Review API authorization for project_approval_rule
File: ee/lib/api/project_approval_rules.rb
Authorization: authorize_create_merge_request_in_project
The following discussion from !47823 (merged) should be addressed:
- @reprazent started a discussion: This authorization is a bit weird, here we're checking if the user is allowed to create merge requests in order to decide if they can see an approval rule for a specific project.
Further down the line, for creating or updating approval rules.
I think this is somewhat confusing since we have policies for the different kinds of approval rules (ApprovalProjectRulePolicy and ApprovalMergeRequestRulePolicy). I understand this is not part of this MR, but would you mind creating an issue so we can discuss this with group::source code?
If a change is made, it would need to be updated on both the index endpoint and show endpoint.
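
One way to check the concern raised above, as an added example that is not GitLab's code: a small permission matrix that compares the ability each read endpoint actually gates on with the ability a rule-specific policy would check, and reports every user for whom the two disagree. The ability symbols, the sample users and the three gate maps are assumptions made for illustration.

```ruby
# Added illustration, not GitLab code. All names below are hypothetical.
User = Struct.new(:name, :abilities)

# Ability a rule-specific policy would check for reads (assumed name).
EXPECTED_ABILITY = :read_approval_rule

def allowed?(user, ability)
  user.abilities.include?(ability)
end

# gates maps endpoint => ability the endpoint checks before answering.
# Returns one entry per user/endpoint pair where the gate and the
# rule-specific policy give different answers.
def divergences(users, gates)
  gates.flat_map do |endpoint, gate_ability|
    users.filter_map do |user|
      actual = allowed?(user, gate_ability)
      expected = allowed?(user, EXPECTED_ABILITY)
      next if actual == expected

      { endpoint: endpoint, user: user.name,
        kind: actual ? :over_permissive : :over_restrictive }
    end
  end
end

# Constructed sample users covering all four ability combinations.
SAMPLE_USERS = [
  User.new('contributor', %i[create_merge_request_in]),
  User.new('auditor', %i[read_approval_rule]),
  User.new('maintainer', %i[create_merge_request_in read_approval_rule]),
  User.new('guest', [])
].freeze

# Gate as described in the discussion: both read endpoints use the MR check.
CURRENT_GATES = { index: :create_merge_request_in,
                  show: :create_merge_request_in }.freeze
# Only one endpoint changed: the case the issue's last sentence warns about.
PARTIAL_FIX = { index: :read_approval_rule,
                show: :create_merge_request_in }.freeze
FULL_FIX = { index: :read_approval_rule, show: :read_approval_rule }.freeze

if __FILE__ == $PROGRAM_NAME
  { current: CURRENT_GATES, partial: PARTIAL_FIX, full: FULL_FIX }.each do |label, gates|
    puts "#{label}: #{divergences(SAMPLE_USERS, gates).inspect}"
  end
end
```

A matrix like this belongs in the request specs for both endpoints, so a change applied to only one of them fails the suite.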