Four-eyes security on Pull Requests in Bitbucket?

Hi,

We are a very small team who have just started using Bitbucket. In fact, our core team is made of only of myself and one other person, and on occasion we have one or two more temps who might work on our Bitbucket repos.

Now, for pull requests, we can of course make sure that one person is the admin of the repo and only he can merge the PR into Master, that's fine.

But what if that admin is the one submitting the PR? Security-wise they are now able to approve and merge their own pull requests.

So is there a way to configure permissions that it can't be the same person submitting a PR that also merges it into master?

That way we'd still have a two people (four-eyes) approval and review process, AND ensure that it whoever submits the PR will have to wait for someone else to approve it before it can be merged in.

Any way to do that?

Many thanks.

3 answers

1 accepted

This widget could not be displayed.

Hi Patrick,

It sounds like you want something akin to Stash's merge checks, which allow you to prevent pull requests from being merged unless certain conditions are met (including a minimum number of reviewers who have approved the review). Bitbucket doesn't have this feature yet, but there's a feature request open regarding it - I'd recommend casting your vote on the issue and adding any commentary you have there.

cheers,

Tim

This widget could not be displayed.

You can configure the amount of Repository access given to Team Admins at the Manage Groups interface. This will allow a user to be a Team Admin but not a Repository admin.

Thanks for the quick response, but that doesn't help if there are for example only two people in a team. One of the two will have to be a repo admin, and thus is god on that repo, free to merge in their own pull requests.

What I'd like to do is make sure that that repo admin cannot approve and merge his own pull request when he submits one. But he can still merge in those from other users!

I assume that's not possible then?

This widget could not be displayed.

Hi Tim,

Ok that makes sense. Thanks, I'll also look into Stash sometime then.

Cheers,

Patrick

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Aug 21, 2018 in Bitbucket

Branch Management with Bitbucket

As a project manager, I have discovered that different developers want to bring their previous branching method with them when they join the team. Some developers are used to performing individual wo...

1,310 views 8 11
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you