I'm working on some Bitbucket integrations with a custom CI system. Some support already exists, but I'm specifically adding support for pull requests across forks...
The trouble is that, for security reasons, it's not a great idea to blindly trigger CI based on a new pull request from any old untrusted user's fork. I'd like to be able to differentiate between "trusted users" and everyone else, but I don't see anything in the payload that explains the relationship between the actor (user opening the PR / owning the fork) and the destination repository.
For the sake of comparison, a pull request created/updated webhook from GitHub includes an `author_association` field that describes the actor's relationship to the destination repository. It can be something like `OWNER`, `COLLABORATOR`, `NONE`, etc.
Does something similar to this exist in BB's pull request created/updated webhook payloads? I've been through all the docs and have scoured real payloads I have received and cannot find something like this. If it exists and I am overlooking it, I would be delighted to be pointed in the right direction. Otherwise, I'd love any insight anyone has on how else to differentiate trusted users and untrusted users.
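
One way a CI trigger could gate fork pull requests, as an added example that is not part of the original post. It assumes the Bitbucket Cloud payload layout (`pullrequest.source.repository.full_name`, `actor.uuid`), a hypothetical operator-maintained allowlist standing in for an association field, and a webhook delivery that was already authenticated before this code runs.

```python
# GitHub author_association values treated as trusted (MEMBER is a further
# GitHub value beyond the ones named in the post).
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}

# Hypothetical allowlist kept by the CI operator; the UUID is a constructed sample.
TRUSTED_BITBUCKET_ACTORS = {"{00000000-0000-4000-8000-000000000001}"}


def dig(obj, *path):
    """Walk nested dicts; return None when any key is missing or null."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def gate_github(payload):
    """Return "run" or "hold" for a GitHub pull_request event."""
    src = dig(payload, "pull_request", "head", "repo", "full_name")
    dst = dig(payload, "pull_request", "base", "repo", "full_name")
    if not src or not dst:
        return "hold"  # fail closed, e.g. the fork was deleted (head.repo is null)
    if src == dst:
        return "run"   # branch lives in the destination repo, so it was pushed with write access
    assoc = dig(payload, "pull_request", "author_association")
    return "run" if assoc in TRUSTED_ASSOCIATIONS else "hold"


def gate_bitbucket(payload):
    """Return "run" or "hold" for a Bitbucket Cloud pull request event."""
    src = dig(payload, "pullrequest", "source", "repository", "full_name")
    dst = dig(payload, "pullrequest", "destination", "repository", "full_name")
    if not src or not dst:
        return "hold"  # fail closed on an incomplete payload
    if src == dst:
        return "run"
    # Cross-fork PR: trust is decided by the allowlist, keyed on the stable
    # actor UUID rather than a display name the user can change.
    return "run" if dig(payload, "actor", "uuid") in TRUSTED_BITBUCKET_ACTORS else "hold"
```

A "hold" result is meant to queue the build for manual approval by someone with write access rather than drop it.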