Allow protected branch creation via web and API

This commit includes changes to add `UserAccess#can_create_branch?`
which will check whether the user is allowed to create a branch even
if it matches a protected branch.

This is used in `Gitlab::Checks::BranchCheck` when the branch name
matches a protected branch.

A `push_to_create_protected_branch` ability in `ProjectPolicy` has been
added to allow Developers and above to create protected branches.

1 files changed, 12 insertions, 2 deletions

diff --git a/app/models/protected_branch.rb b/app/models/protected_branch.rb
index d075440b147..597431be65a 100644
--- a/app/models/protected_branch.rb
+++ b/app/models/protected_branch.rb
@@ -18,13 +18,23 @@ class ProtectedBranch < ActiveRecord::Base
   def self.protected?(project, ref_name)
     return true if project.empty_repo? && default_branch_protected?
 
-    refs = project.protected_branches.select(:name)
+    self.matching(ref_name, protected_refs: protected_refs(project)).present?
+  end
 
-    self.matching(ref_name, protected_refs: refs).present?
+  def self.any_protected?(project, ref_names)
+    protected_refs(project).any? do |protected_ref|
+      ref_names.any? do |ref_name|
+        protected_ref.matches?(ref_name)
+      end
+    end
   end
 
   def self.default_branch_protected?
     Gitlab::CurrentSettings.default_branch_protection == Gitlab::Access::PROTECTION_FULL ||
       Gitlab::CurrentSettings.default_branch_protection == Gitlab::Access::PROTECTION_DEV_CAN_MERGE
   end
+
+  def self.protected_refs(project)
+    project.protected_branches.select(:name)
+  end
 end