
Allow admins to manage approval rules when disallowed instance-wide

Patrick Bajao requested to merge 385357-allow-admins-modify-approval-rules into master

What does this MR do and why?

A security fix that prevents bypassing the "Prevent editing approval rules in projects and merge requests" setting also stopped instance admins from managing approval rules.

This affects the workflows of some customers who use admin users to manage approval rules while that setting is enabled.

This fixes that by allowing instance admins to manage approval rules even when it's not allowed globally.

How to set up and validate locally

  1. Enable the "Prevent editing approval rules in projects and merge requests" setting on admin (http://localhost:3000/admin/push_rule, under "Merge request approvals").
  2. As an admin, create a project approval rule via API (doc). It should be successful.
  3. As a project owner and not an admin, create a project approval rule via API. It should fail.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #385357 (closed)

Edited by Patrick Bajao
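
The validation steps above can be scripted as a regression check. This is an added example, not code from the merge request; it assumes the tester supplies `PROJECT_ID`, `ADMIN_TOKEN` and `OWNER_TOKEN`, that the instance-wide setting is already enabled, and that a refused request returns a 4xx status (the description only says it "should fail").

```bash
#!/usr/bin/env bash
# Added example (not GitLab's code): checks steps 2 and 3 of the validation list.
# Assumed inputs: GITLAB_URL, PROJECT_ID, ADMIN_TOKEN (instance admin) and
# OWNER_TOKEN (project owner who is not an admin), all provided by the tester.

GITLAB_URL="${GITLAB_URL:-http://localhost:3000}"

# POST a new project approval rule and print only the HTTP status code.
create_rule() {  # $1 = personal access token, $2 = rule name
  curl --silent --output /dev/null --write-out '%{http_code}' \
    --request POST \
    --header "PRIVATE-TOKEN: $1" \
    --data-urlencode "name=$2" --data "approvals_required=1" \
    "$GITLAB_URL/api/v4/projects/$PROJECT_ID/approval_rules"
}

# Compare a status with what the role should get while the setting is enabled.
# admin: any 2xx (rule created). owner: any 4xx (assumed refusal status).
# An owner receiving 2xx means the setting can be bypassed again.
verdict() {  # $1 = role (admin|owner), $2 = HTTP status
  case "$1:$2" in
    admin:2[0-9][0-9]) echo "PASS" ;;
    owner:4[0-9][0-9]) echo "PASS" ;;
    admin:*|owner:*)   echo "FAIL" ;;
    *)                 echo "UNKNOWN_ROLE" ;;
  esac
}

run_checks() {
  local failed=0 role token status result
  for role in admin owner; do
    if [ "$role" = admin ]; then token="$ADMIN_TOKEN"; else token="$OWNER_TOKEN"; fi
    # curl prints 000 when it cannot connect; keep that as a failing status.
    status="$(create_rule "$token" "mr-validation-$role-$$")" || status="000"
    result="$(verdict "$role" "$status")"
    echo "$role: HTTP $status -> $result"
    [ "$result" = PASS ] || failed=1
  done
  return "$failed"
}

# Only touch the network when every input is present.
if [ -n "${ADMIN_TOKEN:-}" ] && [ -n "${OWNER_TOKEN:-}" ] && [ -n "${PROJECT_ID:-}" ]; then
  run_checks
fi
```

The admin check creates a real approval rule in the project, so remove it after the run.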
