Unprotecting a branch returning 403
Summary
On various occasions, users are unable to unprotect a branch from both the UI and the API. They get a 403 when they try to do that. In the UI, the unprotect branch button is disabled (greyed out), and clicking it triggers a 403 page. From our initial investigation, it looks like the problem is related to the unprotect_access_levels setting. In both cases, it is set to 0 (which means “no one can change it”). So we probably enforce this rule literally. As a result, users can lock this setting but cannot unlock it again.
Steps to reproduce
- These steps are just assumptions. I wasn't able to reproduce this, but I created these steps based on the tickets we have received:
- Import a project from GitHub with a single branch and a user that doesn't exist within GitLab
- Try to protect and unprotect a branch created by that user.
What is the current bug behavior?
In the UI, the unprotect branch button is disabled (greyed out), and clicking it triggers a 403 page.
What is the expected correct behavior?
An owner or maintainer should be able to unprotect a branch under all circumstances.
Relevant logs and/or screenshots
Tickets
cc// @sean_carroll
Edited by Sean Carroll
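An added example, not part of the original issue or GitLab's own code: a small audit that flags protected branches matching the condition described in the summary, where unprotect_access_levels holds only level 0. The JSON layout (rule lists with `access_level`, `user_id`, `group_id`) and the sample branch names are assumptions, constructed here so the check runs offline.

```python
import json

NO_ACCESS = 0  # per the issue: 0 means "no one can change it"

# Constructed sample, shaped like a protected-branches listing (assumed layout).
SAMPLE = json.loads("""
[
  {"name": "main",
   "push_access_levels": [{"access_level": 40}],
   "unprotect_access_levels": [{"access_level": 0}]},
  {"name": "release",
   "push_access_levels": [{"access_level": 40}],
   "unprotect_access_levels": [{"access_level": 40}]},
  {"name": "imported",
   "push_access_levels": [{"access_level": 30}],
   "unprotect_access_levels": [{"access_level": 0},
                               {"access_level": null, "user_id": 7}]},
  {"name": "legacy",
   "push_access_levels": [{"access_level": 40}]}
]
""")

def unprotect_grants(branch):
    """Split unprotect rules into role levels and user/group-specific grants."""
    rules = branch.get("unprotect_access_levels") or []
    levels = [r["access_level"] for r in rules if r.get("access_level") is not None]
    direct = [r for r in rules if r.get("user_id") or r.get("group_id")]
    return levels, direct

def locked_branches(branches):
    """Names of branches whose only unprotect rule is level 0, with no direct grant."""
    locked = []
    for branch in branches:
        levels, direct = unprotect_grants(branch)
        # A missing field (empty levels) is not flagged: nothing says it is locked.
        if levels and all(lvl == NO_ACCESS for lvl in levels) and not direct:
            locked.append(branch["name"])
    return locked

if __name__ == "__main__":
    for name in locked_branches(SAMPLE):
        print(f"{name}: unprotect_access_levels is 0 only, matches the reported condition")
```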