1 files changed, 65 insertions, 27 deletions

diff --git a/lib/gitlab/checks/change_access.rb b/lib/gitlab/checks/change_access.rb
index c85f79127bc..c984eb20606 100644
--- a/lib/gitlab/checks/change_access.rb
+++ b/lib/gitlab/checks/change_access.rb
@@ -1,24 +1,25 @@
 module Gitlab
   module Checks
     class ChangeAccess
-      # protocol is currently used only in EE
       attr_reader :user_access, :project, :skip_authorization, :protocol
 
       def initialize(
-        change, user_access:, project:, env: {}, skip_authorization: false,
+        change, user_access:, project:, skip_authorization: false,
         protocol:
       )
         @oldrev, @newrev, @ref = change.values_at(:oldrev, :newrev, :ref)
         @branch_name = Gitlab::Git.branch_name(@ref)
+        @tag_name = Gitlab::Git.tag_name(@ref)
         @user_access = user_access
         @project = project
-        @env = env
         @skip_authorization = skip_authorization
         @protocol = protocol
       end
 
       def exec
-        error = push_checks || tag_checks || protected_branch_checks
+        return GitAccessStatus.new(true) if skip_authorization
+
+        error = push_checks || branch_checks || tag_checks
 
         if error
           GitAccessStatus.new(false, error)
@@ -29,58 +30,95 @@ module Gitlab
 
       protected
 
-      def protected_branch_checks
-        return if skip_authorization
+      def push_checks
+        if user_access.cannot_do_action?(:push_code)
+          "You are not allowed to push code to this project."
+        end
+      end
+
+      def branch_checks
         return unless @branch_name
-        return unless project.protected_branch?(@branch_name)
+
+        if deletion? && @branch_name == project.default_branch
+          return "The default branch of a project cannot be deleted."
+        end
+
+        protected_branch_checks
+      end
+
+      def protected_branch_checks
+        return unless ProtectedBranch.protected?(project, @branch_name)
 
         if forced_push?
           return "You are not allowed to force push code to a protected branch on this project."
-        elsif Gitlab::Git.blank_ref?(@newrev)
-          return "You are not allowed to delete protected branches from this project."
         end
 
+        if deletion?
+          protected_branch_deletion_checks
+        else
+          protected_branch_push_checks
+        end
+      end
+
+      def protected_branch_deletion_checks
+        unless user_access.can_delete_branch?(@branch_name)
+          return 'You are not allowed to delete protected branches from this project. Only a project master or owner can delete a protected branch.'
+        end
+
+        unless protocol == 'web'
+          'You can only delete protected branches using the web interface.'
+        end
+      end
+
+      def protected_branch_push_checks
         if matching_merge_request?
-          if user_access.can_merge_to_branch?(@branch_name) || user_access.can_push_to_branch?(@branch_name)
-            return
-          else
+          unless user_access.can_merge_to_branch?(@branch_name) || user_access.can_push_to_branch?(@branch_name)
             "You are not allowed to merge code into protected branches on this project."
           end
         else
-          if user_access.can_push_to_branch?(@branch_name)
-            return
-          else
+          unless user_access.can_push_to_branch?(@branch_name)
             "You are not allowed to push code to protected branches on this project."
           end
         end
       end
 
       def tag_checks
-        return if skip_authorization
+        return unless @tag_name
 
-        tag_ref = Gitlab::Git.tag_name(@ref)
-
-        if tag_ref && protected_tag?(tag_ref) && user_access.cannot_do_action?(:admin_project)
-          "You are not allowed to change existing tags on this project."
+        if tag_exists? && user_access.cannot_do_action?(:admin_project)
+          return "You are not allowed to change existing tags on this project."
         end
+
+        protected_tag_checks
       end
 
-      def push_checks
-        return if skip_authorization
+      def protected_tag_checks
+        return unless ProtectedTag.protected?(project, @tag_name)
 
-        if user_access.cannot_do_action?(:push_code)
-          "You are not allowed to push code to this project."
+        return "Protected tags cannot be updated." if update?
+        return "Protected tags cannot be deleted." if deletion?
+
+        unless user_access.can_create_tag?(@tag_name)
+          return "You are not allowed to create this tag as it is protected."
         end
       end
 
       private
 
-      def protected_tag?(tag_name)
-        project.repository.tag_exists?(tag_name)
+      def tag_exists?
+        project.repository.tag_exists?(@tag_name)
       end
 
       def forced_push?
-        Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev, env: @env)
+        Gitlab::Checks::ForcePush.force_push?(@project, @oldrev, @newrev)
+      end
+
+      def update?
+        !Gitlab::Git.blank_ref?(@oldrev) && !deletion?
+      end
+
+      def deletion?
+        Gitlab::Git.blank_ref?(@newrev)
       end
 
       def matching_merge_request?