Merge branch '59289-fix-push-to-create-protected-branches' into 'master'

Allow users to create protected branches via CLI

Closes #59289

See merge request gitlab-org/gitlab-ce!26413

app/views/projects/protected_branches/shared/_index.html.haml

@@ -12,7 +12,7 @@
     %p
       By default, protected branches are designed to:
       %ul
-        %li prevent their creation, if not already created, from everybody except users who are allowed to merge
+        %li prevent their creation, if not already created, from everybody except Maintainers
         %li prevent pushes from everybody except Maintainers
         %li prevent <strong>anyone</strong> from force pushing to the branch
         %li prevent <strong>anyone</strong> from deleting the branch

changelogs/unreleased/59289-fix-push-to-create-protected-branches.yml

+---
+title: Allow users who can push to protected branches to create protected branches
+  via CLI
+merge_request: 26413
+author:
+type: fixed

doc/user/project/protected_branches.md

@@ -10,7 +10,7 @@ created protected branches.
 By default, a protected branch does four simple things:
 
 - it prevents its creation, if not already created, from everybody except users
-  who are allowed to merge
+  with Maintainer permission
 - it prevents pushes from everybody except users with Maintainer permission
 - it prevents **anyone** from force pushing to the branch
 - it prevents **anyone** from deleting the branch

lib/gitlab/checks/branch_check.rb

@@ -59,6 +59,8 @@ module Gitlab
 
       def protected_branch_creation_checks
         logger.log_timed(LOG_MESSAGES[:protected_branch_creation_checks]) do
+          break if user_access.can_push_to_branch?(branch_name)
+
           unless user_access.can_merge_to_branch?(branch_name)
             raise GitAccess::UnauthorizedError, ERROR_MESSAGES[:create_protected_branch]
           end

spec/lib/gitlab/checks/branch_check_spec.rb

@@ -108,7 +108,28 @@ describe Gitlab::Checks::BranchCheck do
         end
 
         context 'protected branch creation feature is enabled' do
-          context 'user is not allowed to create protected branches' do
+          context 'user can push to branch' do
+            before do
+              allow(user_access)
+                .to receive(:can_push_to_branch?)
+                .with('feature')
+                .and_return(true)
+            end
+
+            it 'does not raise an error' do
+              expect { subject.validate! }.not_to raise_error
+            end
+          end
+
+          context 'user cannot push to branch' do
+            before do
+              allow(user_access)
+                .to receive(:can_push_to_branch?)
+                .with('feature')
+                .and_return(false)
+            end
+
+            context 'user cannot merge to branch' do
               before do
                 allow(user_access)
                   .to receive(:can_merge_to_branch?)
@@ -121,7 +142,7 @@ describe Gitlab::Checks::BranchCheck do
               end
             end
 
-          context 'user is allowed to create protected branches' do
+            context 'user can merge to branch' do
               before do
                 allow(user_access)
                   .to receive(:can_merge_to_branch?)
@@ -172,6 +193,7 @@ describe Gitlab::Checks::BranchCheck do
             end
           end
         end
+      end
 
       context 'branch deletion' do
         let(:newrev) { '0000000000000000000000000000000000000000' }