Prevent editing approval rules not enforced on project level
### Summary The instance level setting `Prevent editing approval rules in projects and merge requests` greys out the `Approvals required` approval rule attribute, but does not prevent editing of approval rules via the API. A simple CSS edit of the page enables a `Maintainer` to still change `Approvals required`. The group level setting `Prevent editing approval rules in projects and merge requests` does not grey out the `Approvals required` approval rule attribute and does not seem to have any effect at all. ### Steps to reproduce * Configure `Prevent editing approval rules in projects and merge requests` on the instance * Open a project as a `Maintainer` * Access the Merge Request approval rule settings * Right click the `Approvals required` field and enable it via CSS * Change `Approvals required`. The change is sent to the API and performed * Using the group level setting, there does not seem to be any effect at all and settings can be edited freely on project level ### Example video ![Changing_MR_approvals_not_prevented](/uploads/519515ffb5380b0e6ef243da2a0989d1/Changing_MR_approvals_not_prevented.mp4) ### What is the current *bug* behavior? `Prevent editing approval rules in projects and merge requests` does not prevent editing approval rules in projects. ### What is the expected *correct* behavior? `Prevent editing approval rules in projects and merge requests` prevents editing approval rules in projects. ### Output of checks #### Results of GitLab environment info <!-- Input any relevant GitLab environment information if needed. --> <details> <summary>Expand for output related to GitLab environment info</summary> <pre> System information System: Ubuntu 18.04 Proxy: no Current User: git Using RVM: no Ruby Version: 2.7.5p203 Gem Version: 3.1.4 Bundler Version:2.2.33 Rake Version: 13.0.6 Redis Version: 6.2.6 Sidekiq Version:6.4.0 Go Version: unknown GitLab information Version: 14.10.0-ee Revision: ad109bc62af Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 12.7 URL: http://gitlab.here HTTP Clone URL: http://gitlab.here/some-group/some-project.git SSH Clone URL: git@gitlab.here:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: no Using Omniauth: yes Omniauth Providers: gitlab GitLab Shell Version: 13.25.1 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell </pre> </details> #### Results of GitLab application Check <!-- Input any relevant GitLab application check information if needed. --> <details> <summary>Expand for output related to the GitLab application check</summary> <pre> Checking GitLab subtasks ... Checking GitLab Shell ... GitLab Shell: ... GitLab Shell version >= 13.25.1 ? ... OK (13.25.1) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Gitaly ... Gitaly: ... default ... OK Checking Gitaly ... Finished Checking Sidekiq ... Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1 Checking Sidekiq ... Finished Checking Incoming Email ... Incoming Email: ... Reply by email is disabled in config/gitlab.yml Checking Incoming Email ... Finished Checking LDAP ... LDAP: ... LDAP is disabled in config/gitlab.yml Checking LDAP ... Finished Checking GitLab App ... Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units) Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units) Projects have namespace: ... 2/1 ... yes 4/2 ... yes 1/3 ... yes 25/4 ... yes 4/5 ... yes 6/7 ... yes 9/8 ... yes 4/9 ... yes 4/10 ... yes 1/11 ... yes 41/12 ... yes Redis version >= 5.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.5) Git user has default SSH configuration? ... yes Active users: ... 5 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... skipped (elasticsearch is disabled) Checking GitLab App ... Finished Checking GitLab subtasks ... Finished </pre> </details>
issue