
Fix custom roles cannot be used for MRAP

What does this MR do and why?

This MR fixes the error "Required approvals exceed eligible approvers" described here, which occurs when custom roles are used as approvers in merge request approval policies.

New queries

eligible_approvers_by_project_id_and_custom_roles

SELECT
    "members"."id",
    "members"."access_level",
    "members"."source_id",
    "members"."source_type",
    "members"."user_id",
    "members"."notification_level",
    "members"."type",
    "members"."created_at",
    "members"."updated_at",
    "members"."created_by_id",
    "members"."invite_email",
    "members"."invite_token",
    "members"."invite_accepted_at",
    "members"."requested_at",
    "members"."expires_at",
    "members"."ldap",
    "members"."override",
    "members"."state",
    "members"."invite_email_success",
    "members"."member_namespace_id",
    "members"."member_role_id",
    "members"."expiry_notified_at",
    "members"."request_accepted_at"
FROM
    "members"
WHERE
    "members"."type" = 'ProjectMember'
    AND "members"."source_type" = 'Project'
    AND "members"."source_id" = 66918000
    AND "members"."member_role_id" IN (2004055, 1002074)

https://postgres.ai/console/gitlab/gitlab-production-main/sessions/41821/commands/128322

eligible_approvers_by_group_ids_and_custom_roles

SELECT
    "members"."id",
    "members"."access_level",
    "members"."source_id",
    "members"."source_type",
    "members"."user_id",
    "members"."notification_level",
    "members"."type",
    "members"."created_at",
    "members"."updated_at",
    "members"."created_by_id",
    "members"."invite_email",
    "members"."invite_token",
    "members"."invite_accepted_at",
    "members"."requested_at",
    "members"."expires_at",
    "members"."ldap",
    "members"."override",
    "members"."state",
    "members"."invite_email_success",
    "members"."member_namespace_id",
    "members"."member_role_id",
    "members"."expiry_notified_at",
    "members"."request_accepted_at"
FROM
    "members"
WHERE
    "members"."type" = 'GroupMember'
    AND "members"."source_type" = 'Namespace'
    AND "members"."source_id" = 79430960
    AND "members"."member_role_id" IN (2004055, 1002074)

https://postgres.ai/console/gitlab/gitlab-production-main/sessions/41821/commands/128325
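Worked example, added here and not part of this MR's code: an in-memory model of the two eligibility queries above and of the "Required approvals exceed eligible approvers" check. The member rows, ids and the helper names are constructed for illustration; only the column filters mirror the queries.

```ruby
# Added example (not GitLab code): models the two eligibility queries above
# and the approvals_required check against the eligible approver count.
Member = Struct.new(:id, :type, :source_type, :source_id, :user_id,
                    :member_role_id, keyword_init: true)

# Constructed sample membership rows (ids are made up).
MEMBERS = [
  Member.new(id: 1, type: 'ProjectMember', source_type: 'Project',   source_id: 100, user_id: 10, member_role_id: 5),
  Member.new(id: 2, type: 'ProjectMember', source_type: 'Project',   source_id: 100, user_id: 11, member_role_id: nil),
  Member.new(id: 3, type: 'GroupMember',   source_type: 'Namespace', source_id: 200, user_id: 12, member_role_id: 5),
  Member.new(id: 4, type: 'GroupMember',   source_type: 'Namespace', source_id: 200, user_id: 10, member_role_id: 6),
  Member.new(id: 5, type: 'GroupMember',   source_type: 'Namespace', source_id: 300, user_id: 13, member_role_id: 5)
].freeze

# Mirrors eligible_approvers_by_project_id_and_custom_roles: direct project
# members holding one of the custom roles.
def eligible_approvers_by_project_id_and_custom_roles(members, project_id, role_ids)
  members.select do |m|
    m.type == 'ProjectMember' && m.source_type == 'Project' &&
      m.source_id == project_id && role_ids.include?(m.member_role_id)
  end
end

# Mirrors eligible_approvers_by_group_ids_and_custom_roles: members of the
# given groups (assumed to be the project's ancestor groups) with a custom role.
def eligible_approvers_by_group_ids_and_custom_roles(members, group_ids, role_ids)
  members.select do |m|
    m.type == 'GroupMember' && m.source_type == 'Namespace' &&
      group_ids.include?(m.source_id) && role_ids.include?(m.member_role_id)
  end
end

# Distinct users that can approve via a custom role, directly or through a group.
# The same user may appear in both sets, so count by user_id, not by row.
def eligible_user_ids(members, project_id, group_ids, role_ids)
  direct = eligible_approvers_by_project_id_and_custom_roles(members, project_id, role_ids)
  inherited = eligible_approvers_by_group_ids_and_custom_roles(members, group_ids, role_ids)
  (direct + inherited).map(&:user_id).compact.uniq
end

# Returns nil when the rule is satisfiable, otherwise the validation error.
def validate_approvals_required(members, project_id:, group_ids:, role_ids:, approvals_required:)
  eligible = eligible_user_ids(members, project_id, group_ids, role_ids).size
  return nil if approvals_required <= eligible

  "Required approvals exceed eligible approvers (#{approvals_required} > #{eligible})"
end
```

Dropping the group query (or ignoring member_role_id) shrinks the eligible set and is what produces the error for otherwise valid policies.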

References

Related to #542536 (closed)

Screenshots or screen recordings

Before: image
After: Screenshot_2025-07-24_at_2.38.45_PM

How to set up and validate locally

Create a new custom role

  1. Go to the Admin Area > Settings > Roles and permissions
  2. Create a custom role with Developer as base role and add any additional permissions

Direct project member

  1. Create a new project
  2. Go to Manage > Members
  3. Invite a user with the custom role to the project
  4. Go to Secure > Policies
  5. Click on New Policy
  6. Select Merge request approval policy
  7. Create a policy that requires approval from the custom role created above
approval_policy:
  - name: mrap
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - 2
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
  8. Verify the policy can be created

Group member

  1. Create a new group
  2. Go to Manage > Members
  3. Invite a user with the custom role to the group
  4. Create a new project
  5. Go to Secure > Policies
  6. Click on New Policy
  7. Select Merge request approval policy
  8. Create a policy that requires approval from the custom role created above
approval_policy:
  - name: mrap
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - 2
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: true
      prevent_pushing_and_force_pushing: true
      prevent_approval_by_author: true
      prevent_approval_by_commit_author: true
      remove_approvals_with_new_commit: true
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
  9. Verify the policy can be created

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
