Unprotecting a branch returning 403

Summary

On various occasions, users are unable to unprotect a branch from both the UI and the API. They get a 403 when they try to do that. In the UI, the unprotect branch button is disabled (greyed out), and clicking it triggers a 403 page. From our initial investigation, it looks like the problem is related to the unprotect_access_levels setting. In both cases, it is set to 0 (which means “no one can change it”). So we probably enforce this rule literally. As a result, users can lock this setting but cannot unlock it again.

Steps to reproduce

  • These steps are just assumptions. I wasn't able to reproduce this, but I created these steps based on the tickets we have received:
  • Import a project from GitHub with a single branch and a user that doesn't exist within GitLab
  • Try to protect and unprotect a branch created by that user.

What is the current bug behavior?

In the UI, the unprotect branch button is disabled (greyed out), and clicking it triggers a 403 page.

What is the expected correct behavior?

An owner or maintainer should be able to unprotect a branch under all circumstances.

Relevant logs and/or screenshots

Screenshot_2021-11-08_at_9.01.32_PM

Screenshot_2021-11-08_at_9.02.38_PM

Tickets

cc// @sean_carroll

Edited by Sean Carroll
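
An added example (not GitLab's code and not part of the original issue): a check that flags protected branches in the state described in the summary, where unprotect_access_levels resolves to access level 0 only. It assumes the JSON shape of the protected branches API response; the sample data is constructed, and grants_someone and locked_branches are hypothetical helper names.

```python
import json

NO_ACCESS = 0  # the value the issue reports for unprotect_access_levels

# Constructed sample, shaped like a GET /projects/:id/protected_branches response.
SAMPLE_RESPONSE = json.loads("""
[
  {"name": "main",
   "push_access_levels": [{"access_level": 40, "user_id": null, "group_id": null}],
   "merge_access_levels": [{"access_level": 40, "user_id": null, "group_id": null}],
   "unprotect_access_levels": [{"access_level": 0, "user_id": null, "group_id": null}]},
  {"name": "release",
   "unprotect_access_levels": [{"access_level": 40, "user_id": null, "group_id": null}]},
  {"name": "hotfix",
   "unprotect_access_levels": [
     {"access_level": 0, "user_id": null, "group_id": null},
     {"access_level": null, "user_id": 17, "group_id": null}]},
  {"name": "legacy"}
]
""")


def grants_someone(entry):
    """True if this access entry lets at least one principal unprotect."""
    # Entries tied to a specific user or group carry a null access_level.
    if entry.get("user_id") is not None or entry.get("group_id") is not None:
        return True
    level = entry.get("access_level")
    return level is not None and level > NO_ACCESS


def locked_branches(protected_branches):
    """Names of branches whose unprotect rules exist but grant nobody."""
    locked = []
    for branch in protected_branches:
        entries = branch.get("unprotect_access_levels") or []
        # A missing or empty list is not the state the issue describes; skip it.
        if entries and not any(grants_someone(e) for e in entries):
            locked.append(branch["name"])
    return locked


if __name__ == "__main__":
    for name in locked_branches(SAMPLE_RESPONSE):
        print(f"{name}: unprotect_access_levels resolves to level 0 only")
```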