Custom roles based on Developer are unable to be selected in merge request approval policies

Summary

When creating a custom merge request security policy for a role, you are not able to select custom roles based on the Developer role (which have access to approve merge requests inherited from the Developer role); however, you are able to select a custom role based on a role lower than Developer with the Can approve merge requests permission checked manually. Both custom roles have the Can approve merge requests permission; however, the role based on Developer is not shown in the UI.

A GitLab Ultimate customer reported this behaviour via a ticket.

Steps to reproduce

  1. Create a custom role based on Developer (add any additional permission)
  2. Create another custom role based on Reporter with Can approve merge requests permission
  3. Create a new security policy on a project (any merge request on any protected branch)
  4. Select Require X approval and Roles
  5. In the role dropdown, notice that the custom role based on Developer is not visible, but the custom role based on Reporter with the Can approve merge requests is visible

Example Project

N/A - See example screenshots:

[Screenshot: Merge Request Policy Editor]

[Screenshot: Custom Roles of Namespace]

[Screenshot: Reporter Plus Permissions]

[Screenshot: Developer Plus Permissions]

What is the current bug behavior?

Custom roles based on the Developer role that inherit the Can approve merge requests permission are unable to be selected in Merge Request Policies, whilst custom roles based on a role below Developer, such as Reporter, that have the Can approve merge requests permission manually selected show as expected.

What is the expected correct behavior?

Custom roles based on Developer should show in the policy editor UI as per the documentation:

You can also specify custom roles (or custom role identifiers in YAML mode) as role_approvers if the custom roles have the permission to approve merge requests. The custom roles can be selected along with user and group approvers.

Output of checks

This bug happens on GitLab.com


Possible fixes

Edited by Thomas Loughlin
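
For reference, the YAML-mode form that the quoted documentation describes, written to mirror steps 3 and 4 of the reproduction. This is an added example, not part of the original issue: the policy name and the numeric custom role ID are constructed placeholders, and the layout follows GitLab's merge request approval policy schema as an assumption to verify against the documentation for your version.

```yaml
# Added example; not taken from the issue.
# The policy name and the custom role ID below are constructed placeholders.
approval_policy:
  - name: Require approval from a custom role
    description: Steps 3-4 of the reproduction, expressed in YAML mode
    enabled: true
    rules:
      - type: any_merge_request   # any merge request
        branch_type: protected    # on any protected branch
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer   # standard role, referenced by name
          - 1000123      # custom role, referenced by its ID (placeholder)
```

The issue reports only the role dropdown in the policy editor UI; it does not state how a custom role based on Developer behaves when referenced by ID in YAML mode.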