return unauthorized for merge request that requires approval
## What does this MR do and why?

This changes the HTTP response code returned for the REST API call `PUT /projects/:id/merge_requests/:merge_request_iid/merge` when the MR still requires approval.

- Previously, GitLab would return `405 Method Not Allowed` if the MR requires approval
- After this change, GitLab will return `403 Forbidden` if the MR requires approval
My rationale for this change: the `405 Method Not Allowed` indicates that the `PUT` method itself is not allowed for this endpoint:

> The HyperText Transfer Protocol (HTTP) 405 Method Not Allowed response status code indicates that the server knows the request method, but the target resource doesn't support this method.
>
> — Source

It seems more appropriate to return `403 Forbidden`, since the user is not allowed to merge until the required approvals have been granted:

> The HTTP 403 Forbidden response status code indicates that the server understands the request but refuses to authorize it.
>
> This status is similar to `401`, but for the `403 Forbidden` status code, re-authenticating makes no difference. The access is tied to the application logic, such as insufficient rights to a resource.
>
> — Source
This addresses #196730
## How to set up and validate locally

- Create an MR
- Add at least one required review from another user or group
- Attempt to merge the MR using the REST API by calling `PUT /projects/:id/merge_requests/:merge_request_iid/merge`
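An added validation script for the steps above (example code, not part of this MR or of GitLab): it issues the merge call against a local instance and maps the returned status code back to the two behaviours described. The base URL, project id, MR iid and token are assumed placeholders, and the `opener` parameter exists only so the call can be exercised without a live server.

```python
import urllib.error
import urllib.request

# Assumed values for a local GDK instance; replace with your own.
BASE_URL = "http://gdk.test:3000"
PROJECT_ID = 1
MR_IID = 1
TOKEN = "<private-token-placeholder>"

# What each status code means for this endpoint, before and after this MR.
MERGE_STATUS_MEANING = {
    200: "merged",
    401: "unauthorized: token missing or invalid (re-authenticating may help)",
    403: "forbidden: the MR still requires approval (behaviour after this MR)",
    405: "method not allowed: old response when approvals were missing",
}


def attempt_merge(base_url, project_id, mr_iid, token, opener=urllib.request.urlopen):
    """PUT .../merge_requests/:iid/merge and return the HTTP status code.

    4xx responses are returned as a code rather than raised, so the caller
    can compare them against the values this MR changes."""
    url = f"{base_url}/api/v4/projects/{project_id}/merge_requests/{mr_iid}/merge"
    req = urllib.request.Request(url, method="PUT", headers={"PRIVATE-TOKEN": token})
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def explain(status):
    """Human-readable meaning of a status code from the merge call."""
    return MERGE_STATUS_MEANING.get(status, f"unexpected status {status}")


def approvals_block_merge(status):
    """True when the response says required approvals are outstanding,
    accepting both the pre-MR (405) and post-MR (403) codes."""
    return status in (403, 405)


if __name__ == "__main__":
    code = attempt_merge(BASE_URL, PROJECT_ID, MR_IID, TOKEN)
    print(code, explain(code))
    if approvals_block_merge(code) and code != 403:
        print("still seeing the old 405; the change is not applied on this instance")
```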
## MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.