Supports wildcard protected branch (#20825)

This PR introduce glob match for protected branch name. The separator is `/` and you can use `*` matching non-separator chars and use `**` across separator. It also supports input an exist or non-exist branch name as matching condition and branch name condition has high priority than glob rule. Should fix #2529 and #15705 screenshots <img width="1160" alt="image" src="https://user-images.githubusercontent.com/81045/205651179-ebb5492a-4ade-4bb4-a13c-965e8c927063.png"> Co-authored-by: zeripath <art27@cantab.net>
2025-07-22 18:28:37 +00:00 · 2023-01-16 16:00:22 +08:00
parent cc1f8cbe96
commit 2782c14396
39 changed files with 1222 additions and 819 deletions
--- a/services/repository/branch.go
+++ b/services/repository/branch.go
@@ -149,8 +149,7 @@ func RenameBranch(repo *repo_model.Repository, doer *user_model.User, gitRepo *g

 // enmuerates all branch related errors
 var (
-	ErrBranchIsDefault   = errors.New("branch is default")
-	ErrBranchIsProtected = errors.New("branch is protected")
+	ErrBranchIsDefault = errors.New("branch is default")
 )

 // DeleteBranch delete branch
@@ -159,13 +158,12 @@ func DeleteBranch(doer *user_model.User, repo *repo_model.Repository, gitRepo *g
 		return ErrBranchIsDefault
 	}

-	isProtected, err := git_model.IsProtectedBranch(db.DefaultContext, repo.ID, branchName)
+	isProtected, err := git_model.IsBranchProtected(db.DefaultContext, repo.ID, branchName)
 	if err != nil {
 		return err
 	}
-
 	if isProtected {
-		return ErrBranchIsProtected
+		return git_model.ErrBranchIsProtected
 	}

 	commit, err := gitRepo.GetBranchCommit(branchName)
--- a/services/repository/files/patch.go
+++ b/services/repository/files/patch.go
@@ -66,13 +66,16 @@ func (opts *ApplyDiffPatchOptions) Validate(ctx context.Context, repo *repo_mode
 			return err
 		}
 	} else {
-		protectedBranch, err := git_model.GetProtectedBranchBy(ctx, repo.ID, opts.OldBranch)
+		protectedBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, opts.OldBranch)
 		if err != nil {
 			return err
 		}
-		if protectedBranch != nil && !protectedBranch.CanUserPush(ctx, doer.ID) {
-			return models.ErrUserCannotCommit{
-				UserName: doer.LowerName,
+		if protectedBranch != nil {
+			protectedBranch.Repo = repo
+			if !protectedBranch.CanUserPush(ctx, doer) {
+				return models.ErrUserCannotCommit{
+					UserName: doer.LowerName,
+				}
 			}
 		}
 		if protectedBranch != nil && protectedBranch.RequireSignedCommits {
--- a/services/repository/files/update.go
+++ b/services/repository/files/update.go
@@ -463,17 +463,18 @@ func CreateOrUpdateRepoFile(ctx context.Context, repo *repo_model.Repository, do

 // VerifyBranchProtection verify the branch protection for modifying the given treePath on the given branch
 func VerifyBranchProtection(ctx context.Context, repo *repo_model.Repository, doer *user_model.User, branchName, treePath string) error {
-	protectedBranch, err := git_model.GetProtectedBranchBy(ctx, repo.ID, branchName)
+	protectedBranch, err := git_model.GetFirstMatchProtectedBranchRule(ctx, repo.ID, branchName)
 	if err != nil {
 		return err
 	}
 	if protectedBranch != nil {
+		protectedBranch.Repo = repo
 		isUnprotectedFile := false
 		glob := protectedBranch.GetUnprotectedFilePatterns()
 		if len(glob) != 0 {
 			isUnprotectedFile = protectedBranch.IsUnprotectedFile(glob, treePath)
 		}
-		if !protectedBranch.CanUserPush(ctx, doer.ID) && !isUnprotectedFile {
+		if !protectedBranch.CanUserPush(ctx, doer) && !isUnprotectedFile {
 			return models.ErrUserCannotCommit{
 				UserName: doer.LowerName,
 			}