Allow MR approvals API endpoint for auditors

Allow auditor users to access the merge request approvals get
configuration API endpoint for projects.

Changelog: changed
EE: true

ee/app/policies/ee/project_policy.rb

@@ -249,6 +249,7 @@ module EE
       rule { can?(:maintainer_access) }.policy do
         enable :push_code_to_protected_branches
         enable :admin_path_locks
+        enable :read_approvers
         enable :update_approvers
         enable :modify_approvers_rules
         enable :modify_auto_fix_setting
@@ -273,6 +274,7 @@ module EE
         enable :read_cluster
         enable :read_terraform_state
         enable :read_project_merge_request_analytics
+        enable :read_approvers
       end
       rule { ~security_and_compliance_disabled & auditor }.policy do

ee/lib/api/project_approvals.rb

@@ -30,7 +30,7 @@ module API
         end
         get '/', urgency: :low do
           # If the project is archived, the project admin should still be able to read the approvers
-          authorize!(:update_approvers, user_project) unless can?(current_user, :admin_project, user_project)
+          authorize!(:read_approvers, user_project) unless can?(current_user, :admin_project, user_project)
           present user_project.present(current_user: current_user), with: EE::API::Entities::ApprovalSettings
         end

ee/spec/policies/project_policy_spec.rb

@@ -2022,5 +2022,31 @@ RSpec.describe ProjectPolicy do
       expect_disallowed(*maintainer_permissions)
       expect_disallowed(*owner_permissions)
     end
+
+    describe ':read_approvers' do
+      using RSpec::Parameterized::TableSyntax
+
+      let(:policy) { :read_approvers }
+
+      where(:role, :allowed) do
+        :guest      | false
+        :reporter   | false
+        :developer  | false
+        :maintainer | true
+        :auditor    | true
+        :owner      | true
+        :admin      | true
+      end
+
+      with_them do
+        let(:current_user) { public_send(role) }
+
+        before do
+          enable_admin_mode!(current_user) if role == :admin
+        end
+
+        it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
+      end
+    end
   end
 end

ee/spec/requests/api/project_approvals_spec.rb

@@ -9,6 +9,7 @@ RSpec.describe API::ProjectApprovals do
   let_it_be(:admin)    { create(:user, :admin) }
   let_it_be(:project)  { create(:project, :public, :repository, creator: user, namespace: user.namespace, only_allow_merge_if_pipeline_succeeds: false) }
   let_it_be(:approver) { create(:user) }
+  let_it_be(:auditor)  { create(:user, :auditor) }
   let(:url) { "/projects/#{project.id}/approvals" }
@@ -46,6 +47,14 @@ RSpec.describe API::ProjectApprovals do
       expect(json_response["approver_groups"]).to be_empty
     end
+    context 'when user is an auditor' do
+      it 'allows access' do
+        get api(url, auditor)
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+    end
+
     context 'when project is archived' do
       let_it_be(:archived_project) { create(:project, :archived, creator: user) }
@@ -70,6 +79,14 @@ RSpec.describe API::ProjectApprovals do
           expect(response).to have_gitlab_http_status(:ok)
         end
       end
+
+      context 'when user is an auditor' do
+        it 'allows access' do
+          get api(url, auditor)
+
+          expect(response).to have_gitlab_http_status(:ok)
+        end
+      end
     end
   end
@@ -202,5 +219,13 @@ RSpec.describe API::ProjectApprovals do
         expect(response).to have_gitlab_http_status(:forbidden)
       end
     end
+
+    context 'as a auditor user making changes' do
+      it 'returns 403' do
+        post api(url, auditor), params: { approvals_before_merge: 4 }
+
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
   end
 end