I created a simple project, committed and clicked the main branch, and then defended it. After that, I added the user to the project as a developer, and this user was allowed to click on the wizard.
So admin = master, user1 = developer.
When I changed and clicked as user1, I was allowed to click on the wizard. This is strange because I have a production instance that does not allow this.
I used a stray installation to set up a development environment. After stray ssh:
cd /vagrant/gitlabhq && git pull --ff origin master
put me on commit a8b544ed770cf172b09feb6ffee14b1814b66ad4, gitlab-shell v1.5.0
cd /vagrant/gitlabhq && bundle exec foreman start -p 3000
gitlab is now running.
I logged in as admin@local.host
Added key "admin"
Created project "master-protected"
in the shell, I created a repo, added a file and committed and clicked.
As "user1", I added my key to the shell cloned by "master-protected", in which user1 has a developer role.
When I changed and clicked the wizard, gitlab accepted the click and the commit is displayed directly in gitlab. He had to deny it. In fact, when you go to the branch section and see that the main branch is protected, the last commit is a "user1" commit, which only has developer permissions.
Any ideas on where I can look further to try to figure out why this is happening in the development environment? The same goes for the v5.3.0 tag, and I'm sure this does not happen in v5.3.0.
This is ridiculous because I tried to replicate another error, I thought I found that protected branches are not protected by merge requests and developer roles, but I ended up in a block with this.