Vulnerability Overview

Vulnerability Title: Override approvers and approvals required per merge request despite no permissions
Status: Complete
Report Source: HackerOne report #544756 by ashish_r_padelkar
Creation Date: 2019-05-02
Key Tags: security, severity 3

Vulnerability Description

Main Issue: Project owner/maintainer may prevent overriding of approvers and approvals required per merge request by having the below settings in project settings.
Unresolved Issue: Developer users can still create new approval rules per merge request, even when the "Can override approvers and approvals required per merge request" option is unchecked.

Reproduction Steps

1. As a project owner, set a setting like below for merge request approval rule.
2. Check the "Can override approvers and approvals required per merge request" option.
3. As a developer, create new approval rules per merge request.

Additional Information

Assigned To: Patrick Bajao
Related Tags: create (DEPRECATED), Deliverable, Enterprise Edition, HackerOne, backend, devops, source code, priority 3, workflow, in review
Due Milestone: 12.2 (expired)
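
The unresolved issue above comes down to a project setting that is not enforced at the point where merge requests are created. The Ruby sketch below is an added example, not GitLab's code or the reporter's: it contrasts a handler that ignores the setting with one that enforces it on the server, and every name in it (Project, build_mr_enforced, the approval_rules key) is hypothetical.

```ruby
# Added example: a hypothetical model of the check, not GitLab's implementation.
Rule         = Struct.new(:name, :approvals_required)
Project      = Struct.new(:can_override_approvers, :rules)
MergeRequest = Struct.new(:title, :rules)

# Request keys (assumed names) that replace the project's approval rules.
OVERRIDE_KEYS = %i[approval_rules].freeze

# Vulnerable shape: the project setting is never consulted, so any user who
# can create a merge request can also attach approval rules of their own.
def build_mr_unchecked(project, params)
  MergeRequest.new(params[:title], params.fetch(:approval_rules, project.rules))
end

# Hardened shape: the setting is checked on the server for every request,
# regardless of what the client chose to send.
def build_mr_enforced(project, params)
  rejected = project.can_override_approvers ? [] : (params.keys & OVERRIDE_KEYS)
  clean = params.reject { |key, _| rejected.include?(key) }
  mr = MergeRequest.new(clean[:title], clean.fetch(:approval_rules, project.rules))
  # Rejected keys are returned so the caller can log the override attempt.
  [mr, rejected]
end

# Constructed sample data: one project rule and one request carrying its own rule.
PROJECT_RULES = [Rule.new("Maintainers", 2)].freeze
LOCKED   = Project.new(false, PROJECT_RULES) # override option unchecked
UNLOCKED = Project.new(true, PROJECT_RULES)  # override option checked
REQUEST  = { title: "Fix typo", approval_rules: [Rule.new("Self-approve", 0)] }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "unchecked: #{build_mr_unchecked(LOCKED, REQUEST).rules.map(&:name)}"
  mr, rejected = build_mr_enforced(LOCKED, REQUEST)
  puts "enforced:  #{mr.rules.map(&:name)} (rejected keys: #{rejected})"
end
```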