400 response when running pipeline manually for projects with Group Protected branches

Summary

When protected branches are enabled for all projects in a group, users are unable to manually run pipelines on the protected branches. They get the following error: "You do not have sufficient permission to run a pipeline on '<branch_name>'. Please select a different branch or contact your administrator for assistance." This occurs for both the owner/root users and users given permission to merge or push.

This is despite the docs stating:

The following actions are allowed on protected branches only if the user is allowed to merge or push on that specific branch:

  • Run manual pipelines (using the Web UI or pipelines API).

Steps to reproduce

  1. Enable the group_protected_branches feature flag
  2. Create a protected branch rule for a group
  3. Create a manual pipeline for a project within the group
  4. Observe the "You do not have sufficient permission to run a pipeline on 'master'. Please select a different branch or contact your administrator for assistance." error
  5. The logs indicate the following for the pipeline creation request:

What is the current bug behavior?

Users with the required permissions are unable to run manual pipelines for projects with inherited branch protection rules from a group.

What is the expected correct behavior?

Owners and users with Allowed to push and merge permissions should be able to run manual pipelines.

Relevant logs and/or screenshots

From production_json.log:

{"method":"POST","path":"/aviato/gitlab-smoke-tests/-/pipelines","format":"json","controller":"Projects::PipelinesController","action":"create","status":400,"time":"2023-06-23T07:51:00.217Z","params":[{"key":"ref","value":"refs/heads/master"},{"key":"variables_attributes","value":"[FILTERED]"},{"key":"namespace_id","value":"aviato"},{"key":"project_id","value":"gitlab-smoke-tests"},{"key":"pipeline","value":{"ref":"refs/heads/master","variables_attributes":"[FILTERED]"}}],"correlation_id":"01H3KKRARQSJWNDG1MNVK63ZCW","meta.caller_id":"Projects::PipelinesController#create","meta.remote_ip":"x.x.x.x","meta.feature_category":"continuous_integration","meta.user":"root","meta.user_id":1,"meta.project":"aviato/gitlab-smoke-tests","meta.root_namespace":"aviato","meta.client_id":"user/1","meta.subscription_plan":"default","remote_ip":"x.x.x.x","user_id":1,"username":"root","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0","queue_duration_s":0.008504,"request_urgency":"low","target_duration_s":5,"gitaly_calls":1,"gitaly_duration_s":0.006876,"redis_calls":19,"redis_allowed_cross_slot_calls":1,"redis_duration_s":0.006232,"redis_read_bytes":2020,"redis_write_bytes":1541,"redis_cache_calls":9,"redis_cache_duration_s":0.004202,"redis_cache_read_bytes":1580,"redis_cache_write_bytes":635,"redis_repository_cache_calls":6,"redis_repository_cache_duration_s":0.000936,"redis_repository_cache_read_bytes":229,"redis_repository_cache_write_bytes":263,"redis_sessions_calls":3,"redis_sessions_allowed_cross_slot_calls":1,"redis_sessions_duration_s":0.000781,"redis_sessions_read_bytes":211,"redis_sessions_write_bytes":590,"redis_shared_state_calls":1,"redis_shared_state_duration_s":0.000313,"redis_shared_state_write_bytes":53,"db_count":10,"db_write_count":0,"db_cached_count":1,"db_replica_count":0,"db_primary_count":10,"db_main_count":10,"db_main_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":1,"db_main_cached_count":1,"db_main_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_main_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.009,"db_main_duration_s":0.009,"db_main_replica_duration_s":0.0,"cpu_s":0.083973,"mem_objects":25163,"mem_bytes":2502280,"mem_mallocs":6507,"mem_total_bytes":3508800,"pid":246401,"worker_id":"puma_1","rate_limiting_gates":[],"db_duration_s":0.00575,"view_duration_s":0.00025,"duration_s":0.06289}

Recording:

recording.mov

Results of GitLab environment info

System information
System:		Ubuntu 20.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	3.0.6p216
Gem Version:	3.2.33
Bundler Version:2.3.15
Rake Version:	13.0.6
Redis Version:	6.2.11
Sidekiq Version:6.5.7
Go Version:	unknown

GitLab information
Version:	15.11.6-ee
Revision:	e7e15287f58
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	13.8
URL:		https://omnibus-instance.env-078f9f6d.gcp.gitlabsandbox.net
HTTP Clone URL:	https://omnibus-instance.env-078f9f6d.gcp.gitlabsandbox.net/some-group/some-project.git
SSH Clone URL:	git@omnibus-instance.env-078f9f6d.gcp.gitlabsandbox.net:some-group/some-project.git
Elasticsearch:	no
Geo:		yes
Geo node:	Primary
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers:

GitLab Shell
Version:	14.18.0
Repository storages:
- default: 	unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell

Results of GitLab application Check

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.18.0 ? ... OK (14.18.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/2

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes 2/2 ... yes 8/3 ... yes 10/4 ... yes 10/5 ... yes 13/6 ... yes 15/7 ... yes 62/8 ... yes 62/9 ... yes 62/10 ... yes 62/11 ... yes 62/12 ... yes 62/13 ... yes 62/14 ... yes 62/15 ... yes 62/16 ... yes 63/17 ... yes 63/18 ... yes 63/19 ... yes 63/20 ... yes 63/21 ... yes 63/22 ... yes 63/23 ... yes 63/24 ... yes 63/25 ... yes 64/26 ... yes 64/27 ... yes 64/28 ... yes 64/29 ... yes 64/30 ... yes 65/31 ... yes 65/32 ... yes 65/33 ... yes 66/34 ... yes 66/35 ... yes 66/36 ... yes 66/37 ... yes 67/38 ... yes 67/39 ... yes 67/40 ... yes 67/41 ... yes 67/42 ... yes 67/43 ... yes 67/44 ... yes 68/45 ... yes 68/46 ... yes 68/47 ... yes 69/48 ... yes 69/49 ... yes 69/50 ... yes 69/51 ... yes 69/52 ... yes 69/53 ... yes 70/54 ... yes 70/55 ... yes 70/56 ... yes 70/57 ... yes 70/58 ... yes 71/59 ... yes 71/60 ... yes 71/61 ... yes 72/62 ... yes 72/63 ... yes 73/64 ... yes 73/65 ... yes 73/66 ... yes 73/67 ... yes 73/68 ... yes 73/69 ... yes 74/70 ... yes 74/71 ... yes 74/72 ... yes 74/73 ... yes 74/74 ... yes 75/75 ... yes 166/76 ... yes 75/77 ... yes 75/78 ... yes 75/79 ... yes 75/80 ... yes 73/81 ... yes 73/82 ... yes 73/83 ... yes 1/84 ... yes 67/85 ... yes 73/86 ... yes 73/87 ... yes 159/88 ... yes 159/89 ... yes 164/90 ... yes 73/91 ... yes 66/92 ... yes
Redis version >= 6.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (3.0.6)
Git user has default SSH configuration? ... yes
Active users: ... 45
Is authorized keys file accessible? ... skipped (authorized keys not enabled)
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)
All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)

Checking GitLab App ... Finished

Checking Geo ...

GitLab Geo is available ...
GitLab Geo is enabled ... yes
This machine's Geo node name matches a database record ... yes, found a primary node named "primary"
HTTP/HTTPS repository cloning is enabled ... yes
Machine clock is synchronized ... yes
Git user has default SSH configuration? ... yes
OpenSSH configured to use AuthorizedKeysCommand ... yes
GitLab configured to disable writing to authorized_keys file ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes

Checking Geo ... Finished

Checking GitLab subtasks ... Finished
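
Added example (not part of the original report and not GitLab's own code): a way to gauge how many users and branches hit the rejection described above, by scanning production_json.log for 400 responses from Projects::PipelinesController#create and grouping them by project and ref. The field names are the ones in the log entry quoted above; the function names and every sample line after the first are constructed for illustration.

```ruby
require 'json'

# Constructed sample in the shape of the production_json.log entry quoted above,
# trimmed to the fields used here. Only the first line's values come from the page.
SAMPLE_LOG = <<~LOG
  {"method":"POST","controller":"Projects::PipelinesController","action":"create","status":400,"params":[{"key":"ref","value":"refs/heads/master"}],"correlation_id":"01H3KKRARQSJWNDG1MNVK63ZCW","meta.project":"aviato/gitlab-smoke-tests","username":"root"}
  {"method":"POST","controller":"Projects::PipelinesController","action":"create","status":400,"params":[{"key":"ref","value":"refs/heads/master"}],"correlation_id":"CONSTRUCTED-0002","meta.project":"aviato/gitlab-smoke-tests","username":"alice"}
  {"method":"POST","controller":"Projects::PipelinesController","action":"create","status":201,"params":[{"key":"ref","value":"refs/heads/dev"}],"correlation_id":"CONSTRUCTED-0003","meta.project":"aviato/other","username":"alice"}
  {"method":"GET","controller":"Projects::PipelinesController","action":"index","status":200,"params":[],"correlation_id":"CONSTRUCTED-0004","meta.project":"aviato/other","username":"alice"}
  this line is not JSON
LOG

# Value of the "ref" entry in the key/value params array, or nil if absent.
def ref_param(entry)
  param = Array(entry['params']).find { |p| p.is_a?(Hash) && p['key'] == 'ref' }
  param && param['value']
end

# Returns one hash per rejected (HTTP 400) Projects::PipelinesController#create.
# The log entry carries no error text, so each hit is a candidate to confirm
# by looking up its correlation_id, not proof of this particular bug.
def rejected_pipeline_creates(lines)
  lines.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil # skip truncated or non-JSON lines
    end
    next unless entry.is_a?(Hash)
    next unless entry['controller'] == 'Projects::PipelinesController' &&
                entry['action'] == 'create' && entry['status'] == 400
    { project: entry['meta.project'], ref: ref_param(entry),
      user: entry['username'], correlation_id: entry['correlation_id'] }
  end
end

# Groups rejections by project and ref so affected protected branches stand out.
def summarize(rejections)
  rejections.group_by { |r| [r[:project], r[:ref]] }.map do |(project, ref), rows|
    { project: project, ref: ref, count: rows.size,
      users: rows.map { |r| r[:user] }.uniq.sort,
      correlation_ids: rows.map { |r| r[:correlation_id] } }
  end
end

if __FILE__ == $PROGRAM_NAME
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  summarize(rejected_pipeline_creates(source)).each { |row| puts row.to_json }
end
```

Pass the path to a production_json.log file as the first argument to scan real data; with no argument the script runs on the constructed sample.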