Merge branch '239349-fix-instance-mr-approval-settings-inheritance' into 'master'

Fix permission to modify project MR rules on compliance-labeled projects See merge request gitlab-org/gitlab!40229

Merge branch '239349-fix-instance-mr-approval-settings-inheritance' into 'master'
Fix permission to modify project MR rules on compliance-labeled projects See merge request gitlab-org/gitlab!40229
2c780291 · Peter Leitzen · b37571ad · 86e04587 · b37571ad · 2c780291
Commit 2c780291 authored Oct 20, 2020 by Peter Leitzen
14 changed files
--- a/doc/user/admin_area/img/mr_approval_settings_compliance_project_v13_1.png
+++ b/doc/user/admin_area/img/mr_approval_settings_compliance_project_v13_1.png
--- a/doc/user/admin_area/img/mr_approval_settings_compliance_project_v13_5.png
+++ b/doc/user/admin_area/img/mr_approval_settings_compliance_project_v13_5.png
--- a/doc/user/admin_area/img/scope_mr_approval_settings_v13_1.png
+++ b/doc/user/admin_area/img/scope_mr_approval_settings_v13_1.png
--- a/doc/user/admin_area/img/scope_mr_approval_settings_v13_5.png
+++ b/doc/user/admin_area/img/scope_mr_approval_settings_v13_5.png
--- a/doc/user/admin_area/merge_requests_approvals.md
+++ b/doc/user/admin_area/merge_requests_approvals.md
@@ -31,9 +31,8 @@ Merge request approval rules that can be set at an instance level are:
 - **Prevent approval of merge requests by merge request committers**. Prevents project
  maintainers from allowing users to approve merge requests if they have submitted
  any commits to the source branch.
- **Prevent users from modifying merge request approvers list**. Prevents project
-  maintainers from allowing users to modify the approvers list in project settings
-  or in individual merge requests.
+- **Can override approvers and approvals required per merge request**. Allows project
+  maintainers to modify the approvers list in individual merge requests.

 ## Scope rules to compliance-labeled projects

@@ -52,4 +51,4 @@ Maintainer role and above can modify these.

 | Instance-level | Project-level |
 | -------------- | ------------- |
-| ![Scope MR approval settings to compliance frameworks](img/scope_mr_approval_settings_v13_1.png) | ![MR approval settings on compliance projects](img/mr_approval_settings_compliance_project_v13_1.png) |
+| ![Scope MR approval settings to compliance frameworks](img/scope_mr_approval_settings_v13_5.png) | ![MR approval settings on compliance projects](img/mr_approval_settings_compliance_project_v13_5.png) |
--- a/ee/app/controllers/ee/projects_controller.rb
+++ b/ee/app/controllers/ee/projects_controller.rb
@@ -120,7 +120,7 @@ module EE
        attrs << :merge_requests_disable_committers_approval
      end

-      if can?(current_user, :modify_approvers_rules, project)
+      if can?(current_user, :modify_overriding_approvers_per_merge_request_setting, project)
        attrs << :disable_overriding_approvers_per_merge_request
      end


--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -227,6 +227,7 @@ module EE
        enable :admin_path_locks
        enable :update_approvers
        enable :modify_approvers_rules
+        enable :modify_overriding_approvers_per_merge_request_setting
        enable :modify_auto_fix_setting
        enable :modify_merge_request_author_setting
        enable :modify_merge_request_committer_setting
@@ -306,7 +307,7 @@ module EE
      end

      rule { regulated_merge_request_approval_settings }.policy do
-        prevent :modify_approvers_rules
+        prevent :modify_overriding_approvers_per_merge_request_setting
        prevent :modify_merge_request_author_setting
        prevent :modify_merge_request_committer_setting
      end

--- a/ee/app/views/admin/push_rules/_merge_request_approvals_fields.html.haml
+++ b/ee/app/views/admin/push_rules/_merge_request_approvals_fields.html.haml
@@ -9,6 +9,6 @@
      = f.label :prevent_merge_requests_committers_approval, class: 'form-check-label' do
        = _('Prevent approval of merge requests by merge request committers')
    .form-check
-      = f.check_box :disable_overriding_approvers_per_merge_request , class: 'form-check-input'
+      = f.check_box :disable_overriding_approvers_per_merge_request , { class: 'form-check-input' }, false, true
      = f.label :disable_overriding_approvers_per_merge_request , class: 'form-check-label' do
-        = _('Prevent users from modifying merge request approvers list')
+        = _('Can override approvers and approvals required per merge request')
--- a/ee/app/views/projects/_merge_request_approvals_settings_form.html.haml
+++ b/ee/app/views/projects/_merge_request_approvals_settings_form.html.haml
- can_override_approvers = project.can_override_approvers?
+- can_modify_overriding_approvers_per_merge_request_settings = can?(current_user, :modify_overriding_approvers_per_merge_request_setting, @project)
 - can_modify_merge_request_author_settings = can?(current_user, :modify_merge_request_author_setting, @project)
 - can_modify_merge_request_committer_settings = can?(current_user, :modify_merge_request_committer_setting, @project)

@@ -22,7 +22,7 @@

 .form-group
  .form-check
-    = form.check_box(:disable_overriding_approvers_per_merge_request, { checked: can_override_approvers, class: 'form-check-input', disabled: !can_modify_approvers }, false, true)
+    = form.check_box :disable_overriding_approvers_per_merge_request, { class: 'form-check-input', disabled: !can_modify_overriding_approvers_per_merge_request_settings }, false, true
    = form.label :disable_overriding_approvers_per_merge_request, class: 'form-check-label' do
      %span= _('Can override approvers and approvals required per merge request')
      = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals', anchor: 'prevent-overriding-default-approvals'), target: '_blank'
@@ -35,7 +35,7 @@

 .form-group.self-approval
  .form-check
-    = form.check_box :merge_requests_author_approval, { class: 'form-check-input', checked: !project.merge_requests_author_approval?, disabled: !can_modify_merge_request_author_settings }, false, true
+    = form.check_box :merge_requests_author_approval, { class: 'form-check-input', disabled: !can_modify_merge_request_author_settings }, false, true
    = form.label :merge_requests_author_approval, class: 'form-check-label' do
      %span= _('Prevent approval of merge requests by merge request author')
      = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/merge_request_approvals',

--- a/ee/changelogs/unreleased/239349-fix-instance-mr-approval-settings-inheritance.yml
+++ b/ee/changelogs/unreleased/239349-fix-instance-mr-approval-settings-inheritance.yml
+---
+title: Fix permission to modify project MR rules on compliance-labeled projects
+merge_request: 40229
+author:
+type: fixed
--- a/ee/lib/api/project_approvals.rb
+++ b/ee/lib/api/project_approvals.rb
@@ -13,7 +13,7 @@ module API
      def filter_params(params)
        params
          .then { |params| filter_forbidden_param(params, :modify_merge_request_committer_setting, :merge_requests_disable_committers_approval) }
-          .then { |params| filter_forbidden_param(params, :modify_approvers_rules, :disable_overriding_approvers_per_merge_request) }
+          .then { |params| filter_forbidden_param(params, :modify_overriding_approvers_per_merge_request_setting, :disable_overriding_approvers_per_merge_request) }
          .then { |params| filter_forbidden_param(params, :modify_merge_request_author_setting, :merge_requests_author_approval) }
      end
    end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1195,7 +1195,7 @@ RSpec.describe ProjectPolicy do
    end
  end

-  shared_examples 'merge request rules' do
+  shared_examples 'regulated merge request approval settings' do
    let(:project) { private_project }

    using RSpec::Parameterized::TableSyntax
@@ -1258,19 +1258,45 @@ RSpec.describe ProjectPolicy do
  end

  describe ':modify_approvers_rules' do
-    it_behaves_like 'merge request rules' do
-      let(:policy) { :modify_approvers_rules }
+    let(:policy) { :modify_approvers_rules }
+
+    using RSpec::Parameterized::TableSyntax
+
+    where(:role, :admin_mode, :allowed) do
+      :guest      | nil    | false
+      :reporter   | nil    | false
+      :developer  | nil    | false
+      :maintainer | nil    | true
+      :owner      | nil    | true
+      :admin      | false  | false
+      :admin      | true   | true
+    end
+
+    with_them do
+      let(:current_user) { public_send(role) }
+
+      before do
+        enable_admin_mode!(current_user) if admin_mode
+      end
+
+      it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+    end
+  end
+
+  describe ':modify_overriding_approvers_per_merge_request_setting' do
+    it_behaves_like 'regulated merge request approval settings' do
+      let(:policy) { :modify_overriding_approvers_per_merge_request_setting }
    end
  end

  describe ':modify_merge_request_author_setting' do
-    it_behaves_like 'merge request rules' do
+    it_behaves_like 'regulated merge request approval settings' do
      let(:policy) { :modify_merge_request_author_setting }
    end
  end

  describe ':modify_merge_request_committer_setting' do
-    it_behaves_like 'merge request rules' do
+    it_behaves_like 'regulated merge request approval settings' do
      let(:policy) { :modify_merge_request_committer_setting }
    end
  end

--- a/ee/spec/requests/api/project_approvals_spec.rb
+++ b/ee/spec/requests/api/project_approvals_spec.rb
@@ -144,7 +144,7 @@ RSpec.describe API::ProjectApprovals do
      context 'updates merge requests settings' do
        it_behaves_like 'updates merge requests settings when possible' do
          let(:current_user) { admin }
-          let(:permission) { :modify_approvers_rules }
+          let(:permission) { :modify_overriding_approvers_per_merge_request_setting }
          let(:setting) { :disable_overriding_approvers_per_merge_request }
        end


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -19843,9 +19843,6 @@ msgstr ""
 msgid "Prevent users from changing their profile name"
 msgstr ""

-msgid "Prevent users from modifying merge request approvers list"
-msgstr ""
-
 msgid "Prevent users from performing write operations on GitLab while performing maintenance."
 msgstr ""