Stash Security Bug - branch permissions

Stash Branch Permissions documentation:

"if there are conflicting permissions, the most permissive one applies; "

Our Stash repository is hooked up into LDAP, for access permissions.

My scenario is specific, and I can't find a way to configure it properly, to get the permissions I want.

What I want:

- I am project admin, and only I should be able to push / merge to the "master" branch.

- Anyone can create a remote branch, so that they can create a pull request.

- Pull request should use branch permissions (only I can merge to master).

Configuration Scenario 1:

Project:

I have "Contributor"

LDAP Group --> all users have "Observer"

result: no matter what I do to branch permissions, no one can commit anywhere.

Configuration Scenario 2:

Project:

LDAP Group --> all users have "Contributor".

Branch:

master: only me

(*): all users.

result: Anyone can commit.

Anyone can create a remote branch, issue a pull request, and merge that pull request into master. (FAIL).

Test case (that doesn't work) that I expect to work with Scenario 2:

1. Any user can create a remote branch.

2. No one can commit to master (except me)

3. no one can merge a branch into master (except me)

4. anyone can create a pull request to submit their code into master.

Can someone please explain if this is possible? If this is not possible I consider this a bug. We expected this behaviour to exist when we purchased Stash - hopefully I'm just missing something.


2 answers

1 accepted

Seb Ruiz Atlassian Team Feb 06, 2013

Branch:

master: only me
(*): all users.
result: Anyone can commit.

Anyone can create a remote branch, issue a pull request, and merge that pull request into master. (FAIL).

Hi Brett,

Seems like we may have been a little unclear in the branch permissions UI. Let me explain what this configuration does:

master: only me

Only you can push to master (makes sense)

(*): all users.

All users can push to any branch, which overrides the previous branch permission of master, as it is less permissive.

The correct way to configure the branch permission is to set only "master: you". Any branch not present in the permission list permits any user who can write to the repository to push to it. This also applies to creating new branches. A user can then create a pull request back to master, but won't be able to merge the pull request either via Stash or manually.

Hope that helps!

Seb

Hey Seb,

Had my wires crossed there. I just removed the /* and it works. The documentation is clear now; I must have misread it.

Thanks for your help!

Hi Seb,

This works on a newly created repo. However, restricting branch permissions for master to admin in the default project_1/rep_1 in the dev environment (atlas-run) does NOT restrict commits. If stash-users in this project have contrib permissions, setting master branch permissions to user admin has no effect. Are branch permissions cached?

Hi Ulrich,

This is a known issue with the way Amps unzips our home directory.

https://jira.atlassian.com/browse/STASH-2900

For now you can manually apply the executable bits of the hooks in the $HOME/data/repositories/$ID/hooks directory, or just create new repositories.

Sorry for any inconvenience.

Charles


Still not finding the right permissions :(

  1. Can't find where to set repository permissions as per https://confluence.atlassian.com/display/STASH/Using+repository+permissions
  2. In branch permissions doco https://confluence.atlassian.com/display/STASH/Using+branch+permissions it is mentioned that "Note that if no branch permissions are defined then anyone with commit access can push to any branch. Also, if there are conflicting permissions, the most permissive one applies; for example if one permission restricts a particular user's access but another permission allows it, then the user will be allowed commit access." - Does that include project permissions? i.e., if a user has a branch permission to write, but is only allowed read access at the project permission level, should this user be able to write or not?
Jason Hinch Atlassian Team May 11, 2013

Repository permissions were added in 2.4 which was only released this week. Can you confirm if you are using Stash 2.4?

To answer question 2: no, the person shouldn't be able to write. The user must have write access to the repository (or project) first. Branch permissions are then applied on top of this as a restriction.
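The evaluation order that Seb's answer and Jason's reply describe (repository write access first, then branch permissions as a restriction, with the most permissive matching entry winning) can be modelled to show why Scenario 2 fails and the "master: you" configuration works. This is an added illustration written for this thread, not Stash's own code; the user names, the glob matching of patterns via fnmatch, and the audit helper are assumptions.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class BranchPermission:
    pattern: str              # branch name or glob as entered in the UI, e.g. "master" or "*"
    allowed_users: frozenset  # users this entry permits to push


def can_push(user, branch, repo_writers, branch_perms):
    """Decide a push, following the evaluation order described in the thread.

    1. The user must already have write (Contributor) access to the repository
       or project; branch permissions only restrict, they never grant.
    2. If no branch permission entry matches the branch, any writer may push
       (this is also what lets anyone create a new branch).
    3. If any matching entry includes the user, the push is allowed: the most
       permissive matching entry wins.
    """
    if user not in repo_writers:
        return False
    matching = [p for p in branch_perms if fnmatch.fnmatchcase(branch, p.pattern)]
    if not matching:
        return True
    return any(user in p.allowed_users for p in matching)


def shadowed_restrictions(branch_perms):
    """Audit check: report entries whose restriction is overridden by a broader
    entry that also matches the restricted branch but admits extra users."""
    findings = []
    for narrow in branch_perms:
        for broad in branch_perms:
            if broad is narrow:
                continue
            if fnmatch.fnmatchcase(narrow.pattern, broad.pattern) \
                    and not broad.allowed_users <= narrow.allowed_users:
                findings.append((narrow.pattern, broad.pattern))
    return findings


# Constructed sample data: Brett (project admin) plus two LDAP-group Contributors.
WRITERS = frozenset({"brett", "alice", "bob"})
SCENARIO_2 = [BranchPermission("master", frozenset({"brett"})),
              BranchPermission("*", WRITERS)]          # the "(*): all users" entry
CORRECTED = [BranchPermission("master", frozenset({"brett"}))]


def push_matrix(branch_perms, branch="master"):
    """Which repository writers can push to `branch` under this configuration."""
    return {u: can_push(u, branch, WRITERS, branch_perms) for u in sorted(WRITERS)}
```

Running `shadowed_restrictions(SCENARIO_2)` flags the master entry as shadowed by `*`, while the corrected list produces no findings and still lets every writer push to branches that have no entry.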
