Cannot make protected branches work #532

Closed
netsuo opened this issue Nov 6, 2015 · 8 comments
@netsuo

netsuo commented Nov 6, 2015

Hi,

Everything seems to work accordingly, I can push branches with my authorized users, the config file seems to be updating correctly in .gitolite/conf, but I tried everything, I just added the branch "master" restricted to only one user and I can still push from any user.

here's how my gitolite.conf looks:

repo    xxx/xxx/xxx2015/xxx2010
  RW+   master                   = redmine_xxx_1140
  RW+   refs/heads/testProtected = redmine_xxx_1097
  RW+   personal/USER/           = redmine_xxx_851 redmine_xxx_1140 redmine_xxx_1038 
  RW+                            = redmine_xxx_851 redmine_xxx_1038 redmine_xxx_855
  RW                             = redmine_xxx_1140 redmine_xxx_1144 redmine_xxx_1097
  config redminegitolite.projectid = xxx2015
  config redminegitolite.repositoryid =xxx2010
  config redminegitolite.repositorykey = 2TGVEzEQX1rYJfLOP5TqlqJiql7EytbAAf6YmYlodtuxe71g367s0uADimRA7la
  config http.uploadpack = true
  config http.receivepack = true
  config multimailhook.enabled = false

repo    gitolite-admin
  RW+                            = redmine_gitolite_admin_id_rsa

repo    testing
  RW+                            = @all

Can you please help me in figuring out how to make it work and/or what I've done that's wrong?

@amelentjev

I've faced the same problem and found the following workaround: don't give write permissions on the repo to the group that you need to be restricted. Then add a protected branch (dev, for example), and add RW access to this branch for users from the restricted group.

@netsuo
Author

netsuo commented Nov 10, 2015

I tested your solution and it seems to work BUT, it is far from ideal.
Isn't the "normal" workflow creating a "developer" group in Redmine and giving it commit access, then, only for the projects where you need protected branches, adding some "branches" managers and only giving them push access?

With your solution, if I understood correctly, I would need to manually add every branch to protected branches and add every user, rendering the goal of Redmine managing user access obsolete?

@netsuo
Author

netsuo commented Nov 10, 2015

I sent the developer an email requesting information on this and it happens to be because the feature is not finished yet. It is however available on the "dev" branch so I will test it now.

n-rodriguez self-assigned this Nov 17, 2015
@n-rodriguez
Contributor

Can you please try with the latest release? (https://github.com/jbox-web/redmine_git_hosting/releases/tag/1.2.0)

@netsuo
Author

netsuo commented Nov 20, 2015

I tested the last version and - while it works like a charm - I still think the way protected branches work is not ideal. Here's an explanation with a simple use case (this is related to what I said in #534)

Suppose you have a Role "developers" in Redmine. Naturally, you will give this role the "commit" ability on repositories.

Every time you create a standard project, everything works fine: your developers can commit code and only them, you don't have to worry about checking access if you add a new developer to the team or a new project. You could have 100s of projects/developers, no worries.

Now, for a particular project, you need to have a "branch manager" or whatever you want to call it: only this guy (guys) would have the permission to push to the branch "master", this is what protected branches are for.
You just go to the project's repository config, add the master branch as protected with your guy or group that have access to it.

Now, this is where I don't understand the way it works: every other developer from the "developer" role can't push to ANY branch.
Suppose you have 50 developers, you have 2 options:

  • you add every individual developer to a new line on protected branch with access to every other branch
  • you create a group for these developers

This is a bit ridiculous because your role is now obsolete for this project. And if you have 50s of projects and protected branches everywhere, it becomes a nightmare to manage.

What I said in my other ticket #534 is I think a better way of doing this would be to automatically add every user with "commit" role to 2 new lines, one with the name of the protected branch and "-" and another without specified branch with all users. You answered in the other ticket that you can't guess which user should be able or not to commit to a protected branch but I think that yes, you can: everyone that would be able to commit if you didn't setup a protected branch becomes denied and only the names you entered with RW or RW+ can commit. By using the way I explained in the other ticket, you just change the way access is defined on the branch you protected and not the others.

I understand that would add a new thing to do in your code: every time you would add some user to the "commit" role, you would have to redo gitolite.conf to add the new users.

And I don't know if I'm mistaken or not about how protected branch should work, but this is ideally how we would like to work. In fact, I already tested adding custom code to the devel version several days ago to adapt the way gitolite.conf was generated and it works perfectly with just 3 or 4 new lines of code.

Btw it's me that contacted you via e-mail in French the other day, so if you want to discuss about this in French or by e-mail, don't hesitate, I would love to understand exactly how you would work if you had the same use case as us.
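
The following is an added example, not part of the thread or of redmine_git_hosting: a simplified model of gitolite's first-match rule evaluation, run over the rules from the gitolite.conf in the first post. It shows why the catch-all lines let other listed users push to master, and what a "-" line placed ahead of them changes. `allowed` and `protect` are hypothetical helpers, and the model ignores group expansion and USER substitution.

```python
import re

def allowed(rules, user, ref, op="W"):
    """Simplified model of gitolite's write check: rules are read top to
    bottom; the first rule matching user, ref and operation decides."""
    for perm, refex, users in rules:
        if user not in users:
            continue
        # Empty refex = every ref; a refex not starting with refs/ is taken
        # relative to refs/heads/. Matching is anchored at the start only.
        pattern = refex or "refs/.*"
        if not pattern.startswith("refs/"):
            pattern = "refs/heads/" + pattern
        if not re.match(pattern, ref):
            continue
        if perm == "-":
            return False          # explicit deny rule
        if op in perm:
            return True           # "W" = push, "+" = forced push
    return False                  # nothing matched: denied

def protect(rules, branch):
    """Hypothetical generator step: keep the branch's own rules first, then
    deny that branch to every user named in the file, then the rest."""
    everyone = sorted({u for _, _, users in rules for u in users})
    own = [r for r in rules if r[1] == branch]
    rest = [r for r in rules if r[1] != branch]
    return own + [("-", branch, everyone)] + rest

MASTER = "refs/heads/master"
# Rules from the gitolite.conf in the first post; the personal/USER/ line is
# left out because it cannot match master.
POSTED = [
    ("RW+", "master", ["redmine_xxx_1140"]),
    ("RW+", "refs/heads/testProtected", ["redmine_xxx_1097"]),
    ("RW+", "", ["redmine_xxx_851", "redmine_xxx_1038", "redmine_xxx_855"]),
    ("RW", "", ["redmine_xxx_1140", "redmine_xxx_1144", "redmine_xxx_1097"]),
]

if __name__ == "__main__":
    fixed = protect(POSTED, "master")
    for user in ("redmine_xxx_1140", "redmine_xxx_1097", "redmine_xxx_851"):
        print(user, allowed(POSTED, user, MASTER), allowed(fixed, user, MASTER))
```

Because a refex is anchored only at the start, a rule for master also covers a branch such as master-old; writing the refex as master$ limits it to that one branch.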

@n-rodriguez
Contributor

> Btw it's me that contacted you via e-mail in French the other day, so if you want to discuss about this in French or by e-mail, don't hesitate, I would love to understand exactly how you would work if you had the same use case as us.

Why not, maybe on Skype? Tell me when you're available to talk about it.

@SergeyBear

Hello!
I have the same problem with many projects in Redmine.
Any news about this question?

@PowerKiKi
Collaborator

As discussed in #732 (comment), issues related to Redmine < 4.0 or severely outdated issues are being closed to help clean up the issue tracker.

If this issue is still relevant to you and you are running Redmine >= 4.0, please open a new issue including all new relevant information.
