A protected branch can only have a single access level for a given group.

1. Builds on dd26f4e7fa418df7baeb8de057b28554c29ea826

app/models/concerns/protected_branch_access.rb

@@ -2,8 +2,12 @@ module ProtectedBranchAccess
   extend ActiveSupport::Concern
 
   included do
-    validates :user_id, uniqueness: { scope: :protected_branch, allow_nil: true }
-    validates :access_level, uniqueness: { scope: :protected_branch, unless: :user_id?, conditions: -> { where(user_id: nil) } }
+    validates_uniqueness_of :group_id, scope: :protected_branch, allow_nil: true
+    validates_uniqueness_of :user_id, scope: :protected_branch, allow_nil: true
+    validates_uniqueness_of :access_level,
+                            scope: :protected_branch,
+                            unless: Proc.new { |access_level| access_level.user_id? || access_level.group_id? },
+                            conditions: -> { where(user_id: nil, group_id: nil) }
   end
 
   def type

spec/factories/protected_branches/merge_access_levels.rb

 FactoryGirl.define do
   factory :protected_branch_merge_access_level, class: ProtectedBranch::MergeAccessLevel do
     user nil
+    group nil
     protected_branch
     access_level { Gitlab::Access::DEVELOPER }
   end

spec/factories/protected_branches/push_access_levels.rb

 FactoryGirl.define do
   factory :protected_branch_push_access_level, class: ProtectedBranch::PushAccessLevel do
     user nil
+    group nil
     protected_branch
     access_level { Gitlab::Access::DEVELOPER }
   end

spec/models/protected_branch_spec.rb

@@ -38,6 +38,16 @@ describe ProtectedBranch, models: true do
 
           expect(protected_branch).to be_valid
         end
+
+        it "does not count a group-based #{human_association_name} with an `access_level` set" do
+          group = create(:group)
+          protected_branch = create(:protected_branch, :remove_default_access_levels)
+
+          protected_branch.send(association_name) << build(factory_name, group: group, access_level: Gitlab::Access::MASTER)
+          protected_branch.send(association_name) << build(factory_name, access_level: Gitlab::Access::MASTER)
+
+          expect(protected_branch).to be_valid
+        end
       end
 
       context "while checking uniqueness of a user-based #{human_association_name}" do
@@ -65,6 +75,34 @@ describe ProtectedBranch, models: true do
           expect(protected_branch).to be_valid
         end
       end
+
+      context "while checking uniqueness of a group-based #{human_association_name}" do
+        let(:group) { create(:group) }
+
+        it "allows a single #{human_association_name} for a group (per protected branch)" do
+          first_protected_branch = create(:protected_branch, :remove_default_access_levels)
+          second_protected_branch = create(:protected_branch, :remove_default_access_levels)
+
+          first_protected_branch.send(association_name) << build(factory_name, group: group)
+          second_protected_branch.send(association_name) << build(factory_name, group: group)
+
+          expect(first_protected_branch).to be_valid
+          expect(second_protected_branch).to be_valid
+
+          first_protected_branch.send(association_name) << build(factory_name, group: group)
+          expect(first_protected_branch).to be_invalid
+          expect(first_protected_branch.errors.full_messages.first).to match("group has already been taken")
+        end
+
+        it "ignores the `access_level` while validating a group-based #{human_association_name}" do
+          protected_branch = create(:protected_branch, :remove_default_access_levels)
+
+          protected_branch.send(association_name) << build(factory_name, access_level: Gitlab::Access::MASTER)
+          protected_branch.send(association_name) << build(factory_name, group: group, access_level: Gitlab::Access::MASTER)
+
+          expect(protected_branch).to be_valid
+        end
+      end
     end
   end