## Problem Statement GitLab currently has a setting "Prevent approvals by users who add commits" that only considers commit **committers** when determining approval restrictions. However, Git commits have two distinct identities: - **Commit Author**: The person who originally wrote the code - **Commit Committer**: The person who last applied the commit (often different after rebases, cherry-picks, etc.) ### Current Issue When a merge request is rebased (especially by a service account), the original commit authors are no longer listed as committers in the latest diff version, allowing them to approve their own code. Organizations seeking stricter approval controls may want the ability to prevent approvals based on commit authorship in addition to the existing committer restrictions. ## Proposed Solutions ### Option 1: New Setting - "Prevent approvals by commit authors" (Recommended) Add a new setting: **"Prevent approvals by commit authors"** **Benefits:** - Provides granular control for different workflows - No breaking changes to existing behavior - Clear separation of concerns between authors and committers **Considerations:** - Adds another configuration option to the UI - Requires distinction education for users **Note:** Consider that preventing approvals by authors only makes logical sense when also preventing approvals by committers, since committers are typically a subset of people who have touched the code. This setting should only be enabled when "Prevent approvals by users who add commits" is also enabled. ### Option 2: Expand Existing Setting Scope Modify "Prevent approvals by users who add commits" to include both committers AND authors **Benefits:** - Simpler UI with fewer settings - More comprehensive protection by default - No additional configuration complexity **Considerations:** - Breaking change for existing users - May be too restrictive for some workflows - Less granular control ## Technical Implementation Requirements - Track commit authors in the latest merge request diff version - Add new approval rule parameters to APIs - Support group-level cascading and instance-level administration - Include audit event logging for new approval restrictions