Account for protected branches design

Author: kemzeb

options/locale/locale_en-US.ini

@@ -2714,6 +2714,7 @@ branch.new_branch = Create new branch
 branch.new_branch_from = Create new branch from "%s"
 branch.renamed = Branch %s was renamed to %s.
 branch.rename_default_or_protected_branch_error = Only admins can rename default or protected branches.
+branch.rename_protected_branch_failed = This branch is protected by glob-based protection rules.
 
 tag.create_tag = Create tag %s
 tag.create_tag_operation = Create tag

routers/api/v1/repo/branch.go

@@ -447,6 +447,8 @@ func UpdateBranch(ctx *context.APIContext) {
 		switch {
 		case repo_model.IsErrUserDoesNotHaveAccessToRepo(err):
 			ctx.Error(http.StatusForbidden, "", "User must be a repo or site admin to rename default or protected branches.")
+		case errors.Is(err, git_model.ErrBranchIsProtected):
+			ctx.Error(http.StatusForbidden, "", "Branch is protected by glob-based protection rules.")
 		default:
 			ctx.Error(http.StatusInternalServerError, "RenameBranch", err)
 		}

routers/web/repo/setting/protected_branch.go

@@ -4,6 +4,7 @@
 package setting
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -358,6 +359,9 @@ func RenameBranchPost(ctx *context.Context) {
 		case git_model.IsErrBranchAlreadyExists(err):
 			ctx.Flash.Error(ctx.Tr("repo.branch.branch_already_exists", form.To))
 			ctx.Redirect(fmt.Sprintf("%s/branches", ctx.Repo.RepoLink))
+		case errors.Is(err, git_model.ErrBranchIsProtected):
+			ctx.Flash.Error(ctx.Tr("repo.branch.rename_protected_branch_failed"))
+			ctx.Redirect(fmt.Sprintf("%s/branches", ctx.Repo.RepoLink))
 		default:
 			ctx.ServerError("RenameBranch", err)
 		}

services/repository/branch.go

@@ -429,14 +429,15 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, doer *user_m
 		}
 	}
 
-	isProtected, err := git_model.IsBranchProtected(ctx, repo.ID, from)
-	if err != nil {
+	// If from == rule name, admins are allowed to modify them.
+	if protectedBranch, err := git_model.GetProtectedBranchRuleByName(ctx, repo.ID, from); err != nil {
 		return "", err
-	}
-	if isProtected && !perm.IsAdmin() {
-		return "", repo_model.ErrUserDoesNotHaveAccessToRepo{
-			UserID:   doer.ID,
-			RepoName: repo.LowerName,
+	} else {
+		if protectedBranch != nil && !perm.IsAdmin() {
+			return "", repo_model.ErrUserDoesNotHaveAccessToRepo{
+				UserID:   doer.ID,
+				RepoName: repo.LowerName,
+			}
 		}
 	}
 

tests/integration/api_branch_test.go

@@ -219,7 +219,25 @@ func TestAPIUpdateBranch(t *testing.T) {
 			resp = testAPIUpdateBranch(t, "user40", "user2", "repo1", "protected-branch", "new-branch-name", http.StatusForbidden)
 			assert.Contains(t, resp.Body.String(), "User must be a repo or site admin to rename default or protected branches.")
 		})
-		t.Run("RenameBranchNormalScenario", func(t *testing.T) {
+		t.Run("UpdateBranchWithGlobedBasedProtectionRulesAndAdminAccess", func(t *testing.T) {
+			// don't allow branch that falls under glob-based protection rules to be renamed
+			token := getUserToken(t, "user2", auth_model.AccessTokenScopeWriteRepository)
+			req := NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/branch_protections", &api.BranchProtection{
+				RuleName:   "protected/**",
+				EnablePush: true,
+			}).AddTokenAuth(token)
+			MakeRequest(t, req, http.StatusCreated)
+
+			from := "protected/1"
+			req = NewRequestWithJSON(t, "POST", "/api/v1/repos/user2/repo1/branches", &api.CreateBranchRepoOption{
+				BranchName: from,
+			}).AddTokenAuth(token)
+			MakeRequest(t, req, http.StatusCreated)
+
+			resp := testAPIUpdateBranch(t, "user2", "user2", "repo1", from, "new-branch-name", http.StatusForbidden)
+			assert.Contains(t, resp.Body.String(), "Branch is protected by glob-based protection rules.")
+		})
+		t.Run("UpdateBranchNormalScenario", func(t *testing.T) {
 			testAPIUpdateBranch(t, "user2", "user2", "repo1", "branch2", "new-branch-name", http.StatusNoContent)
 		})
 	})