
Make approval rules only editable by group admins

What does this MR do and why?

Previously, group maintainers were able to add Group Approval Rules via the POST endpoint. This MR restricts this to group admins/owners with the admin_merge_request_approval_settings permission when creating rules via the POST endpoint. It also moves the update_approval_rule permission to only be available to group admins or owners.

Group approval rules are currently behind a development feature flag and have not yet been released.

Closes Restrict group approval rule updates to group a... (#441439 - closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited by Gavin Hinfey
