Able to add self to approvers when self-approval is disabled but allowed to override approvals
Summary
When Can override approvers and approvals required per merge request
and Prevent approval of merge requests by merge request author
are checked, users are able to edit the merge request and add themselves as approvers. This bypasses Prevent approval of merge requests by merge request author
.
Steps to reproduce
- Set
Prevent approval of merge requests by merge request author
- Set
Can override approvers and approvals required per merge request
- Open merge request and add yourself as an approver
- Merge request is opened with your automatic approval.
Example Project
https://gitlab.com/abuerer/approval-override/merge_requests/1
What is the current bug behavior?
When overriding approvals and adding yourself, as the merge request author, merge request is automatically approved.
What is the expected correct behavior?
You should not be able to approve your own merge request when Prevent approval of merge requests by merge request author
is checked.
Related links
Customer ticket: https://gitlab.zendesk.com/agent/tickets/119693 (internal link)
Observed on 11.10
Proposed solution
Modify the use_fallback?
logic. Currently it returns true if there are no regular rules.
We can modify that so it would check and see if all regular rules are without eligible approver. If that is the case, then return true. (and if there are no rules at all, return true like it does now)