Azure DevOps - Default permissions for force push on a branch
This error caught me by surprise today:
C:\dev\git\project [feature ↓1 ↑2 +1 ~0 -0 !]> git push --force-with-lease
Enumerating objects: 22, done.
Counting objects: 100% (22/22), done.
Delta compression using up to 8 threads
Compressing objects: 100% (5/5), done.
Writing objects: 100% (12/12), 1.61 KiB | 824.00 KiB/s, done.
Total 12 (delta 6), reused 8 (delta 4)
remote: Analyzing objects... (12/12) (8 ms)
remote: Storing packfile... done (115 ms)
remote: Storing index... done (81 ms)
To https://mytenancy.visualstudio.com/repo/_git/project
 ! [remote rejected] feature -> feature (TF401027: You need the Git 'ForcePush' permission to perform this action. Details: identity '93086622-abb9-4886-b994-502e7f2afc21\[email protected]', scope 'branch'.)
error: failed to push some refs to 'https://mytenancy.visualstudio.com/repo/_git/project'
I was trying to push a change to a Git branch in Azure DevOps Repos. I’d just done an interactive rebase to update history on the branch and was trying to force push my changes - something I’ve done countless times before.
Reviewing the permissions for this repository, the Force push (rewrite history, delete branches and tags) permission was Not Set (i.e. neither explicitly allowed nor denied). Checking other projects and repositories, this was also the case, so what’s different?
Well, one thing that’s different is that I didn’t create this branch - it was created by another developer. Force pushing to a shared branch is generally frowned upon (if it isn’t coordinated, it can cause all kinds of problems), and so it seems Azure DevOps helps guard against this problem by defaulting to granting the Force Push permission just to the branch creator (and also to users who are a Project administrator, as set in the Project details page of Project Settings).
Because I didn’t create the original branch and I was not a project administrator in this particular project, no push for me!
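To see why a repository-level "Not Set" and a branch-level rejection can coexist, the following sketch audits explicit ForcePush grants on a single branch from access control list data. It is an added example, not code from the original post or from Microsoft. It assumes that ForcePush is bit 8 of the Git Repositories security namespace, that branch tokens hex-encode each branch name segment as UTF-16LE, and that ACLs have the `token` / `acesDictionary` / `allow` / `deny` shape; the IDs, identities and bitmasks in the sample data are constructed.

```python
# Added example: all sample data below is constructed, not from a real organization.
FORCE_PUSH = 0x8  # assumed bit for 'ForcePush' in the Git Repositories namespace


def branch_token(project_id, repo_id, branch):
    """Security token scoped to one branch. Each path segment of the branch
    name is hex-encoded as UTF-16LE (assumed token layout)."""
    segments = [s.encode("utf-16-le").hex() for s in branch.split("/")]
    return f"repoV2/{project_id}/{repo_id}/refs/heads/" + "/".join(segments)


def force_push_state(allow, deny):
    """Map one ACE's allow/deny bitmasks to the state shown in the UI."""
    if deny & FORCE_PUSH:
        return "Deny"       # deny takes precedence over allow
    if allow & FORCE_PUSH:
        return "Allow"
    return "Not set"        # neither explicitly allowed nor denied


def who_can_force_push(acls, token):
    """Identities with an explicit ForcePush allow on exactly this token."""
    for acl in acls:
        if acl["token"] == token:
            return sorted(ident for ident, ace in acl["acesDictionary"].items()
                          if force_push_state(ace["allow"], ace["deny"]) == "Allow")
    return []


# Constructed placeholders for the project, repository and identities.
PROJECT, REPO = "PROJECT-ID", "REPO-ID"
SAMPLE_ACLS = [
    {   # repository scope: Contributors can contribute, ForcePush is Not set
        "token": f"repoV2/{PROJECT}/{REPO}",
        "acesDictionary": {"contributors@example.test": {"allow": 0x4, "deny": 0}},
    },
    {   # branch scope: only the branch creator received ForcePush
        "token": branch_token(PROJECT, REPO, "feature"),
        "acesDictionary": {"creator@example.test": {"allow": 0x4 | 0x8, "deny": 0}},
    },
]

if __name__ == "__main__":
    token = branch_token(PROJECT, REPO, "feature")
    print(token)
    print("ForcePush on 'feature':", who_can_force_push(SAMPLE_ACLS, token))
```

Confirm the bit value and token layout against your own organization's Git Repositories namespace definition before relying on the result.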