There are a number of places where we were not checking for user access
rights (or assuming that authors automatically have them) so we were
potentially in situations where a user could create a merge request,
have their access rights revoked, and they would still be able to access
information or take actions related to their MR. This is potentially a
security issue, so we need to block this potential leak.