1 files changed, 33 insertions, 5 deletions

diff --git a/lib/gitlab/protocol_access.rb b/lib/gitlab/protocol_access.rb
index efeb1e07d49..5bcbf7b5cca 100644
--- a/lib/gitlab/protocol_access.rb
+++ b/lib/gitlab/protocol_access.rb
@@ -2,14 +2,42 @@
 
 module Gitlab
   module ProtocolAccess
-    def self.allowed?(protocol)
-      if protocol == 'web'
-        true
-      elsif Gitlab::CurrentSettings.enabled_git_access_protocol.blank?
+    class << self
+      def allowed?(protocol, project: nil)
+        # Web is always allowed
+        return true if protocol == "web"
+
+        # System settings
+        return false unless instance_allowed?(protocol)
+
+        # Group-level settings
+        return false unless namespace_allowed?(protocol, namespace: project&.root_namespace)
+
+        # Default to allowing all protocols
         true
-      else
+      end
+
+      private
+
+      def instance_allowed?(protocol)
+        # If admin hasn't configured this setting, default to true
+        return true if Gitlab::CurrentSettings.enabled_git_access_protocol.blank?
+
         protocol == Gitlab::CurrentSettings.enabled_git_access_protocol
       end
+
+      def namespace_allowed?(protocol, namespace: nil)
+        # If the namespace parameter was nil, we default to true here
+        return true if namespace.nil?
+
+        # Return immediately if all protocols are allowed
+        return true if namespace.enabled_git_access_protocol == "all"
+
+        # If the setting is somehow nil, such as in an unsaved state, we default to allow
+        return true if namespace.enabled_git_access_protocol.blank?
+
+        protocol == namespace.enabled_git_access_protocol
+      end
     end
   end
 end