Actually this can be done by protecting your Master branch. Anyone with 'developer' access can make merge requests, and only masters can accept and merge the final merge request! Developers can't touch master branch at all. This of course can be done with other branches as well.
How to protect a branch:
- Go to your project page
- Click on 'Commits'
- Click on Branches
- Click on Protected
- Now you can select any branch and press 'Protect' to protect it.
Gitlab's inline help actually explains this feature quite elegantly:
Protected branches designed to prevent push for all except masters.
This ability allows:
- keep stable branches secured - forced code review before merge to protected branches
Read more about project permissions here