diff --git a/app/services/protected_branches/base_service.rb b/app/services/protected_branches/base_service.rb
index a5896587ded926275396ccd93fcfb79c9a57eaec..bdd175e8552b736e356cab24996fb5b3ce66644d 100644
--- a/app/services/protected_branches/base_service.rb
+++ b/app/services/protected_branches/base_service.rb
@@ -1,7 +1,5 @@
 module ProtectedBranches
   class BaseService < ::BaseService
-    include API::Helpers
-
     def initialize(project, current_user, params = {})
       super(project, current_user, params)
       @allowed_to_push = params[:allowed_to_push]
@@ -14,7 +12,7 @@ def set_access_levels!
       set_push_access_levels!
     end
 
-    protected
+    private
 
     def set_merge_access_levels!
       case @allowed_to_merge
@@ -56,5 +54,14 @@ def translate_api_params!
           'masters'
         end
     end
+
+    protected
+
+    def to_boolean(value)
+      return true if value =~ /^(true|t|yes|y|1|on)$/i
+      return false if value =~ /^(false|f|no|n|0|off)$/i
+
+      nil
+    end
   end
 end
diff --git a/app/services/protected_branches/create_service.rb b/app/services/protected_branches/create_service.rb
index 212c21346387d14008c87d921c49650251510bf8..3601990641628416b75fefa8dc94dc077b4773d9 100644
--- a/app/services/protected_branches/create_service.rb
+++ b/app/services/protected_branches/create_service.rb
@@ -3,6 +3,8 @@ class CreateService < ProtectedBranches::BaseService
     attr_reader :protected_branch
 
     def execute
+      raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
+
       ProtectedBranch.transaction do
         @protected_branch = project.protected_branches.new(name: params[:name])
         @protected_branch.save!
diff --git a/app/services/protected_branches/update_service.rb b/app/services/protected_branches/update_service.rb
index 4a2b1be9c9380e96a8addc6d09f260756226cc80..58f2f774baeddf6b3c5c4527b97a5d1ae7304e45 100644
--- a/app/services/protected_branches/update_service.rb
+++ b/app/services/protected_branches/update_service.rb
@@ -4,12 +4,13 @@ class UpdateService < ProtectedBranches::BaseService
 
     def initialize(project, current_user, id, params = {})
       super(project, current_user, params)
-      @id = id
+      @protected_branch = ProtectedBranch.find(id)
     end
 
     def execute
+      raise Gitlab::Access::AccessDeniedError unless current_user.can?(:admin_project, project)
+
       ProtectedBranch.transaction do
-        @protected_branch = ProtectedBranch.find(@id)
         set_access_levels!
       end