From 12e68d621512ea65f110081fc2d8ed1f385e6cfa Mon Sep 17 00:00:00 2001
From: Bob Van Landuyt <bob@vanlanduyt.co>
Date: Thu, 8 Mar 2018 00:08:52 +0100
Subject: Validate `:push_code` before checking protected branches

---
 lib/gitlab/user_access.rb | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/lib/gitlab/user_access.rb b/lib/gitlab/user_access.rb
index fd68b9f2b48..24393f96d96 100644
--- a/lib/gitlab/user_access.rb
+++ b/lib/gitlab/user_access.rb
@@ -63,15 +63,12 @@ module Gitlab
 
     request_cache def can_push_to_branch?(ref)
       return false unless can_access_git?
+      return false unless user.can?(:push_code, project) || project.branch_allows_maintainer_push?(user, ref)
 
       if protected?(ProtectedBranch, project, ref)
-        return true if project.user_can_push_to_empty_repo?(user)
-
-        protected_branch_accessible_to?(ref, action: :push)
-      elsif user.can?(:push_code, project)
-        true
+        project.user_can_push_to_empty_repo?(user) || protected_branch_accessible_to?(ref, action: :push)
       else
-        project.branch_allows_maintainer_push?(user, ref)
+        true
       end
     end
 
-- 
cgit v1.2.1