Description
I want to use "Protected file patterns" to prevent normal developers with write access to the repo from creating any commits under `~/.gitea/**`, so they won't be able to create or change workflows. As mentioned in #25423, I'm using the pattern `.gitea/**/*.*;.github/**/*.*` for this, which seems to work fine. While testing the protected file patterns logic I found a way for a normal user to bypass it and still change protected files.
Steps to reproduce:
1. Create a new repository.
2. Add a file `hello` with dummy content and commit it to `main`.
3. Go to repository settings -> Branches and add a new branch protection rule.
4. Define the following branch protection configuration:
   - Protected Branch Name Pattern: `*`
   - Protected file patterns (separated using semicolon ';'): `hello`
   - Enable push
   - Other settings should be left at their default configuration
5. Save the branch protection rule.
6. Go to the code in the `main` branch and edit the `hello` file.
7. Committing directly to the `main` branch is not possible because of the branch protection -> that's correct.
8. Now select "Create a new branch for this commit and start a pull request" at the bottom and click "Commit Changes".
9. A new branch is created with a change to `hello`, therefore bypassing the branch protection rule.
Expected behavior:
I would have expected step 8 to fail because of the branch protection: I'm not allowed to edit the `hello` file on any branch, even on new branches. But it created the commit without any error.
The same behavior can also be reproduced with the Git CLI when pushing a new branch with a new name to Gitea. I would have expected for the branch protection rule with file patterns to reject this new branch.
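As an added illustration (not code from this report or from Gitea itself), the Go program below models how a protected-file check would have to treat a push for the behaviour described above to hold: the rule is evaluated for every ref update that matches the branch name pattern, including one that creates a new branch (Git reports the old object id as all zeros), rather than only for branches that already exist. The glob semantics, the `Rule` and `Ref` types, the functions `CheckPush` and `ProtectedFiles`, and the sample change sets are all assumptions made for this example; the caller is assumed to supply the list of paths changed relative to the branch's base commit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ZeroSHA is the old object id Git reports when a push creates a new ref.
const ZeroSHA = "0000000000000000000000000000000000000000"

// Rule mirrors the two form fields used in the report (constructed type).
type Rule struct {
	BranchPattern string // "Protected Branch Name Pattern", e.g. "*"
	FilePatterns  string // "Protected file patterns", ';'-separated, e.g. "hello"
}

// Ref describes one ref update in a push (constructed type).
type Ref struct {
	Name   string // e.g. "refs/heads/main"
	OldSHA string // ZeroSHA when the branch did not exist before the push
}

// globToRegexp converts one glob into an anchored regular expression.
// These semantics are an assumption for this example, not Gitea's matcher:
// "**" spans directory separators, "*" and "?" stay within one path segment.
func globToRegexp(glob string) *regexp.Regexp {
	var sb strings.Builder
	sb.WriteString("^")
	for i := 0; i < len(glob); i++ {
		c := glob[i]
		switch {
		case c == '*' && i+1 < len(glob) && glob[i+1] == '*':
			if i+2 < len(glob) && glob[i+2] == '/' {
				// "**/" may match zero directories, so "a/**/b" also matches "a/b"
				sb.WriteString("(?:.*/)?")
				i += 2
			} else {
				sb.WriteString(".*")
				i++
			}
		case c == '*':
			sb.WriteString("[^/]*")
		case c == '?':
			sb.WriteString("[^/]")
		default:
			sb.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	sb.WriteString("$")
	return regexp.MustCompile(sb.String())
}

// parsePatterns splits the ';'-separated form value and compiles each entry.
func parsePatterns(s string) []*regexp.Regexp {
	var out []*regexp.Regexp
	for _, p := range strings.Split(s, ";") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, globToRegexp(p))
		}
	}
	return out
}

// ProtectedFiles returns the changed paths that hit any protected file pattern.
func ProtectedFiles(filePatterns string, changed []string) []string {
	pats := parsePatterns(filePatterns)
	var hits []string
	for _, f := range changed {
		for _, re := range pats {
			if re.MatchString(f) {
				hits = append(hits, f)
				break
			}
		}
	}
	return hits
}

// CheckPush evaluates one ref update against a rule and returns the protected
// paths the push touches (empty means the push may proceed). The rule is
// applied identically whether the branch already existed or is being created
// (OldSHA == ZeroSHA); a check that skipped new branches would allow exactly
// the bypass described in the report.
func CheckPush(rule Rule, ref Ref, changed []string) []string {
	branch := strings.TrimPrefix(ref.Name, "refs/heads/")
	if !globToRegexp(rule.BranchPattern).MatchString(branch) {
		return nil // rule does not cover this branch name
	}
	return ProtectedFiles(rule.FilePatterns, changed)
}

func main() {
	// Constructed sample: the rule from the report and a push creating a new
	// branch that carries an edit to "hello".
	rule := Rule{BranchPattern: "*", FilePatterns: "hello"}
	newBranch := Ref{Name: "refs/heads/fix-hello", OldSHA: ZeroSHA}
	if blocked := CheckPush(rule, newBranch, []string{"hello", "README.md"}); len(blocked) > 0 {
		fmt.Printf("reject %s (new branch): protected files changed: %v\n", newBranch.Name, blocked)
	}
	// The workflow-directory pattern from the report against a constructed change set.
	wf := ".gitea/**/*.*;.github/**/*.*"
	fmt.Println(ProtectedFiles(wf, []string{".gitea/workflows/ci.yaml", "src/main.go", ".github/CODEOWNERS"}))
}
```

Run as-is, the program rejects the new `fix-hello` branch because it changes `hello`, and a branch whose name does not match the rule (for instance `release-*` against `main`) is left alone. The second call also shows a property of the `.gitea/**/*.*` pattern under these assumed semantics: it matches workflow files such as `.gitea/workflows/ci.yaml` but not a file without an extension, such as the constructed `.github/CODEOWNERS`.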
Gitea Version
1.23.1
Can you reproduce the bug on the Gitea demo site?
Yes
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Downloaded version, but it can also be reproduced with https://demo.gitea.com/
Database
MySQL/MariaDB