Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.
request #27538
Fine grained permissions are not checked when creating a branch with REST API