NoMethodError when deleting merged branches via API: `current_user` is nil

Summary

The API endpoint DELETE /projects/:id/repository/merged_branches fails with a NoMethodError when attempting to call .id on a nil current_user object.

Error Details

NoMethodError: undefined method `id' for nil:NilClass (NoMethodError)

      DeleteMergedBranchesWorker.perform_async(project.id, current_user.id)
                                                                       ^^^
  from app/services/branches/delete_merged_service.rb:6:in `async_execute'
  from lib/api/branches.rb:233:in `block (2 levels) in <class:Branches>'

Root Cause

In app/services/branches/delete_merged_service.rb, the async_execute method calls current_user.id without checking if current_user is present. This suggests the API endpoint at line 233 in lib/api/branches.rb is being called without proper authentication or the current_user context is not being set correctly.

Expected Behavior

The API should either require authentication and ensure current_user is present
Or handle the case where current_user is nil with appropriate error handling

Actual Behavior

The service crashes with a NoMethodError when current_user is nil

Affected Code

app/services/branches/delete_merged_service.rb:6
lib/api/branches.rb:233

Suggested Fix

Add a nil check for current_user in the async_execute method or ensure proper authentication is enforced at the API level.

Edited Sep 08, 2025 by 🤖 GitLab Bot 🤖

NoMethodError when deleting merged branches via API: current_user is nil