Return forbidden status when MR approval settings are locked

Problems to solve

When users update the MR approval settings that are locked from the higher level (e.g. project settings that are locked by instance setting), the changes are discarded and the API returns 200 HTTP status. This does not give a clear indication to the client.

Proposal

When the MR approval settings are locked, the API should return 403 Forbidden.

If MR approval settings are locked at group or instance-level, updating the project-level should return 403
If MR approval settings are locked at instance-level, updating the group-level should return 403

Edited Jul 20, 2021 by Tan Le