@ -10,11 +9,7 @@ module MembershipActions
   end
 
   def approve_access_request
-    @member = membershipable.requesters.find(params[:id])
-
-    return render_403 unless can?(current_user, action_member_permission(:update, @member), @member)
-
-    @member.accept_request
+    Members::ApproveAccessRequestService.new(membershipable, current_user, user_id: params[:id]).execute
 
     redirect_to polymorphic_url([membershipable, :members])
   end
diff --git a/app/services/members/approve_access_request_service.rb b/app/services/members/approve_access_request_service.rb
new file mode 100644
index 00000000000..0324f0bb4bd
--- /dev/null
+++ b/app/services/members/approve_access_request_service.rb
@@ -0,0 +1,30 @@
+module Members
+  class ApproveAccessRequestService < BaseService
+    include MembersHelper
+
+    attr_accessor :source
+
+    def initialize(source, current_user, params = {})
+      @source = source
+      @current_user = current_user
+      @params = params
+    end
+
+    def execute
+      access_requester = source.requesters.find_by!(user_id: params[:user_id])
+
+      raise Gitlab::Access::AccessDeniedError if cannot_update_access_requester?(access_requester)
+
+      access_requester.access_level = params[:access_level] if params[:access_level]
+      access_requester.accept_request
+
+      access_requester
+    end
+
+    private
+
+    def cannot_update_access_requester?(access_requester)
+      !access_requester || !can?(current_user, action_member_permission(:update, access_requester), access_requester)
+    end
+  end
+end