
Prevent creation of audit events for invalid approval rules

What does this MR do and why?

This MR addresses the issue described in #409469 (closed), where audit events were created even when the corresponding approval rule failed validation and was never persisted.

The problem is mitigated by Add schema validation for approvals_required (!124766 - merged), which prevents a policy with an invalid number of required approvals from being created in the first place. The same failure can still occur, however, whenever any existing validation on the approval rule fails. We don't have such invalid policies on GitLab.com, but we can't know about self-managed instances.

If such an invalid policy exists, it results in audit events stating "Added User X to approval group on Y rule", even though no approval rule is created.

How to set up and validate locally

Example below:

  1. Create a project and invite another user to it.
  2. Create a scan result policy under Secure -> Policies, requiring approval from the invited user.
  3. Choose "Configure with a merge request" and merge the resulting merge request.
  4. Go to the security policy project repository that was created and overwrite approvals_required with a value greater than 100, so the policy fails validation:
     actions:
     - type: require_approval
       approvals_required: 101
  5. Go back to the original project and create a merge request that would require approvals from the policy.
  6. There should be no approval rules in the MR, and "Approval is optional" should be visible.
  7. There should be no audit events created under -/audit_events.
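The following is an added example, not code from this MR or from GitLab: a minimal Ruby model of the failure mode the steps above reproduce. The `ApprovalRule`, `AuditLog`, the `0..100` bound on `approvals_required`, and the two `create_rule_*` flows are all assumptions made for illustration. It contrasts a flow that records "Added user ... to approval group" audit events regardless of whether the rule saved (the bug) with one that records them only after the rule is persisted (the intended behaviour).

```ruby
# Added example, not GitLab's code. Hypothetical in-memory approval rule whose
# validation mirrors the page's scenario: approvals_required must be an integer
# in 0..100 (the cap of 100 is an assumption based on "greater than 100" above).
class ApprovalRule
  MAX_APPROVALS = 100

  attr_reader :name, :approvals_required, :users, :errors

  def initialize(name:, approvals_required:, users:)
    @name = name
    @approvals_required = approvals_required
    @users = users
    @errors = []
    @persisted = false
  end

  # Collect validation errors; an empty list means the rule is valid.
  def valid?
    @errors = []
    unless @approvals_required.is_a?(Integer) && (0..MAX_APPROVALS).cover?(@approvals_required)
      @errors << "approvals_required must be between 0 and #{MAX_APPROVALS}"
    end
    @errors << "users must not be empty" if @users.empty?
    @errors.empty?
  end

  # Stand-in for ActiveRecord#save: persists only when validation passes.
  def save
    @persisted = valid?
  end

  def persisted?
    @persisted
  end
end

# In-memory stand-in for the audit event store.
class AuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def record(message)
    @events << message
  end
end

# Buggy flow: audit events are emitted for every user whether or not the rule saved.
def create_rule_buggy(log, attrs)
  rule = ApprovalRule.new(**attrs)
  rule.save
  rule.users.each { |u| log.record("Added user #{u} to approval group on #{rule.name} rule") }
  rule
end

# Fixed flow: emit audit events only once the rule has actually been persisted.
def create_rule_fixed(log, attrs)
  rule = ApprovalRule.new(**attrs)
  return rule unless rule.save
  rule.users.each { |u| log.record("Added user #{u} to approval group on #{rule.name} rule") }
  rule
end

# Constructed inputs: the invalid policy from the validation steps (approvals_required: 101)
# and a valid counterpart.
INVALID_ATTRS = { name: "scan-result-policy", approvals_required: 101, users: %w[alice] }.freeze
VALID_ATTRS   = { name: "scan-result-policy", approvals_required: 1,   users: %w[alice] }.freeze

# Run one of the flows against a fresh log and return how many audit events it produced.
def audit_event_count(creator, attrs)
  log = AuditLog.new
  send(creator, log, attrs)
  log.events.size
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy flow, invalid policy: #{audit_event_count(:create_rule_buggy, INVALID_ATTRS)} audit event(s)"
  puts "fixed flow, invalid policy: #{audit_event_count(:create_rule_fixed, INVALID_ATTRS)} audit event(s)"
  puts "fixed flow, valid policy:   #{audit_event_count(:create_rule_fixed, VALID_ATTRS)} audit event(s)"
end
```

The check that matters is the early return on a failed `save`: the audit trail must describe state that exists, so emission has to be gated on `persisted?` rather than on the attempt to create the rule.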

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #409469 (closed)
