Wildcard Protected branch setting overrides existing specific protected branch setting
Summary
If master protected branch setting exists and there's also a wildcard protected branch that includes the master protected branch, the wild card protected branch will override the specific master branch push rule. Which should have been the other way around.
This would also allow the users to bypass Merge Request Approval rules and merge the MR without any approval:
https://gitlab.com/gitlab-gold/rabbit-hole-1/cicd/-/merge_requests/12
Steps to reproduce
- Create a project
- Go to the project Settings > Repository > Protected Branches
- Set
masterprotected branch toAllow to Merge: MaintainersandAllow to push: No one - Set
*protected branch toAllow to Merge: MaintainersandAllow to push: Developers+Maintainers - Try to execute git push to master branch with a
Developeraccount - Observe Developer
Example Project
https://gitlab.com/gitlab-gold/rabbit-hole-1/cicd
What is the current bug behavior?
Wildcard protected branch setting overrides specific protected branch setting.
What is the expected correct behavior?
Specific protected branch should take priority over wildcard.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com; GitLab Enterprise Edition 13.8.0-pre 1194e3e3
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Possible fixes
Designs
Activity
added typebug label
added devopsplan groupproject management sectiondev labels
added severity3 label
added reproduced on GitLab.com label
Affecting Large Silver customer: https://gitlab.zendesk.com/agent/tickets/187893 (internal)
added customer label
mentioned in issue gitlab-org/quality/triage-reports#1690 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1793 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1886 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1987 (closed)
Affecting SMB Bronze customer: https://gitlab.zendesk.com/agent/tickets/194670 (internal)
This is also affecting my company. We intentionally wildcard-deny all our release branches and then add rules for specific branches and specific users. This bug means that wildcards do not work for us at all. We'd have to manually exclude all our release branches and then keep that up-to-date as branches are created.
Edited by Aaron Bentleymentioned in issue gitlab-org/quality/triage-reports#2047 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2143 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2267 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2338 (closed)
mentioned in issue #321564 (closed)
Marking as duplicate. It appears that this is perhaps groupsource code devopscreate according to the other issue.
marked this issue as a duplicate of #321564 (closed)
marked this issue as related to #321564 (closed)
added devopscreate groupsource code labels and removed devopsplan groupproject management labels
mentioned in issue #358910
