Commit 86e04587 authored by Tan Le's avatar Tan Le

Fix permission to modify project-level MR rules

This change fixes issue where modification of project-level MR rules is
locked due to the instance-level settings. The permission to edit
project-level MR rules will no longer be controlled by instance-level
setting until MR rules are introduced at instance-level in upcoming
release.

The label of the instance-level setting is also updated to be on-par
with the one of project-level.
parent 7e2ff88b
...@@ -31,9 +31,8 @@ Merge request approval rules that can be set at an instance level are: ...@@ -31,9 +31,8 @@ Merge request approval rules that can be set at an instance level are:
- **Prevent approval of merge requests by merge request committers**. Prevents project - **Prevent approval of merge requests by merge request committers**. Prevents project
maintainers from allowing users to approve merge requests if they have submitted maintainers from allowing users to approve merge requests if they have submitted
any commits to the source branch. any commits to the source branch.
- **Prevent users from modifying merge request approvers list**. Prevents project - **Can override approvers and approvals required per merge request**. Allows project
maintainers from allowing users to modify the approvers list in project settings maintainers to modify the approvers list in individual merge requests.
or in individual merge requests.
## Scope rules to compliance-labeled projects ## Scope rules to compliance-labeled projects
...@@ -52,4 +51,4 @@ Maintainer role and above can modify these. ...@@ -52,4 +51,4 @@ Maintainer role and above can modify these.
| Instance-level | Project-level | | Instance-level | Project-level |
| -------------- | ------------- | | -------------- | ------------- |
| ![Scope MR approval settings to compliance frameworks](img/scope_mr_approval_settings_v13_1.png) | ![MR approval settings on compliance projects](img/mr_approval_settings_compliance_project_v13_1.png) | | ![Scope MR approval settings to compliance frameworks](img/scope_mr_approval_settings_v13_5.png) | ![MR approval settings on compliance projects](img/mr_approval_settings_compliance_project_v13_5.png) |
...@@ -120,7 +120,7 @@ module EE ...@@ -120,7 +120,7 @@ module EE
attrs << :merge_requests_disable_committers_approval attrs << :merge_requests_disable_committers_approval
end end
if can?(current_user, :modify_approvers_rules, project) if can?(current_user, :modify_overriding_approvers_per_merge_request_setting, project)
attrs << :disable_overriding_approvers_per_merge_request attrs << :disable_overriding_approvers_per_merge_request
end end
......
...@@ -227,6 +227,7 @@ module EE ...@@ -227,6 +227,7 @@ module EE
enable :admin_path_locks enable :admin_path_locks
enable :update_approvers enable :update_approvers
enable :modify_approvers_rules enable :modify_approvers_rules
enable :modify_overriding_approvers_per_merge_request_setting
enable :modify_auto_fix_setting enable :modify_auto_fix_setting
enable :modify_merge_request_author_setting enable :modify_merge_request_author_setting
enable :modify_merge_request_committer_setting enable :modify_merge_request_committer_setting
...@@ -306,7 +307,7 @@ module EE ...@@ -306,7 +307,7 @@ module EE
end end
rule { regulated_merge_request_approval_settings }.policy do rule { regulated_merge_request_approval_settings }.policy do
prevent :modify_approvers_rules prevent :modify_overriding_approvers_per_merge_request_setting
prevent :modify_merge_request_author_setting prevent :modify_merge_request_author_setting
prevent :modify_merge_request_committer_setting prevent :modify_merge_request_committer_setting
end end
......
...@@ -9,6 +9,6 @@ ...@@ -9,6 +9,6 @@
= f.label :prevent_merge_requests_committers_approval, class: 'form-check-label' do = f.label :prevent_merge_requests_committers_approval, class: 'form-check-label' do
= _('Prevent approval of merge requests by merge request committers') = _('Prevent approval of merge requests by merge request committers')
.form-check .form-check
= f.check_box :disable_overriding_approvers_per_merge_request , class: 'form-check-input' = f.check_box :disable_overriding_approvers_per_merge_request , { class: 'form-check-input' }, false, true
= f.label :disable_overriding_approvers_per_merge_request , class: 'form-check-label' do = f.label :disable_overriding_approvers_per_merge_request , class: 'form-check-label' do
= _('Prevent users from modifying merge request approvers list') = _('Can override approvers and approvals required per merge request')
- can_override_approvers = project.can_override_approvers? - can_modify_overriding_approvers_per_merge_request_settings = can?(current_user, :modify_overriding_approvers_per_merge_request_setting, @project)
- can_modify_merge_request_author_settings = can?(current_user, :modify_merge_request_author_setting, @project) - can_modify_merge_request_author_settings = can?(current_user, :modify_merge_request_author_setting, @project)
- can_modify_merge_request_committer_settings = can?(current_user, :modify_merge_request_committer_setting, @project) - can_modify_merge_request_committer_settings = can?(current_user, :modify_merge_request_committer_setting, @project)
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
.form-group .form-group
.form-check .form-check
= form.check_box(:disable_overriding_approvers_per_merge_request, { checked: can_override_approvers, class: 'form-check-input', disabled: !can_modify_approvers }, false, true) = form.check_box :disable_overriding_approvers_per_merge_request, { class: 'form-check-input', disabled: !can_modify_overriding_approvers_per_merge_request_settings }, false, true
= form.label :disable_overriding_approvers_per_merge_request, class: 'form-check-label' do = form.label :disable_overriding_approvers_per_merge_request, class: 'form-check-label' do
%span= _('Can override approvers and approvals required per merge request') %span= _('Can override approvers and approvals required per merge request')
= link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals', anchor: 'prevent-overriding-default-approvals'), target: '_blank' = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals', anchor: 'prevent-overriding-default-approvals'), target: '_blank'
...@@ -35,7 +35,7 @@ ...@@ -35,7 +35,7 @@
.form-group.self-approval .form-group.self-approval
.form-check .form-check
= form.check_box :merge_requests_author_approval, { class: 'form-check-input', checked: !project.merge_requests_author_approval?, disabled: !can_modify_merge_request_author_settings }, false, true = form.check_box :merge_requests_author_approval, { class: 'form-check-input', disabled: !can_modify_merge_request_author_settings }, false, true
= form.label :merge_requests_author_approval, class: 'form-check-label' do = form.label :merge_requests_author_approval, class: 'form-check-label' do
%span= _('Prevent approval of merge requests by merge request author') %span= _('Prevent approval of merge requests by merge request author')
= link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals', = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals',
......
---
title: Fix permission to modify project MR rules on compliance-labeled projects
merge_request: 40229
author:
type: fixed
...@@ -13,7 +13,7 @@ module API ...@@ -13,7 +13,7 @@ module API
def filter_params(params) def filter_params(params)
params params
.then { |params| filter_forbidden_param(params, :modify_merge_request_committer_setting, :merge_requests_disable_committers_approval) } .then { |params| filter_forbidden_param(params, :modify_merge_request_committer_setting, :merge_requests_disable_committers_approval) }
.then { |params| filter_forbidden_param(params, :modify_approvers_rules, :disable_overriding_approvers_per_merge_request) } .then { |params| filter_forbidden_param(params, :modify_overriding_approvers_per_merge_request_setting, :disable_overriding_approvers_per_merge_request) }
.then { |params| filter_forbidden_param(params, :modify_merge_request_author_setting, :merge_requests_author_approval) } .then { |params| filter_forbidden_param(params, :modify_merge_request_author_setting, :merge_requests_author_approval) }
end end
end end
......
...@@ -1195,7 +1195,7 @@ RSpec.describe ProjectPolicy do ...@@ -1195,7 +1195,7 @@ RSpec.describe ProjectPolicy do
end end
end end
shared_examples 'merge request rules' do shared_examples 'regulated merge request approval settings' do
let(:project) { private_project } let(:project) { private_project }
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
...@@ -1258,19 +1258,45 @@ RSpec.describe ProjectPolicy do ...@@ -1258,19 +1258,45 @@ RSpec.describe ProjectPolicy do
end end
describe ':modify_approvers_rules' do describe ':modify_approvers_rules' do
it_behaves_like 'merge request rules' do let(:policy) { :modify_approvers_rules }
let(:policy) { :modify_approvers_rules }
using RSpec::Parameterized::TableSyntax
where(:role, :admin_mode, :allowed) do
:guest | nil | false
:reporter | nil | false
:developer | nil | false
:maintainer | nil | true
:owner | nil | true
:admin | false | false
:admin | true | true
end
with_them do
let(:current_user) { public_send(role) }
before do
enable_admin_mode!(current_user) if admin_mode
end
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end
end
describe ':modify_overriding_approvers_per_merge_request_setting' do
it_behaves_like 'regulated merge request approval settings' do
let(:policy) { :modify_overriding_approvers_per_merge_request_setting }
end end
end end
describe ':modify_merge_request_author_setting' do describe ':modify_merge_request_author_setting' do
it_behaves_like 'merge request rules' do it_behaves_like 'regulated merge request approval settings' do
let(:policy) { :modify_merge_request_author_setting } let(:policy) { :modify_merge_request_author_setting }
end end
end end
describe ':modify_merge_request_committer_setting' do describe ':modify_merge_request_committer_setting' do
it_behaves_like 'merge request rules' do it_behaves_like 'regulated merge request approval settings' do
let(:policy) { :modify_merge_request_committer_setting } let(:policy) { :modify_merge_request_committer_setting }
end end
end end
......
...@@ -144,7 +144,7 @@ RSpec.describe API::ProjectApprovals do ...@@ -144,7 +144,7 @@ RSpec.describe API::ProjectApprovals do
context 'updates merge requests settings' do context 'updates merge requests settings' do
it_behaves_like 'updates merge requests settings when possible' do it_behaves_like 'updates merge requests settings when possible' do
let(:current_user) { admin } let(:current_user) { admin }
let(:permission) { :modify_approvers_rules } let(:permission) { :modify_overriding_approvers_per_merge_request_setting }
let(:setting) { :disable_overriding_approvers_per_merge_request } let(:setting) { :disable_overriding_approvers_per_merge_request }
end end
......
...@@ -19825,9 +19825,6 @@ msgstr "" ...@@ -19825,9 +19825,6 @@ msgstr ""
msgid "Prevent users from changing their profile name" msgid "Prevent users from changing their profile name"
msgstr "" msgstr ""
msgid "Prevent users from modifying merge request approvers list"
msgstr ""
msgid "Prevent users from performing write operations on GitLab while performing maintenance." msgid "Prevent users from performing write operations on GitLab while performing maintenance."
msgstr "" msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment