Four-eyes security on Pull Requests in Bitbucket?

Patrick Metzdorf July 23, 2014

Hi,

We are a very small team who have just started using Bitbucket. In fact, our core team is made up of only myself and one other person, and on occasion we have one or two more temps who might work on our Bitbucket repos.

Now, for pull requests, we can of course make sure that one person is the admin of the repo and only he can merge the PR into Master; that's fine.

But what if that admin is the one submitting the PR? Security-wise they are now able to approve and merge their own pull requests.

So is there a way to configure permissions so that it can't be the same person submitting a PR who also merges it into master?

That way we'd still have a two-person (four-eyes) approval and review process, AND ensure that whoever submits the PR will have to wait for someone else to approve it before it can be merged in.

Any way to do that?

Many thanks.

3 answers

1 accepted

0 votes
Answer accepted
TimP
July 24, 2014

Hi Patrick,

It sounds like you want something akin to Stash's merge checks, which allow you to prevent pull requests from being merged unless certain conditions are met (including a minimum number of reviewers who have approved the review). Bitbucket doesn't have this feature yet, but there's a feature request open regarding it - I'd recommend casting your vote on the issue and adding any commentary you have there.

cheers,

Tim

0 votes
Patrick Metzdorf July 24, 2014

Hi Tim,

OK, that makes sense. Thanks, I'll also look into Stash sometime then.

Cheers,

Patrick

0 votes
John Garcia
July 23, 2014

You can configure the amount of Repository access given to Team Admins at the Manage Groups interface. This will allow a user to be a Team Admin but not a Repository admin.

Patrick Metzdorf July 24, 2014

Thanks for the quick response, but that doesn't help if there are, for example, only two people in a team. One of the two will have to be a repo admin, and thus is god on that repo, free to merge in their own pull requests.

What I'd like to do is make sure that that repo admin cannot approve and merge his own pull request when he submits one. But he can still merge in those from other users!

I assume that's not possible then?
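Since Bitbucket had no built-in merge check at the time of this thread, the four-eyes rule the question describes can be expressed as a small policy check run outside the hosting service, for example from a CI job or a server-side hook before the merge is performed. The following is an added example, not code from the thread or from Atlassian; the `PullRequest` record, the user names and the `require_distinct_merger` option are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PullRequest:
    """Minimal PR record (constructed for this example): who opened it and who approved it."""
    author: str
    approvers: set = field(default_factory=set)


def four_eyes_violations(pr, merger, min_approvals=1, require_distinct_merger=True):
    """Return the reasons a merge must be refused; an empty list means the merge is allowed.

    Rules enforced:
      * an approval by the author of the PR carries no weight (self-approval is ignored);
      * at least `min_approvals` approvals must come from people other than the author;
      * with `require_distinct_merger`, the person merging must not be the author,
        so a repo admin can merge other people's PRs but not their own.
    """
    reasons = []
    independent = {a for a in pr.approvers if a != pr.author}
    if require_distinct_merger and merger == pr.author:
        reasons.append("author may not merge their own pull request")
    if len(independent) < min_approvals:
        reasons.append(
            f"needs {min_approvals} approval(s) from someone other than the author, "
            f"has {len(independent)}"
        )
    return reasons


def can_merge(pr, merger, min_approvals=1, require_distinct_merger=True):
    """True when the four-eyes policy is satisfied for this merge attempt."""
    return not four_eyes_violations(pr, merger, min_approvals, require_distinct_merger)


if __name__ == "__main__":
    # Two-person team, as in the question: "patrick" is the repo admin.
    own_pr = PullRequest(author="patrick", approvers={"patrick"})
    print(four_eyes_violations(own_pr, merger="patrick"))   # self-approval rejected on both counts
    colleague_pr = PullRequest(author="tim", approvers={"patrick"})
    print(can_merge(colleague_pr, merger="patrick"))        # admin merging a colleague's PR: allowed
```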
