Branch rules cannot modify code owner approval when security policy applied
Summary
The toggle for Code owner approval results in an error on the branch rule page
Steps to reproduce
- Navigate to a project => Secure => Policies => New policy => Merge request approval policy
- Create the following policy. Feel free to update the affected branch to any protected branch
  ```yaml
  approval_policy:
    - name: Apply Pushing and force pushing setting
      description: ''
      enabled: true
      rules:
        - type: scan_finding
          scanners: []
          vulnerabilities_allowed: 0
          severity_levels: []
          vulnerability_states: []
          branches:
            - security-training
      approval_settings:
        block_branch_modification: true
        prevent_pushing_and_force_pushing: true
        prevent_approval_by_author: false
        prevent_approval_by_commit_author: false
        remove_approvals_with_new_commit: false
        require_password_to_approve: false
  ```
- Navigate to the project => Settings => Repository => Protected Branches
- Verify the user can toggle `Code owner approval` for the affected branch (e.g. `security-training`)
- Navigate to the project => Settings => Repository => Branch rules => Edit the affected branch
- Verify the user can toggle `Code owner approval` for the affected branch's branch rule
Example Project
What is the current bug behavior?
Code owner approval cannot be toggled with security policy enabled
What is the expected correct behavior?
Code owner approval can be toggled with security policy enabled
Relevant logs and/or screenshots
{
"errors": [
{
"message": "Internal server error: Gitlab::Access::AccessDeniedError",
"raisedAt": "/Users/paulinasedlak-jakubowska/Repositories/gdk/gitlab/ee/app/services/ee/protected_branches/base_policy_check.rb:17:in `check!' \u003c-- /Users/paulinasedlak-jakubowska/Repositories/gdk/gitlab/ee/app/services/ee/protected_branches/base_policy_check.rb:7:in `check!' \u003c-- /Users/paulinasedlak-jakubowska/Repositories/gdk/gitlab/ee/app/services/ee/protected_branches/force_push_changes_blocked_by_policy.rb:43:in `execute' \u003c-- /Users/paulinasedlak-jakubowska/Repositories/gdk/gitlab/ee/app/services/ee/protected_branches/renaming_blocked_by_policy.rb:51:in `execute' \u003c-- /Users/paulinasedlak-jakubowska/Repositories/gdk/gitlab/app/services/branch_rules/update_service.rb:14:in `execute_on_branch_rule' \u003c-- /Users/paulinasedlak-jakubowska/Repositories/gdk/gitlab/ee/app/services/ee/branch_rules/base_service.rb:22:in `execute' \u003c-- /Users/paulinasedlak-jakubowska/Repositories/gdk/gitlab/app/graphql/mutations/branch_rules/update.rb:30:in `resolve' \u003c-- /Users/paulinasedlak-jakubowska/.local/share/mise/installs/ruby/3.3.10/lib/ruby/gems/3.3.0/gems/graphql-2.5.11/lib/graphql/schema/resolver.rb:118:in `public_send' \u003c-- /Users/paulinasedlak-jakubowska/.local/share/mise/installs/ruby/3.3.10/lib/ruby/gems/3.3.0/gems/graphql-2.5.11/lib/graphql/schema/resolver.rb:118:in `call_resolve' \u003c-- /Users/paulinasedlak-jakubowska/.local/share/mise/installs/ruby/3.3.10/lib/ruby/gems/3.3.0/gems/graphql-2.5.11/lib/graphql/schema/mutation.rb:69:in `call_resolve' \u003c-- /Users/paulinasedlak-jakubowska/.local/share/mise/installs/ruby/3.3.10/lib/ruby/gems/3.3.0/gems/graphql-2.5.11/lib/graphql/schema/resolver.rb:105:in `block (3 levels) in resolve_with_support'"
}
]
}
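When a branch rule update fails with `Gitlab::Access::AccessDeniedError` as in the log above, a useful triage step is to list which branches the project's approval policies lock. The Ruby script below is an added example, not GitLab code and not part of the original report: the sample YAML is constructed from the policy in the reproduction steps plus a hypothetical disabled policy, and `branch_locks` is a hypothetical helper that matches branches by literal name only.

```ruby
require 'yaml'

# Constructed sample: the policy from the reproduction steps plus a disabled one.
POLICY_YAML = <<~POLICY
  approval_policy:
    - name: Apply Pushing and force pushing setting
      enabled: true
      rules:
        - type: scan_finding
          branches:
            - security-training
      approval_settings:
        block_branch_modification: true
        prevent_pushing_and_force_pushing: true
    - name: Disabled example (hypothetical)
      enabled: false
      rules:
        - type: scan_finding
          branches:
            - main
      approval_settings:
        block_branch_modification: true
POLICY

# approval_settings keys that restrict changes to the protected branch itself.
BRANCH_LOCKS = %w[block_branch_modification prevent_pushing_and_force_pushing].freeze

# Returns { branch => { lock_setting => [policy names] } } for enabled policies.
# Assumption of this example: branches are matched by the literal names listed
# under each rule's `branches` key.
def branch_locks(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  result = {}
  Array(doc['approval_policy']).each do |policy|
    next unless policy['enabled'] == true
    settings = policy['approval_settings'] || {}
    locks = BRANCH_LOCKS.select { |key| settings[key] == true }
    next if locks.empty?
    branches = Array(policy['rules']).flat_map { |rule| Array(rule['branches']) }.uniq
    branches.each do |branch|
      locks.each { |lock| ((result[branch] ||= {})[lock] ||= []) << policy['name'] }
    end
  end
  result
end

branch_locks(POLICY_YAML).each do |branch, locks|
  locks.each { |lock, names| puts "#{branch}: #{lock} set by #{names.join(', ')}" }
end
```

A branch that appears in this output is one where edits to its branch rule pass through the policy checks named in the stack trace.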
Possible fixes