diff --git a/config/initializers/grack_auth.rb b/config/initializers/grack_auth.rb
index 27a0a1db9037a98ac8d1f44dc60c1141d1469d62..bb34ce6dc54c266b8a0356670aa2106b3f781d21 100644
--- a/config/initializers/grack_auth.rb
+++ b/config/initializers/grack_auth.rb
@@ -18,14 +18,29 @@ module Grack
       elsif @env['REQUEST_METHOD'] == 'POST'
         if @env['REQUEST_URI'].end_with?('git-upload-pack')
           return project.dev_access_for?(user)
-        elsif @env['REQUEST_URI'].end_with?('git-upload-pack')
-          #TODO master branch protection
-          return project.dev_access_for?(user)
+        elsif @env['REQUEST_URI'].end_with?('git-receive-pack')
+          if project.protected_branches.map(&:name).include?(current_ref)
+            project.master_access_for?(user)
+          else
+            project.dev_access_for?(user)
+          end
         else
           false
         end
+      else
+        false
       end
-
     end# valid?
+
+    def current_ref
+      if @env["HTTP_CONTENT_ENCODING"] =~ /gzip/
+        input = Zlib::GzipReader.new(@request.body).string
+      else
+        input = @request.body.string
+      end
+
+      oldrev, newrev, ref = input.split(' ')
+      /refs\/heads\/([\w-]+)/.match(ref).to_a.last
+    end
   end# Auth
 end# Grack