Allow granting approval permissions for Planner role

Eugenia Grieffrequested to merge
556903-allow-enabling-approval-permissions-for-users-with-the-planner-role into master

What does this MR do and why?

Extend "Enable approval permissions for users with the Reporter role" to users with the Planner role.

Also, this MR will fixes #492467 (closed) by modifying the rule merge_request_group_approver to include roles higher than Reporter (see !200230 (comment 2679475858) for more context).

References

Related to #556903 (closed)

Relevant discussion: https://gitlab.com/groups/gitlab-org/-/epics/13770#note_2038932643

Screenshots or screen recordings

Users who were granted approval permissions for a protected branch can be added as reviewers and approve the MR when their role is Planner or higher:

assign reviewers approve MR
Screen_Recording_2025-08-08_at_13.56.56 Screen_Recording_2025-08-08_at_14.00.43

How to set up and validate locally

  1. Create six users, one for each role:
guest, planner, reporter, developer, maintainer, owner = %w[guest planner reporter developer maintainer owner].map do |username|
  FactoryBot.create(:user, username: username, email: "#{username}@example.com", name: "#{username.capitalize} User", password: 'pass12345678')
end
  1. Create a new group (e.g Approvers Group) and add the users with the corresponding role
  2. In a separate group, create a project (e.g, Project A) and invite the group Approvers Group with the Reporter role
  3. Add a protected branch to the Project A and create an MR targeting the protected branch
  4. Add an approval rule for the protected branch (follow the steps 5+ from enable-approval-permissions-for-users-with-the-reporter-role)
  5. Verify that all roles, except Guest, can approve the MR
  6. Optionally, verify via console that the permission approve_merge_request is allowed for the roles Planner and higher:
mr = MergeRequest.last

# before

guest.can?(:approve_merge_request, mr) #=> false
planner.can?(:approve_merge_request, mr) #=> false
reporter.can?(:approve_merge_request, mr) #=> true
developer.can?(:approve_merge_request, mr) #=> false
maintainer.can?(:approve_merge_request, mr) #=> false
owner.can?(:approve_merge_request, mr) #=> false

# after

guest.can?(:approve_merge_request, mr) #=> false
planner.can?(:approve_merge_request, mr) #=> true
reporter.can?(:approve_merge_request, mr) #=> true
developer.can?(:approve_merge_request, mr) #=> true
maintainer.can?(:approve_merge_request, mr) #=> true
owner.can?(:approve_merge_request, mr) #=> true

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugenia Grieff

Merge request reports