Prevent edits to MRAP approval rules

Summary

It should not be possible to bypass merge request rules originating from Merge request approval policies (MRAP). But by default, edits to approval rules are not prevented, and this includes edits to MRAP approval rules.

Although we hide MRAP approval rules in the user interface, we do not prevent edits.

Steps to reproduce

  1. Create a new group
  2. Navigate to Security > Policies and create the following Merge request approval policy:

     approval_policy:
       - name: Policy Rule
         enabled: true
         rules:
           - type: any_merge_request
             branch_type: protected
             commits: any
         actions:
           - type: require_approval
             approvals_required: 1
             role_approvers: [owner]
           - type: send_bot_message
             enabled: true
         approval_settings:
           block_branch_modification: true
           block_group_branch_modification: true
           prevent_pushing_and_force_pushing: true
           prevent_approval_by_author: true
           prevent_approval_by_commit_author: true
           remove_approvals_with_new_commit: true
           require_password_to_approve: false

  3. Create a new contained project
  4. Navigate to Manage > Members and add a new Developer
  5. Impersonate the Developer
  6. Open a merge request targeting main and verify it requires approval
  7. Identify the approval rule ID through the GraphQL API:

     query {
       project(fullPath: "fast-sun-1328/fast-flower-2021") {
         mergeRequest(iid: "1") {
           approvalState {
             rules {
               name
               id
             }
           }
         }
       }
     }

  8. On the merge request page, click Edit
  9. At this point it's easiest to open your browser's web inspector and substitute the ID of the default Any eligible user rule in the markup with the ID of the policy approval rule.
  10. Click Save changes and verify no approval is required

Example Project

n/a

What is the current bug behavior?

PUT/PATCH /$FULL_PATH/-/merge_requests/$IID accepts edits to MRAP approval rules with default approval settings.

What is the expected correct behavior?

PUT/PATCH /$FULL_PATH/-/merge_requests/$IID rejects edits to MRAP approval rules with default approval settings.

Relevant logs and/or screenshots

n/a

Output of checks

n/a

Results of GitLab environment info

n/a

Possible fixes

Either reject edits to MRAP approval rules regardless of approval settings, or provide an approval_settings.prevent_editing_approval_rules property to override the behaviour.
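The following is an added illustration of the first proposed fix, written for this report and not taken from GitLab's code base: a server-side guard that inspects the approval-rule entries submitted in a merge request edit and rejects any entry whose ID belongs to a rule that originated from a policy, regardless of what the client rendered in the form. The class and method names (ApprovalRuleEditGuard, policy_originated), the shape of the submitted attributes, and the approval_settings.prevent_editing_approval_rules key are assumptions; the key defaults to preventing edits so that the secure behaviour applies when the setting is absent.

```ruby
# Added example: a guard for merge request approval-rule edits.
# Not GitLab's own code; names and payload shape are assumptions.

# Stand-in for a project's approval rules. The policy_originated flag marks
# rules created from a merge request approval policy (MRAP).
Rule = Struct.new(:id, :name, :policy_originated, keyword_init: true)

class ApprovalRuleEditGuard
  class PolicyRuleEditError < StandardError; end

  # rules:    all approval rules attached to the merge request
  # settings: the policy's approval_settings hash, keyed by string as in YAML
  def initialize(rules:, settings: {})
    @rules_by_id = rules.to_h { |r| [r.id, r] }
    @settings = settings
  end

  # Hypothetical override: editing policy rules is allowed only when the
  # setting is explicitly false. A missing key means "prevent" (secure default).
  def editing_policy_rules_allowed?
    @settings.fetch('prevent_editing_approval_rules', true) == false
  end

  # Given the approval-rule attribute hashes from a PUT/PATCH payload, return
  # the IDs that resolve to policy-originated rules. Entries whose ID is unknown
  # are also reported, since the server cannot tell what they would modify.
  def blocked_rule_ids(submitted_attrs)
    submitted_attrs.filter_map do |attrs|
      id = attrs['id']
      next if id.nil?                     # new user rule, not an edit of an existing one
      rule = @rules_by_id[id]
      id if rule.nil? || rule.policy_originated
    end
  end

  # Validate a payload. Returns it unchanged when acceptable; raises otherwise.
  # Any policy rule that is edited, or removed via _destroy, is rejected.
  def validate!(submitted_attrs)
    return submitted_attrs if editing_policy_rules_allowed?

    blocked = blocked_rule_ids(submitted_attrs)
    unless blocked.empty?
      raise PolicyRuleEditError,
            "edits to policy approval rules are not permitted: #{blocked.join(', ')}"
    end
    submitted_attrs
  end
end

# Constructed sample: the default rule plus a rule created by the policy above.
SAMPLE_RULES = [
  Rule.new(id: 101, name: 'Any eligible user', policy_originated: false),
  Rule.new(id: 202, name: 'Policy Rule', policy_originated: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  guard = ApprovalRuleEditGuard.new(rules: SAMPLE_RULES)
  # Normal edit of the default rule: accepted.
  guard.validate!([{ 'id' => 101, 'approvals_required' => 0 }])
  # Payload with the policy rule's ID swapped in: rejected.
  begin
    guard.validate!([{ 'id' => 202, 'approvals_required' => 0 }])
  rescue ApprovalRuleEditGuard::PolicyRuleEditError => e
    puts e.message
  end
end
```

The check keys on the server-side record of where each rule came from, not on anything the client submits, so hiding the rule in the UI becomes a convenience rather than the control. The same guard also covers the `_destroy` case, because a removal request still carries the rule's ID.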

Patch release information for backports

n/a

High-severity bug remediation

n/a

Edited by Dominic Bauer