Don't include users without project access in participants.

CHANGELOG

@@ -44,7 +44,7 @@ v 7.11.0 (unreleased)
   - Fix bug where avatar filenames were not actually deleted from the database during removal (Stan Hu)
   - Fix bug where Slack service channel was not saved in admin template settings. (Stan Hu)
   - Protect OmniAuth request phase against CSRF.
-  -
+  - Don't send notifications to mentioned users that don't have access to the project in question.
   -
   - Move snippets UI to fluid layout
   - Improve UI for sidebar. Increase separation between navigation and content

app/models/concerns/participable.rb

@@ -35,8 +35,8 @@ module Participable
     end
   end
 
-  def participants(current_user = self.author)
-    self.class.participant_attrs.flat_map do |attr|
+  def participants(current_user = self.author, project = self.project)
+    participants = self.class.participant_attrs.flat_map do |attr|
       meth = method(attr)
 
       value = 
@@ -46,20 +46,28 @@ module Participable
           meth.call
         end
 
-      participants_for(value, current_user)
+      participants_for(value, current_user, project)
     end.compact.uniq
+
+    if project
+      participants.select! do |user|
+        user.can?(:read_project, project)
+      end
+    end
+
+    participants
   end
 
   private
   
-  def participants_for(value, current_user = nil)
+  def participants_for(value, current_user = nil, project = nil)
     case value
     when User
       [value]
     when Enumerable, ActiveRecord::Relation
-      value.flat_map { |v| participants_for(v, current_user) }
+      value.flat_map { |v| participants_for(v, current_user, project) }
     when Participable
-      value.participants(current_user)
+      value.participants(current_user, project)
     end
   end
 end