Preventing forced updates


Simon Falsig

Oct 11, 2019, 5:37:29 AM
to Repo and Gerrit Discussion
We just had an issue where a new user, unfamiliar with Gerrit, managed to force push our main repo back to a commit from a month ago. Luckily we realized quickly, and bringing the repo back was not a big deal.

I'm however currently looking into how that was possible, and how to prevent it happening in the future. Currently I can see that I'm also able to force push, as long as I update to a previous commit, already existing on our develop branch. If my tree and Gerrit are at the same head, then the following is allowed, which resets the main repo back one commit:

git push origin HEAD^:refs/heads/develop --force

If I then try force pushing back the original HEAD, then I correctly get an error message with "prohibited by Gerrit: not permitted: update".


I've been looking through our (admittedly, slightly overengineered and nested) permissions projects, but can't see what is currently allowing this, alternatively what permission I can set to disallow it?


We have the following push permissions set (listed from lowest base, up to repo itself):

Base1 permissions:
Push, refs/heads/*: DENY Administrators / Project owners / Registered users

Base2 permissions (inherits from Base1):
Push, refs/for/refs/*: ALLOW Registered users (no force)
Push, refs/heads/*: DENY Registered users

Base3 permissions (inherits from Base2):
Nothing related to push

Project permissions (inherits from Base3):
Push, refs/heads/*: DENY Registered users



Is there anything that I'm missing, or have misunderstood? We're on Gerrit 2.16.7.

Thanks in advance!
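
The push in the post moves develop to a commit that is already in the branch's own history, which Git still treats as a non-fast-forward update. The following is an added example, not part of the original post and not Gerrit's permission logic: it classifies a ref update with `git merge-base --is-ancestor`, as an audit script or server-side check could. The function names and the sample repository (branches `develop` and `side`) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Classifies a branch update from OLD tip to NEW tip.
# Usage: classify_ref_update REPO OLD NEW
# Prints: no-op | fast-forward | rewind | divergent
classify_ref_update() (
    repo=$1
    old=$(git -C "$repo" rev-parse --verify -q "$2^{commit}") || exit 2
    new=$(git -C "$repo" rev-parse --verify -q "$3^{commit}") || exit 2
    if [ "$old" = "$new" ]; then
        echo no-op
    elif git -C "$repo" merge-base --is-ancestor "$old" "$new"; then
        echo fast-forward   # old tip stays reachable, nothing is dropped
    elif git -C "$repo" merge-base --is-ancestor "$new" "$old"; then
        echo rewind         # new tip is older history of the same branch
    else
        echo divergent      # branch moved onto a different line of history
    fi
)

# Constructed sample repository: three commits on develop, one on a side branch.
make_sample_repo() (
    repo=$(mktemp -d) || exit 1
    commit() {
        git -C "$repo" -c user.name=example -c user.email=example@example.invalid \
            -c commit.gpgsign=false commit -q --allow-empty -m "$1"
    }
    git -C "$repo" init -q
    git -C "$repo" symbolic-ref HEAD refs/heads/develop
    commit "commit 1"; commit "commit 2"; commit "commit 3"
    git -C "$repo" checkout -q -b side develop~2
    commit "side commit"
    git -C "$repo" checkout -q develop
    echo "$repo"
)

repo=$(make_sample_repo)
# The push from the post moves develop from HEAD to HEAD^.
echo "develop  -> develop^ : $(classify_ref_update "$repo" develop 'develop^')"
echo "develop^ -> develop  : $(classify_ref_update "$repo" 'develop^' develop)"
echo "develop  -> side     : $(classify_ref_update "$repo" develop side)"
rm -rf "$repo"
```

Both `rewind` and `divergent` remove commits from the branch, so a check that only looks for unrelated history would miss the case described above.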
