Permission Denied (403): "not permitted: create change" for Public-Contributors on refs/for/master

Giuseppe Valente

May 1, 2026, 6:06:21 PM
to Repo and Gerrit Discussion

I am consistently hitting a 403 Permission Denied error when attempting to push new changes to gerrit-review.googlesource.com. Basic authentication succeeds, but the push is rejected at the ACL layer.

This appears to be an All-Projects ACL regression or a CLA group-sync issue, as the exact same failure occurs across multiple projects (e.g., gerrit, plugins/replication).

Steps to Reproduce:

1. Standard Git Push:

```bash
git -C /Users/gvalente/Developer/gerrit push https://gerrit-review.googlesource.com/a/gerrit HEAD:refs/for/master
```

Result:

```text
remote: PERMISSION_DENIED: The caller does not have permission
remote: request_id: "af134ead98864fb08d3524b327c592e9"
fatal: unable to access 'https://gerrit-review.googlesource.com/a/gerrit/': The requested URL returned error: 403
```

2. REST API Isolation (to bypass Git client quirks):

```bash
# POST /a/changes/
{ "project": "gerrit", "branch": "master", "subject": "Test change" }
```

Result:

```text
"not permitted: create change on refs/heads/master"
```

Account & Environment Details:

To help trace the permission evaluation, here is my current account state:

  • Active Groups: Public-Contributors, google/google-union:signcla

  • CLA Status: Signed and active since 2018.

  • Failing Projects: Confirmed on gerrit and plugins/replication.

  • Recent Request IDs: 048a8651d8104d1fa40229092e535540, af134ead98864fb08d3524b327c592e9, 0d9362a77f7345b19b9761c143bbac88

Expected Behavior:

The Public-Contributors group should have the Push permission on refs/for/* or refs/for/refs/heads/* to successfully create a review.

Could someone please check the server logs against those request_ids or verify if the Public-Contributors group recently lost push rights in the All-Projects config?
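
As an added example (not part of the original post and not Gerrit's own code): a simplified check of which `push` rules in a `project.config` text apply to a `refs/for/` push for a given set of groups. The config fragment is constructed and the helper names are hypothetical; inheritance from parent projects, `exclusiveGroupPermissions` and regex ref patterns, all of which Gerrit's real evaluation takes into account, are not modelled.

```python
import re

# Constructed project.config fragment, not the real All-Projects config.
SAMPLE_CONFIG = """
[access "refs/for/*"]
    addPatchSet = group Public-Contributors
[access "refs/for/refs/heads/*"]
    push = group Administrators
    pushMerge = group Public-Contributors
[access "refs/heads/*"]
    read = group Anonymous Users
"""

def parse_access(text):
    """Return {ref_pattern: [(permission, action, group), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r'\[(\w+)(?:\s+"(.*)")?\]', line)
        if header:
            # Only [access "..."] sections carry permission rules.
            current = sections.setdefault(header.group(2), []) if header.group(1) == "access" else None
            continue
        # Group rules only; label ranges and other keys are skipped.
        rule = re.fullmatch(r'(\w+)\s*=\s*(?:(deny|block)\s+)?(?:\+force\s+)?group\s+(.+)', line)
        if rule and current is not None:
            current.append((rule.group(1), rule.group(2) or "allow", rule.group(3)))
    return sections

def review_ref(push_target):
    """Map a push target such as refs/for/master to refs/for/refs/heads/master."""
    branch = push_target[len("refs/for/"):]
    if not branch.startswith("refs/"):
        branch = "refs/heads/" + branch
    return "refs/for/" + branch

def ref_matches(pattern, ref):
    # Exact and prefix ("/*") patterns only; "^" regex patterns are not handled.
    if pattern.endswith("/*"):
        return ref.startswith(pattern[:-1])
    return pattern == ref

def push_rules(config_text, push_target, groups):
    """List (pattern, action, group) push rules that apply to the given groups."""
    ref = review_ref(push_target)
    return [(pattern, action, group)
            for pattern, rules in parse_access(config_text).items()
            if ref_matches(pattern, ref)
            for perm, action, group in rules
            if perm == "push" and group in groups]
```

An empty result for the account's groups means no `push` rule in that config text covers the review ref, which is the condition the post asks the maintainers to verify. A project's actual `project.config` is stored on its `refs/meta/config` branch.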