Accept member_role_id in protected branches REST API

What does this MR do and why?

Add member_role_id as an accepted parameter in the allowed_to_push, allowed_to_merge, and allowed_to_unprotect arrays for the project protected branches API. The param is declared in the EE shared_params block, exposed in the EE entity for API responses, and validated at the model layer via the existing EE::ProtectedBranchAccess concern.

No change is needed in AccessLevelParams because granular_access_levels already passes through all non-deploy-key entries.

References

Relates to #594880 (closed)

How to set up and validate locally

  1. Enable the feature flag and license:

    Feature.enable(:custom_roles_for_protected_branches)
    Ensure your GDK has an Ultimate license.
  2. Create a custom member role in your project's root namespace:

    group = Project.find(<project_id>).namespace.root_ancestor 
    member_role = MemberRole.create!(namespace: group, base_access_level: 30, name: 'Custom Branch Protector')
  3. POST - Protect a branch with a custom role:

    curl --request POST \
    --header "PRIVATE-TOKEN: " \
    --url "[http://localhost:3000/api/v4/projects/](http://localhost:3000/api/v4/projects/)\<project_id\>/protected_branches" \
    --header "Content-Type: application/json" \
    --data '{ "name": "test-branch", "allowed_to_merge": \[{"member_role_id": \<member_role_id\>}\], "allowed_to_push": \[{"member_role_id": \<member_role_id\>}\] }'

    Verify the response includes member_role_id in the access level arrays.

  4. GET - Verify the protected branch returns member_role_id:

    curl --header "PRIVATE-TOKEN: " \
    --url "[http://localhost:3000/api/v4/projects/](http://localhost:3000/api/v4/projects/)\<project_id\>/protected_branches/test-branch"
  5. PATCH - Update with a custom role for unprotect:

    curl --request PATCH \
    --header "PRIVATE-TOKEN: " \
    --url "[http://localhost:3000/api/v4/projects/](http://localhost:3000/api/v4/projects/)\<project_id\>/protected_branches/test-branch" \
    --header "Content-Type: application/json" \
    --data '{"allowed_to_unprotect": \[{"member_role_id": \<member_role_id\>}\]}'
  6. Error cases - Verify these return 422:

  • Using a member_role_id from a different namespace
  • Using a member_role_id when the feature flag is disabled

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #594880 (closed)

Edited by Gavin Hinfey

Merge request reports

Loading