Restrict branch naming when new change matches with protection rules (#36405)

Resolves #36381 by only allowing admins to perform branch renames that match to branch protection rules. --------- Co-authored-by: Giteabot <teabot@gitea.io>
2026-02-15 07:26:19 +00:00 · 2026-01-23 02:42:24 -08:00
parent e42a1dbb6b
commit 56c5d5e819
4 changed files with 45 additions and 3 deletions
--- a/services/repository/branch.go
+++ b/services/repository/branch.go
@@ -442,6 +442,15 @@ func RenameBranch(ctx context.Context, repo *repo_model.Repository, doer *user_m
 		}
 	}

+	// We also need to check if "to" matches with a protected branch rule.
+	rule, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, to)
+	if err != nil {
+		return "", err
+	}
+	if rule != nil && !rule.CanUserPush(ctx, doer) {
+		return "", git_model.ErrBranchIsProtected
+	}
+
 	if err := git_model.RenameBranch(ctx, repo, from, to, func(ctx context.Context, isDefault bool) error {
 		err2 := gitrepo.RenameBranch(ctx, repo, from, to)
 		if err2 != nil {