Project Approval Settings in Security Policies do not override when merge request has no policy violations
Summary
Merge request approval policy settings only override project-level settings when policy violations are found (vulnerability found or scan missing).
When the policy detects no policy violation, the project settings are not overridden.
[Edit] - See closing notes #506904 (comment 2390198669)
Steps to reproduce
1. Create a project with the settings Prevent approval by author and Prevent approvals by users who add commits disabled.
2. Create a merge request approval rule in the project with yourself as an approver.
3. Create an MR in the project and check you are able to approve.
4. Create a Merge request approval policy with Prevent approval by merge request's author and Prevent approval by commit author enabled with Fail open.
5. Refresh the MR - The merge request approval rule in step 2 should be auto-approved because of the policy that overrides the project settings.
6. Make sure you have the scan needed running on the source and target branch of the MR and that there is no violation. You should be able to approve the MR again.
Example Project
https://gitlab.com/sbouly_ultimate_group/repro/approvaltest
What is the current bug behavior?
Project Approval Settings in Security Policies are not always overriding the project settings.
What is the expected correct behavior?
The policy should always override the project settings
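
For reference, a policy of the kind created in step 4 could look like the following in the security policy project's policy YAML. This is an added example, not the configuration of the example project; the policy name, scanner, severity levels, vulnerability states and approver role are assumptions, since the report does not state them.

```yaml
# Added illustration: merge request approval policy matching step 4.
# Name, scanner, severities, states and approver role are assumed values.
approval_policy:
  - name: Prevent self-approval (constructed example)
    description: Overrides the project approval settings from step 1
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - secret_detection        # assumed; the report only says "the scan needed"
        vulnerabilities_allowed: 0
        severity_levels:
          - critical
          - high
        vulnerability_states:
          - newly_detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer              # assumed approver
    # The two settings enabled in step 4. The report observes that these
    # are enforced only while the policy has a violation (finding or
    # missing scan), and that the project-level settings apply otherwise.
    approval_settings:
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
    # "Fail open" from step 4
    fallback_behavior:
      fail: open
```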