Skip to content

Enforce 4-eyes approvals for all pushes (remove admin self-approval bypass) #1350

Description

@andypols

Right now, the “approve push request” check prevents users from approving their own changes — except when the user is an admin. That means an admin can effectively bypass the 4-eyes principle.

We’d like to enforce 4-eyes approval on all changes pushed through git-proxy, regardless of role, so that no one can approve their own changes.

  if (list[0].username.toLowerCase() === username.toLowerCase() && !list[0].admin) {
    res.status(403).send({
      message: `Cannot approve your own changes`,
    });
    return;
  }

Proposal

Remove the !list[0].admin bypass so self-approval is always forbidden.

Rationale

  • Keeps approvals consistent and audit-friendly across all users
  • Reduces risk for privileged accounts (admins are higher-impact)
  • Matches the typical expectation that “admin” shouldn’t mean “no review required”

I could make this configurable, but that feels like the wrong default (and potentially easy to misconfigure).

Question for maintainers/users

Does anyone actively rely on the admin self-approval bypass today?
If so, what’s the real-world use case that requires it?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions