1 files changed, 11 insertions, 5 deletions

diff --git a/app/models/concerns/protected_ref.rb b/app/models/concerns/protected_ref.rb
index 65195a8d5aa..cf23a27244c 100644
--- a/app/models/concerns/protected_ref.rb
+++ b/app/models/concerns/protected_ref.rb
@@ -40,20 +40,26 @@ module ProtectedRef
     end
 
     def protected_ref_accessible_to?(ref, user, project:, action:, protected_refs: nil)
-      access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level|
+      all_matching_rules_allow?(ref, action: action, protected_refs: protected_refs) do |access_level|
         access_level.check_access(user)
       end
     end
 
     def developers_can?(action, ref, protected_refs: nil)
-      access_levels_for_ref(ref, action: action, protected_refs: protected_refs).any? do |access_level|
+      all_matching_rules_allow?(ref, action: action, protected_refs: protected_refs) do |access_level|
         access_level.access_level == Gitlab::Access::DEVELOPER
       end
     end
 
-    def access_levels_for_ref(ref, action:, protected_refs: nil)
-      self.matching(ref, protected_refs: protected_refs)
-        .flat_map(&:"#{action}_access_levels")
+    def all_matching_rules_allow?(ref, action:, protected_refs: nil, &block)
+      access_levels_groups =
+        self.matching(ref, protected_refs: protected_refs).map(&:"#{action}_access_levels")
+
+      return false if access_levels_groups.blank?
+
+      access_levels_groups.all? do |access_levels|
+        access_levels.any?(&block)
+      end
     end
 
     # Returns all protected refs that match the given ref name.