"GitLab: You are not allowed to access master!"

Summary

When pushing from a repository satellite back to the bare repo, it fails with the error:

GitLab: You are not allowed to access master!

That also causes the web editor to fail with the error "Your changes could not be committed". Pushing from SSH works fine.

Steps to reproduce

1. Go to a repo satellite (on the server).
2. Run sudo -u git git push.

Expected behavior

Pushing should work completely fine.

Observed behavior

Pushing fails with the following output:

Counting objects: 3, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.56 KiB | 0 bytes/s, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: GitLab: You are not allowed to access master!
remote: error: hook declined to update refs/heads/master
To /home/git/repositories/leo/itframe.git
 ! [remote rejected] master -> master (hook declined)
error: failed to push some refs to '/home/git/repositories/leo/itframe.git'

Investigation

After digging through GitLab's code, I found out that the API call that determines if you're allowed to push is (always) returning false.

Here's the URL being called: https://example.com/api/v3/internal/allowed?action=git-receive-pack&ref=master&project=leo%2Fitframe&forced_push=false&oldrev=aabbcc&newrev=0123456

You can notice that the parameter user_id or key_id is missing from the URL.

It should be: https://example.com/api/v3/internal/allowed?user_id=1&action=git-receive-pack&ref=master&project=leo%2Fitframe&forced_push=false&oldrev=aabbcc&newrev=0123456

That is causing the @actor variable in the gitlab-shell hook to be nil. As it hasn't been passed to the API, that in turn results in always getting false.

Checks

Everything is normal; all tests are passing.

Version

6.9.2, commit e46b644

Setup

System information
System:         Debian 7.5
Current User:   git
Using RVM:      no
Ruby Version:   2.0.0p451
Gem Version:    2.0.14
Bundler Version:1.5.2
Rake Version:   10.3.1
Sidekiq Version:2.17.0

GitLab information
Version:        6.9.2
Revision:       e46b644
Directory:      /opt/gitlab-ce
DB Adapter:     postgresql
URL:            https://git.shoutca.st
HTTP Clone URL: https://git.shoutca.st/some-project.git
SSH Clone URL:  git@git.shoutca.st:some-project.git
Using LDAP:     no
Using Omniauth: no

GitLab Shell
Version:        1.9.6
Repositories:   /home/git/repositories/
Hooks:          /home/git/gitlab-shell/hooks/
Git:            /usr/bin/git

Workaround

Only run the permission check if we're over SSH. This allows the web editor to work, but removes the permission check.

anybody knows how this issue goes????? i have the same error in veriosn 7.0 , 7.1 gitlab-shell 1.9.6

I have the same issue with fresh install on CentOs 7 using gitlab master. I try with "admin" account too and same issue

Hello

I think the problem is with the 'prtected branches' feature. while the project is fresh, it has none protected branches yet and maybe it just defaults to master?

I have the same problem with gitlab 7.1

I encounter a similar problem, new install, trying to make the first push to a brand new repository and getting:

remote: GitLab: You are not allowed to access some of the refs!

I do not see any workaround.

System information
System:         Debian 7.6
Current User:   git
Using RVM:      no
Ruby Version:   2.1.2p95
Gem Version:    2.2.1
Bundler Version:1.5.3
Rake Version:   10.3.2
Sidekiq Version:2.17.0

GitLab information
Version:        7.3.1
Revision:       1660aa2
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            http://gitlab.citrite.net
HTTP Clone URL: http://gitlab.citrite.net/some-project.git
SSH Clone URL:  git@gitlab.citrite.net:some-project.git
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        2.0.0
Repositories:   /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git:            /opt/gitlab/embedded/bin/git

Same here:

Counting objects: 6, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (6/6), 1.21 KiB | 0 bytes/s, done.
Total 6 (delta 1), reused 0 (delta 0)
remote: GitLab: You are not allowed to access master!
remote: error: hook declined to update refs/heads/master

I've just resolved my issues — in my case, I ran the upgrade checks, and gitlab-shell had not been updated correctly. Following the instructions in the upgrade and install documents made everything work again. YMMV.

I guess your are not using the omnibus version, my impression is that omnibus one does not have the upgrade option that is specified at https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/update/upgrader.md

Hey all, is this still an issue?

I can't tell for sure now, since I've commented out the code that was causing the issue.

I can confirm that I have just encountered the same issue as Sorin Ionuț Sbârnea after a recent omnibus upgrade to 7.4.3.

Oddly enough I managed to get the initial commit in but all future pushes result in the 'You are not allowed to access some of the refs!' issue.

Probably related is that when trying to view the files tab of this repository it gives me a nice 500 error in return:

ActionView::Template::Error (undefined method `[]' for nil:NilClass):
    1: - tree, commit = submodule_links(submodule_item)
    2: %tr{ class: "tree-item" }
    3:   %td.tree-item-file-name
    4:     %i.fa.fa-archive
  app/models/repository.rb:162:in `method_missing'
  app/models/repository.rb:228:in `submodule_url_for'
  app/helpers/submodule_helper.rb:6:in `submodule_links'
  app/views/projects/tree/_submodule_item.html.haml:1:in `_app_views_projects_tree__submodule_item_html_haml__4384640364409349176_105165540'
  app/helpers/tree_helper.rb:19:in `render_tree'
  app/views/projects/tree/_tree.html.haml:42:in `_app_views_projects_tree__tree_html_haml___2988518462822513681_38432520'
  app/views/projects/tree/show.html.haml:9:in `_app_views_projects_tree_show_html_haml___4436045749640239496_37867800'
  app/controllers/projects/tree_controller.rb:13:in `show'

@akeynes That looks like it is a completely different error than described in this issue. The error you pasted seems related to #714 (closed) which is a problem with submodules in a repository.

@marin Hmm, that does seem like a similar error although this repository doesn't have any submodules.

In my case it turned out the repository master was a 'protected branch' - turning that off made my 'You are not allowed to access some of the refs!' issue go away.

Not sure how that got activated or if it's on by default now as I definitely didn't activate it.

mentioned in merge request !14 (merged)

mentioned in commit d6c3928e

Seems that the errors described here have all been fixed or were because of the protected branch feature.
I will close this for now.
If you're still encountering this problem, please create a new issue and reference this one in the description.

#community-weekend-feb-2015

Status changed to closed

mentioned in commit b41c488b

mentioned in issue #15296 (closed)

mentioned in issue #20962 (closed)

mentioned in issue #25701 (closed)

mentioned in issue #30431 (closed)