
Users with a Reporter role cannot approve merge requests when a project has overlapping protected branches


Summary

Discovered during the investigation in https://gitlab.com/gitlab-com/dev-sub-department/section-dev-request-for-help/-/issues/339#note_2228467708.

Setup

A project with two protected branches:

  • Protected branch with name: main
  • Protected branch with wildcard: *main* (also matches branch main)

An approval rule is set for branch 'main' for a Reporters group (see configuration).

Problem

Policy merge_request_group_approver returns false.

This happens because the code below matches the protected branch with the wildcard *main*, which doesn't have approval rules.

```ruby
protected_branch = project
          .protected_branches
          .find { |pb| pb.matches?(@subject.target_branch) }
```

As a result:

```ruby
protected_branch.approval_project_rules => []
protected_branch.approval_project_rules.for_groups(@user.group_members.reporters.select(:source_id)).exists? => false
```

Possible fixes

I believe that the condition merge_request_group_approver is incorrect.

Why do we check approval rules of the project? It's possible that merge request might have customized rules. It sounds more logical to check approval rules of the merge request rather than the project.

```ruby
condition(:merge_request_group_approver, score: 140) do
  @subject.approval_rules.for_groups(@user.group_members.reporters.select(:source_id)).exists?
end
```

Note: the for_groups scope should use approval_merge_request_rules_groups instead of approval_project_rules_groups.

Steps to reproduce

  1. Create a new project.
  2. Add two protected branches named main and *main*.
  3. Enable approval permissions for Reporters for branch main (see documentation).
  4. As a Reporter user, try to approve the merge request.

Note: I haven't reproduced it. If it still doesn't work, check the original issue: https://gitlab.com/gitlab-com/dev-sub-department/section-dev-request-for-help/-/issues/339.

What is the current bug behavior?

Reporters do not see the Approve button on Merge Requests

What is the expected correct behavior?

Reporters should see the Approve button on Merge Requests


Edited by 🤖 GitLab Bot 🤖
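
The first-match lookup described under Problem, modelled as an added example (not part of the original issue and not GitLab's code). `ProtectedBranch`, `Rule` and both helper methods are hypothetical, group id 42 is a constructed stand-in for the Reporters group, and `any_match_approver?` is an assumption shown only for contrast with the first-match lookup; it is not the fix proposed in the issue.

```ruby
# Simplified model of the lookup; all names here are hypothetical.
Rule = Struct.new(:group_ids)

ProtectedBranch = Struct.new(:name, :approval_rules) do
  # Glob-style match: '*main*' matches 'main' as well as 'my-main-2'.
  def matches?(ref)
    File.fnmatch(name, ref)
  end
end

# Mirrors the quoted code: only the FIRST matching protected branch is consulted,
# so the answer depends on the order in which the records come back.
def first_match_approver?(protected_branches, target_branch, user_group_ids)
  pb = protected_branches.find { |b| b.matches?(target_branch) }
  return false unless pb

  pb.approval_rules.any? { |r| (r.group_ids & user_group_ids).any? }
end

# Contrast: consult the rules of EVERY protected branch that matches the target.
def any_match_approver?(protected_branches, target_branch, user_group_ids)
  protected_branches
    .select { |b| b.matches?(target_branch) }
    .flat_map(&:approval_rules)
    .any? { |r| (r.group_ids & user_group_ids).any? }
end

# Constructed sample data matching the Setup section.
REPORTERS = [42].freeze
EXACT     = ProtectedBranch.new('main', [Rule.new([42])]) # has the approval rule
WILDCARD  = ProtectedBranch.new('*main*', [])             # overlaps, no rules

def demo
  {
    exact_first:    first_match_approver?([EXACT, WILDCARD], 'main', REPORTERS),
    wildcard_first: first_match_approver?([WILDCARD, EXACT], 'main', REPORTERS),
    all_matches:    any_match_approver?([WILDCARD, EXACT], 'main', REPORTERS)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

When the wildcard record is returned first, the Reporter is denied even though a rule for `main` exists, which is the behavior reported above.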