restrict ability to delete branches to REPO_ADMIN


    • Type: Suggestion
    • Resolution: Duplicate
    • None
    • Component/s: API - REST, UI
    • None

      In order to protect maintenance and release branches in Stash from being deleted via git push using refspecs, we used the ref-change-settings plugin. This restricted the ability to delete branches only to administrators.

      Unfortunately, with release 2.8, Stash allows anyone with the REPO_WRITE permission on a repository to delete any branch in that repository from the Branches tab in the Stash UI (see STASH-3347).

      This was followed by the new REST API offered by the Branch Utilities Plugin, which also allowed anyone with the REPO_WRITE permission on a repository to delete any branch in that repository.

      The ref-change-settings plugin does not get called here and thus cannot help us protect these branches anymore.

      It would be a good idea to restrict such destructive actions (as was the intent of the ref-change-settings plugin) to a smaller group of people (e.g. people with the REPO_ADMIN permission).

            Assignee:
            Unassigned
            Reporter:
            george thomas
            Votes:
            1
            Watchers:
            7

              Created:
              Updated:
              Resolved: