Non "Eligible User" able to create and approve MRs
Problem to Solve
In public projects where non-project members can submit merge requests via a fork, those users are made eligible approvers on that specific merge request. This allows them to approve the merge request, which could satisfy any approval rules the project may have.
Proposal
Users who submit a merge request via a fork should be treated as an eligible approver.
Additional Details
It's possible we're giving these users implicit developer roles on that merge request, which gives them that capability.
It was reproduced in phikai/my-public-test-project!58
Edited by Kai Armstrong
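
The following audit check is an added example, not part of the original issue and not GitLab's own code. It flags approvals recorded from users who hold no Developer-level membership in the target project, including the self-approval case described above. The field names (`source_project_id`, `target_project_id`, `author`, `approved_by`) are modeled on GitLab's REST API responses and are assumptions here; the sample records and the function name are constructed.

```python
# Access level assumed from GitLab's documented values (30 = Developer).
DEVELOPER = 30

def audit_fork_approvals(merge_requests, members):
    """Return approvals given by users below Developer access on the target project.

    merge_requests: list of dicts merging MR and approval data (assumed shape).
    members: dict mapping user id -> access level in the target project.
    """
    findings = []
    for mr in merge_requests:
        from_fork = mr["source_project_id"] != mr["target_project_id"]
        for entry in mr.get("approved_by", []):
            user = entry["user"]
            if members.get(user["id"], 0) >= DEVELOPER:
                continue  # a project member with sufficient access approved
            findings.append({
                "iid": mr["iid"],
                "approver": user["username"],
                "from_fork": from_fork,
                "self_approved": user["id"] == mr["author"]["id"],
            })
    return findings

# Constructed sample data: project 100 is the public target project.
MEMBERS = {7: 30, 8: 40}  # user id -> access level
SAMPLE_MRS = [
    # Fork MR approved by its own non-member author: the case in this issue.
    {"iid": 1, "source_project_id": 200, "target_project_id": 100,
     "author": {"id": 501, "username": "fork-contributor"},
     "approved_by": [{"user": {"id": 501, "username": "fork-contributor"}}]},
    # Same-project MR approved by a maintainer: expected behaviour.
    {"iid": 2, "source_project_id": 100, "target_project_id": 100,
     "author": {"id": 7, "username": "dev"},
     "approved_by": [{"user": {"id": 8, "username": "maintainer"}}]},
    # Fork MR approved by a maintainer: expected behaviour.
    {"iid": 3, "source_project_id": 201, "target_project_id": 100,
     "author": {"id": 502, "username": "other-contributor"},
     "approved_by": [{"user": {"id": 8, "username": "maintainer"}}]},
]

if __name__ == "__main__":
    for finding in audit_fork_approvals(SAMPLE_MRS, MEMBERS):
        print(finding)
```
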