<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Close this issue](https://contributors.gitlab.com/manage-issue?action=close&projectId=278964&issueIid=324151) </details> <!--IssueSummary end--> <!--- Please read this! Before opening a new issue, make sure to search for keywords in the issues filtered by the "regression" or "bug" label: - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=regression - https://gitlab.com/gitlab-org/gitlab/issues?label_name%5B%5D=bug and verify the issue you're about to submit isn't a duplicate. ---> ### Summary <!-- Summarize the bug encountered concisely. --> When the push rule `Reject unverified users` is set to `true` in the subgroup, doing an api call to change this on the project level fails with a `{"message":"403 Forbidden"}` error. Happened to a customer on this ticket [internal link](https://gitlab.zendesk.com/agent/tickets/193947). ### Steps to reproduce * Create a group gold/premium (push rules is a premium feature) * Create a subgroup with `Reject unverified users` set to `true` in push rules * Create a project in this subgroup * Try this api call on the project ``` curl --location --request PUT 'https://gitlab.com/api/v4/projects/PROJECT_ID/push_rule' \ --header 'Private-Token: TOKEN' \ --header 'Content-Type: application/json' \ --data-raw '{ "commit_committer_check": true, "reject_unsigned_commits": false }' ``` ### Example Project https://gitlab.com/olivier_test_193947 (ping me on slack to have access to it if needed) ### What is the current *bug* behavior? The api call fails with a `{"message":"403 Forbidden"}` error. ### What is the expected *correct* behavior? Ideally, the error message should lead to the push rules error, something like `the Reject Unverified Users push rules is already set on the subgroup level` or `cannot override the push rules of the subgroup`. I spent couple of hours trying to figure out if that was a user authorization issue, token issue, etc. Having a clear error message would drastically reduce troubleshooting time. ### Relevant logs and/or screenshots With `Reject unverified users` at true: ``` olivier@onemoz-laptop ~ $ curl --location --request PUT 'https://gitlab.com/api/v4/projects/PROJECT/push_rule' --header 'Private-Token: TOKEN' --header 'Content-Type: application/json' --data-raw '{ "commit_committer_check": true, "reject_unsigned_commits": false }' {"message":"403 Forbidden"} ``` With `Reject unverified users` at false: ``` olivier@onemoz-laptop ~ $ curl --location --request PUT 'https://gitlab.com/api/v4/projects/PROJECT/push_rule' --header 'Private-Token: <TOKEN>' --header 'Content-Type: application/json' --data-raw '{ "commit_committer_check": true, "reject_unsigned_commits": false }' {"id":9952881,"project_id":24888569,"created_at":"2021-03-05T07:32:45.063Z","commit_message_regex":"","commit_message_negative_regex":"","branch_name_regex":"","deny_delete_tag":false,"member_check":false,"prevent_secrets":false,"author_email_regex":"","file_name_regex":"","max_file_size":0,"commit_committer_check":true,"reject_unsigned_commits":null}olivier@onemoz-laptop ~ $ ``` ### Output of checks This bug happens on GitLab.com 13.10.0-pre 9a85e8ba726