In GitLab, you cannot block label addition like you can in GitHub, so users can add labels.
When a user adds an approved and/or lgtm label, even if they are not in the approval or lgtm list, keeper still processes and merges the MR because it has the matching label.
With no permissions to add either through chatops commands like /lgtm or /lh-approve, just adding the labels manually still makes the merge status pass and merges the MR.
This also bypasses the "user can not lgtm their own MR" requirement.
GitLab doesn't allow editing label permissions and grants them pretty widely:
Users with a permission level of Reporter or higher are able to create and edit labels.
I am working on a PR to disable self approval (make it configurable basically), which should be out soon. I wonder if it's possible to detect who added the label, and block that in GitLab? So, if the author adds the label, don't merge ...
Currently the label plugin is only checking on /label, but if it listened to all webhooks it would see that a label was added and could check who added it. If it was added by someone who is not the bot user, then it could be removed by the bot.
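
The webhook check suggested in the comment above, as an added example in Go (not Lighthouse's own code). It assumes GitLab's merge request webhook fields `user.username` and `changes.labels.previous`/`current`; the function name, the bot account name `lighthouse-bot` and the sample payload are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of GitLab's merge request webhook payload used by this check.
type label struct{ Title string `json:"title"` }
type mrEvent struct {
	ObjectKind string `json:"object_kind"`
	User       struct{ Username string `json:"username"` } `json:"user"`
	Changes    struct {
		Labels struct {
			Previous []label `json:"previous"`
			Current  []label `json:"current"`
		} `json:"labels"`
	} `json:"changes"`
}

// UnauthorizedLabels lists protected labels this event added when the actor
// is not the bot account; the caller would then remove them from the MR.
func UnauthorizedLabels(payload []byte, botUser string, protected map[string]bool) ([]string, error) {
	var ev mrEvent
	if err := json.Unmarshal(payload, &ev); err != nil {
		return nil, err
	}
	if ev.ObjectKind != "merge_request" || ev.User.Username == botUser {
		return nil, nil
	}
	before := map[string]bool{}
	for _, l := range ev.Changes.Labels.Previous {
		before[l.Title] = true
	}
	var added []string
	for _, l := range ev.Changes.Labels.Current {
		if protected[l.Title] && !before[l.Title] {
			added = append(added, l.Title)
		}
	}
	return added, nil
}

// Constructed sample: user "mr-author" adds "lgtm" by hand.
const samplePayload = `{"object_kind":"merge_request","user":{"username":"mr-author"},"changes":{"labels":{"previous":[{"title":"bug"}],"current":[{"title":"bug"},{"title":"lgtm"}]}}}`

func main() {
	fmt.Println(UnauthorizedLabels([]byte(samplePayload), "lighthouse-bot", map[string]bool{"approved": true, "lgtm": true}))
}
```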