Delete branch Permission shown incorrectly

Hi,

I have an Active Directory group whose privileges I recently downgraded from 'project creator' to 'stash user' level. However, these users still see the option to delete branches, which is something we do not want.

Here are the tests I did:

1) Deleted the group from Stash - The users in the group could no longer log in to Stash, so I knew they were getting the privileges because of their existence in this group.

2) Created a local user and added it to this group; this local user does not have the permission to delete branches.

Any pointers? Is this a bug?

Regards,

Rahul

2 answers

1 accepted


There is a difference in Stash between being able to log in and what permissions you have on a repo.

If deleting the group from Stash prevented them from logging in at all, that probably means that they lost their license due to not being a member of the group.  It doesn't necessarily mean that they might not also be a member of some other group which doesn't grant Stash licenses but does grant permissions on a particular repo.  It's easy to accidentally configure an AD user so that they have permissions on a repo but can't log in to Stash.

I recommend using this plugin to see exactly what permissions each user has on a repo as a result of their membership in which groups: https://marketplace.atlassian.com/plugins/com.orbitz.stash.plugins.permission-viewer-plugin/versions#b100000000

However, I think that anyone with 'Write' permission on a repo can delete branches unless there are branch permissions in place.  Testing seems to confirm this.  So I'm actually more confused why the local user you created wasn't able to delete branches than anything else.

 

 

Also, deleting a (merged) branch is relatively harmless. A branch is just a pointer to a commit - deleting the branch doesn't delete the commit(s). Deleting an unmerged branch is a little more dangerous, but Stash warns you before allowing you to complete the operation. And presumably those commits would still exist on a developer's clone of the repo.

Actually I had verified that, but I do understand your point.

And I seem to have overlooked something. All users (local and A/D based) can delete branches even with the most basic privileges.

The plugin was a great suggestion though. Made the issue clearer and caused more confusion. Anyone with 'write' privileges can delete any branch irrespective of branch permissions.

I completely understand that in git it can all be restored (merged or unmerged), but my concern is from a compliance perspective. We have access controls all over the place and the fact that a user can delete a branch (essentially manage a repository) with the bare minimum privileges is discomforting.

I really hoped deletion of branches and tags would require higher privileges.

Not having branch permissions on a branch keeps a user from deleting it (but that also means not having permission to push to that branch, requiring the use of pull requests to have your changes merged). I don't think there's a way to be able to push to a branch and not be able to delete it.

And I am seeing it differently: EVEN IF I restrict permissions to push to the 'master' branch for certain users, all users with write 'access' to the repository seem to have the capability to delete the branch.

Hrm, I just tried it on my install of Stash and it gave me a "User not permitted: You do not have permission to delete this branch." message.

Make sure you're not using an Admin account to test it...
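
For the compliance concern discussed in this thread (branch and tag deletion by ordinary pushers), the following is an added example, not code from the thread or from Stash: a generic Git `pre-receive` check that refuses pushes deleting protected refs. The protected patterns and the sample object ids are constructed assumptions, and it assumes the server lets you install a pre-receive hook.

```shell
#!/bin/sh
# Added example: generic Git pre-receive logic, not Stash's own code.
# Git passes a pre-receive hook one line per pushed ref on stdin:
#   <old-id> <new-id> <refname>
# A deletion is a line whose <new-id> is all zeros.

is_zero_id() {
    # True for an all-zero object id (40 digits for SHA-1, 64 for SHA-256).
    case "$1" in
        ''|*[!0]*) return 1 ;;
        *) return 0 ;;
    esac
}

is_protected() {
    # Hypothetical policy: these refs may never be deleted by a push.
    case "$1" in
        refs/heads/master|refs/heads/release/*|refs/tags/*) return 0 ;;
        *) return 1 ;;
    esac
}

check_push() {
    # Reads ref updates from stdin; returns 1 if any protected ref is deleted.
    rejected=0
    while read -r old new ref; do
        if is_zero_id "$new" && is_protected "$ref"; then
            echo "rejected: deleting $ref (was $old) is not allowed" >&2
            rejected=1
        fi
    done
    return "$rejected"
}

# Constructed sample push (object ids are made up): one ordinary update,
# one feature-branch deletion, one attempted deletion of master.
check_push <<'EOF' || echo "push refused"
1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 refs/heads/master
3333333333333333333333333333333333333333 0000000000000000000000000000000000000000 refs/heads/feature/login
2222222222222222222222222222222222222222 0000000000000000000000000000000000000000 refs/heads/master
EOF
```

Installed as a real hook, the sample heredoc is replaced by `check_push || exit 1`, since a non-zero exit from `pre-receive` makes Git reject the whole push.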
