Skip to content
GitLab
Next
Closed
Issue created by Martin Brümmer@mbruemmerDeveloper

Prevent editing approval rules not enforced on project level

Summary

The instance level setting Prevent editing approval rules in projects and merge requests greys out the Approvals required approval rule attribute, but does not prevent editing of approval rules via the API. A simple CSS edit of the page enables a Maintainer to still change Approvals required.

The group level setting Prevent editing approval rules in projects and merge requests does not grey out the Approvals required approval rule attribute and does not seem to have any effect at all.

Steps to reproduce

  • Configure Prevent editing approval rules in projects and merge requests on the instance

  • Open a project as a Maintainer

  • Access the Merge Request approval rule settings

  • Right click the Approvals required field and enable it via CSS

  • Change Approvals required. The change is sent to the API and performed

  • Using the group level setting, there does not seem to be any effect at all and settings can be edited freely on project level

Example video

Changing_MR_approvals_not_prevented

What is the current bug behavior?

Prevent editing approval rules in projects and merge requests does not prevent editing approval rules in projects.

What is the expected correct behavior?

Prevent editing approval rules in projects and merge requests prevents editing approval rules in projects.

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 

System information
System:		Ubuntu 18.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.7.5p203
Gem Version:	3.1.4
Bundler Version:2.2.33
Rake Version:	13.0.6
Redis Version:	6.2.6
Sidekiq Version:6.4.0
Go Version:	unknown

GitLab information
Version:	14.10.0-ee
Revision:	ad109bc62af
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.7
URL:		http://gitlab.here
HTTP Clone URL:	http://gitlab.here/some-group/some-project.git
SSH Clone URL:	git@gitlab.here:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: gitlab

GitLab Shell
Version:	13.25.1
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...

Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 13.25.1 ? ... OK (13.25.1)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes
4/2 ... yes
1/3 ... yes
25/4 ... yes
4/5 ... yes
6/7 ... yes
9/8 ... yes
4/9 ... yes
4/10 ... yes
1/11 ... yes
41/12 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.5)
Git user has default SSH configuration? ... yes
Active users: ... 5
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled)


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished