Recent security releases broke ability for project merge request approval rules to be edited via API
The recent security releases on 2022-09-29 included this commit fc7549c1 from https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2767+
While I understand the context and scope of this relevant security fix, this commit broke the ability to manage (create/update/delete) project-level merge request approval rules via the API when the instance-level setting "Prevent editing approval rules in projects and merge requests" is enabled under Admin Area - Push Rules - Merge request approvals - Approval settings.
Previously, a PAT with the api scope associated with an Admin-level account was able to manage (create/update/delete) project-level merge request approval rules via the API. I currently heavily rely on this capability to manage merge request approval rules for our projects with Terraform while still globally preventing users from editing/deleting those API-managed rules from the UI.
I'm unsure what the possible ways are to address this, or even if it can be addressed. However, I would appreciate it if this could be looked into, even if the result is "the capability you relied on was a vulnerability and should not be available".
Testing
Additional tests would need to be added specifically for an admin user for create/update/delete.