* dont allow protect/unprotect branches for users without master permissions
* dont allow access to Repository api for guests