Members removed from team/repository keep watches

[michaelkuhn]

• Gitea version (or commit ref): 38a9cda
• Can you reproduce the bug at https://try.gitea.io:
  • Yes: https://try.gitea.io/7tl9ebtg7mio/test

Description

When removing members from a team, they lose access to the respective repositories but keep their watches on the repository. This allows them to receive notifications via e-mail even if they should not be able to access the repository.

Reproducer (see link above): I added lunny to the test team, gave the team access to the repository and then removed lunny again. He still has a watch on the repository.

[mqudsi]

This should be tagged with a security label and perhaps assigned a CVE.

[lunny]

@mqudsi it will only show the wrong watch but there is no wrong permission.

[mqudsi]

@lunny thanks, that's much better :)

[michaelkuhn]

From what I could tell, removed members will still get notification e-mails (including the full comments) for issues etc. While the removed members do not have access to the repository anymore, they may still get information they should not get.

[axifive]

Perhaps need to add security or priority label?

[daviian]

Just wanted to mention that I'm already working on it. Including #3343 and #4149, because it's closely related

[techknowlogick]

Closed with #4201