Exclude requesters from Project#members, Group#members and User#members

What does this MR do?

It excludes requesters from the Project#members, Group#members and User#members associations, and adds new Project#requesters and Group#requesters associations.

Are there points in the code the reviewer needs to double check?

No.

Why was this MR needed?

Without this, if you call project.members, requesters are included in the results! This is at best misleading, and at worst can lead to security issues. By excluding requesters from the #members associations, we avoid introducing security inadvertently since you have to call the #requesters association explicitly to get requesters.

What are the relevant issue numbers?

This is something I realized while fixing the security issue #19102 (closed).

Does this MR meet the acceptance criteria?

• I don't think this needs a CHANGELOG since this is an internal change
• Tests
  • Added for this feature/bug
  • All builds are passing
• Conform by the style guides
• Branch has no merge conflicts with master (if you do - rebase it please)
• Squashed related commits together

Added 1 commit:

• dd3cfca8 - Exclude requesters from Project#members, Group#members and User#members

Marked this merge request as a Work In Progress

Note to myself: rebase upon master after https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1973 lands on it.

mentioned in merge request !4833 (merged)

Added 215 commits:

• dd3cfca8...c5d164d1 - 214 commits from branch master
• 6fa8c72d - Exclude requesters from Project#members, Group#members and User#members

Added 75 commits:

• 6fa8c72d...557ca2b3 - 74 commits from branch master
• bd78f573 - Exclude requesters from Project#members, Group#members and User#members

Unmarked this merge request as a Work In Progress

Reassigned to @DouweM

mentioned in commit d1c94f03

Status changed to merged