How to restrict who can merge into specific branch?

Is it possible to restrict who can merge to a specific branch?  I would like to only allow a couple of users to be able to merge into the master branch.  Is this possible?

2 answers

1 accepted

2 votes

Hi Trent,

Yes, you can do this with ScriptRunner for Bitbucket Server. Thanks for adding the correct tag to your question as well; it helps us find these questions and respond to them swiftly.

You can do this by going to Admin -> Script Merge Checks -> Custom merge check and adding the following code:

import com.atlassian.bitbucket.auth.AuthenticationContext
import com.atlassian.bitbucket.scm.pull.MergeRequest
import com.atlassian.sal.api.component.ComponentLocator

def authenticationContext = ComponentLocator.getComponent(AuthenticationContext)

def mergeRequest = mergeRequest as MergeRequest
def pullRequest = mergeRequest.getPullRequest()

def isMasterBranch = pullRequest.getToRef().getId() == "refs/heads/master"

// add users who can merge to master here
def allowedUserNames = ["user1", "user2", "user3"]

def currentUser = authenticationContext.currentUser

if (isMasterBranch && ! (currentUser.slug in allowedUserNames)) {
    mergeRequest.veto("Can not merge to master branch", "You are not allowed to merge to the master branch")
}

I've indicated where you can add the users who can push to the master branch.

Let us know how you get on with that.

Adam

Thanks Adam!  It is blocking merges correctly but not allowing the allowedUserNames to merge.  Is it missing the else clause that allows the users in the list to have access?

Trent

It should already be doing that. If it is the master branch and the user is not in the list of allowed user names we don't allow the merge.

It seems like "currentUser.slug" is not in the allowedUserNames.

Try adding the following to that script and refresh the pull request page to see what users you have:

log.warn currentUser.slug
log.warn allowedUserNames

I added that line to the bottom and had the user try again.  I do not see anything on the pull request tab.  What specifically am I looking for?

Thank you,

Trent

Hi Adam,

Any update on this?  I am unable to see anything in the pull request page when I add that line just below "def currentUser = authenticationContext.currentUser".

Thanks,

Trent

Hi Trent,

Apologies for the delay in responding. You should see something in the logs when you go to the pull request page which will show you the current user's name and the allowed user names. That should help us to see why it's not allowing the allowed users to merge.

Let us know what you get.

Thanks, Adam

Hi Adam,

This is what I see in the logs.

2017-01-25 10:52:35,157 WARN  [http-nio-127.0.0.100-7990-exec-155] E869TZ @1PNCTLEx652x820600x1 1s0a3oz 65.197.19.243,127.0.0.100 "GET /rest/api/latest/projects/ALMSS/repos/alm-jenkins/pull-requests/2/merge HTTP/1.1" c.o.s.runner.ScriptRunnerImpl e869tz
2017-01-25 10:52:35,157 WARN  [http-nio-127.0.0.100-7990-exec-155] E869TZ @1PNCTLEx652x820600x1 1s0a3oz 65.197.19.243,127.0.0.100 "GET /rest/api/latest/projects/ALMSS/repos/alm-jenkins/pull-requests/2/merge HTTP/1.1" c.o.s.runner.ScriptRunnerImpl [E1762P, E6462Y, E591NF, E869TZ]
2017-01-25 10:52:35,177 WARN  [http-nio-127.0.0.100-7990-exec-155] E869TZ @1PNCTLEx652x820600x1 1s0a3oz 65.197.19.243,127.0.0.100 "GET /rest/api/latest/projects/ALMSS/repos/alm-jenkins/pull-requests/2/merge HTTP/1.1" c.o.s.runner.ScriptRunnerImpl e869tz
2017-01-25 10:52:35,178 WARN  [http-nio-127.0.0.100-7990-exec-155] E869TZ @1PNCTLEx652x820600x1 1s0a3oz 65.197.19.243,127.0.0.100 "GET /rest/api/latest/projects/ALMSS/repos/alm-jenkins/pull-requests/2/merge HTTP/1.1" c.o.s.runner.ScriptRunnerImpl [E1762P, E6462Y, E591NF, E606MR, E765PP, E106PD, E869TZ]

 

It looks like it is working, as it has the list of users who can merge to the develop and master branches, including mine.  Although the merge button in the top right corner is greyed out, and it states I do not have permission to merge to either of the branches.  Not sure if this matters, but I have set up the custom merge script at the global level and assigned it to the repository, as there is no option for Custom Merge Script at the repo configuration level.

Thanks,

Trent

Hi Trent,

OK, I have spotted the problem from those logs.

The issue is that Bitbucket gives you the username lowercased, whereas in your list of allowed ones they are uppercased. So when we compare them they are not equal, hence the user can't merge. You should convert the allowed usernames in your list to lowercase so they match exactly.

Let us know how that goes for you.

Thanks,
Adam 

It is working as expected now!  Thank you so much for your assistance Adam.
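An added example, not part of the thread's posts and not ScriptRunner's own code: the same custom merge check with the allow-list normalised to lower case before the comparison, so the result no longer depends on how the names were typed. It goes slightly beyond the thread by keeping one allow-list per protected branch and by vetoing when no user is authenticated; the branch refs, user names and the `normalise` helper are placeholders and assumptions.

```groovy
import com.atlassian.bitbucket.auth.AuthenticationContext
import com.atlassian.bitbucket.scm.pull.MergeRequest
import com.atlassian.sal.api.component.ComponentLocator

// Placeholder allow-lists (assumption): one list of user names per protected
// target ref. Mixed case is deliberate, to show it no longer matters.
def allowedByBranch = [
    "refs/heads/master" : ["USER1", "User2"],
    "refs/heads/develop": ["USER1", "User2", "user3"],
]

// Hypothetical helper: compare names in one canonical form. Locale.ROOT keeps
// the result independent of the server's default locale.
def normalise = { String name -> name?.trim()?.toLowerCase(Locale.ROOT) }

def authenticationContext = ComponentLocator.getComponent(AuthenticationContext)

// "mergeRequest" is the binding variable ScriptRunner passes to the check
def request = mergeRequest as MergeRequest
def targetRef = request.getPullRequest().getToRef().getId()

def allowed = allowedByBranch[targetRef]
if (allowed != null) {
    def allowedSlugs = allowed.collect(normalise) as Set
    // currentUser may be null when nobody is authenticated
    def slug = normalise(authenticationContext.currentUser?.slug)

    // Fail closed: an unknown or unlisted user is vetoed on a protected branch
    if (slug == null || !(slug in allowedSlugs)) {
        log.warn("Merge to ${targetRef} vetoed for user '${slug}'")
        request.veto("Can not merge to protected branch",
                "You are not allowed to merge to ${targetRef}")
    }
}
```

The `log.warn` line records each vetoed attempt in the Bitbucket application log, the same place the debugging output above appeared.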

If you're on Bitbucket Server 4.5 or newer, you can do this without any add-ons using the "Branch Permissions" settings for your repo and setting the "Prevent all changes" restriction.

Screenshot here:

branch-perms.png

 

p.s. I invite you to try my add-on:  Bit-Booster for Bitbucket Server
