Approval policy configured with custom role populates users as approvers when their role in the project differs
Summary
Approval policy configured with custom role populates users as approvers when their role in the project differs. They are assigned the custom role elsewhere, but not in the project.
Related:
Steps to reproduce
- Create a custom role in either the instance or a top-level group
  - Base: Guest
  - Permission: Approve merge request
- In a top-level group, create an MR approval policy
  - Require approval from the custom role
- Create a subgroup and invite a user with the custom role
- Create a project in the top-level group and invite the same user with the Reporter role
- Create an MR
Example Project
https://gitlab.com/jcastillo_ultimate_group/test-project/-/merge_requests/2
What is the current bug behavior?
The existence of a membership with the custom role somewhere allows it to populate the user as an approver even when their role in the project differs.
What is the expected correct behavior?
User is populated as an approver only if they are assigned the custom role in the project.
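A small constructed model of the two behaviours described above (added here as an illustration; this is not GitLab's own code). It assumes that a membership applies to a project only when it is a direct project membership or is inherited from an ancestor group, so a custom role granted in a sibling subgroup does not carry over:

```python
# Constructed model of the reported bug, not GitLab's own implementation.
from dataclasses import dataclass
from typing import Optional, Sequence

CUSTOM_ROLE_ID = 2004895  # the role_approvers entry from the example policy


@dataclass(frozen=True)
class Membership:
    user: str
    source: str                 # "group:<path>" or "project:<path>"
    base_role: str
    custom_role_id: Optional[int] = None


@dataclass(frozen=True)
class Project:
    path: str
    ancestors: tuple            # group paths from the top-level group down to the parent


def buggy_role_approvers(memberships: Sequence[Membership], project: Project, role_id: int):
    """Current behaviour: any membership anywhere carrying the custom role qualifies,
    regardless of what the user's role is in the project itself."""
    return sorted({m.user for m in memberships if m.custom_role_id == role_id})


def expected_role_approvers(memberships: Sequence[Membership], project: Project, role_id: int):
    """Expected behaviour: only memberships that actually apply to this project count,
    i.e. a direct project membership or one inherited from an ancestor group (assumption)."""
    scopes = {f"project:{project.path}"} | {f"group:{g}" for g in project.ancestors}
    return sorted({m.user for m in memberships
                   if m.custom_role_id == role_id and m.source in scopes})


# Constructed sample mirroring the reproduction steps (names and paths are made up).
PROJECT = Project(path="top/test-project", ancestors=("top",))
MEMBERSHIPS = [
    Membership("alice", "group:top/subgroup", "Guest", CUSTOM_ROLE_ID),  # custom role in a sibling subgroup
    Membership("alice", "project:top/test-project", "Reporter"),        # plain Reporter in the project
    Membership("bob", "group:top", "Guest", CUSTOM_ROLE_ID),             # custom role on an ancestor group
]

if __name__ == "__main__":
    print("buggy:   ", buggy_role_approvers(MEMBERSHIPS, PROJECT, CUSTOM_ROLE_ID))
    print("expected:", expected_role_approvers(MEMBERSHIPS, PROJECT, CUSTOM_ROLE_ID))
```

With this sample, the current behaviour lists alice as an approver although she is only a Reporter in the project, while the expected behaviour lists only bob, whose custom role is inherited from the ancestor group.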
Relevant logs and/or screenshots
Example policy:
```yaml
approval_policy:
- name: MR-Approval-Policy
  description: ''
  enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 2021583
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - 2004895
  - type: send_bot_message
    enabled: true
  rules:
  - type: any_merge_request
    branch_type: protected
    commits: any
  approval_settings:
    block_branch_modification: true
    block_group_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: closed
```
Possible fixes