Do not allow adding users via api if member lock is enabled.

lib/api/project_members.rb

@@ -53,6 +53,10 @@ module API
         authorize! :admin_project, user_project
         required_attributes! [:user_id, :access_level]
 
+        if user_project.group && user_project.group.membership_lock
+          not_allowed!
+        end
+
         # either the user is already a team member or a new one
         team_member = user_project.team_member_by_id(params[:user_id])
         if team_member.nil?

spec/requests/api/project_members_spec.rb

@@ -90,6 +90,18 @@ describe API::API, api: true  do
       post api("/projects/#{project.id}/members", user), user_id: user2.id, access_level: 1234
       response.status.should == 422
     end
+
+    context 'project in a group' do
+      before do
+        project2 = create(:project, group: create(:group, membership_lock: true))
+        project2.group.add_owner(user)
+        post api("/projects/#{project2.id}/members", user), user_id: user2.id, access_level: ProjectMember::MASTER
+      end
+
+      it 'should return a 405 method not allowed error when group membership lock is enabled' do
+        response.status.should == 405
+      end
+    end
   end
 
   describe "PUT /projects/:id/members/:user_id" do