Users allowed to force push to protected branches
I'd like to report a fairly serious bug. A user accidentally force pushed to a protected branch and removed some history. This technically should never have happened because:
- The user only had Developer access to the project
- As of GitLab v6.8 and GitLab Shell v1.9.3, no user is ever allowed to force push to a protected branch regardless of access level
Here is the version of GitLab I'm running:
System information
System: CentOS 6.4
Current User: git
Using RVM: yes
RVM Version: 1.25.27
Ruby Version: 2.1.2p95
Gem Version: 2.2.2
Bundler Version:1.6.2
Rake Version: 10.3.2
Sidekiq Version:2.17.0
GitLab information
Version: 7.5.2
Revision: 57d0209
Directory: /home/git/gitlab
DB Adapter: mysql2
Using Omniauth: no
GitLab Shell
Version: 2.2.0
Repositories: /home/git/repositories/
Hooks: /home/git/gitlab-shell/hooks/
Git: /usr/bin/git