Add API to verify if a given user can merge an MR / Allow access to Merge Requests API for CI_JOB_TOKEN
This is a very similar request to gitlab-foss#44740 (closed), but it was not solved by gitlab-foss!25207 (merged).
Like the other issue, we have a bot that can perform the merge under some conditions, but we need the information "does the requester have the right permission to merge". However, requesting the MR from the Merge Requests API only provides the information "does the bot have permission to merge", which is trivially true.
`CI_JOB_TOKEN` would seem like an appropriate means to do this, since it has the same rights as the user who started the pipeline, but it cannot access the Merge Requests API.
All other ways I can think of to do this check (list users and compare access levels, upload personal access tokens) are excessively heavy, brittle or unsafe.
Proposal
Either:
- provide a dedicated API to answer the query "Is this user allowed to merge this MR?", or
- allow the `CI_JOB_TOKEN` to access the GET endpoints of the Merge Requests API, such that it can check that the requester has the rights to merge the MR.
Context
My company pays for several hundred seats of GitLab Premium.