Admins count as masters too.

1. In the context of protected branches.

2. Test this behaviour.

app/models/project_team.rb

@@ -120,6 +120,14 @@ class ProjectTeam
     max_member_access(user.id) == Gitlab::Access::MASTER
   end
 
+  def master_or_greater?(user)
+    master?(user) || user.is_admin?
+  end
+
+  def developer_or_greater?(user)
+    master_or_greater?(user) || developer?(user)
+  end
+
   def member?(user, min_member_access = nil)
     member = !!find_member(user.id)
 

app/models/protected_branch/merge_access_level.rb

@@ -13,9 +13,9 @@ class ProtectedBranch::MergeAccessLevel < ActiveRecord::Base
 
   def check_access(user)
     if masters?
-      user.can?(:push_code, project) if project.team.master?(user)
+      user.can?(:push_code, project) if project.team.master_or_greater?(user)
     elsif developers?
-      user.can?(:push_code, project) if project.team.master?(user) || project.team.developer?(user)
+      user.can?(:push_code, project) if project.team.developer_or_greater?(user)
     end
   end
 

app/models/protected_branch/push_access_level.rb

@@ -14,9 +14,9 @@ class ProtectedBranch::PushAccessLevel < ActiveRecord::Base
 
   def check_access(user)
     if masters?
-      user.can?(:push_code, project) if project.team.master?(user)
+      user.can?(:push_code, project) if project.team.master_or_greater?(user)
     elsif developers?
-      user.can?(:push_code, project) if project.team.master?(user) || project.team.developer?(user)
+      user.can?(:push_code, project) if project.team.developer_or_greater?(user)
     elsif no_one?
       false
     end

spec/lib/gitlab/git_access_spec.rb

@@ -167,7 +167,13 @@ describe Gitlab::GitAccess, lib: true do
     def self.run_permission_checks(permissions_matrix)
       permissions_matrix.keys.each do |role|
         describe "#{role} access" do
-          before { project.team << [user, role] }
+          before do
+            if role == :admin
+              user.update_attribute(:admin, true)
+            else
+              project.team << [user, role]
+            end
+          end
 
           permissions_matrix[role].each do |action, allowed|
             context action do
@@ -181,6 +187,17 @@ describe Gitlab::GitAccess, lib: true do
     end
 
     permissions_matrix = {
+      admin: {
+        push_new_branch: true,
+        push_master: true,
+        push_protected_branch: true,
+        push_remove_protected_branch: false,
+        push_tag: true,
+        push_new_tag: true,
+        push_all: true,
+        merge_into_protected_branch: true
+      },
+
       master: {
         push_new_branch: true,
         push_master: true,
@@ -246,7 +263,7 @@ describe Gitlab::GitAccess, lib: true do
           context "when the merge request is in progress" do
             before do
               create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature',
-                                     state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
+                     state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
             end
 
             context "when the merge request is not in progress" do
@@ -278,7 +295,8 @@ describe Gitlab::GitAccess, lib: true do
         before { create(:protected_branch, :no_one_can_push, name: protected_branch_name, project: project) }
 
         run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
-                                                            master: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
+                                                            master: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
+                                                            admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
       end
     end