Merge Request Approval Process

2020-04-22 Update: Please note this issue is closed due to #39060 (closed) being released in GitLab 12.8.

Problem to solve

Per the documentation: Allowing merge request authors to approve their own merge requests, by default, an author is not able to approve an MR they created unless the box labeled Prevent approval of merge requests by merge request author is UNCHECKED.

However, with this box checked, the author of the MR can click edit on the MR and change the settings so that the approvals list only includes them and they are then able to approve/merge the MR. The author would add themselves and set the other approval amount required to 0: Photo Link

Further details

It seems that the settings for how MR approvals are set can be easily changed, making them non-effective.

Or the documentation we have here needs to be adjusted if this is the intended way MR approvals should function.

Proposal

To take a look into the security of these settings, and be sure things function as intended, or update our documentation to more clearly address how these settings can be set.

Edited Apr 22, 2020 by Eric Brinkman
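The audit check below is an added example, not part of the original issue or GitLab's own code. It flags merge requests whose approval rules were edited per-MR so that the author alone can satisfy them, which is the state described above. The field names are assumptions modelled on GitLab's approval settings and approval-state JSON, and the sample records are constructed.

```python
# Constructed sample data; field names are assumptions modelled on GitLab's
# project approval settings and per-MR approval state.
PROJECT = {
    "merge_requests_author_approval": False,                  # "Prevent approval by author" is checked
    "disable_overriding_approvers_per_merge_request": False,  # rules can still be edited per MR
}
MRS = [
    {"iid": 101, "author": "alice", "approval_rules_overwritten": True, "rules": [
        {"name": "Default", "approvals_required": 0, "eligible_approvers": ["bob", "carol"]},
        {"name": "Added in MR", "approvals_required": 1, "eligible_approvers": ["alice"]}]},
    {"iid": 102, "author": "bob", "approval_rules_overwritten": False, "rules": [
        {"name": "Default", "approvals_required": 2, "eligible_approvers": ["alice", "carol"]}]},
    {"iid": 103, "author": "carol", "approval_rules_overwritten": True, "rules": [
        {"name": "Default", "approvals_required": 0, "eligible_approvers": ["alice", "bob"]}]},
    {"iid": 104, "author": "dave", "approval_rules_overwritten": True, "rules": [
        {"name": "Default", "approvals_required": 1, "eligible_approvers": ["alice", "bob"]}]},
]

def config_gap(settings):
    """True when author approval is prevented but per-MR rule edits are allowed."""
    return (not settings["merge_requests_author_approval"]
            and not settings["disable_overriding_approvers_per_merge_request"])

def self_approval_findings(settings, merge_requests):
    """Return (iid, reason) for MRs whose edited rules the author can meet alone."""
    if not config_gap(settings):
        return []
    findings = []
    for mr in merge_requests:
        if not mr["approval_rules_overwritten"]:
            continue  # project-level rules still apply unchanged
        # Only rules that still demand at least one approval constrain the merge.
        active = [r for r in mr["rules"] if r["approvals_required"] > 0]
        if not active:
            findings.append((mr["iid"], "no approvals required"))
        elif all(r["approvals_required"] == 1
                 and mr["author"] in r["eligible_approvers"] for r in active):
            findings.append((mr["iid"], "author alone satisfies every rule"))
    return findings

if __name__ == "__main__":
    for iid, reason in self_approval_findings(PROJECT, MRS):
        print(f"MR !{iid}: {reason}")
```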