Add latest changes from gitlab-org/gitlab@master

1 files changed, 16 insertions, 1 deletions

diff --git a/app/services/members/approve_access_request_service.rb b/app/services/members/approve_access_request_service.rb
index 919c22894c1..5337279f702 100644
--- a/app/services/members/approve_access_request_service.rb
+++ b/app/services/members/approve_access_request_service.rb
@@ -3,7 +3,7 @@
 module Members
   class ApproveAccessRequestService < Members::BaseService
     def execute(access_requester, skip_authorization: false, skip_log_audit_event: false)
-      raise Gitlab::Access::AccessDeniedError unless skip_authorization || can_update_access_requester?(access_requester)
+      validate_access!(access_requester) unless skip_authorization
 
       access_requester.access_level = params[:access_level] if params[:access_level]
       access_requester.accept_request
@@ -15,9 +15,24 @@ module Members
 
     private
 
+    def validate_access!(access_requester)
+      raise Gitlab::Access::AccessDeniedError unless can_update_access_requester?(access_requester)
+
+      if approving_member_with_owner_access_level?(access_requester) &&
+        cannot_assign_owner_responsibilities_to_member_in_project?(access_requester)
+        raise Gitlab::Access::AccessDeniedError
+      end
+    end
+
     def can_update_access_requester?(access_requester)
       can?(current_user, update_member_permission(access_requester), access_requester)
     end
+
+    def approving_member_with_owner_access_level?(access_requester)
+      access_level_value = params[:access_level] || access_requester.access_level
+
+      access_level_value == Gitlab::Access::OWNER
+    end
   end
 end