Reporter Groups can be added to protected branches
Summary
When a group is added as a reporter to any project, users of that group are able to see the merge button and click it. The MR is not merged but this seems to be an UI bug, since Reporters are supposed see the merge button grayed out.
Steps to reproduce
I've tested this on GitLab 14.2:
- Create a test project
- Create a test user and group. Add the user to the group with reporter permissions.
- Add the group to the project as Reporter
- Create an MR
- Impersonate the test user and check the MR, merge button should be clickable.
Side note: This also happens if the group is added as Maintainer and the user of the group is added as Reporter to the group.
What actually happens
The user is able to see the merge button and click on it.
What you should see instead
The user should be able to see the merge button grayed out, followed by the message:
Ready to be merged automatically. Ask someone with write access to this repository to merge this request