Add canApprove field to ApprovalRuleForSummaryType
What does this MR do and why?
Why
See Provide canApprove on ApprovalRuleForSummaryType (#448548 - closed)
We want to show for each rule if the user making the request can approve the deployment. In particular we want to facilitate a frontend experience where users can choose which group they approve as, instead of the backend choosing randomly.
What
- use existing Authorizable functionality to expose
canApprove
in graphQL on theProtectedEnvironmentApprovalRuleForSummary
type. - update spec
- compile docs
Add canApprove field to ApprovalRuleForSummaryType
The functionality is already in Authorizable. This commit exposes whether or not the current_user in the graphQL request is permitted to deploy per rule.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Authenticated as user who is an approver for all the groups and user level
Authenticated as user who is only approver for one group
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
-
create new public project
-
create some groups you want to add as approvers
-
create an environment you want to protect
-
go to Settings / CI CD / Protected Environments to protect it
-
select approvers based on a group or user you want to test
-
create a minimal
.gitlab-ci.yml
to interact with the environment, something like:
deploy:
stage: deploy
environment:
name: production
script:
- echo "deploy to production"
-
run the pipeline
-
click into the job
-
you should see "Waiting for approvals"
-
open graphiql in a browser where you're authenticated as the user who should be able to approve.
-
example graphQL to see
canApprove
{
project(fullPath: "root/approve-pub") {
deployment(iid: 8) {
approvalSummary {
rules {
group {
name
}
canApprove
requiredApprovals
approvedCount
canApprove
group {
name
}
}
}
}
}
}
-
canApprove
should betrue
-
run the same query in a browser where no user is signed in
-
canApprove
should befalse
This is the basic local verification for testing on the rules. You can add groups, change rules around, and sign in as different users in different groups to test more cases.