How to disable file content editing in 4.13

The "edit in browser" feature was added in 4.13 but can be disabled by setting the following property in your bitbucket.properties file:

feature.file.editor=false

See the Bitbucket Server config properties for a full list of all configuration options

With respect to the issues you mentioned:

I have an 'update' hook enabled on the repository to validate commit messages.  The 'update' hook does not appear to be invoked.  I was unable to reject commits for invalid commit message.

I think you're referring to a pre-receive hook? Anyway, pre-receive hooks only get called when people push to a repository and not a branch or tag is updated through the browser or REST api (for example, merging a pull request, creating/deleting a branch or tag, or now editing a file in the browser). There is still a way for plugins to block these update attempts though.

If your plugin adds an event listener for the FileEditRequestedEvent, you'll get a callback just before the change is committed. Your event listener can validate the proposed change and call event.cancel(message) to prevent the change from going through.

I attempted to disable the file edit feature by setting content.upload.max.size=0.  This caused the "commit" button to be disabled, but did not disable the "edit" button.  I expected to see the "edit" button disabled.

As mentioned above, you can use the feature.file.editor flag to completely disable the feature

I was able to commit directly to the master branch.

The file edit feature should take your branch permissions into account. If you're able to directly push to the master branch, you will be able to directly commit on the master branch. The same permissions will apply if you create the commit in Bitbucket directly or you do it locally and push it up to Bitbucket. 

We are setting up branch permissions using scriptRunner because it gives us more flexibility and to my understanding is only possible way for our needs. In our setup we have two repositories one is the clone of another. We first set up plugin which does auto-push from first repo(simple mirror) to the second repo. In the second repo we wanted to disallow branch modifications that are originated from the first repo e.g. master, etc, because after any modification push from first repo will not work anymore if changes happen on the same branch. In the second repo people are supposed to only create branches in a special namespace : gg/feature/xxxx. So, with scriptRunner we could in an easy way setup who is allowed to change refs from the original repo and who is allowed to create other branches. With branch permissions supported by bitbucket that would not be possible. unless our first repo also uses some namespace for refs by which we could do the pattern matching. So, commit from editor is not following our permissions , because it is not done via push, but a normal commit. I don't see pre-commit hook in bit-bucket repo. So, I cannot use it. ScripRunner is of no use, because it also only reacts on pre-recieve. What could work thought is more advanced branch name matching in branch permissions section. Where I could say - not for branches that match "gg/*". In other words for all branches that do not match "gg/*", and later say except user.

Edit:  It is provided by core Bitbucket as of 4.13! I expected to see a ticket in the Bitbucket 4.13 release notes, and didn't notice the huge new section at the top of the release notes called, "Edit files from the browser."  Oops!

@Michael Heemskerk - why no mention at all of this new feature in BSERV-3032 ?   

I think this feature is provided by the "Editor for Bitbucket (Stash)" add-on and does not come included in the core Bitbucket offering (otherwise BSERV-3032 would not be an open ticket!).

You should be able to disable direct pushes through the add-on's own configuration menu (repository --> settings --> add-ons --> editor for bitbucket).

p.s. Don't forget to try my add-on!  Bit-Booster for Bitbucket Server