"Push access levels user must be blank" error when using Group-level protected branches API

Summary

When trying to use the Group-level protected branches API to allow one user to push to a protected branch, it fails with Push access levels user must be blank

Steps to reproduce current bug behavior

• Create a new group
• Use the example API call
• It fails with Push access levels user must be blank

Currently testing on a SM 18.0 instance:

~ on ☁️  onemoz@gitlab.com
❯ curl --request POST --header "PRIVATE-TOKEN: $GLTOKEN" --url "MY_URL/api/v4/groups/69/protected_branches?name=*-stable&allowed_to_push%5B%5D%5Buser_id%5D=1"
{"message":["Push access levels user must be blank"]}%

If I use this group api call with access_level instead of user_id, that works fine:

~ on ☁️  onemoz@gitlab.com
❯ curl --request POST --header "PRIVATE-TOKEN: $GLTOKEN" --url "MY_URL/api/v4/groups/69/protected_branches?name=*-stable&allowed_to_push%5B%5D%5Baccess_level%5D=30"
{"id":4,"name":"*-stable","push_access_levels":[{"id":4,"access_level":30,"access_level_description":"Developers + Maintainers","deploy_key_id":null,"user_id":null,"group_id":null}],"merge_access_levels":[{"id":4,"access_level":40,"access_level_description":"Maintainers","user_id":null,"group_id":null}],"allow_force_push":false,"unprotect_access_levels":[{"id":3,"access_level":40,"access_level_description":"Maintainers","user_id":null,"group_id":null}],"code_owner_approval_required":false}%

And if I use the user_id with the project api rather than the group it works too:

curl -L --request POST --header "PRIVATE-TOKEN: $GLTOKEN" "MY_URL/api/v4/projects/2/protected_branches?name=*-stable&allowed_to_push%5B%5D%5Buser_id%5D=1"
{"id":3,"name":"*-stable","push_access_levels":[{"id":3,"access_level":40,"access_level_description":"Administrator","deploy_key_id":null,"user_id":1,"group_id":null}],"merge_access_levels":[{"id":3,"access_level":40,"access_level_description":"Maintainers","user_id":null,"group_id":null}],"allow_force_push":false,"unprotect_access_levels":[{"id":2,"access_level":40,"access_level_description":"Maintainers","user_id":null,"group_id":null}],"code_owner_approval_required":false,"inherited":false}%

What is the expected correct behavior?

From the documentation I'm not sure if

• user_id is a supported parameter for the group-level protected branch api (the example in the documentation incline me to believe so) and this is a bug as this is failing
• If user_id is not supported. In this case the error message should probably be a bit more explicit than Push access levels user must be blank and the documentation should states the limitation

Having someone giving us more insight on this would be helpful!