Details
- Bug
- Resolution: Invalid
- Medium
Description
I am not sure if this has been reported before (and possibly patched already), or if this is the proper channel to report it.
I realized that one can self-approve a PR (at least in v 4.10.1).
Reproduction steps:
- Person A creates a branch, opens a new PR and adds Person B as a reviewer.
- Person B does another commit on that PR and pushes.
- The PR now has commits from Person A and Person B.
- Person B shouldn't be able to review it anymore. Yet he is, and he can self-approve and merge.
This bug has some security implications also.
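The rule the report expects, written out as an added example that is not part of the original report or of the product's code: an approval counts toward merging only if the approver neither opened the PR nor authored a commit in it. The data model, function names and user names are hypothetical, and the sample PR is constructed from the reproduction steps above.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Commit:
    sha: str     # constructed placeholder id, not a real hash
    author: str  # account that authored the commit


@dataclass(frozen=True)
class PullRequest:
    opener: str
    commits: tuple        # Commit objects currently in the PR
    approvals: frozenset  # accounts that clicked "approve"


def contributors(pr):
    """Everyone with authorship in the PR: the opener plus all commit authors."""
    return {pr.opener} | {c.author for c in pr.commits}


def self_approvers(pr):
    """Approvers who also contributed; useful as an audit finding."""
    return set(pr.approvals) & contributors(pr)


def independent_approvers(pr):
    """Approvers with no authorship in the PR."""
    return set(pr.approvals) - contributors(pr)


def merge_allowed(pr, required=1):
    """Merge check: only independent approvals count toward the threshold."""
    return len(independent_approvers(pr)) >= required


def report_scenario():
    """Constructed sample: A opens the PR, reviewer B pushes a commit, B approves."""
    return PullRequest(
        opener="person_a",
        commits=(Commit("c1", "person_a"), Commit("c2", "person_b")),
        approvals=frozenset({"person_b"}),
    )


if __name__ == "__main__":
    pr = report_scenario()
    print("self-approvers:", self_approvers(pr))
    print("merge allowed:", merge_allowed(pr))
    fixed = replace(pr, approvals=pr.approvals | {"person_c"})
    print("merge allowed after independent review:", merge_allowed(fixed))
```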