Allow project admin to read approval rules

even if project is archived / merge requests
not allowed.

ee/changelogs/unreleased/27934-approval-settings-api-fix.yml

+---
+title: Allow project admin to read approval rules from archived projects
+merge_request: 55929
+author:
+type: fixed

ee/lib/api/helpers/project_approval_rules_helpers.rb

@@ -28,7 +28,9 @@ module API
         requires :approval_rule_id, type: Integer, desc: 'The ID of an approval_rule'
       end
 
-      def authorize_create_merge_request_in_project
+      def authorize_read_project_approval_rule!
+        return if can?(current_user, :admin_project, user_project)
+
         authorize! :create_merge_request_in, user_project
       end
 

ee/lib/api/project_approval_rules.rb

@@ -17,7 +17,7 @@ module API
           success EE::API::Entities::ProjectApprovalRule
         end
         get do
-          authorize_create_merge_request_in_project
+          authorize_read_project_approval_rule!
 
           present user_project.visible_approval_rules, with: EE::API::Entities::ProjectApprovalRule, current_user: current_user
         end
@@ -37,7 +37,7 @@ module API
             success EE::API::Entities::ProjectApprovalRule
           end
           get do
-            authorize_create_merge_request_in_project
+            authorize_read_project_approval_rule!
 
             approval_rule = user_project.approval_rules.find(params[:approval_rule_id])
 

ee/lib/api/project_approval_settings.rb

@@ -21,7 +21,7 @@ module API
           optional :target_branch, type: String, desc: 'Branch that scoped approval rules apply to'
         end
         get do
-          authorize_create_merge_request_in_project
+          authorize_read_project_approval_rule!
 
           present(
             user_project,

ee/spec/requests/api/project_approval_rules_spec.rb

@@ -115,6 +115,31 @@ RSpec.describe API::ProjectApprovalRules do
         end
       end
     end
+
+    context 'when project is archived' do
+      let_it_be(:archived_project) { create(:project, :archived, creator: user) }
+      let(:url) { "/projects/#{archived_project.id}/approval_rules" }
+
+      context 'when user has normal permissions' do
+        it 'returns 403' do
+          archived_project.add_guest(user2)
+
+          get api(url, user2)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+
+      context 'when user has project admin permissions' do
+        it 'allows access' do
+          archived_project.add_maintainer(user2)
+
+          get api(url, user2)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+    end
   end
 
   describe 'POST /projects/:id/approval_rules' do

ee/spec/requests/api/project_approval_settings_spec.rb

@@ -116,6 +116,31 @@ RSpec.describe API::ProjectApprovalSettings do
         end
       end
     end
+
+    context 'when project is archived' do
+      let_it_be(:archived_project) { create(:project, :archived, creator: user) }
+      let(:url) { "/projects/#{archived_project.id}/approval_settings" }
+
+      context 'when user has normal permissions' do
+        it 'returns 403' do
+          archived_project.add_guest(user2)
+
+          get api(url, user2)
+
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+      end
+
+      context 'when user has project admin permissions' do
+        it 'allows access' do
+          archived_project.add_maintainer(user2)
+
+          get api(url, user2)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
+    end
   end
 
   describe 'POST /projects/:id/approval_settings/rules' do