Merge branch '21393-allow-deletion-of-protected-branches' into 'master'

Add confirm delete protected branch modal

Closes #21393

See merge request !11000

8 files changed, 204 insertions, 77 deletions

diff --git a/spec/features/projects/branches_spec.rb b/spec/features/projects/branches_spec.rb
index 8e0306ce83b..7668ce5f8be 100644
--- a/spec/features/projects/branches_spec.rb
+++ b/spec/features/projects/branches_spec.rb
@@ -4,7 +4,13 @@ describe 'Branches', feature: true do
   let(:project) { create(:project, :public) }
   let(:repository) { project.repository }
 
-  context 'logged in' do
+  def set_protected_branch_name(branch_name)
+    find(".js-protected-branch-select").click
+    find(".dropdown-input-field").set(branch_name)
+    click_on("Create wildcard #{branch_name}")
+  end
+
+  context 'logged in as developer' do
     before do
       login_as :user
       project.team << [@user, :developer]
@@ -38,6 +44,83 @@ describe 'Branches', feature: true do
         expect(find('.all-branches')).to have_selector('li', count: 1)
       end
     end
+
+    describe 'Delete unprotected branch' do
+      it 'removes branch after confirmation', js: true do
+        visit namespace_project_branches_path(project.namespace, project)
+
+        fill_in 'branch-search', with: 'fix'
+
+        find('#branch-search').native.send_keys(:enter)
+
+        expect(page).to have_content('fix')
+        expect(find('.all-branches')).to have_selector('li', count: 1)
+        find('.js-branch-fix .btn-remove').trigger(:click)
+
+        expect(page).not_to have_content('fix')
+        expect(find('.all-branches')).to have_selector('li', count: 0)
+      end
+    end
+
+    describe 'Delete protected branch' do
+      before do
+        project.add_user(@user, :master)
+        visit namespace_project_protected_branches_path(project.namespace, project)
+        set_protected_branch_name('fix')
+        click_on "Protect"
+
+        within(".protected-branches-list") { expect(page).to have_content('fix') }
+        expect(ProtectedBranch.count).to eq(1)
+        project.add_user(@user, :developer)
+      end
+
+      it 'does not allow devleoper to removes protected branch', js: true do
+        visit namespace_project_branches_path(project.namespace, project)
+
+        fill_in 'branch-search', with: 'fix'
+        find('#branch-search').native.send_keys(:enter)
+
+        expect(page).to have_css('.btn-remove.disabled')
+      end
+    end
+  end
+
+  context 'logged in as master' do
+    before do
+      login_as :user
+      project.team << [@user, :master]
+    end
+
+    describe 'Delete protected branch' do
+      before do
+        visit namespace_project_protected_branches_path(project.namespace, project)
+        set_protected_branch_name('fix')
+        click_on "Protect"
+
+        within(".protected-branches-list") { expect(page).to have_content('fix') }
+        expect(ProtectedBranch.count).to eq(1)
+      end
+
+      it 'removes branch after modal confirmation', js: true do
+        visit namespace_project_branches_path(project.namespace, project)
+
+        fill_in 'branch-search', with: 'fix'
+        find('#branch-search').native.send_keys(:enter)
+
+        expect(page).to have_content('fix')
+        expect(find('.all-branches')).to have_selector('li', count: 1)
+        page.find('[data-target="#modal-delete-branch"]').trigger(:click)
+
+        expect(page).to have_css('.js-delete-branch[disabled]')
+        fill_in 'delete_branch_input', with: 'fix'
+        click_link 'Delete protected branch'
+
+        fill_in 'branch-search', with: 'fix'
+        find('#branch-search').native.send_keys(:enter)
+
+        expect(page).to have_content('No branches to show')
+      end
+    end
   end
 
   context 'logged out' do
diff --git a/spec/lib/gitlab/checks/change_access_spec.rb b/spec/lib/gitlab/checks/change_access_spec.rb
index 959ae02c222..8d81ed5856e 100644
--- a/spec/lib/gitlab/checks/change_access_spec.rb
+++ b/spec/lib/gitlab/checks/change_access_spec.rb
@@ -96,40 +96,77 @@ describe Gitlab::Checks::ChangeAccess, lib: true do
       end
     end
 
-    context 'protected branches check' do
-      before do
-        allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
-      end
-
-      it 'returns an error if the user is not allowed to do forced pushes to protected branches' do
-        expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)
+    context 'branches check' do
+      context 'trying to delete the default branch' do
+        let(:newrev) { '0000000000000000000000000000000000000000' }
+        let(:ref) { 'refs/heads/master' }
 
-        expect(subject.status).to be(false)
-        expect(subject.message).to eq('You are not allowed to force push code to a protected branch on this project.')
+        it 'returns an error' do
+          expect(subject.status).to be(false)
+          expect(subject.message).to eq('The default branch of a project cannot be deleted.')
+        end
       end
 
-      it 'returns an error if the user is not allowed to merge to protected branches' do
-        expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)
-        expect(user_access).to receive(:can_merge_to_branch?).and_return(false)
-        expect(user_access).to receive(:can_push_to_branch?).and_return(false)
+      context 'protected branches check' do
+        before do
+          allow(ProtectedBranch).to receive(:protected?).with(project, 'master').and_return(true)
+          allow(ProtectedBranch).to receive(:protected?).with(project, 'feature').and_return(true)
+        end
 
-        expect(subject.status).to be(false)
-        expect(subject.message).to eq('You are not allowed to merge code into protected branches on this project.')
-      end
+        it 'returns an error if the user is not allowed to do forced pushes to protected branches' do
+          expect(Gitlab::Checks::ForcePush).to receive(:force_push?).and_return(true)
 
-      it 'returns an error if the user is not allowed to push to protected branches' do
-        expect(user_access).to receive(:can_push_to_branch?).and_return(false)
+          expect(subject.status).to be(false)
+          expect(subject.message).to eq('You are not allowed to force push code to a protected branch on this project.')
+        end
 
-        expect(subject.status).to be(false)
-        expect(subject.message).to eq('You are not allowed to push code to protected branches on this project.')
-      end
+        it 'returns an error if the user is not allowed to merge to protected branches' do
+          expect_any_instance_of(Gitlab::Checks::MatchingMergeRequest).to receive(:match?).and_return(true)
+          expect(user_access).to receive(:can_merge_to_branch?).and_return(false)
+          expect(user_access).to receive(:can_push_to_branch?).and_return(false)
 
-      context 'branch deletion' do
-        let(:newrev) { '0000000000000000000000000000000000000000' }
+          expect(subject.status).to be(false)
+          expect(subject.message).to eq('You are not allowed to merge code into protected branches on this project.')
+        end
+
+        it 'returns an error if the user is not allowed to push to protected branches' do
+          expect(user_access).to receive(:can_push_to_branch?).and_return(false)
 
-        it 'returns an error if the user is not allowed to delete protected branches' do
           expect(subject.status).to be(false)
-          expect(subject.message).to eq('You are not allowed to delete protected branches from this project.')
+          expect(subject.message).to eq('You are not allowed to push code to protected branches on this project.')
+        end
+
+        context 'branch deletion' do
+          let(:newrev) { '0000000000000000000000000000000000000000' }
+          let(:ref) { 'refs/heads/feature' }
+
+          context 'if the user is not allowed to delete protected branches' do
+            it 'returns an error' do
+              expect(subject.status).to be(false)
+              expect(subject.message).to eq('You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.')
+            end
+          end
+
+          context 'if the user is allowed to delete protected branches' do
+            before do
+              project.add_master(user)
+            end
+
+            context 'through the web interface' do
+              let(:protocol) { 'web' }
+
+              it 'allows branch deletion' do
+                expect(subject.status).to be(true)
+              end
+            end
+
+            context 'over SSH or HTTP' do
+              it 'returns an error' do
+                expect(subject.status).to be(false)
+                expect(subject.message).to eq('You can only delete protected branches using the web interface.')
+              end
+            end
+          end
         end
       end
     end
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index d8b72615fab..25769977f24 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Gitlab::GitAccess, lib: true do
-  let(:access) { Gitlab::GitAccess.new(actor, project, 'web', authentication_abilities: authentication_abilities) }
+  let(:access) { Gitlab::GitAccess.new(actor, project, 'ssh', authentication_abilities: authentication_abilities) }
   let(:project) { create(:project, :repository) }
   let(:user) { create(:user) }
   let(:actor) { user }
diff --git a/spec/lib/gitlab/user_access_spec.rb b/spec/lib/gitlab/user_access_spec.rb
index 2b27ff66c09..0d87cf25dbb 100644
--- a/spec/lib/gitlab/user_access_spec.rb
+++ b/spec/lib/gitlab/user_access_spec.rb
@@ -5,7 +5,7 @@ describe Gitlab::UserAccess, lib: true do
   let(:project) { create(:project) }
   let(:user) { create(:user) }
 
-  describe 'can_push_to_branch?' do
+  describe '#can_push_to_branch?' do
     describe 'push to none protected branch' do
       it 'returns true if user is a master' do
         project.team << [user, :master]
@@ -143,7 +143,7 @@ describe Gitlab::UserAccess, lib: true do
     end
   end
 
-  describe 'can_create_tag?' do
+  describe '#can_create_tag?' do
     describe 'push to none protected tag' do
       it 'returns true if user is a master' do
         project.add_user(user, :master)
@@ -211,4 +211,48 @@ describe Gitlab::UserAccess, lib: true do
       end
     end
   end
+
+  describe '#can_delete_branch?' do
+    describe 'delete unprotected branch' do
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_delete_branch?('random_branch')).to be_truthy
+      end
+
+      it 'returns true if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_delete_branch?('random_branch')).to be_truthy
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_delete_branch?('random_branch')).to be_falsey
+      end
+    end
+
+    describe 'delete protected branch' do
+      let(:branch) { create(:protected_branch, project: project, name: "test") }
+
+      it 'returns true if user is a master' do
+        project.add_user(user, :master)
+
+        expect(access.can_delete_branch?(branch.name)).to be_truthy
+      end
+
+      it 'returns false if user is a developer' do
+        project.add_user(user, :developer)
+
+        expect(access.can_delete_branch?(branch.name)).to be_falsey
+      end
+
+      it 'returns false if user is a reporter' do
+        project.add_user(user, :reporter)
+
+        expect(access.can_delete_branch?(branch.name)).to be_falsey
+      end
+    end
+  end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 064847ee3dc..0d3af1f4499 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -43,7 +43,7 @@ describe ProjectPolicy, models: true do
 
   let(:master_permissions) do
     %i[
-      push_code_to_protected_branches update_project_snippet update_environment
+      delete_protected_branch update_project_snippet update_environment
       update_deployment admin_milestone admin_project_snippet
       admin_project_member admin_note admin_wiki admin_project
       admin_commit_status admin_build admin_container_image
diff --git a/spec/requests/api/branches_spec.rb b/spec/requests/api/branches_spec.rb
index 7eaa89837c8..c64499fc8c0 100644
--- a/spec/requests/api/branches_spec.rb
+++ b/spec/requests/api/branches_spec.rb
@@ -406,19 +406,6 @@ describe API::Branches do
       delete api("/projects/#{project.id}/repository/branches/foobar", user)
       expect(response).to have_http_status(404)
     end
-
-    it "removes protected branch" do
-      create(:protected_branch, project: project, name: branch_name)
-      delete api("/projects/#{project.id}/repository/branches/#{branch_name}", user)
-      expect(response).to have_http_status(405)
-      expect(json_response['message']).to eq('Protected branch cant be removed')
-    end
-
-    it "does not remove HEAD branch" do
-      delete api("/projects/#{project.id}/repository/branches/master", user)
-      expect(response).to have_http_status(405)
-      expect(json_response['message']).to eq('Cannot remove HEAD branch')
-    end
   end
 
   describe "DELETE /projects/:id/repository/merged_branches" do
diff --git a/spec/requests/api/v3/branches_spec.rb b/spec/requests/api/v3/branches_spec.rb
index 72f8fbe71fb..c88f7788697 100644
--- a/spec/requests/api/v3/branches_spec.rb
+++ b/spec/requests/api/v3/branches_spec.rb
@@ -47,19 +47,6 @@ describe API::V3::Branches do
       delete v3_api("/projects/#{project.id}/repository/branches/foobar", user)
       expect(response).to have_http_status(404)
     end
-
-    it "removes protected branch" do
-      create(:protected_branch, project: project, name: branch_name)
-      delete v3_api("/projects/#{project.id}/repository/branches/#{branch_name}", user)
-      expect(response).to have_http_status(405)
-      expect(json_response['message']).to eq('Protected branch cant be removed')
-    end
-
-    it "does not remove HEAD branch" do
-      delete v3_api("/projects/#{project.id}/repository/branches/master", user)
-      expect(response).to have_http_status(405)
-      expect(json_response['message']).to eq('Cannot remove HEAD branch')
-    end
   end
 
   describe "DELETE /projects/:id/repository/merged_branches" do
diff --git a/spec/services/delete_merged_branches_service_spec.rb b/spec/services/delete_merged_branches_service_spec.rb
index 7b921f606f8..cae74df9c90 100644
--- a/spec/services/delete_merged_branches_service_spec.rb
+++ b/spec/services/delete_merged_branches_service_spec.rb
@@ -6,33 +6,22 @@ describe DeleteMergedBranchesService, services: true do
   let(:project) { create(:project, :repository) }
 
   context '#execute' do
-    context 'unprotected branches' do
-      before do
-        service.execute
-      end
+    it 'deletes a branch that was merged' do
+      service.execute
 
-      it 'deletes a branch that was merged' do
-        expect(project.repository.branch_names).not_to include('improve/awesome')
-      end
+      expect(project.repository.branch_names).not_to include('improve/awesome')
+    end
 
-      it 'keeps branch that is unmerged' do
-        expect(project.repository.branch_names).to include('feature')
-      end
+    it 'keeps branch that is unmerged' do
+      service.execute
 
-      it 'keeps "master"' do
-        expect(project.repository.branch_names).to include('master')
-      end
+      expect(project.repository.branch_names).to include('feature')
     end
 
-    context 'protected branches' do
-      before do
-        create(:protected_branch, name: 'improve/awesome', project: project)
-        service.execute
-      end
+    it 'keeps "master"' do
+      service.execute
 
-      it 'keeps protected branch' do
-        expect(project.repository.branch_names).to include('improve/awesome')
-      end
+      expect(project.repository.branch_names).to include('master')
     end
 
     context 'user without rights' do