Open
Description
Right now, the “approve push request” check prevents users from approving their own changes — except when the user is an admin. That means an admin can effectively bypass the 4-eyes principle.
We’d like to enforce 4-eyes approval on all changes pushed through git-proxy, regardless of role, so that no one can approve their own changes.
```js
if (list[0].username.toLowerCase() === username.toLowerCase() && !list[0].admin) {
  res.status(403).send({
    message: `Cannot approve your own changes`,
  });
  return;
}
```
Proposal
Remove the `!list[0].admin` bypass so self-approval is always forbidden.
Rationale
- Keeps approvals consistent and audit-friendly across all users
- Reduces risk for privileged accounts (admins are higher-impact)
- Matches the typical expectation that “admin” shouldn’t mean “no review required”
I could make this configurable, but that feels like the wrong default (and potentially easy to misconfigure).
Question for maintainers/users
Does anyone actively rely on the admin self-approval bypass today?
If so, what’s the real-world use case that requires it?
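
The check quoted in the issue next to the proposed one, as an added example that is not part of the issue or git-proxy's own code. It assumes `list[0]` is the user record of the person who pushed and `username` is the person approving; the function names and sample records are constructed.

```javascript
// Added illustration: names and sample records are constructed, not git-proxy code.

// Case-insensitive username match, as in the snippet from the issue.
function isSelfApproval(pushOwner, approver) {
  return pushOwner.username.toLowerCase() === approver.toLowerCase();
}

// Current behaviour: self-approval is blocked unless the push owner is an admin.
function currentCheck(pushOwner, approver) {
  if (isSelfApproval(pushOwner, approver) && !pushOwner.admin) {
    return { status: 403, message: 'Cannot approve your own changes' };
  }
  return { status: 200 };
}

// Proposed behaviour: self-approval is blocked for every role.
function proposedCheck(pushOwner, approver) {
  if (isSelfApproval(pushOwner, approver)) {
    return { status: 403, message: 'Cannot approve your own changes' };
  }
  return { status: 200 };
}

// Constructed cases: [push owner record, approving username]
const cases = [
  [{ username: 'alice', admin: false }, 'alice'], // user approves own push
  [{ username: 'alice', admin: false }, 'bob'],   // second person approves
  [{ username: 'Root', admin: true }, 'root'],    // admin approves own push
  [{ username: 'root', admin: true }, 'alice'],   // second person approves admin push
];

// Run both checks over every case so the difference is visible side by side.
function compare() {
  return cases.map(([owner, approver]) => ({
    owner: owner.username,
    admin: owner.admin,
    approver,
    current: currentCheck(owner, approver).status,
    proposed: proposedCheck(owner, approver).status,
  }));
}

console.table(compare());
```

Only the third row differs between the two columns, which makes it a natural regression test for the change.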