Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Deleted user
0 / 0 points
Next:
badges earned

Your Points Tracker
Challenges
Leaderboard
  • Global
  • Feed

Badge for your thoughts?

You're enrolled in our new beta rewards program. Join our group to get the inside scoop and share your feedback.

Join group
Recognition
Give the gift of kudos
You have 0 kudos available to give
Who do you want to recognize?
Why do you want to recognize them?
Kudos
Great job appreciating your peers!
Check back soon to give more kudos.

Past Kudos Given
No kudos given
You haven't given any kudos yet. Share the love above and you'll see it here.

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Security Big: Branch Permission Issue.

Hi,

I have a repository, for which I have set the master access for a specific user only. Which works fine in normal scenarios. But as I noticed, there is a workaround by which users can still commit to the master branch.

The process I followed:

1.) Let's say there is a repository with name repo-1.

2.) In Branch Permissions I have set write access to a specific user only say User1:

      master -> Write access -> User1

3.) Now there is another user Say User2. Who doesn't have access to commit to the master branch. 

Now to commit to the master branch, all he has to do is as follows:

   1.) Update the Global config File ~/.gitconfig and add User1 as user and email. No password required.

   In the repo, he can have his username as User2.  when the user will push the commit, He will be asked password as per the repo configuration. and after successful authentication. the push will be published to the master branch without any restriction.

And the most amazing part is, Even commit will be Displayed as User1.

 

 

 

 

1 comment

Hello, Yogesh,

Thanks for taking the time to make this post.

Branch Permissions are enforced based on the Bitbucket user performing the push or merge. It's possible that software like ssh-agent or git-credential-manager is caching credentials and causing unexpected results.

If you're sure User2 is able to push to the master branch, I encourage you to reach out to Atlassian support so they may diagnose the issue and help get it resolved.

To address your other concern:

And the most amazing part is, Even commit will be Displayed as User1.

The commit authorship information that Bitbucket displays is based on the name and e-mail address that are specified at the time the commit is made.

Git doesn't require proof that the committer is who they say they are, but it is possible to sign commits and tags cryptographically. Bitbucket doesn't currently have any features leveraging this signature information, but we may build something in the future to help users verify signatures.

I hope this has been helpful, and thank you again for your post!

Kavi Laud
Senior Developer, Bitbucket Cloud

Comment

Log in or Sign up to comment
TAGS
Community showcase
Published in Bitbucket

Calling any interview participants for Bitbucket Data Center

Hi everyone,  We are looking to learn more about development teams’ workflows and pain points, especially around DevOps, integrations, administration, scale, security, and the related challeng...

636 views 7 4
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you