1 files changed, 10 insertions, 2 deletions

diff --git a/lib/api/protected_branches.rb b/lib/api/protected_branches.rb
index a50208d78d7..3d9abe23638 100644
--- a/lib/api/protected_branches.rb
+++ b/lib/api/protected_branches.rb
@@ -6,8 +6,6 @@ module API
 
     BRANCH_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(name: API::NO_SLASH_URL_PART_REGEX)
 
-    before { authorize_admin_project }
-
     feature_category :source_code_management
 
     helpers Helpers::ProtectedBranchesHelpers
@@ -33,6 +31,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       get ':id/protected_branches' do
+        authorize_read_code!
+
         protected_branches =
           ProtectedBranchesFinder
             .new(user_project, params)
@@ -55,6 +55,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       get ':id/protected_branches/:name', requirements: BRANCH_ENDPOINT_REQUIREMENTS do
+        authorize_read_code!
+
         protected_branch = user_project.protected_branches.find_by!(name: params[:name])
 
         present protected_branch, with: Entities::ProtectedBranch, project: user_project
@@ -86,6 +88,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       post ':id/protected_branches' do
+        authorize_admin_project
+
         protected_branch = user_project.protected_branches.find_by(name: params[:name])
 
         if protected_branch
@@ -123,6 +127,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       patch ':id/protected_branches/:name', requirements: BRANCH_ENDPOINT_REQUIREMENTS do
+        authorize_admin_project
+
         protected_branch = user_project.protected_branches.find_by!(name: params[:name])
 
         declared_params = declared_params(include_missing: false)
@@ -150,6 +156,8 @@ module API
       end
       # rubocop: disable CodeReuse/ActiveRecord
       delete ':id/protected_branches/:name', requirements: BRANCH_ENDPOINT_REQUIREMENTS, urgency: :low do
+        authorize_admin_project
+
         protected_branch = user_project.protected_branches.find_by!(name: params[:name])
 
         destroy_conditionally!(protected_branch) do