Add a "Force authentication for approval" option for merge request approvals.
What does this MR do?
This MR adds support for forcing users to explicitly authenticate themselves for each MR approval.
See CFR Part 11 compliance for digitally signed change requests. Specifically, this.
This is a requirement to use GitLab for documentation control in FDA regulated fields (medical, etc).
- Add "Force authentication for approvals" to "Settings > General > Merge request approvals".
- When a user clicks "Approve" on a merge request, they will be prompted with a password field.
- Update the `POST {group}/{project}/merge_requests/{merge_request_id}/approvals` API endpoint.
  - Add `password` field.
  - If "Force authentication for approvals", validate the supplied `password` against the currently logged in user.
  - If "Force authentication for approvals" and the supplied password isn't valid for the logged in user, return `401 Unauthorized`.
- Add
I propose to leave the actual API endpoint as is. See this comment for the justification.
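The endpoint behaviour listed above, as an added illustration that is not code from this MR or from GitLab: the password is only checked when the project setting is on, a missing or wrong password yields `401 Unauthorized`, and the stored credential is verified with stdlib PBKDF2 and a constant-time compare (GitLab's real user model, success status code and `User`/`approve_merge_request` names here are assumptions).

```ruby
require 'openssl'
require 'securerandom'

# Stand-in user record (assumption: GitLab's own model is not used here).
# Password is stored as a salted PBKDF2-HMAC-SHA256 digest, never in clear.
class User
  attr_reader :username
  ITERATIONS = 100_000

  def initialize(username, password)
    @username = username
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password)
  end

  # Compare the candidate's digest against the stored one in constant time,
  # so a wrong password does not leak how many leading bytes matched.
  def valid_password?(candidate)
    other = derive(candidate.to_s)
    return false unless other.bytesize == @digest.bytesize
    @digest.bytes.zip(other.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  private

  def derive(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
  end
end

# Approval handler mirroring the MR description: re-authentication is
# enforced only when "Force authentication for approvals" is enabled.
# project is a Hash standing in for project settings (assumption).
def approve_merge_request(project:, current_user:, params:)
  if project[:force_auth_for_approvals]
    password = params[:password]
    # Absent password and wrong password are treated identically: 401.
    unless password && current_user.valid_password?(password)
      return { status: 401, body: { message: '401 Unauthorized' } }
    end
  end
  # Success status 201 is an assumption for this example, not GitLab's documented value.
  { status: 201, body: { approved_by: current_user.username } }
end
```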
UX
Screenshots (images not included in this extract): Project settings; Merge request approval confirmation.
What are the relevant issue numbers?
See #5981 (closed)
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the database guides
- Link to e2e tests MR added if this MR has Requires e2e tests label. See the Test Planning Process.
- EE specific content should be in the top level `/ee` folder
- For a paid feature, have we considered GitLab.com plans, how it works for groups, and is there a design for promoting it to users who aren't on the correct plan?
- Security reports checked/validated by reviewer
Edited by Joe Randazzo