Merge branch '324948-aqualls-settings-page' into 'master'

Initial revision of merge request approval settings page for CTRT See merge request gitlab-org/gitlab!60859

Merge branch '324948-aqualls-settings-page' into 'master'
Initial revision of merge request approval settings page for CTRT See merge request gitlab-org/gitlab!60859
4c5f70fa · Craig Norris · f444c092 · ba4ba049 · 4c5f70fa · 4c5f70fa
Commit 4c5f70fa authored May 19, 2021 by Craig Norris
6 changed files
--- a/doc/api/merge_request_approvals.md
+++ b/doc/api/merge_request_approvals.md
@@ -1068,7 +1068,7 @@ POST /projects/:id/merge_requests/:merge_request_iid/approve
 | `id`                | integer | yes      | The ID of a project     |
 | `merge_request_iid` | integer | yes      | The IID of MR           |
 | `sha`               | string  | no       | The HEAD of the MR      |
-| `approval_password` **(PREMIUM)** | string  | no      | Current user's password. Required if [**Require user password to approve**](../user/project/merge_requests/approvals/settings.md#require-authentication-when-approving-a-merge-request) is enabled in the project settings. |
+| `approval_password` **(PREMIUM)** | string  | no      | Current user's password. Required if [**Require user password to approve**](../user/project/merge_requests/approvals/settings.md#require-authentication-for-approvals) is enabled in the project settings. |
 The `sha` parameter works in the same way as
 when [accepting a merge request](merge_requests.md#accept-mr): if it is passed, then it must

--- a/doc/user/compliance/compliance_dashboard/index.md
+++ b/doc/user/compliance/compliance_dashboard/index.md
@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36524) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.8.
-The Compliance Dashboard gives you the ability to see a group's Merge Request activity
+The Compliance Dashboard gives you the ability to see a group's merge request activity
 by providing a high-level view for all projects in the group. For example, code approved
 for merging into production.
@@ -28,10 +28,10 @@ This feature is for people who care about the compliance status of projects with
 You can use the dashboard to:
- Get an overview of the latest Merge Request for each project.
+- Get an overview of the latest merge request for each project.
- See if Merge Requests were approved and by whom.
+- See if merge requests were approved and by whom.
- See Merge Request authors.
+- See merge request authors.
- See the latest [CI Pipeline](../../../ci/pipelines/index.md) result for each Merge Request.
+- See the latest [CI Pipeline](../../../ci/pipelines/index.md) result for each merge request.
 ## Permissions
@@ -42,25 +42,25 @@ You can use the dashboard to:
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217939) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.3.
-We support a separation of duties policy between users who create and approve Merge Requests.
+We support a separation of duties policy between users who create and approve merge requests.
 The approval status column can help you identify violations of this policy.
 Our criteria for the separation of duties is as follows:
- [A Merge Request author is **not** allowed to approve their Merge Request](../../project/merge_requests/approvals/settings.md#allowing-merge-request-authors-to-approve-their-own-merge-requests)
+- [A merge request author is **not** allowed to approve their merge request](../../project/merge_requests/approvals/settings.md#prevent-authors-from-approving-their-own-work)
- [A Merge Request committer is **not** allowed to approve a Merge Request they have added commits to](../../project/merge_requests/approvals/settings.md#prevent-approval-of-merge-requests-by-their-committers)
+- [A merge request committer is **not** allowed to approve a merge request they have added commits to](../../project/merge_requests/approvals/settings.md#prevent-committers-from-approving-their-own-work)
- [The minimum number of approvals required to merge a Merge Request is **at least** two](../../project/merge_requests/approvals/rules.md)
+- [The minimum number of approvals required to merge a merge request is **at least** two](../../project/merge_requests/approvals/rules.md)
-The "Approval status" column shows you, at a glance, whether a Merge Request is complying with the above.
+The "Approval status" column shows you, at a glance, whether a merge request is complying with the above.
 This column has four states:
 | State | Description |
 |:------|:------------|
-| Empty | The Merge Request approval status is unknown |
+| Empty | The merge request approval status is unknown |
-| ![Failed](img/failed_icon_v13_3.png) | The Merge Request **does not** comply with any of the above criteria |
+| ![Failed](img/failed_icon_v13_3.png) | The merge request **does not** comply with any of the above criteria |
-| ![Warning](img/warning_icon_v13_3.png) | The Merge Request complies with **some** of the above criteria |
+| ![Warning](img/warning_icon_v13_3.png) | The merge request complies with **some** of the above criteria |
-| ![Success](img/success_icon_v13_3.png) | The Merge Request complies with **all** of the above criteria |
+| ![Success](img/success_icon_v13_3.png) | The merge request complies with **all** of the above criteria |
-If you do not see the success icon in your Compliance dashboard; please review the above criteria for the Merge Requests
+If you do not see the success icon in your Compliance dashboard; please review the above criteria for the merge requests
 project to make sure it complies with the separation of duties described above.
 ## Chain of Custody report **(ULTIMATE)**

--- a/doc/user/project/merge_requests/approvals/index.md
+++ b/doc/user/project/merge_requests/approvals/index.md
@@ -26,19 +26,20 @@ rules to define what types of users can approve work. Some examples of rules you
 - Users with specific permissions can always approve work.
 - [Code owners](../../code_owners.md) can approve work for files they own.
- Users with specific permissions can approve work, even if they don't have merge rights
+- Users with specific permissions can approve work,
+  [even if they don't have merge rights](rules.md#merge-request-approval-segregation-of-duties)
  to the repository.
 - Users with specific permissions can be allowed or denied the ability
-  to override approval rules on a specific merge request.
+  to [override approval rules on a specific merge request](rules.md#edit-or-override-merge-request-approval-rules).
 You can also configure additional [settings for merge request approvals](settings.md)
 for more control of the level of oversight and security your project needs, including:
- Prevent users from overriding a merge request approval rule.
+- [Prevent users from overriding a merge request approval rule.](settings.md#prevent-overrides-of-default-approvals)
- Reset approvals when new code is pushed.
+- [Reset approvals when new code is pushed.](settings.md#reset-approvals-on-push)
- Allow (or disallow) authors and committers to approve their own merge requests.
+- Allow (or disallow) [authors and committers](settings.md) to approve their own merge requests.
- Require password authentication when approving.
+- [Require password authentication when approving.](settings.md#require-authentication-for-approvals)
- Require security team approval.
+- [Require security team approval.](settings.md#security-approvals-in-merge-requests)
 You can configure your merge request approval rules and settings through the GitLab
 user interface or [with the API](../../../../api/merge_request_approvals.md).
@@ -63,10 +64,10 @@ such as merge conflicts, [pending discussions](../../../discussions/index.md#onl
 or a [failed CI/CD pipeline](../merge_when_pipeline_succeeds.md).
 To prevent merge request authors from approving their own merge requests,
-enable [**Prevent author approval**](settings.md#allowing-merge-request-authors-to-approve-their-own-merge-requests)
+enable [**Prevent author approval**](settings.md#prevent-authors-from-approving-their-own-work)
 in your project's settings.
-If you enable [approval rule overrides](settings.md#prevent-overriding-default-approvals),
+If you enable [approval rule overrides](settings.md#prevent-overrides-of-default-approvals),
 merge requests created before a change to default approval rules are not affected.
 The only exceptions are changes to the [target branch](rules.md#approvals-for-protected-branches)
 of the rule.
@@ -118,7 +119,7 @@ You can modify your external approval rules
 The lack of an external approval doesn't block the merging of a merge request.
-When [approval rule overrides](settings.md#prevent-overriding-default-approvals) are allowed,
+When [approval rule overrides](settings.md#prevent-overrides-of-default-approvals) are allowed,
 changes to default approval rules will **not** be applied to existing
 merge requests, except for changes to the [target branch](rules.md#approvals-for-protected-branches)
 of the rule.

--- a/doc/user/project/merge_requests/approvals/rules.md
+++ b/doc/user/project/merge_requests/approvals/rules.md
@@ -49,7 +49,7 @@ Users of GitLab Premium and higher tiers can create [additional approval rules](
 Your configuration for approval rule overrides determines if the new rule is applied
 to existing merge requests:
- If [approval rule overrides](settings.md#prevent-overriding-default-approvals) are allowed,
+- If [approval rule overrides](settings.md#prevent-overrides-of-default-approvals) are allowed,
  changes to these default rules are not applied to existing merge requests, except for
  changes to the [target branch](#approvals-for-protected-branches) of the rule.
 - If approval rule overrides are not allowed, all changes to default rules
@@ -138,10 +138,10 @@ approve in these ways:
  counts as one approver, and not two.
 - Merge request authors do not count as eligible approvers on their own merge requests by default.
  To change this behavior, disable the
-  [**Prevent author approval**](settings.md#allowing-merge-request-authors-to-approve-their-own-merge-requests)
+  [**Prevent author approval**](settings.md#prevent-authors-from-approving-their-own-work)
  project setting.
 - Committers to merge requests can approve a merge request. To change this behavior, enable the
-  [**Prevent committers approval**](settings.md#prevent-approval-of-merge-requests-by-their-committers)
+  [**Prevent committers approval**](settings.md#prevent-committers-from-approving-their-own-work)
  project setting.
 ### Code owners as eligible approvers
@@ -200,7 +200,7 @@ on a merge request, you can either add or remove approvers:
   1. Add or remove your desired approval rules.
   1. Select **Save changes**.
-Administrators can change the [merge request approvals settings](settings.md#prevent-overriding-default-approvals)
+Administrators can change the [merge request approvals settings](settings.md#prevent-overrides-of-default-approvals)
 to prevent users from overriding approval rules for merge requests.
 ## Configure optional approval rules

--- a/doc/user/project/merge_requests/approvals/settings.md
+++ b/doc/user/project/merge_requests/approvals/settings.md
@@ -7,91 +7,119 @@ type: reference, concepts
 # Merge request approval settings
-The settings for merge request approvals are found by going to
+You can configure the settings for [merge request approvals](index.md) to
-**Settings > General** and expanding **Merge request (MR) approvals**.
+ensure the approval rules meet your use case. You can also configure
+[approval rules](rules.md), which define the number and type of users who must
+approve work before it's merged. Merge request approval settings define how
+those rules are applied as a merge request moves toward completion.
-## Prevent overriding default approvals
+## Edit merge request approval settings
-Regardless of the approval rules you choose for your project, users can edit them in every merge
+To view or edit merge request approval settings:
-request, overriding the [rules you set as default](rules.md#add-an-approval-rule).
-To prevent that from happening:
-1. Select the **Prevent users from modifying MR approval rules in merge requests.** checkbox.
+1. Go to your project and select **Settings > General**.
-1. Click **Save changes**.
+1. Expand **Merge request (MR) approvals**.
-### Resetting approvals on push
+In this section of general settings, you can configure the settings described
+on this page.
-You can force all approvals on a merge request to be removed when new commits are
+## Prevent overrides of default approvals
-pushed to the source branch of the merge request. If disabled, approvals persist
-even if there are changes added to the merge request. To enable this feature:
-1. Check the **Require new approvals when new commits are added to an MR.**
+By default, users can override the approval rules you [create for a project](rules.md)
-   checkbox.
+on a per-merge request basis. If you don't want users to change approval rules
-1. Click **Save changes**.
+on merge requests, you can disable this setting:
-NOTE:
+1. Go to your project and select **Settings > General**.
-Approvals do not get reset when [rebasing a merge request](../fast_forward_merge.md)
+1. Expand **Merge request (MR) approvals**.
-from the UI. However, approvals are reset if the target branch is changed.
+1. Select the **Prevent users from modifying MR approval rules in merge requests** checkbox.
+1. Select **Save changes**.
-### Allowing merge request authors to approve their own merge requests **(PREMIUM)**
+TODO This change affects all open merge requests.
+## Reset approvals on push
+By default, an approval on a merge request remains in place, even if you add more changes
+after the approval. If you want to remove all existing approvals on a merge request
+when more changes are added to it:
+1. Go to your project and select **Settings > General**.
+1. Expand **Merge request (MR) approvals**.
+1. Select the **Require new approvals when new commits are added to an MR** checkbox.
+1. Select **Save changes**.
+Approvals aren't reset when a merge request is [rebased from the UI](../fast_forward_merge.md)
+However, approvals are reset if the target branch is changed.
+## Prevent authors from approving their own work **(PREMIUM)**
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3349) in GitLab 11.3.
 > - Moved to GitLab Premium in 13.9.
-By default, projects are configured to prevent merge requests from being approved by
+By default, the author of a merge request cannot approve it. To change this setting:
-their own authors. To change this setting:
-1. Go to your project's **Settings > General**, expand **Merge request (MR) approvals**.
+1. Go to your project and select **Settings > General**.
-1. Uncheck the **Prevent MR approval by the author.** checkbox.
+1. Expand **Merge request (MR) approvals**.
-1. Click **Save changes**.
+1. Clear the **Prevent MR approval by the author** checkbox.
+1. Select **Save changes**.
-Note that users can edit the approval rules in every merge request and override pre-defined settings unless it's set [**not to allow** overrides](#prevent-overriding-default-approvals).
+Authors can edit the approval rule in an individual merge request and override
+this setting, unless you configure one of these options:
-You can prevent authors from approving their own merge requests
+- [Prevent overrides of default approvals](#prevent-overrides-of-default-approvals) at
-[at the instance level](../../../admin_area/merge_requests_approvals.md). When enabled,
+  the project level.
-this setting is disabled on the project level, and not editable.
+- *(Self-managed instances only)* Prevent overrides of default approvals
+  [at the instance level](../../../admin_area/merge_requests_approvals.md). When configured
+  at the instance level, you can't edit this setting at the project or individual
+  merge request levels.
-### Prevent approval of merge requests by their committers **(PREMIUM)**
+## Prevent committers from approving their own work **(PREMIUM)**
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10441) in GitLab 11.10.
 > - Moved to GitLab Premium in 13.9.
-You can prevent users who have committed to a merge request from approving it,
+By default, users who commit to a merge request can still approve it. At both
-though code authors can still approve. You can enable this feature
+the project level or [instance level](../../../admin_area/merge_requests_approvals.md)
-[at the instance level](../../../admin_area/merge_requests_approvals.md), which
+you can prevent committers from approving merge requests that are partially
-disables changes to this feature at the project level. If you prefer to manage
+their own. To do this:
-this feature at the project level, you can:
-1. Check the **Prevent MR approvals from users who make commits to the MR.** checkbox.
+1. Go to your project and select **Settings > General**.
-   If this check box is disabled, this feature has been disabled
+1. Expand **Merge request (MR) approvals**.
-   [at the instance level](../../../admin_area/merge_requests_approvals.md).
+1. Select the **Prevent MR approvals from users who make commits to the MR** checkbox.
-1. Click **Save changes**.
+   If this checkbox is cleared, an administrator has disabled it
+   [at the instance level](../../../admin_area/merge_requests_approvals.md), and
+   it can't be changed at the project level.
+1. Select **Save changes**.
-Read the official Git documentation for an explanation of the
+Even with this configuration, [code owners](../../code_owners.md) who contribute
-[differences between authors and committers](https://git-scm.com/book/en/v2/Git-Basics-Viewing-the-Commit-History).
+to a merge request can approve merge requests that affect files they own.
-### Require authentication when approving a merge request
+To learn more about the [differences between authors and committers](https://git-scm.com/book/en/v2/Git-Basics-Viewing-the-Commit-History),
+read the official Git documentation for an explanation.
+## Require authentication for approvals
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/5981) in GitLab 12.0.
 > - Moved to GitLab Premium in 13.9.
-NOTE:
+You can force potential approvers to first authenticate with a password. This
-To require authentication when approving a merge request, you must enable
+permission enables an electronic signature for approvals, such as the one defined by
-**Password authentication enabled for web interface** under [sign-in restrictions](../../../admin_area/settings/sign_in_restrictions.md#password-authentication-enabled).
+[Code of Federal Regulations (CFR) Part 11](https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1&subpartNode=21:1.0.1.1.8.3)):
-in the Admin Area.
-You can force the approver to enter a password in order to authenticate before adding
-the approval. This enables an Electronic Signature for approvals such as the one defined
-by [CFR Part 11](https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1&subpartNode=21:1.0.1.1.8.3)).
-To enable this feature:
-1. Check the **Require user password for approvals.** checkbox.
+1. Enable password authentication for the web interface, as described in the
-1. Click **Save changes**.
+   [sign-in restrictions documentation](../../../admin_area/settings/sign_in_restrictions.md#password-authentication-enabled).
+1. Go to your project and select **Settings > General**.
+1. Expand **Merge request (MR) approvals**.
+1. Select the **Require user password for approvals** checkbox.
+1. Select **Save changes**.
 ## Security approvals in merge requests **(ULTIMATE)**
-Merge request approvals can be configured to require approval from a member
+You can require that a member of your security team approves a merge request if a
-of your security team when a vulnerability would be introduced by a merge request.
+merge request could introduce a vulnerability. To learn more, see
-For more information, see
 [Security approvals in merge requests](../../../application_security/index.md#security-approvals-in-merge-requests).
+## Related links
+- [Instance-level merge request approval settings](../../../admin_area/merge_requests_approvals.md)
+- [Compliance Dashboard](../../../compliance/compliance_dashboard/index.md)
+- [Merge request approvals API](../../../../api/merge_request_approvals.md)
--- a/ee/app/views/projects/_merge_request_approvals_settings_form.html.haml
+++ b/ee/app/views/projects/_merge_request_approvals_settings_form.html.haml
@@ -27,7 +27,7 @@
      = form.check_box(:disable_overriding_approvers_per_merge_request, { class: 'custom-control-input', disabled: !can_modify_approvers })
      = form.label :disable_overriding_approvers_per_merge_request, class: 'custom-control-label' do
        %span= _('Prevent users from modifying MR approval rules in merge requests.')
-        = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/approvals/settings', anchor: 'prevent-overriding-default-approvals'), target: '_blank'
+        = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/approvals/settings', anchor: 'prevent-overrides-of-default-approvals'), target: '_blank'
    .gl-form-checkbox.custom-control.custom-checkbox
      = form.check_box :reset_approvals_on_push, class: 'custom-control-input'
@@ -40,14 +40,14 @@
        %span= _('Prevent MR approvals by the author.')
        = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/approvals/settings',
-          anchor: 'allowing-merge-request-authors-to-approve-their-own-merge-requests'), target: '_blank'
+          anchor: 'prevent-authors-from-approving-their-own-work'), target: '_blank'
    .gl-form-checkbox.custom-control.custom-checkbox
      = form.check_box :merge_requests_disable_committers_approval, { disabled: !can_modify_merge_request_committer_settings, class: 'custom-control-input' }
      = form.label :merge_requests_disable_committers_approval, class: 'custom-control-label' do
        %span= _('Prevent MR approvals from users who make commits to the MR.')
        = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/approvals/settings',
-          anchor: 'allowing-merge-request-authors-to-approve-their-own-merge-requests'), target: '_blank'
+          anchor: 'prevent-committers-from-approving-their-own-work'), target: '_blank'
    - if password_authentication_enabled_for_web?
      .gl-form-checkbox.custom-control.custom-checkbox
@@ -55,4 +55,4 @@
        = form.label :require_password_to_approve, class: 'custom-control-label' do
          %span= _('Require user password for approvals.')
          = link_to sprite_icon('question-o'), help_page_path('user/project/merge_requests/approvals/settings',
-            anchor: 'require-authentication-when-approving-a-merge-request'), target: '_blank'
+            anchor: 'require-authentication-for-approvals'), target: '_blank'