Merge request approval settings API unintentionally resets unspecified parameters to false
Summary
When updating a single merge request approval setting via the API endpoint (/api/v4/projects/:id/merge_request_approval_setting), other unspecified approval settings are incorrectly reset to their default/false values instead of being preserved.
Steps to reproduce
- Check the specific approval settings for a given project. You must ensure that allow_author_approval is false, and that allow_committer_approval and allow_overrides_to_approver_list_per_merge_request are true.
curl --header "private-token: <token>" "https://gitlab.example.com/api/v4/projects/1/merge_request_approval_setting" | jq
{
"allow_author_approval": {
"value": false,
...
},
"allow_committer_approval": {
"value": true,
...
},
"allow_overrides_to_approver_list_per_merge_request": {
"value": true,
...
},
- Attempt to update only the allow_author_approval setting:
curl -X PUT --header "private-token: <token>" "https://gitlab.example.com/api/v4/projects/1/merge_request_approval_setting?allow_author_approval=true" | jq
{
"allow_author_approval": {
"value": true,
...
},
"allow_committer_approval": {
"value": false,
...
},
"allow_overrides_to_approver_list_per_merge_request": {
"value": false,
...
},
What is the current bug behavior?
If allow_author_approval is false but allow_committer_approval and allow_overrides_to_approver_list_per_merge_request are true, updating only allow_author_approval to true via the API will incorrectly change allow_committer_approval and allow_overrides_to_approver_list_per_merge_request to false.
What is the expected correct behavior?
Updating allow_author_approval via the API endpoint should not impact other unspecified settings.
Output of checks
This bug happens on GitLab.com
Possible fixes
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.
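A check for the behavior reported above, added here as an example and not taken from the issue or from GitLab's code: it compares the settings before and after a single-parameter update and reports any setting that changed without being requested. It also builds a query string that restates every current value. The function names are hypothetical, the sample responses are constructed from the output in the steps to reproduce (reduced to the "value" field), and the assumption that explicitly restated values are honored by the endpoint is not confirmed on this page.

```python
import json
from urllib.parse import urlencode

# Constructed sample data: the GET and PUT responses from the report,
# reduced to the "value" field (the other fields are elided on the page).
BEFORE = json.loads("""{
  "allow_author_approval": {"value": false},
  "allow_committer_approval": {"value": true},
  "allow_overrides_to_approver_list_per_merge_request": {"value": true}
}""")
AFTER = json.loads("""{
  "allow_author_approval": {"value": true},
  "allow_committer_approval": {"value": false},
  "allow_overrides_to_approver_list_per_merge_request": {"value": false}
}""")


def flatten(response):
    """Map each setting name in an API response to its boolean "value"."""
    return {name: body["value"] for name, body in response.items()
            if isinstance(body, dict) and "value" in body}


def unintended_changes(before, after, requested):
    """Return {name: (old, new)} for settings that changed without being requested."""
    old, new = flatten(before), flatten(after)
    return {name: (old[name], new.get(name)) for name in old
            if name not in requested and new.get(name) != old[name]}


def full_update_query(current, changes):
    """Build a query string restating every current setting plus the changes,
    so the PUT leaves no parameter unspecified (assumed workaround)."""
    flat = flatten(current)
    unknown = set(changes) - set(flat)
    if unknown:
        raise ValueError(f"settings not present in current state: {sorted(unknown)}")
    merged = {**flat, **changes}
    return urlencode({k: str(v).lower() for k, v in sorted(merged.items())})


if __name__ == "__main__":
    for name, (old, new) in unintended_changes(
            BEFORE, AFTER, {"allow_author_approval"}).items():
        print(f"unrequested change: {name} {old} -> {new}")
    print(full_update_query(BEFORE, {"allow_author_approval": True}))
```

Running the same comparison against live GET responses taken before and after each automated settings change turns a silent reset into an alert.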