Description
- Gitea version (or commit ref): 1.4.3 (64 bit)
- Git version: 2.16.2.windows.1
- Operating system: Windows 10 64 bit
- Database:
- PostgreSQL
- MySQL
- MSSQL
- SQLite
- Can you reproduce the bug at https://try.gitea.io:
- Yes (provide example URL): https://try.gitea.io/jjsat_test/branch_protection_test
- No
- Not relevant
- Log gist:
My understanding of the branch protection mechanism is that it prevents deletion of and force pushing to a branch. Also it is possible to explicitly allow certain users or groups to do a regular, non-forced push to the branch.
The issue is that a whitelisted user (either through group permission or explicitly set) can delete a protected branch through the web interface. I believe this is an error not only because it allows deletion (which was explicitly forbidden), but also because deleting the branch causes a 404 error when trying to view the branch protection settings for the deleted branch. The web interface clearly does not expect a protected branch to be missing.
I also tried this in version 1.5.0 and there it will actually do an internal server error when trying to view the branch settings if there is a deleted and protected branch: "[Macaron] 2018-08-02 19:53:09: Completed GET /Test/testtest/settings/branches 500 Internal Server Error in 198.4688ms"
Screenshots
Settings for example branch "protected_branch":
Branch listing (note that the branch can be deleted):
What happens when clicking on "protected_branch_deleted", which has the same protection settings as "protected_branch" and was deleted through the branch list: