Approval rule shows ineligible approvers
Problem: Users with Guest role are displayed in merge request approval lists even though they cannot actually view or approve the MR.
Root Cause: The approver list for an approval rule uses the `group_users` association (source), which includes all group members, not just those with `approve_merge_request` permission.
Impact: Confusing UX - developers see "approvers" who can't actually approve.
Reproduction Steps
- Create an approval rule with group-based approvers (see docs)
- Add a Guest user to that group
- Create MR targeting the protected branch → Guest appears in approver list
- Impersonate Guest → 404 on MR page
Edited by 🤖 GitLab Bot 🤖
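
The root cause described above, as an added plain-Ruby illustration (not GitLab's code): a rule that lists every group member versus one that filters by the ability to approve, plus an audit that names members who are listed but ineligible. `Member`, `ApprovalRule` and `audit_rules` are hypothetical names, the sample data is constructed, and the Developer-or-higher threshold for approving is an assumption.

```ruby
# Added illustration in plain Ruby; not GitLab source code.
# Role values follow GitLab's documented access levels.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Assumption: approving a merge request needs at least the Developer role.
MIN_APPROVE_LEVEL = ACCESS_LEVELS[:developer]

Member = Struct.new(:username, :role) do
  def access_level
    ACCESS_LEVELS.fetch(role) # raises KeyError on an unknown role
  end
end

# Hypothetical stand-in for a group-based approval rule.
class ApprovalRule
  attr_reader :name, :group_members

  def initialize(name, group_members)
    @name = name
    @group_members = group_members
  end

  # Behaviour reported in the issue: every group member is listed.
  def displayed_approvers
    group_members.map(&:username)
  end

  # Permission-aware list: only members who can actually approve.
  def eligible_approvers
    group_members.select { |m| m.access_level >= MIN_APPROVE_LEVEL }.map(&:username)
  end

  # Members shown as approvers who cannot approve (the Guest in the report).
  def ineligible_listed
    displayed_approvers - eligible_approvers
  end
end

# Returns { rule name => [listed but ineligible usernames] } for affected rules only.
def audit_rules(rules)
  rules.to_h { |r| [r.name, r.ineligible_listed] }.reject { |_, users| users.empty? }
end

# Constructed sample data.
SAMPLE_RULES = [
  ApprovalRule.new("backend-review", [Member.new("alice", :maintainer),
                                      Member.new("guest_user", :guest)]),
  ApprovalRule.new("docs-review", [Member.new("bob", :developer)])
].freeze

puts audit_rules(SAMPLE_RULES).inspect
```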