Skip to content

return unauthorized for merge request that requires approval

What does this MR do and why?

This changes the HTTP response code returned for the REST API call PUT /projects/:id/merge_requests/:merge_request_iid/merge when the MR still requires approval.

  • Previously, GitLab would return 405 Method Not Allowed if the MR requires approval
  • After this change, GitLab will return 403 Forbidden if the MR requires approval

My rationale for this change: the 405 Method Not Allowed indicates that the PUT method itself is not allowed for this endpoint:

The HyperText Transfer Protocol (HTTP) 405 Method Not Allowed response status code indicates that the server knows the request method, but the target resource doesn't support this method.

Source

It seems more appropriate to return 403 Forbidden, since the user is not allowed to merge until the required approvals have been granted:

The HTTP 403 Forbidden response status code indicates that the server understands the request but refuses to authorize it.

This status is similar to 401, but for the 403 Forbidden status code, re-authenticating makes no difference. The access is tied to the application logic, such as insufficient rights to a resource.

Source

This addresses #196730

How to set up and validate locally

  1. Create an MR
  2. Add at least one required review from another user or group
  3. Attempt to merge the MR using the REST API by calling PUT /projects/:id/merge_requests/:merge_request_iid/merge

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andrew Minion

Merge request reports

Loading