Approval widget incorrectly removes commit authors from allowed approvers list when multiple policies have conflicting commit author settings
Summary
When multiple Merge Request Approval policies apply to the same MR with conflicting prevent_approval_by_commit_author settings (one policy preventing commit authors from approving and another allowing it), the Approval widget incorrectly removes the committer from the list of users who are allowed to approve on both policies. Each policy should independently display the correct list of users who are allowed to approve based on its own settings.
Additionally, the widget incorrectly removes commit authors from CODEOWNERS approvals, and this bug persists even when Policy A is ignored due to bypass_settings rules.
Steps to reproduce
- Create a project with at least one commit author who is also a project member with approval permissions
- Create two Merge Request Approval policies that apply to the same merge request:
  - Policy A: Set prevent_approval_by_commit_author: true
  - Policy B: Set prevent_approval_by_commit_author: false
- Create a merge request where the commit author is someone who would normally be eligible to approve
- Navigate to the merge request and observe the Approval widget
Example Project
Notice that the commit author @ekaterina-grechishkina2 is not on the list of users available to approve on either policy, although they should be excluded only from the "commit author not allowed" policy.
What is the current bug behavior?
The Approval widget removes the commit author from the list of users who are allowed to approve on both policies, even though Policy B should allow the commit author to approve. Both policies show the same (incorrect) list of eligible approvers with the commit author excluded.
Additionally:
- The widget incorrectly removes commit authors from CODEOWNERS approvals
- The bug persists even when Policy A is ignored due to source branch bypass_settings rules
What is the expected correct behavior?
Each policy should independently display the correct list of users who are allowed to approve based on its own prevent_approval_by_commit_author setting:
- Policy A (with prevent_approval_by_commit_author: true): Should show eligible approvers excluding the commit author
- Policy B (with prevent_approval_by_commit_author: false): Should show eligible approvers including the commit author
The approval widget should respect each policy's individual settings rather than applying a global exclusion across all policies.
CODEOWNERS approvals should also correctly include or exclude commit authors based on the applicable policy settings, and source branch bypass_settings rules should be properly respected when determining which policies apply.
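The difference between the expected per-policy filtering and the reported global exclusion, as a small Ruby model added here for illustration (not GitLab's own code). The policy names and the two prevent_approval_* settings come from the policy YAML in this report; the usernames and the helper names are hypothetical.

```ruby
require 'set'

# Constructed model of the two policies in this report; fields mirror the YAML keys.
Policy = Struct.new(:name, :prevent_author, :prevent_commit_author, keyword_init: true)

POLICIES = [
  Policy.new(name: 'From release to release (commit author is allowed)',
             prevent_author: true, prevent_commit_author: false),
  Policy.new(name: 'From feature to release (commit author not allowed)',
             prevent_author: true, prevent_commit_author: true)
].freeze

# Expected behavior: each policy filters candidates using only its own settings.
def eligible_per_policy(policies, candidates, mr_author:, commit_authors:)
  policies.to_h do |policy|
    excluded = Set.new
    excluded << mr_author if policy.prevent_author
    excluded.merge(commit_authors) if policy.prevent_commit_author
    [policy.name, candidates.reject { |user| excluded.include?(user) }]
  end
end

# Reported behavior: one policy's commit-author restriction is applied to every policy.
def eligible_global_exclusion(policies, candidates, mr_author:, commit_authors:)
  strip_committers = policies.any?(&:prevent_commit_author)
  policies.to_h do |policy|
    excluded = Set.new
    excluded << mr_author if policy.prevent_author
    excluded.merge(commit_authors) if strip_committers
    [policy.name, candidates.reject { |user| excluded.include?(user) }]
  end
end

# Policies whose displayed list differs from what their own settings imply.
def mismatched_policies(expected, displayed)
  expected.keys.reject { |name| expected[name].sort == displayed[name].sort }
end

# Constructed sample data: hypothetical usernames, not taken from the example project.
CANDIDATES = %w[alice bob carol].freeze
MR = { mr_author: 'alice', commit_authors: %w[bob] }.freeze

EXPECTED  = eligible_per_policy(POLICIES, CANDIDATES, **MR)
DISPLAYED = eligible_global_exclusion(POLICIES, CANDIDATES, **MR)
puts mismatched_policies(EXPECTED, DISPLAYED)
```

Only the policy that allows commit authors is flagged, which matches the symptom described: its displayed list is missing the committer, while the restrictive policy's list is already correct.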
Relevant logs and/or screenshots
Policy:
```yaml
---
approval_policy:
  - name: From release to release (commit author is allowed)
    description: ''
    enabled: true
    policy_scope:
      projects:
        excluding: []
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
          - developer
          - maintainer
      - type: send_bot_message
        enabled: false
    approval_settings:
      block_branch_modification: false
      block_group_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
    bypass_settings:
      branches: []
  - name: From feature to release (commit author not allowed)
    description: ''
    enabled: true
    policy_scope:
      projects:
        excluding: []
    rules:
      - type: any_merge_request
        branch_type: protected
        commits: any
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - maintainer
          - owner
          - developer
      - type: send_bot_message
        enabled: false
    approval_settings:
      block_branch_modification: false
      block_group_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
    bypass_settings:
      branches: []
```
Output of checks
This bug likely affects GitLab.com and self-managed instances where multiple approval policies with conflicting commit author settings are configured.
Results of GitLab environment info
This bug happens on GitLab.com.