From 505e456f26e11d4ee2f7a807a037b11b59defb1f Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Wed, 6 May 2020 13:08:45 +0200
Subject: Protect default branch against deletion (#11115)

Although default branch is not offered for deletion in the templates, we need to prevent it both at the router level and in the pre-receive hook.

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
---
 routers/private/hook.go | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'routers/private')

diff --git a/routers/private/hook.go b/routers/private/hook.go
index de2b03e0b2..4b57aff588 100644
--- a/routers/private/hook.go
+++ b/routers/private/hook.go
@@ -206,6 +206,14 @@ func HookPreReceive(ctx *macaron.Context, opts private.HookOptions) {
 		refFullName := opts.RefFullNames[i]
 
 		branchName := strings.TrimPrefix(refFullName, git.BranchPrefix)
+		if branchName == repo.DefaultBranch && newCommitID == git.EmptySHA {
+			log.Warn("Forbidden: Branch: %s is the default branch in %-v and cannot be deleted", branchName, repo)
+			ctx.JSON(http.StatusForbidden, map[string]interface{}{
+				"err": fmt.Sprintf("branch %s is the default branch and cannot be deleted", branchName),
+			})
+			return
+		}
+
 		protectBranch, err := models.GetProtectedBranchBy(repo.ID, branchName)
 		if err != nil {
 			log.Error("Unable to get protected branch: %s in %-v Error: %v", branchName, repo, err)
-- 
cgit v1.2.3