I have an active directory group which i recently downgraded the privileges from 'project creator' to 'stash user' level. However, these users still see the option to delete branches which is something we do not want.
Here are the tests i did -
1) Deleted the group from stash - The users for the group could no longer log in to stash, so i knew they were getting the privileges because of their existence in this group
2) Created a local user and added it to this group, this local user does not have the permission to delete branches.
Any pointers? Is this a bug?
There is a difference in Stash between being able to log in and what permissions you have on a repo.
If deleting the group from Stash prevented them from logging in at all, that probably means that they lost their license due to not being a member of the group. It doesn't necessarily mean that they might not also be a member of some other group which doesn't grant Stash licenses but does grant permissions on a particular repo. It's easy to accidentally configure an AD user so that they have permissions on a repo but can't login to Stash.
I recommend using this plugin to see exactly what permissions each user has on a repo as a result of their membership in which groups: https://marketplace.atlassian.com/plugins/com.orbitz.stash.plugins.permission-viewer-plugin/versions#b100000000
However, I think that anyone with 'Write' permission on a repo can delete branches unless there are branch permissions in place. Testing seems to confirm this. So I'm actually more confused why the local user you created wasn't able to delete branches than anything else.
Also, deleting a (merged) branch is relatively harmless. A branch is just a pointer to a commit - deleting the branch doesn't delete the commit(s). Deleting an unmerged branch is a little more dangerous, but Stash warns you before allowing you to complete the operation. And presumably those commits would still exist on a developer's clone of the repo.
Actually i had verified that but i do understand your point.
And, I seemed to have overlooked something. All users (local and A/D based) can delete branches even with the most basic privileges
The plugin was a great suggestion though. Made the issue clearer and caused more confusion. Anyone with 'write' privileges can delete any branch irrespective of branch permissions.
I completely understand that in git it can all be restored (merged or unmerged), but my concern is from a compliance perspective. We have access controls all over the place and the fact that a user can delete a branch (essentially manage a repository) with the bare minimum privileges is discomforting.
I really hoped deletion of branches and tags would require higher privileges
Not having branch permissions on a branch keeps a user from deleting it (but that also means not having permission to push to that branch, requiring the use of pull requests to have your changes merged). I don't think there's a way to be able to push to a branch and not be able to delete it.
As a project manager, I have discovered that different developers want to bring their previous branching method with them when they join the team. Some developers are used to performing individual wo...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs