Commit 2c780291 authored by Peter Leitzen's avatar Peter Leitzen

Merge branch '239349-fix-instance-mr-approval-settings-inheritance' into 'master'

Fix permission to modify project MR rules on compliance-labeled projects

See merge request gitlab-org/gitlab!40229
parents b37571ad 86e04587
......@@ -31,9 +31,8 @@ Merge request approval rules that can be set at an instance level are:
- **Prevent approval of merge requests by merge request committers**. Prevents project
maintainers from allowing users to approve merge requests if they have submitted
any commits to the source branch.
- **Prevent users from modifying merge request approvers list**. Prevents project
maintainers from allowing users to modify the approvers list in project settings
or in individual merge requests.
- **Can override approvers and approvals required per merge request**. Allows project
maintainers to modify the approvers list in individual merge requests.
## Scope rules to compliance-labeled projects
......@@ -52,4 +51,4 @@ Maintainer role and above can modify these.
| Instance-level | Project-level |
| -------------- | ------------- |
| ![Scope MR approval settings to compliance frameworks](img/scope_mr_approval_settings_v13_1.png) | ![MR approval settings on compliance projects](img/mr_approval_settings_compliance_project_v13_1.png) |
| ![Scope MR approval settings to compliance frameworks](img/scope_mr_approval_settings_v13_5.png) | ![MR approval settings on compliance projects](img/mr_approval_settings_compliance_project_v13_5.png) |
......@@ -120,7 +120,7 @@ module EE
attrs << :merge_requests_disable_committers_approval
end
if can?(current_user, :modify_approvers_rules, project)
if can?(current_user, :modify_overriding_approvers_per_merge_request_setting, project)
attrs << :disable_overriding_approvers_per_merge_request
end
......
......@@ -227,6 +227,7 @@ module EE
enable :admin_path_locks
enable :update_approvers
enable :modify_approvers_rules
enable :modify_overriding_approvers_per_merge_request_setting
enable :modify_auto_fix_setting
enable :modify_merge_request_author_setting
enable :modify_merge_request_committer_setting
......@@ -306,7 +307,7 @@ module EE
end
rule { regulated_merge_request_approval_settings }.policy do
prevent :modify_approvers_rules
prevent :modify_overriding_approvers_per_merge_request_setting
prevent :modify_merge_request_author_setting
prevent :modify_merge_request_committer_setting
end
......
......@@ -9,6 +9,6 @@
= f.label :prevent_merge_requests_committers_approval, class: 'form-check-label' do
= _('Prevent approval of merge requests by merge request committers')
.form-check
= f.check_box :disable_overriding_approvers_per_merge_request , class: 'form-check-input'
= f.check_box :disable_overriding_approvers_per_merge_request , { class: 'form-check-input' }, false, true
= f.label :disable_overriding_approvers_per_merge_request , class: 'form-check-label' do
= _('Prevent users from modifying merge request approvers list')
= _('Can override approvers and approvals required per merge request')
- can_override_approvers = project.can_override_approvers?
- can_modify_overriding_approvers_per_merge_request_settings = can?(current_user, :modify_overriding_approvers_per_merge_request_setting, @project)
- can_modify_merge_request_author_settings = can?(current_user, :modify_merge_request_author_setting, @project)
- can_modify_merge_request_committer_settings = can?(current_user, :modify_merge_request_committer_setting, @project)
......@@ -22,7 +22,7 @@
.form-group
.form-check
= form.check_box(:disable_overriding_approvers_per_merge_request, { checked: can_override_approvers, class: 'form-check-input', disabled: !can_modify_approvers }, false, true)
= form.check_box :disable_overriding_approvers_per_merge_request, { class: 'form-check-input', disabled: !can_modify_overriding_approvers_per_merge_request_settings }, false, true
= form.label :disable_overriding_approvers_per_merge_request, class: 'form-check-label' do
%span= _('Can override approvers and approvals required per merge request')
= link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals', anchor: 'prevent-overriding-default-approvals'), target: '_blank'
......@@ -35,7 +35,7 @@
.form-group.self-approval
.form-check
= form.check_box :merge_requests_author_approval, { class: 'form-check-input', checked: !project.merge_requests_author_approval?, disabled: !can_modify_merge_request_author_settings }, false, true
= form.check_box :merge_requests_author_approval, { class: 'form-check-input', disabled: !can_modify_merge_request_author_settings }, false, true
= form.label :merge_requests_author_approval, class: 'form-check-label' do
%span= _('Prevent approval of merge requests by merge request author')
= link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals',
......
---
title: Fix permission to modify project MR rules on compliance-labeled projects
merge_request: 40229
author:
type: fixed
......@@ -13,7 +13,7 @@ module API
def filter_params(params)
params
.then { |params| filter_forbidden_param(params, :modify_merge_request_committer_setting, :merge_requests_disable_committers_approval) }
.then { |params| filter_forbidden_param(params, :modify_approvers_rules, :disable_overriding_approvers_per_merge_request) }
.then { |params| filter_forbidden_param(params, :modify_overriding_approvers_per_merge_request_setting, :disable_overriding_approvers_per_merge_request) }
.then { |params| filter_forbidden_param(params, :modify_merge_request_author_setting, :merge_requests_author_approval) }
end
end
......
......@@ -1195,7 +1195,7 @@ RSpec.describe ProjectPolicy do
end
end
shared_examples 'merge request rules' do
shared_examples 'regulated merge request approval settings' do
let(:project) { private_project }
using RSpec::Parameterized::TableSyntax
......@@ -1258,19 +1258,45 @@ RSpec.describe ProjectPolicy do
end
describe ':modify_approvers_rules' do
it_behaves_like 'merge request rules' do
let(:policy) { :modify_approvers_rules }
let(:policy) { :modify_approvers_rules }
using RSpec::Parameterized::TableSyntax
where(:role, :admin_mode, :allowed) do
:guest | nil | false
:reporter | nil | false
:developer | nil | false
:maintainer | nil | true
:owner | nil | true
:admin | false | false
:admin | true | true
end
with_them do
let(:current_user) { public_send(role) }
before do
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end
end
describe ':modify_overriding_approvers_per_merge_request_setting' do
it_behaves_like 'regulated merge request approval settings' do
let(:policy) { :modify_overriding_approvers_per_merge_request_setting }
end
end
describe ':modify_merge_request_author_setting' do
it_behaves_like 'merge request rules' do
it_behaves_like 'regulated merge request approval settings' do
let(:policy) { :modify_merge_request_author_setting }
end
end
describe ':modify_merge_request_committer_setting' do
it_behaves_like 'merge request rules' do
it_behaves_like 'regulated merge request approval settings' do
let(:policy) { :modify_merge_request_committer_setting }
end
end
......
......@@ -144,7 +144,7 @@ RSpec.describe API::ProjectApprovals do
context 'updates merge requests settings' do
it_behaves_like 'updates merge requests settings when possible' do
let(:current_user) { admin }
let(:permission) { :modify_approvers_rules }
let(:permission) { :modify_overriding_approvers_per_merge_request_setting }
let(:setting) { :disable_overriding_approvers_per_merge_request }
end
......
......@@ -19843,9 +19843,6 @@ msgstr ""
msgid "Prevent users from changing their profile name"
msgstr ""
msgid "Prevent users from modifying merge request approvers list"
msgstr ""
msgid "Prevent users from performing write operations on GitLab while performing maintenance."
msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment