
Add canApprove field to ApprovalRuleForSummaryType

Hunter Stewart requested to merge hustewart-graphql-check-access into master

What does this MR do and why?

Why

See Provide canApprove on ApprovalRuleForSummaryType (#448548 - closed)

We want to show for each rule if the user making the request can approve the deployment. In particular we want to facilitate a frontend experience where users can choose which group they approve as, instead of the backend choosing randomly.

What

  • use existing Authorizable functionality to expose canApprove in GraphQL on the ProtectedEnvironmentApprovalRuleForSummary type.
  • update spec
  • compile docs

Add canApprove field to ApprovalRuleForSummaryType

The functionality is already in Authorizable. This commit exposes whether or not the current_user in the GraphQL request is permitted to deploy per rule.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Authenticated as user who is an approver for all the groups and user level

Screenshot_2024-03-27_at_8.48.37_AM

Authenticated as user who is only approver for one group

Screenshot_2024-03-27_at_8.49.10_AM

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  • create new public project

  • create some groups you want to add as approvers

  • create an environment you want to protect

  • go to Settings / CI CD / Protected Environments to protect it

  • select approvers based on a group or user you want to test

  • create a minimal .gitlab-ci.yml to interact with the environment, something like:

deploy:
  stage: deploy
  environment:
    name: production
  script:
    - echo "deploy to production"

  • run the pipeline

  • click into the job

  • you should see "Waiting for approvals"

  • open GraphiQL in a browser where you're authenticated as the user who should be able to approve.

  • example GraphQL to see canApprove

{
  project(fullPath: "root/approve-pub") {
    deployment(iid: 8) {
      approvalSummary {
        rules {
          group {
            name
          }
          canApprove
          requiredApprovals
          approvedCount
        }
      }
    }
  }
}

  • canApprove should be true

  • run the same query in a browser where no user is signed in

  • canApprove should be false

This is the basic local verification for testing on the rules. You can add groups, change rules around, and sign in as different users in different groups to test more cases.

Edited by Hunter Stewart
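
The validation steps above can also be checked from a script. This Ruby sketch is an added example, not part of the merge request or GitLab's own code: it posts the same query to `/api/graphql` and compares each rule's `canApprove` with the groups the caller is expected to approve for. The group names `devs` and `ops`, the `GITLAB_URL` variable and the helper names are assumptions, and the sample responses are constructed.

```ruby
require "json"
require "net/http"
require "uri"

# Query from the description above; fullPath and iid are the page's sample values.
QUERY = <<~GRAPHQL
  { project(fullPath: "root/approve-pub") { deployment(iid: 8) { approvalSummary {
      rules { group { name } canApprove requiredApprovals approvedCount } } } } }
GRAPHQL

# Constructed sample responses (group names "devs" and "ops" are made up).
def sample(devs:, ops:)
  rules = [{ "group" => { "name" => "devs" }, "canApprove" => devs },
           { "group" => { "name" => "ops" },  "canApprove" => ops }]
  { "data" => { "project" => { "deployment" => { "approvalSummary" => { "rules" => rules } } } } }
end
SAMPLE_ONE_GROUP = sample(devs: true, ops: false)  # approver for one group only
SAMPLE_ANONYMOUS = sample(devs: false, ops: false) # no user signed in

# Returns [[rule label, canApprove], ...] from a parsed GraphQL response.
def can_approve_by_rule(response)
  rules = response.dig("data", "project", "deployment", "approvalSummary", "rules")
  raise ArgumentError, "no approval rules in response" if rules.nil?
  rules.map { |r| [r.dig("group", "name") || "(non-group rule)", r["canApprove"]] }
end

# Returns one message per rule whose canApprove differs from the expectation.
# approver_of: labels of the rules the caller should be able to approve.
def check_access(response, approver_of:)
  can_approve_by_rule(response).filter_map do |label, allowed|
    expected = approver_of.include?(label)
    next if allowed == expected
    "#{label}: canApprove=#{allowed.inspect}, expected #{expected}"
  end
end

# Posts QUERY to a GitLab instance; a nil token sends an anonymous request.
def fetch(base_url, token = nil)
  uri = URI.join(base_url, "/api/graphql")
  req = Net::HTTP::Post.new(uri, "Content-Type" => "application/json")
  req["Authorization"] = "Bearer #{token}" if token
  req.body = JSON.generate(query: QUERY)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
  JSON.parse(res.body)
end

# Live check is opt-in (GITLAB_URL is an assumed variable): anonymous callers
# must get canApprove == false on every rule.
puts check_access(fetch(ENV["GITLAB_URL"]), approver_of: []) if ENV["GITLAB_URL"]
```

An empty result means every rule matched the expectation; any line returned names a rule where `canApprove` is exposed differently than intended.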
