Group-level protected branch rule not allowing specified access
Summary
In a self-managed deployment when a project-level protected branch configuration is set allowing pushing by Developers and Maintainers to branch tst
it works as expected.
When the same configuration is applied at the group level instead a Developer user cannot push to the tst
branch and receives a You are not allowed to push code to protected branches on this project.
error.
This issue was raised in support ticket (ZD internal link) and reproduced in GitLab version 16.6.0.
Steps to reproduce
- Enable group-level protected branches via the
group_protected_branches
feature flag - Create a group
group1
and a projectprotected_branch
within it - Create a branch
tst
inprotected_branch
- Invite user
user1
toprotected_branch
with Developer role - Create a group-level protected branch rule in
group1
allowing Developer+Maintainer users to push to thetst
branch - Go to the project repository protected branch settings and confirm the group-level rule is shown for branch
tst
- As
user1
clone the repo, checkout branchtst
, make a change and try to push the branch to GitLab. - The push fails with a
You are not allowed to push code to protected branches on this project.
error
You can also try setting the same protected branch rule at the project level, remove the group-level rule and retry the push, which will now succeed.
Example Project
What is the current bug behavior?
Configuring a group-level protected branch rule blocks users with the required role from pushing to the branch.
What is the expected correct behavior?
Group-level protected branch rule should function as per an identical project-level rule.
Relevant logs and/or screenshots
Group-level protect branch config:
Project protected branch config:
Push error as developer user:
Project settings after removing group-level config and adding project-level config:
Successful push:
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: \\\`sudo gitlab-rake gitlab:env:info\\\`) (For installations from source run and paste the output of: \\\`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production\\\`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of: \`sudo gitlab-rake gitlab:check SANITIZE=true\`) (For installations from source run and paste the output of: \`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true\`) (we will only investigate if the tests are passing)