Manage protected branch unprotection permissions via admin UI
In tightly controlled environments, such as those with regulatory review requirements, it is critical that only reviewed code reaches master. This can be configured using protected branches by setting 'No one' to have push permissions for master, but the setting can be changed by anyone with Owner or Master permissions for the project. These organizations need a mechanism to enforce this rule and prevent it from being changed or removed except by an Admin.
As of %10.7 (added by https://gitlab.com/gitlab-org/gitlab-ee/issues/4800), protected branch rules can be created via the API using the unprotect_access_level attribute to restrict who can remove/edit the protected branch rule.
The allowed settings for unprotect_access_level are:
- Master (Default)
- Owner
- Admin
A user cannot create a rule that they will not be able to edit or remove (e.g. a Master cannot create a protected branch rule with unprotect_access_level Owner).
We should make it possible to create protected branch rules with these restrictions using the web interface, not just the API.
Proposal
- Add an interface to allow admins (owners and masters: moved to https://gitlab.com/gitlab-org/gitlab-ee/issues/5742) to add/edit/remove protected branches and set the unprotect_access_level
- Provide feedback to users who do not have permission to unprotect a specific rule, telling them who does have permission to change the rule.
Only an Owner can unprotect
Note: Admins should not be able to create protected branch rules with admin unprotect_access_level through the project UI (see https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18344/diffs#469c7fb6d642cd0821fcce2eee1f42289cb955bd_18_22)
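The rules described above, modelled as an added example (not GitLab's own code): who may create a rule, the feedback shown to a user who cannot unprotect, and a compliance check over a rule listing. The numeric access levels, the helper names and the `push_access_levels` / `unprotect_access_levels` response shape are assumptions; the sample data is constructed.

```ruby
require 'json'

# Assumed numeric access levels (GitLab's convention; not stated in the issue).
LEVELS = { 0 => 'No one', 40 => 'Master', 50 => 'Owner', 60 => 'Admin' }.freeze
ALLOWED_UNPROTECT = [40, 50, 60].freeze # Master, Owner, Admin
DEFAULT_UNPROTECT = 40                  # Master is the default

# A user may only create a rule that they could later edit or remove.
def can_create_rule?(creator_level, unprotect_level = DEFAULT_UNPROTECT)
  ALLOWED_UNPROTECT.include?(unprotect_level) && creator_level >= unprotect_level
end

# Message for a user who lacks permission to unprotect; nil when they have it.
def unprotect_feedback(user_level, unprotect_level)
  return nil if user_level >= unprotect_level
  role = LEVELS.fetch(unprotect_level)
  "Only #{role.match?(/\A[AO]/) ? 'an' : 'a'} #{role} can unprotect"
end

# Compliance check for one rule: push must be 'No one' and unprotecting must
# require at least `required` (Admin by default).
def audit_rule(rule, required: 60)
  push = rule.fetch('push_access_levels', []).map { |l| l['access_level'] }
  unprotect = rule.fetch('unprotect_access_levels', []).map { |l| l['access_level'] }
  weakest = unprotect.min || DEFAULT_UNPROTECT
  findings = []
  findings << 'push is not limited to No one' unless push == [0]
  if weakest < required
    findings << "#{LEVELS.fetch(weakest, weakest)} can unprotect, policy requires #{LEVELS.fetch(required)}"
  end
  findings
end

# Constructed sample, shaped like a protected-branches listing (assumed shape).
SAMPLE_RULES = JSON.parse(<<~RULES)
  [
    {"name": "master", "push_access_levels": [{"access_level": 0}],
     "unprotect_access_levels": [{"access_level": 60}]},
    {"name": "release", "push_access_levels": [{"access_level": 40}],
     "unprotect_access_levels": []}
  ]
RULES

SAMPLE_RULES.each do |rule|
  findings = audit_rule(rule)
  puts "#{rule['name']}: #{findings.empty? ? 'compliant' : findings.join('; ')}"
end
```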