Approval rules don't work as expected on GitLab Enterprise Edition 12.6.2-ee

Summary

Similar to #36014 (closed) -> Gitlab Merge Request Default Approval Rule Cannot Be Deleted by Admin/Sudo user, I have more insights into this and also more impacts with new features, I guess.

Before the last update of GitLab at our company, I was using the API to create and delete approval rules for a specific MR. When there wasn't any rule, the default one was added, but as soon as I added the custom one, the any_approver one was removed or simply wasn't taken into account.

Since the last update of GitLab yesterday, when the API creates a new rule, the any_approver one is not removed and it's also considered more important than the custom one. Then when we update or create a rule from the GitLab page, it effectively removes the default one and leaves the custom one created by the API.

If the API tries to remove the any_approver one, I get the 403 Forbidden error: Couldn't delete a rule on merge request: 403 Forbidden: {"message":["Prohibited"]}, even though the user has owner permission.

Steps to reproduce

  1. With the version of GitLab Enterprise Edition 12.6.2-ee, I create an MR with the default rule of any_approver and 2 approvals required defined by the project.
  2. With the API, I create a new rule with the users I want to approve the MR, making a POST on projects/#{project_id}/merge_requests/#{mr_id}/approval_rules with params: "{\"user_ids\": #{user_ids}, \"name\": \"#{rule_name}\", \"approvals_required\": #{approvals_required}}".
  3. On the GitLab page, the new rule doesn't appear, and we still have the any_approver one. If I fetch the rules on the MR, I get the two rules (the any_approver one and the custom one).
  4. Curiously, if I edit the MR in the GitLab page and set up a new rule in there, then the new rule is ignored, the any_approver one is removed and it puts the custom one configured by the API...
  5. Any attempt to remove the any_approver one returns the 403 Forbidden error.

What is the expected correct behavior?

IMO, the expected behaviour would be to be able to remove the any_approver rule and just configure one rule. But previously, it was working just fine by simply configuring one rule on top of the any_approver one in the API, and it was removing the any_approver and setting the new one.

Possible fixes

Allow removing the any_approver rule, or make the API behave like the GitLab page (the any_approver rule is deleted when a custom one is created).
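
An added example, not part of the original report and not GitLab's own code: a Ruby check that an automation could run after step 2 to confirm that the rules fetched for the MR match the intended approval policy, plus a JSON-encoded body for the POST in place of string interpolation. The response field names (`rule_type`, `name`, `approvals_required`), the rule names and the sample responses are assumptions constructed from the behaviour described above.

```ruby
require 'json'

# Build the POST body for .../approval_rules with a JSON encoder instead of
# string interpolation, so a rule name containing quotes cannot break it.
def approval_rule_payload(name, user_ids, approvals_required)
  JSON.generate(
    'name' => name,
    'user_ids' => user_ids,
    'approvals_required' => Integer(approvals_required)
  )
end

# Audit the rule list fetched for an MR (field names are assumptions).
# Reports the state from the report: an any_approver rule that still
# requires approvals while the intended custom rule is also present.
def audit_approval_rules(rules_json, expected_rule_name)
  rules = JSON.parse(rules_json)
  any_approver = rules.select { |r| r['rule_type'] == 'any_approver' }
  custom = rules.select { |r| r['name'] == expected_rule_name }
  findings = []
  findings << :custom_rule_missing if custom.empty?
  if any_approver.any? { |r| r['approvals_required'].to_i > 0 }
    findings << (custom.empty? ? :only_any_approver : :any_approver_coexists)
  end
  findings << :unexpected_rules unless (rules - any_approver - custom).empty?
  findings
end

# Constructed sample: rules as fetched right after the API call in step 2.
SAMPLE_AFTER_API_CREATE = <<~EOS
  [
    {"id": 1, "name": "All Members", "rule_type": "any_approver", "approvals_required": 2},
    {"id": 2, "name": "security-reviewers", "rule_type": "regular", "approvals_required": 1}
  ]
EOS

# Constructed sample: rules after the MR was edited on the page (step 4).
SAMPLE_AFTER_UI_EDIT = <<~EOS
  [
    {"id": 2, "name": "security-reviewers", "rule_type": "regular", "approvals_required": 1}
  ]
EOS

if __FILE__ == $PROGRAM_NAME
  puts approval_rule_payload('security-reviewers', [5, 7], 1)
  p audit_approval_rules(SAMPLE_AFTER_API_CREATE, 'security-reviewers')
  p audit_approval_rules(SAMPLE_AFTER_UI_EDIT, 'security-reviewers')
end
```

Failing a pipeline on any non-empty result makes a difference between intended and effective approval rules visible instead of leaving it to be noticed in the UI.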