As I understand from the documentation, code promotion is allowed to anyone with git repository push permission.
To restrict promotion rights to chosen users only, an administrator can use a Drone extension, like this one: Promote auth extension.
But, as I suggest, this is a widely used/required feature, and it would be great if you implemented it in the core server code.
It can be done by adding a field to the repository settings in the Web UI where the repository administrator can add the usernames for whom promotions are allowed.
Or probably it can be defined in the pipeline.
Something like this:
    trigger:
      event:
      - promote
      target:
      - production
      allowed: [user1, user2, user3]
And the Drone server, when it executes this pipeline, checks if the current user is in the list. And if not, it hides the ‘Deploy’ button in the Web UI and returns an error message if the user runs the pipeline from the command line.