Instance-level MR approval settings are blocking editing project approval rules

Summary

When enabled, the new MR approval settings prevent users from editing approval rules at the project level when the project has an associated compliance framework label. The current UI text does not adequately communicate the intended behavior.

Steps to reproduce

  1. Go to [GDK_URL/GITLAB_URL]/admin/push_rule#merge-request-approval-settings
  2. Select at least one compliance framework label and optionally select checkboxes
  3. Go to a project of your choice and go to the general settings
  4. Select one of the compliance framework labels which matches one you ticked in the instance settings
  5. Open the merge request approval settings and see you do not get an Add approval rule button or any way to edit existing rules

What is the current experience?

Project-level approval rules are blocked from being edited even if "Prevent users from modifying merge request approvers list" is unticked.

Proposal

Clarify the UI text to communicate the behavior from enabling these instance-level settings.

Further detail

There are other proposals that are WIP that will affect this non-intuitive behavior. We should consider:

  1. Implementing #1111 (closed) to add group-level MR approval rules
  2. Validate whether we need to bring MR approvals to the instance-level or not
  3. Consider removing the instance-level controls depending on the validation outcome of 2

Relevant logs and/or screenshots

[Video and screenshot of locked approval rules: Blocking_approval_rules]

Possible fixes

The problem occurs because the project_helper is checking can_modify_approvers for the editing ability: ee/app/helpers/ee/projects_helper.rb:99. This checks the :modify_approvers_rules policy for the current user against the project.

This policy is blocked by cannot_modify_approvers_rules (ee/app/policies/ee/project_policy.rb:358), which in turn is controlled by has_regulated_settings? (ee/app/models/ee/project.rb:221). This checks whether the compliance framework label set at the instance level matches the project's compliance framework. If it does, then it locks down the approval rules.

To fix this we need to change the policy so this locking only occurs for MR-level approval rules by tweaking the policy or creating a new check for the frontend to use.

Edited by Matt Gonzales (ex-GitLab)
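
The check chain from "Possible fixes", modeled in plain Ruby as an added example; it is not GitLab's code. Only has_regulated_settings? and modify_approvers_rules come from the issue. The structs, the maintainer check, the "SOX" label and the two split ability names are assumptions made for illustration.

```ruby
# Simplified model of the check chain described in the issue; not GitLab's code.
# Names taken from the issue: has_regulated_settings?, modify_approvers_rules.
# Everything else (structs, fields, the two split abilities) is hypothetical.
InstanceSettings = Struct.new(:regulated_frameworks, :prevent_modifying_approvers,
                              keyword_init: true)
Project = Struct.new(:compliance_framework, :maintainer_ids, keyword_init: true) do
  # True when the project's framework label is one selected at instance level.
  def has_regulated_settings?(settings)
    !compliance_framework.nil? &&
      settings.regulated_frameworks.include?(compliance_framework)
  end
end

# Current behaviour: one ability gates every approval-rule edit, so a framework
# match hides the project-level editor too, whatever the checkbox says.
def current_abilities(user_id, project, settings)
  allowed = project.maintainer_ids.include?(user_id) &&
            !project.has_regulated_settings?(settings)
  { modify_approvers_rules: allowed }
end

# Proposed split: the lock applies only to MR-level rule changes;
# project-level rules stay editable by users who could edit them anyway.
def proposed_abilities(user_id, project, settings)
  maintainer = project.maintainer_ids.include?(user_id)
  {
    modify_project_approval_rules: maintainer,
    modify_mr_approval_rules: maintainer && !project.has_regulated_settings?(settings)
  }
end

# Constructed sample data: the checkbox is unticked, as in the report.
SETTINGS  = InstanceSettings.new(regulated_frameworks: %w[SOX],
                                 prevent_modifying_approvers: false)
REGULATED = Project.new(compliance_framework: "SOX", maintainer_ids: [1])
UNLABELED = Project.new(compliance_framework: nil, maintainer_ids: [1])

if __FILE__ == $PROGRAM_NAME
  [REGULATED, UNLABELED].each do |project|
    puts "#{project.compliance_framework.inspect}: " \
         "current=#{current_abilities(1, project, SETTINGS)} " \
         "proposed=#{proposed_abilities(1, project, SETTINGS)}"
  end
end
```

Whichever split is chosen, the frontend flag and the server-side policy should read the same ability, so that showing the project-level editor does not also reopen MR-level edits on regulated projects.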