Auto Merge button load time temporarily allows unauthorised immediate merge
Summary
In the MR window, the merge button appears for a moment before being replaced by the "Set to auto merge" button. This button is clickable and allows users who would not be permitted to "merge immediately" to do so in a window of time that has caused unauthorised merges to occur.
Steps to reproduce
- Configure auto-merge. Be a user without permission to merge immediately.
- Start a MR
- On the resulting screen, the "Set to auto-merge" button may be "Merge" for a small amount of time, during which time it will be clickable
- Click this button and see that the request is merged
Example Project
On a customer project so I am not currently able to show project
What is the current bug behavior?
Button says "Merge" and is temporarily clickable
What is the expected correct behavior?
Button should say "Set to auto-merge" at all times
Relevant logs and/or screenshots
N/A
Output of checks
N/A
Results of GitLab environment info
N/A
Results of GitLab application Check
N/A