This would let a user change their own merge request status to "open" (e.g. after it was rejected). This is unlikely since there's not a form to do that, but it is possible someone could construct an http request to do it, so we should protect against it.
Here's the logic that I think would capture what we want: require write access, or if the user is the creator they can set it to "rejected". No other checks needed:
This would let a user change their own merge request status to "open" (e.g. after it was rejected). This is unlikely since there's not a form to do that, but it is possible someone could construct an http request to do it, so we should protect against it.
Here's the logic that I think would capture what we want: require write access, or if the user is the creator they can set it to "rejected". No other checks needed:
Thanks @Dave for helping me out.