Skip to content

Add a "Force authentication for approval" option for merge request approvals.

Paul Knopf requested to merge pauldotknopf/gitlab-ee:master into master

What does this MR do?

This MR adds support for forcing users to explicitly authenticate theirselves for each MR approval.

See CFR Part 11 compliance for digitally signed change requests. Specifically, this.

This is a requirement to use GitLab for documentation control in FDA regulated fields (medical, etc).

  1. Add "Force authentication for approvals" to "Settings > General > Merge request approvals".
  2. When a user clicks "Approve" on a merge request, they will be prompted with a password field.
  3. Update the POST {group}/{project}/merge_requests/{merge_request_id}/approvals API endpoint.
    • Add password field.
    • If "Force authentication for approvals", validate the supplied password against the currently logged in user.
    • If "Force authentication for approvals" and the supplied password isn't valid for the logged in user, return 401 Unauthorized.

I propose to leave the actually API endpoint, as is. See this comment for the justification.

UX

Project settings Merge request approval confirmation
image image

20190503_require_password_approvals

What are the relevant issue numbers?

See #5981 (closed)

Does this MR meet the acceptance criteria?

Edited by Joe Randazzo

Merge request reports

Loading