Ability to merge the MR even if we have approval rules

Summary

Seems like a security issue. Fast enough users are able to merge the MR when it's not fully loaded, even if the repository has approval rules, but this option is not available after a short time, for example if you refresh the page or once the commit changes are loaded. It happens from time to time.

Steps to reproduce

Open an MR in a repository with approval rules and check if you have a button to merge.

What is the current bug behavior?

Fast enough users are able to merge the MR even if the repository has approval rules, but this option is not available after a short time. It happens from time to time.

What is the expected correct behavior?

Users shouldn't see the merge button after creating the MR while you have approval rules in place.

Relevant logs and/or screenshots


Output of checks

This bug happens on GitLab.com

Solution

The proposed solution is to introduce a 'checking' state to the mergeability framework. This allows us to show the user when checks are still evaluating.

This will require frontend and backend changes.

  • Introduce a new 'checking' return value for the mergeability framework
  • Handle this new 'checking' value in the frontend
  • Introduce a new mergeability class for managing when checks are checking. I think we should use Redis rather than the database here. For example, when the merge request is created/pushed to, it calls this service to say this MR is checking approvals. Once the approvals are created, we update it to be checked or removed from the checking list.
  • Use the checking service for the approvals
Edited by Marc Shaw
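
A sketch of the proposed 'checking' state, added here as an illustration and not taken from the GitLab code base: a two-state approval check is compared with a three-state one that fails closed while approvals are still being set up. `CheckingStore` (an in-memory stand-in for the Redis list), `MergeRequest` and the check functions are hypothetical names, and the model assumes the window exists because approval requirements are attached shortly after the merge request is created or pushed to.

```ruby
require 'set'

# Hypothetical stand-in for the Redis-backed checking list; a Set keeps it offline.
class CheckingStore
  def initialize
    @pending = Set.new
  end
  def mark_checking(mr_id)
    @pending.add(mr_id)
  end
  def mark_checked(mr_id)
    @pending.delete(mr_id)
  end
  def checking?(mr_id)
    @pending.include?(mr_id)
  end
end

# Hypothetical MR model: `required` stays 0 until the approval rules are attached.
MergeRequest = Struct.new(:id, :required, :approvals)

# Two-state check: before the rules arrive nothing is required, so it passes.
def approval_check_two_state(mr)
  mr.approvals >= mr.required ? :success : :failed
end

# Three-state check: an MR still on the checking list is never reported as passing.
def approval_check_three_state(mr, store)
  return :checking if store.checking?(mr.id)
  mr.approvals >= mr.required ? :success : :failed
end

# Only :success enables the merge button; :checking is handled like :failed.
def mergeable?(status)
  status == :success
end

# Constructed scenario: MR created, a rule needing 2 approvals is attached later.
def demo
  store = CheckingStore.new
  mr = MergeRequest.new(1, 0, 0)
  store.mark_checking(mr.id)   # on create/push
  early = [approval_check_two_state(mr), approval_check_three_state(mr, store)]
  mr.required = 2              # approvals have now been created
  store.mark_checked(mr.id)
  late = [approval_check_two_state(mr), approval_check_three_state(mr, store)]
  { early: early, late: late }
end
```

In the early window the two-state check returns `:success` while the three-state check returns `:checking`; once the rules are attached both return `:failed` until the approvals are given.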