Allow protected branch creation via web and API

This commit includes changes to add `UserAccess#can_create_branch?`
which will check whether the user is allowed to create a branch even
if it matches a protected branch.

This is used in `Gitlab::Checks::BranchCheck` when the branch name
matches a protected branch.

A `push_to_create_protected_branch` ability in `ProjectPolicy` has been
added to allow Developers and above to create protected branches.

1 files changed, 28 insertions, 0 deletions

diff --git a/spec/models/protected_branch_spec.rb b/spec/models/protected_branch_spec.rb
index 4c677200ae2..dafe7646366 100644
--- a/spec/models/protected_branch_spec.rb
+++ b/spec/models/protected_branch_spec.rb
@@ -190,4 +190,32 @@ describe ProtectedBranch do
       end
     end
   end
+
+  describe '#any_protected?' do
+    context 'existing project' do
+      let(:project) { create(:project, :repository) }
+
+      it 'returns true when any of the branch names match a protected branch via direct match' do
+        create(:protected_branch, project: project, name: 'foo')
+
+        expect(described_class.any_protected?(project, ['foo', 'production/some-branch'])).to eq(true)
+      end
+
+      it 'returns true when any of the branch matches a protected branch via wildcard match' do
+        create(:protected_branch, project: project, name: 'production/*')
+
+        expect(described_class.any_protected?(project, ['foo', 'production/some-branch'])).to eq(true)
+      end
+
+      it 'returns false when none of branches does not match a protected branch via direct match' do
+        expect(described_class.any_protected?(project, ['foo'])).to eq(false)
+      end
+
+      it 'returns false when none of the branches does not match a protected branch via wildcard match' do
+        create(:protected_branch, project: project, name: 'production/*')
+
+        expect(described_class.any_protected?(project, ['staging/some-branch'])).to eq(false)
+      end
+    end
+  end
 end