Branch protection does not prevent deletion through the web interface #4601

Closed
@jjsat

Description

My understanding of the branch protection mechanism is that it prevents deletion of and force pushing to a branch. Also it is possible to explicitly allow certain users or groups to do a regular, non-forced push to the branch.

The issue is that a whitelisted user (either through group permission or explicitly set) can delete a protected branch through the web interface. I believe this is an error not only because it allows deletion (which was explicitly forbidden), but also because deleting the branch causes a 404 error when trying to view the branch protection settings for the deleted branch. The web interface clearly does not expect a protected branch to be missing.

I also tried this in version 1.5.0, and there it actually returns an internal server error when trying to view the branch settings if there is a deleted, protected branch: "[Macaron] 2018-08-02 19:53:09: Completed GET /Test/testtest/settings/branches 500 Internal Server Error in 198.4688ms"

Screenshots

Settings for example branch "protected_branch":
[screenshot]

Branch listing (note that the branch can be deleted):
[screenshot]

What happens when clicking on "protected_branch_deleted", which has the same protection settings as "protected_branch" and was deleted through the branch list:
[screenshot]
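The two defects in the report, a deletion check that is really a push check and a settings page that assumes every protected branch still exists, can be modelled side by side. The following is an added example written for this page, not the project's own code: the types, the user names "alice" and "bob", and the policy functions are constructed assumptions, not the real data model or handlers.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Protection is a constructed stand-in for a branch protection rule: the
// branch it covers and the users allowed a regular (non-forced) push to it.
type Protection struct {
	Branch          string
	EnableWhitelist bool
	PushWhitelist   map[string]bool
}

// Repo holds the branches that currently exist and the protection rules keyed
// by branch name. Both maps are constructed for this example.
type Repo struct {
	Branches    map[string]bool
	Protections map[string]Protection
}

// ErrProtected is returned when a deletion is refused by policy.
var ErrProtected = errors.New("branch is protected and cannot be deleted")

// canPush answers "may this user do a regular push to this branch?": true when
// the branch is unprotected or protected without a whitelist, otherwise only
// for whitelisted users.
func canPush(r Repo, user, branch string) bool {
	p, ok := r.Protections[branch]
	if !ok || !p.EnableWhitelist {
		return true
	}
	return p.PushWhitelist[user]
}

// buggyCanDelete models the reported behaviour: the web handler gates deletion
// on push permission, so a whitelisted user may delete a protected branch.
func buggyCanDelete(r Repo, user, branch string) bool { return canPush(r, user, branch) }

// fixedCanDelete refuses deletion of any protected branch; the push whitelist
// grants pushes, never deletion.
func fixedCanDelete(r Repo, user, branch string) bool {
	_, protected := r.Protections[branch]
	return !protected
}

// DeletePolicy decides whether user may delete branch in r.
type DeletePolicy func(r Repo, user, branch string) bool

// deleteBranch is the web-interface deletion path under a chosen policy.
func deleteBranch(r *Repo, user, branch string, policy DeletePolicy) error {
	if !r.Branches[branch] {
		return fmt.Errorf("branch %q not found", branch)
	}
	if !policy(*r, user, branch) {
		return ErrProtected
	}
	delete(r.Branches, branch)
	return nil
}

// SettingsRow is one row of the branch protection settings page.
type SettingsRow struct {
	Branch   string
	Orphaned bool // a rule exists but the branch itself is gone
}

// listProtectionSettings renders the settings page without assuming every
// protected branch still exists, so an orphaned rule becomes a flagged row
// instead of a 404 or 500.
func listProtectionSettings(r Repo) []SettingsRow {
	names := make([]string, 0, len(r.Protections))
	for b := range r.Protections {
		names = append(names, b)
	}
	sort.Strings(names) // deterministic page order
	rows := make([]SettingsRow, 0, len(names))
	for _, b := range names {
		rows = append(rows, SettingsRow{Branch: b, Orphaned: !r.Branches[b]})
	}
	return rows
}

// newExampleRepo builds the constructed state from the report: two protected
// branches with the same whitelist; "alice" is a hypothetical whitelisted user.
func newExampleRepo() Repo {
	wl := map[string]bool{"alice": true}
	return Repo{
		Branches: map[string]bool{"master": true, "protected_branch": true, "protected_branch_deleted": true},
		Protections: map[string]Protection{
			"protected_branch":         {Branch: "protected_branch", EnableWhitelist: true, PushWhitelist: wl},
			"protected_branch_deleted": {Branch: "protected_branch_deleted", EnableWhitelist: true, PushWhitelist: wl},
		},
	}
}

func main() {
	r := newExampleRepo()
	fmt.Println("buggy policy:", deleteBranch(&r, "alice", "protected_branch_deleted", buggyCanDelete))
	for _, row := range listProtectionSettings(r) {
		fmt.Printf("%-26s orphaned=%v\n", row.Branch, row.Orphaned)
	}
	r = newExampleRepo()
	fmt.Println("fixed policy:", deleteBranch(&r, "alice", "protected_branch_deleted", fixedCanDelete))
}
```

The point of splitting canPush from the delete policy is that "may push" and "may delete" are different authorization questions; reusing one for the other is exactly how the whitelist becomes a deletion grant. The settings lister tolerates orphaned rules so that the page keeps working even if a rule outlives its branch for any other reason (for example a deletion over git rather than the web UI).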

    Labels

    issue/critical: This issue should be fixed ASAP. If it is a PR, the PR should be merged ASAP.
    topic/security: Something leaks user information or is otherwise vulnerable. Should be fixed!
    type/bug