From 1c8481a18fc7fddcda08963176c7189e2f07e872 Mon Sep 17 00:00:00 2001 From: Barak Amar Date: Thu, 23 Feb 2023 16:04:25 +0200 Subject: [PATCH] Branch protection status code should be 403 (#5273) * Branch protection status code should be 403 * apply code review changes * fix indent * fix dup Forbidden message type --- api/swagger.yml | 24 ++++++--- clients/java/api/openapi.yaml | 50 ++++++++++++++++--- clients/java/docs/BranchesApi.md | 1 + clients/java/docs/CommitsApi.md | 1 + clients/java/docs/ImportApi.md | 2 +- clients/java/docs/ObjectsApi.md | 3 ++ clients/java/docs/RefsApi.md | 1 + .../io/lakefs/clients/api/BranchesApi.java | 4 ++ .../io/lakefs/clients/api/CommitsApi.java | 4 ++ .../java/io/lakefs/clients/api/ImportApi.java | 8 +-- .../io/lakefs/clients/api/ObjectsApi.java | 12 +++++ .../java/io/lakefs/clients/api/RefsApi.java | 4 ++ clients/python/docs/BranchesApi.md | 1 + clients/python/docs/CommitsApi.md | 1 + clients/python/docs/ImportApi.md | 2 +- clients/python/docs/ObjectsApi.md | 3 ++ clients/python/docs/RefsApi.md | 1 + docs/assets/js/swagger.yml | 24 ++++++--- pkg/api/controller.go | 3 +- pkg/api/controller_test.go | 23 +++++++-- pkg/graveler/errors.go | 5 +- 21 files changed, 145 insertions(+), 32 deletions(-) diff --git a/api/swagger.yml b/api/swagger.yml index bc0b8aaf7c3..870d1380870 100644 --- a/api/swagger.yml +++ b/api/swagger.yml @@ -79,12 +79,6 @@ components: application/json: schema: $ref: "#/components/schemas/Error" - Forbidden: - description: Access is forbidden - content: - application/json: - schema: - $ref: "#/components/schemas/Error" NotFound: description: Resource Not Found content: @@ -103,6 +97,12 @@ components: application/json: schema: $ref: "#/components/schemas/Error" + Forbidden: + description: Forbidden + content: + application/json: + schema: + $ref: "#/components/schemas/Error" ValidationError: description: Validation Error content: 
@@ -2592,6 +2592,8 @@ paths: $ref: "#/components/responses/ValidationError" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: @@ -2643,6 +2645,8 @@ paths: description: branch deleted successfully 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: @@ -2749,6 +2753,8 @@ paths: $ref: "#/components/responses/ValidationError" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" 409: @@ -3286,6 +3292,8 @@ paths: $ref: "#/components/responses/ValidationError" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" 412: @@ -3302,6 +3310,8 @@ paths: description: object deleted successfully 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: @@ -3339,6 +3349,8 @@ paths: $ref: "#/components/schemas/ObjectErrorList" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: diff --git a/clients/java/api/openapi.yaml b/clients/java/api/openapi.yaml index f04a1b6ecbf..7f153e25415 100644 --- a/clients/java/api/openapi.yaml +++ b/clients/java/api/openapi.yaml @@ -2447,6 +2447,12 @@ paths: schema: $ref: '#/components/schemas/Error' description: Unauthorized + "403": + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + description: Forbidden "404": content: application/json: 
@@ -2497,6 +2503,12 @@ paths: schema: $ref: '#/components/schemas/Error' description: Unauthorized + "403": + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + description: Forbidden "404": content: application/json: @@ -2721,6 +2733,12 @@ paths: schema: $ref: '#/components/schemas/Error' description: Unauthorized + "403": + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + description: Forbidden "404": content: application/json: @@ -3405,7 +3423,7 @@ paths: application/json: schema: $ref: '#/components/schemas/Error' - description: Access is forbidden + description: Forbidden "404": content: application/json: @@ -3511,6 +3529,12 @@ paths: schema: $ref: '#/components/schemas/Error' description: Unauthorized + "403": + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + description: Forbidden "404": content: application/json: @@ -3600,6 +3624,12 @@ paths: schema: $ref: '#/components/schemas/Error' description: Unauthorized + "403": + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + description: Forbidden "404": content: application/json: @@ -3727,6 +3757,12 @@ paths: schema: $ref: '#/components/schemas/Error' description: Unauthorized + "403": + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + description: Forbidden "404": content: application/json: @@ -5012,12 +5048,6 @@ components: schema: $ref: '#/components/schemas/Error' description: Internal Server Error - Forbidden: - content: - application/json: - schema: - $ref: '#/components/schemas/Error' - description: Access is forbidden NotFound: content: application/json: @@ -5036,6 +5066,12 @@ components: schema: $ref: '#/components/schemas/Error' description: Precondition Failed + Forbidden: + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + description: Forbidden ValidationError: content: application/json: 
diff --git a/clients/java/docs/BranchesApi.md b/clients/java/docs/BranchesApi.md index 0bd87ed340b..76e9cbd84dc 100644 --- a/clients/java/docs/BranchesApi.md +++ b/clients/java/docs/BranchesApi.md @@ -185,6 +185,7 @@ null (empty response body) |-------------|-------------|------------------| **204** | branch deleted successfully | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | diff --git a/clients/java/docs/CommitsApi.md b/clients/java/docs/CommitsApi.md index 8ad44b04737..35fead4916c 100644 --- a/clients/java/docs/CommitsApi.md +++ b/clients/java/docs/CommitsApi.md @@ -98,6 +98,7 @@ Name | Type | Description | Notes **201** | commit | - | **400** | Validation Error | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **412** | Precondition Failed (e.g. a pre-commit hook returned a failure) | - | **0** | Internal Server Error | - | diff --git a/clients/java/docs/ImportApi.md b/clients/java/docs/ImportApi.md index bc80ba388de..cc46f2d80b0 100644 --- a/clients/java/docs/ImportApi.md +++ b/clients/java/docs/ImportApi.md @@ -93,7 +93,7 @@ Name | Type | Description | Notes **201** | metarange metadata | - | **400** | Validation Error | - | **401** | Unauthorized | - | -**403** | Access is forbidden | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | diff --git a/clients/java/docs/ObjectsApi.md b/clients/java/docs/ObjectsApi.md index 75dcafebfde..d364be13fe9 100644 --- a/clients/java/docs/ObjectsApi.md +++ b/clients/java/docs/ObjectsApi.md @@ -193,6 +193,7 @@ null (empty response body) |-------------|-------------|------------------| **204** | object deleted successfully | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | 
@@ -282,6 +283,7 @@ Name | Type | Description | Notes |-------------|-------------|------------------| **200** | Delete objects response | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | @@ -942,6 +944,7 @@ Name | Type | Description | Notes **201** | object metadata | - | **400** | Validation Error | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **412** | Precondition Failed | - | **0** | Internal Server Error | - | diff --git a/clients/java/docs/RefsApi.md b/clients/java/docs/RefsApi.md index 98111788cd4..a410ae9ae38 100644 --- a/clients/java/docs/RefsApi.md +++ b/clients/java/docs/RefsApi.md @@ -382,6 +382,7 @@ Name | Type | Description | Notes **200** | merge completed | - | **400** | Validation Error | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **409** | Conflict Deprecated: content schema will return Error format and not an empty MergeResult | - | **412** | precondition failed (e.g. a pre-merge hook returned a failure) | - | diff --git a/clients/java/src/main/java/io/lakefs/clients/api/BranchesApi.java b/clients/java/src/main/java/io/lakefs/clients/api/BranchesApi.java index 71dfbeadae5..6a6b01c2187 100644 --- a/clients/java/src/main/java/io/lakefs/clients/api/BranchesApi.java +++ b/clients/java/src/main/java/io/lakefs/clients/api/BranchesApi.java @@ -213,6 +213,7 @@ public okhttp3.Call createBranchAsync(String repository, BranchCreation branchCr Status Code Description Response Headers 204 branch deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -279,6 +280,7 @@ private okhttp3.Call deleteBranchValidateBeforeCall(String repository, String br Status Code Description Response Headers 204 branch deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - 
@@ -299,6 +301,7 @@ public void deleteBranch(String repository, String branch) throws ApiException { Status Code Description Response Headers 204 branch deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -321,6 +324,7 @@ public ApiResponse deleteBranchWithHttpInfo(String repository, String bran Status Code Description Response Headers 204 branch deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - diff --git a/clients/java/src/main/java/io/lakefs/clients/api/CommitsApi.java b/clients/java/src/main/java/io/lakefs/clients/api/CommitsApi.java index 6a2d152686f..d136b34fa85 100644 --- a/clients/java/src/main/java/io/lakefs/clients/api/CommitsApi.java +++ b/clients/java/src/main/java/io/lakefs/clients/api/CommitsApi.java @@ -72,6 +72,7 @@ public void setApiClient(ApiClient apiClient) { 201 commit - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed (e.g. a pre-commit hook returned a failure) - 0 Internal Server Error - @@ -152,6 +153,7 @@ private okhttp3.Call commitValidateBeforeCall(String repository, String branch, 201 commit - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed (e.g. a pre-commit hook returned a failure) - 0 Internal Server Error - @@ -177,6 +179,7 @@ public Commit commit(String repository, String branch, CommitCreation commitCrea 201 commit - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed (e.g. a pre-commit hook returned a failure) - 0 Internal Server Error - @@ -204,6 +207,7 @@ public ApiResponse commitWithHttpInfo(String repository, String branch, 201 commit - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed (e.g. a pre-commit hook returned a failure) - 0 Internal Server Error - 
diff --git a/clients/java/src/main/java/io/lakefs/clients/api/ImportApi.java b/clients/java/src/main/java/io/lakefs/clients/api/ImportApi.java index d4bb2a24b8b..e254367fd44 100644 --- a/clients/java/src/main/java/io/lakefs/clients/api/ImportApi.java +++ b/clients/java/src/main/java/io/lakefs/clients/api/ImportApi.java @@ -71,7 +71,7 @@ public void setApiClient(ApiClient apiClient) { 201 metarange metadata - 400 Validation Error - 401 Unauthorized - - 403 Access is forbidden - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -139,7 +139,7 @@ private okhttp3.Call createMetaRangeValidateBeforeCall(String repository, MetaRa 201 metarange metadata - 400 Validation Error - 401 Unauthorized - - 403 Access is forbidden - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -162,7 +162,7 @@ public MetaRangeCreationResponse createMetaRange(String repository, MetaRangeCre 201 metarange metadata - 400 Validation Error - 401 Unauthorized - - 403 Access is forbidden - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -187,7 +187,7 @@ public ApiResponse createMetaRangeWithHttpInfo(String 201 metarange metadata - 400 Validation Error - 401 Unauthorized - - 403 Access is forbidden - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - diff --git a/clients/java/src/main/java/io/lakefs/clients/api/ObjectsApi.java b/clients/java/src/main/java/io/lakefs/clients/api/ObjectsApi.java index 67317d5d1d4..000c3dbb2be 100644 --- a/clients/java/src/main/java/io/lakefs/clients/api/ObjectsApi.java +++ b/clients/java/src/main/java/io/lakefs/clients/api/ObjectsApi.java @@ -235,6 +235,7 @@ public okhttp3.Call copyObjectAsync(String repository, String branch, String des Status Code Description Response Headers 204 object deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - 
@@ -311,6 +312,7 @@ private okhttp3.Call deleteObjectValidateBeforeCall(String repository, String br Status Code Description Response Headers 204 object deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -332,6 +334,7 @@ public void deleteObject(String repository, String branch, String path) throws A Status Code Description Response Headers 204 object deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -355,6 +358,7 @@ public ApiResponse deleteObjectWithHttpInfo(String repository, String bran Status Code Description Response Headers 204 object deleted successfully - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -378,6 +382,7 @@ public okhttp3.Call deleteObjectAsync(String repository, String branch, String p Status Code Description Response Headers 200 Delete objects response - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -451,6 +456,7 @@ private okhttp3.Call deleteObjectsValidateBeforeCall(String repository, String b Status Code Description Response Headers 200 Delete objects response - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -473,6 +479,7 @@ public ObjectErrorList deleteObjects(String repository, String branch, PathList Status Code Description Response Headers 200 Delete objects response - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - @@ -497,6 +504,7 @@ public ApiResponse deleteObjectsWithHttpInfo(String repository, Status Code Description Response Headers 200 Delete objects response - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 0 Internal Server Error - 
@@ -1523,6 +1531,7 @@ public okhttp3.Call statObjectAsync(String repository, String ref, String path, 201 object metadata - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed - 0 Internal Server Error - @@ -1617,6 +1626,7 @@ private okhttp3.Call uploadObjectValidateBeforeCall(String repository, String br 201 object metadata - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed - 0 Internal Server Error - @@ -1644,6 +1654,7 @@ public ObjectStats uploadObject(String repository, String branch, String path, S 201 object metadata - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed - 0 Internal Server Error - @@ -1673,6 +1684,7 @@ public ApiResponse uploadObjectWithHttpInfo(String repository, Stri 201 object metadata - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 412 Precondition Failed - 0 Internal Server Error - diff --git a/clients/java/src/main/java/io/lakefs/clients/api/RefsApi.java b/clients/java/src/main/java/io/lakefs/clients/api/RefsApi.java index d3ada7bf987..7b8e4230566 100644 --- a/clients/java/src/main/java/io/lakefs/clients/api/RefsApi.java +++ b/clients/java/src/main/java/io/lakefs/clients/api/RefsApi.java @@ -560,6 +560,7 @@ public okhttp3.Call logCommitsAsync(String repository, String ref, String after, 200 merge completed - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 409 Conflict Deprecated: content schema will return Error format and not an empty MergeResult - 412 precondition failed (e.g. a pre-merge hook returned a failure) - 
@@ -638,6 +639,7 @@ private okhttp3.Call mergeIntoBranchValidateBeforeCall(String repository, String 200 merge completed - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 409 Conflict Deprecated: content schema will return Error format and not an empty MergeResult - 412 precondition failed (e.g. a pre-merge hook returned a failure) - @@ -664,6 +666,7 @@ public MergeResult mergeIntoBranch(String repository, String sourceRef, String d 200 merge completed - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 409 Conflict Deprecated: content schema will return Error format and not an empty MergeResult - 412 precondition failed (e.g. a pre-merge hook returned a failure) - @@ -692,6 +695,7 @@ public ApiResponse mergeIntoBranchWithHttpInfo(String repository, S 200 merge completed - 400 Validation Error - 401 Unauthorized - + 403 Forbidden - 404 Resource Not Found - 409 Conflict Deprecated: content schema will return Error format and not an empty MergeResult - 412 precondition failed (e.g. a pre-merge hook returned a failure) - diff --git a/clients/python/docs/BranchesApi.md b/clients/python/docs/BranchesApi.md index 9b5b6ea5df3..9eadc05c3a1 100644 --- a/clients/python/docs/BranchesApi.md +++ b/clients/python/docs/BranchesApi.md @@ -215,6 +215,7 @@ void (empty response body) |-------------|-------------|------------------| **204** | branch deleted successfully | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | diff --git a/clients/python/docs/CommitsApi.md b/clients/python/docs/CommitsApi.md index 288e5f70dd9..2cab7e1843a 100644 --- a/clients/python/docs/CommitsApi.md +++ b/clients/python/docs/CommitsApi.md 
@@ -127,6 +127,7 @@ Name | Type | Description | Notes **201** | commit | - | **400** | Validation Error | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **412** | Precondition Failed (e.g. a pre-commit hook returned a failure) | - | **0** | Internal Server Error | - | diff --git a/clients/python/docs/ImportApi.md b/clients/python/docs/ImportApi.md index f69c0c82224..cfdb16f6fa0 100644 --- a/clients/python/docs/ImportApi.md +++ b/clients/python/docs/ImportApi.md @@ -117,7 +117,7 @@ Name | Type | Description | Notes **201** | metarange metadata | - | **400** | Validation Error | - | **401** | Unauthorized | - | -**403** | Access is forbidden | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | diff --git a/clients/python/docs/ObjectsApi.md b/clients/python/docs/ObjectsApi.md index 55b425a4090..e19b36d99a4 100644 --- a/clients/python/docs/ObjectsApi.md +++ b/clients/python/docs/ObjectsApi.md @@ -224,6 +224,7 @@ void (empty response body) |-------------|-------------|------------------| **204** | object deleted successfully | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | @@ -333,6 +334,7 @@ Name | Type | Description | Notes |-------------|-------------|------------------| **200** | Delete objects response | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **0** | Internal Server Error | - | @@ -1147,6 +1149,7 @@ Name | Type | Description | Notes **201** | object metadata | - | **400** | Validation Error | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **412** | Precondition Failed | - | **0** | Internal Server Error | - | diff --git a/clients/python/docs/RefsApi.md b/clients/python/docs/RefsApi.md index ca3bc589202..080cd298528 100644 --- a/clients/python/docs/RefsApi.md 
+++ b/clients/python/docs/RefsApi.md @@ -478,6 +478,7 @@ Name | Type | Description | Notes **200** | merge completed | - | **400** | Validation Error | - | **401** | Unauthorized | - | +**403** | Forbidden | - | **404** | Resource Not Found | - | **409** | Conflict Deprecated: content schema will return Error format and not an empty MergeResult | - | **412** | precondition failed (e.g. a pre-merge hook returned a failure) | - | diff --git a/docs/assets/js/swagger.yml b/docs/assets/js/swagger.yml index bc0b8aaf7c3..870d1380870 100644 --- a/docs/assets/js/swagger.yml +++ b/docs/assets/js/swagger.yml @@ -79,12 +79,6 @@ components: application/json: schema: $ref: "#/components/schemas/Error" - Forbidden: - description: Access is forbidden - content: - application/json: - schema: - $ref: "#/components/schemas/Error" NotFound: description: Resource Not Found content: @@ -103,6 +97,12 @@ components: application/json: schema: $ref: "#/components/schemas/Error" + Forbidden: + description: Forbidden + content: + application/json: + schema: + $ref: "#/components/schemas/Error" ValidationError: description: Validation Error content: @@ -2592,6 +2592,8 @@ paths: $ref: "#/components/responses/ValidationError" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: @@ -2643,6 +2645,8 @@ paths: description: branch deleted successfully 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: @@ -2749,6 +2753,8 @@ paths: $ref: "#/components/responses/ValidationError" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" 409: 
@@ -3286,6 +3292,8 @@ paths: $ref: "#/components/responses/ValidationError" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" 412: @@ -3302,6 +3310,8 @@ paths: description: object deleted successfully 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: @@ -3339,6 +3349,8 @@ paths: $ref: "#/components/schemas/ObjectErrorList" 401: $ref: "#/components/responses/Unauthorized" + 403: + $ref: "#/components/responses/Forbidden" 404: $ref: "#/components/responses/NotFound" default: diff --git a/pkg/api/controller.go b/pkg/api/controller.go index e10ce302d5e..ad6e1876e51 100644 --- a/pkg/api/controller.go +++ b/pkg/api/controller.go @@ -1828,7 +1828,8 @@ func (c *Controller) handleAPIErrorCallback(ctx context.Context, w http.Response cb(w, r, http.StatusNotFound, err) case errors.Is(err, store.ErrForbidden), - errors.Is(err, local.ErrForbidden): + errors.Is(err, local.ErrForbidden), + errors.Is(err, graveler.ErrProtectedBranch): cb(w, r, http.StatusForbidden, err) case errors.Is(err, graveler.ErrDirtyBranch), diff --git a/pkg/api/controller_test.go b/pkg/api/controller_test.go index d1718ac6511..444fad59f53 100644 --- a/pkg/api/controller_test.go +++ b/pkg/api/controller_test.go @@ -22,11 +22,8 @@ import ( "text/template" "time" - "github.com/deepmap/oapi-codegen/pkg/securityprovider" - - tablediff "github.com/treeverse/lakefs/pkg/plugins/diff" - "github.com/davecgh/go-spew/spew" + "github.com/deepmap/oapi-codegen/pkg/securityprovider" "github.com/go-openapi/swag" "github.com/go-test/deep" "github.com/hashicorp/go-multierror" 
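Review bot: The added `errors.Is(err, graveler.ErrProtectedBranch)` arm in handleAPIErrorCallback takes effect for every handler that routes its errors through this switch, while the spec hunks in this patch declare 403 on only six operations (commit, deleteBranch, mergeIntoBranch, uploadObject, deleteObject, deleteObjects). Any other branch-writing endpoint that can surface a protected-branch error would then return a 403 its spec entry does not list, and the generated clients would have no typed field for it; which endpoints those are is not visible in this diff, so the list should be checked against api/swagger.yml. Because the arm shares `http.StatusForbidden` with `store.ErrForbidden` and `local.ErrForbidden`, a short comment would help anyone reading access logs or alerting on 403s, for example `// branch protection is a policy denial, not a storage permission error; both map to 403`. The switch starts and ends outside the hunk.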
@@ -42,6 +39,7 @@ import ( "github.com/treeverse/lakefs/pkg/graveler" "github.com/treeverse/lakefs/pkg/httputil" "github.com/treeverse/lakefs/pkg/ingest/store" + tablediff "github.com/treeverse/lakefs/pkg/plugins/diff" "github.com/treeverse/lakefs/pkg/stats" "github.com/treeverse/lakefs/pkg/testutil" "github.com/treeverse/lakefs/pkg/upload" @@ -868,6 +866,23 @@ func TestController_CommitHandler(t *testing.T) { t.Errorf("creation date expected %d, got: %d", date, resp.JSON201.CreationDate) } }) + + t.Run("protected branch", func(t *testing.T) { + repo := testUniqueRepoName() + _, err := deps.catalog.CreateRepository(ctx, repo, onBlock(deps, repo), "main") + testutil.MustDo(t, "create repository", err) + err = deps.catalog.CreateBranchProtectionRule(ctx, repo, "main", []graveler.BranchProtectionBlockedAction{graveler.BranchProtectionBlockedAction_COMMIT}) + testutil.MustDo(t, "protection rule", err) + err = deps.catalog.CreateEntry(ctx, repo, "main", catalog.DBEntry{Path: "foo/bar", PhysicalAddress: "pa", CreationDate: time.Now(), Size: 666, Checksum: "cs", Metadata: nil}) + testutil.MustDo(t, "commit to protected branch", err) + resp, err := clt.CommitWithResponse(ctx, repo, "main", &api.CommitParams{}, api.CommitJSONRequestBody{ + Message: "committed to protected branch", + }) + testutil.Must(t, err) + if resp.JSON403 == nil { + t.Fatalf("Commit to protected branch should be forbidden (403), got %s", resp.Status()) + } + }) } func TestController_CreateRepositoryHandler(t *testing.T) { diff --git a/pkg/graveler/errors.go b/pkg/graveler/errors.go index a3b19b8015b..40ce30f9eed 100644 --- a/pkg/graveler/errors.go +++ b/pkg/graveler/errors.go 
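Review bot: The new "protected branch" subtest creates a rule that blocks only `graveler.BranchProtectionBlockedAction_COMMIT`, so the 403 mapping this patch also gives ErrWriteToProtectedBranch (presumably the upload and delete paths) is not exercised. A sibling subtest with a rule that blocks staging writes, followed by an upload or delete call that asserts `resp.JSON403 != nil`, would cover it. The label in `testutil.MustDo(t, "commit to protected branch", err)` is attached to the CreateEntry call, which is expected to succeed, so a failure there would be reported under a misleading name; `"create entry"` would be clearer. Checking the message carried in `resp.JSON403` as well would keep a 403 raised for some other reason from satisfying the test.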
@@ -17,9 +17,10 @@ var (
 ErrNotFound = wrapError(kv.ErrNotFound, "not found")
 ErrNotUnique = wrapError(ErrUserVisible, "not unique")
 ErrPreconditionFailed = errors.New("precondition failed")
- ErrWriteToProtectedBranch = wrapError(ErrUserVisible, "cannot write to protected branch")
+ ErrProtectedBranch = errors.New("protected branch")
+ ErrWriteToProtectedBranch = wrapError(ErrProtectedBranch, "cannot write to protected branch")
 ErrReadingFromStore = errors.New("cannot read from store")
- ErrCommitToProtectedBranch = wrapError(ErrUserVisible, "cannot commit to protected branch")
+ ErrCommitToProtectedBranch = wrapError(ErrProtectedBranch, "cannot commit to protected branch")
 ErrInvalidValue = fmt.Errorf("invalid value: %w", ErrInvalid)
 ErrInvalidMergeBase = fmt.Errorf("only 2 commits allowed in FindMergeBase: %w", ErrInvalidValue)
 ErrNoCommitGeneration = errors.New("no commit generation")
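Review bot: ErrWriteToProtectedBranch and ErrCommitToProtectedBranch stop matching `errors.Is(err, ErrUserVisible)` here, because their new parent `ErrProtectedBranch` is built with `errors.New` and has no link to ErrUserVisible. Any caller outside this diff that uses that match to decide whether an error message may be shown to the user would change behaviour for these two errors without notice. If that match is still wanted, `ErrProtectedBranch = wrapError(ErrUserVisible, "protected branch")` should keep both sentinels in the chain, assuming wrapError preserves its parent as the neighbouring entries suggest. Either way the new sentinel deserves a comment, for example `// ErrProtectedBranch is the parent of all branch-protection denials; the API layer maps it to 403.`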