Prevent commit authors from self approvaling merge requests
There is an option https://gitlab.com/gitlab-org/gitlab-ee/issues/3349 to prevent (or allow) the merge request author (person who created the merge request) from approving their own changes, but this doesn't block the commit author from approving the changes if they are different.
Further details
A customer requests:
We currently restrict the ability for a MR author to approve their own MR. However, it's possible that the MR could contain commits from may authors. Additionally, consider that someone may come along after the MR has been created and can make a new commit to the branch and then approve their own change, bypassing these 'approval' safeguards.
Approvers feature should look at committers in addition to MR author.
There are some concerns with this - if a MR incorporates a bunch of older changes from another branch then suddenly many people could be excluded from the possible approvers.
The purpose of the logic that prevents the author of the merge request from approving their own changes is to make sure that the people who approve the change are not the people who authored the change. Using the commit author is a more comprehensive way to ensure that the reviewer is not the author of the change.
It should be noted, that the commit author can be overridden so this will not serve as a guarantee. Instead this provides a more comprehensive and expected default behavior when self approval is not allowed.
Proposal
When self approval is disabled also block approval based on commit author of the commits in the merge request
Note: if a merge request includes many older changes, like merging between two long living branches, many people could be excluded from the eligible approvers list. This would be addressed by the proposal https://gitlab.com/gitlab-org/gitlab-ee/issues/460 in a later release
What does success look like, and how can we measure that?
This change is unlikely to change the usage of self approval as disabling self approval will already be enabled for these customers. Instead this feature will improve the experience of customers who desire this behavior. We will not measure this feature.