Stash Security Bug - branch permissions

bswift February 6, 2013

Stash Branch Permissions documentation:

"if there are conflicting permissions, the most permissive one applies; "

Our Stash repository is hooked up into LDAP, for access permissions.

My scenario is specific, and I can't find a way to configure it properly, to get the permissions I want.

What I want:

- I am project admin, and only I should be able to push / merge to the "master" branch.

- Anyone can create a remote branch, so that they can create a pull request.

- Pull request should use branch permissions (only I can merge to master).

Configuration Scenario 1:

Project:

I have "Contributor"

LDAP Group --> all users have "Observer"

result: no matter what I do to branch permissions, no one can commit anywhere.

Configuration Scenario 2:

Project:

LDAP Group --> all users have "Contributor".

Branch:

master: only me

(*): all users.

result: Anyone can commit.

Anyone can create a remote branch, issue a pull request, and merge that pull request into master. (FAIL).

Test case (that doesn't work) that I expect to work with Scenario 2:

1. Any user can create a remote branch.

2. No one can commit to master (except me)

3. no one can merge a branch into master (except me)

4. anyone can create a pull request to submit their code into master.

Can someone please explain if this is possible? If this is not possible I consider this a bug. We expected this behaviour to exist when we purchased Stash - hopefully I'm just missing something.


2 answers

1 accepted

0 votes
Answer accepted
seb
Atlassian Team
February 6, 2013

Branch:

master: only me
(*): all users.
result: Anyone can commit.

Anyone can create a remote branch, issue a pull request, and merge that pull request into master. (FAIL).

Hi Brett,

Seems like we may have been a little unclear in the branch permissions UI. Let me explain what this configuration does:

master: only me

Only you can push to master (makes sense)

(*): all users.

All users can push to any branch, which overrides the previous branch permission of master, as it is less permissive.

The correct way to configure the branch permission is to set only "master: you". Any non present branch in the permission list permits any user who can write to the repository access to push to it. This also applies for creating new branches. A user can then create a pull request back to master, but won't be able to merge the pull request either via stash or manually.

Hope that helps!

Seb
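The evaluation order Seb describes (repository write access first, then branch permission rows applied as a restriction, with the most permissive matching row winning and unmatched branches open to every writer) is easy to get wrong from the UI alone. The following is an added model of that order, not Stash's own code or the project's API. User names and the Contributor group are constructed, and glob matching of branch patterns via fnmatch is an assumption about how "(*)" behaves.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class BranchPermission:
    """One row of the branch permissions table: a branch name or glob and
    the users allowed to push to branches it matches."""
    pattern: str
    users: frozenset


def matching_permissions(branch, branch_permissions):
    """Rows whose pattern matches the branch. Glob semantics are an
    assumption here (fnmatch), so '*' matches every branch."""
    return [p for p in branch_permissions
            if fnmatch.fnmatchcase(branch, p.pattern)]


def can_push(user, branch, writers, branch_permissions):
    """Can `user` push to (or merge a pull request into) `branch`?

    Order of evaluation as described in the thread:
      1. Project/repository write access comes first; branch permissions
         only restrict, they never grant write to a read-only user.
      2. A branch that no row matches is open to every writer, which is
         also what lets any writer create a new remote branch.
      3. When several rows match, the most permissive wins: the push is
         allowed if any matching row lists the user.
    """
    if user not in writers:
        return False
    rows = matching_permissions(branch, branch_permissions)
    if not rows:
        return True
    return any(user in p.users for p in rows)


# Constructed data: the LDAP group of Contributors and the project admin.
WRITERS = frozenset({"brett", "alice", "bob"})
ADMIN = "brett"

# Scenario 2 from the question: "master: only me" plus "(*): all users".
# The '*' row also matches master, and being more permissive it wins.
SCENARIO_2 = (
    BranchPermission("master", frozenset({ADMIN})),
    BranchPermission("*", WRITERS),
)

# Seb's corrected configuration: only the master row, every other branch
# is left unmatched and therefore open to all writers.
CORRECTED = (
    BranchPermission("master", frozenset({ADMIN})),
)


def who_can_push(branch, writers, branch_permissions):
    """Sorted list of users who may push to `branch` under a configuration."""
    return sorted(u for u in writers
                  if can_push(u, branch, writers, branch_permissions))


if __name__ == "__main__":
    for label, config in (("scenario 2", SCENARIO_2), ("corrected", CORRECTED)):
        for branch in ("master", "feature/new-thing"):
            print(f"{label:10} {branch:18} -> {who_can_push(branch, WRITERS, config)}")
```

Running it prints, for scenario 2, every Contributor against master (the reported FAIL), and for the corrected configuration only the admin against master while feature branches stay open to everyone. Note that the model also covers jhinch's later point: a user who only has Observer access and is listed in a branch row still cannot push, because the repository-level check comes first.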

bswift February 11, 2013

Hey Seb,

Had my wires crossed there. I just removed the /* and it works. The documentation is clear now, I must have misread it.

Thanks for your help!

Ulrich Kuhnhardt
February 25, 2013

Hi Seb,

this works on a newly created repo. However restricting branch permissions for master to admin in the default project_1/rep_1 in the dev environment (atlas-run) does NOT restrict commits. If stash-users in this project have contrib permissions setting master branch permissions to user admin has no effect. Are branch permissions cached?

cofarrell
Rising Star
February 25, 2013

Hi Ulrich,

This is a known issue with the way Amps unzips our home directory.

https://jira.atlassian.com/browse/STASH-2900

For now you can manually apply the executable bits of the hooks in the $HOME/data/repositories/$ID/hooks directory, or just create new repositories.

Sorry for any inconvenience.

Charles
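The failure Charles describes is worth checking for directly: Git skips a hook file that is not executable, so a repository whose hooks lost their execute bits enforces no branch permissions at all while looking correctly configured in the UI. The script below is an added example, not Atlassian's code: it lists the regular files in a hooks directory (the $HOME/data/repositories/$ID/hooks path from the comment above) that lack the owner execute bit and restores execute wherever a read bit is set. The demo directory it builds is constructed for illustration.

```python
import stat
import sys
import tempfile
from pathlib import Path


def non_executable_hooks(hooks_dir):
    """Names of regular files in hooks_dir (ignoring git's *.sample files)
    that lack the owner execute bit. Git silently skips such hooks, so a
    pre-receive hook in this state enforces nothing."""
    missing = []
    for entry in sorted(Path(hooks_dir).iterdir()):
        if not entry.is_file() or entry.name.endswith(".sample"):
            continue
        if not entry.stat().st_mode & stat.S_IXUSR:
            missing.append(entry.name)
    return missing


def restore_executable_bits(hooks_dir):
    """For every hook missing its owner execute bit, set execute for each
    class (user, group, other) that already has read, leaving the rest of
    the mode untouched. Returns the names that were changed."""
    fixed = []
    for name in non_executable_hooks(hooks_dir):
        path = Path(hooks_dir) / name
        mode = stat.S_IMODE(path.stat().st_mode)
        for read_bit, exec_bit in ((stat.S_IRUSR, stat.S_IXUSR),
                                   (stat.S_IRGRP, stat.S_IXGRP),
                                   (stat.S_IROTH, stat.S_IXOTH)):
            if mode & read_bit:
                mode |= exec_bit
        path.chmod(mode)
        fixed.append(name)
    return fixed


def build_demo_hooks_dir():
    """Constructed stand-in for a repository hooks directory: one hook that
    lost its execute bit, one that kept it, and a git sample file."""
    hooks_dir = Path(tempfile.mkdtemp(prefix="stash-hooks-"))
    (hooks_dir / "pre-receive").write_text("#!/bin/sh\nexit 1\n")
    (hooks_dir / "pre-receive").chmod(0o644)
    (hooks_dir / "post-receive").write_text("#!/bin/sh\nexit 0\n")
    (hooks_dir / "post-receive").chmod(0o755)
    (hooks_dir / "pre-push.sample").write_text("#!/bin/sh\n")
    (hooks_dir / "pre-push.sample").chmod(0o644)
    return str(hooks_dir)


def demo_run():
    """Build the demo directory, then report, fix and re-check it."""
    target = build_demo_hooks_dir()
    before = non_executable_hooks(target)
    fixed = restore_executable_bits(target)
    after = non_executable_hooks(target)
    return before, fixed, after


if __name__ == "__main__":
    # Pass a real hooks directory as the first argument to check it;
    # with no argument the constructed demo directory is used.
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print("hooks without execute bit:", non_executable_hooks(target))
        print("fixed:", restore_executable_bits(target))
        print("remaining:", non_executable_hooks(target))
    else:
        print(demo_run())
```

Run it read-only first by calling only non_executable_hooks on the real directory; a non-empty list on a repository that otherwise looks fine is the signature of the unzip problem in STASH-2900. Creating a fresh repository, as Charles suggests, avoids the issue entirely because Stash writes the hooks itself with the right mode.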

0 votes
Ulrich Kuhnhardt
Rising Star
May 11, 2013

Still not finding the right permissions :(

  1. Can't find where to set repository permissions as per https://confluence.atlassian.com/display/STASH/Using+repository+permissions
  2. In branch permissions doco https://confluence.atlassian.com/display/STASH/Using+branch+permissions it is mentioned that "Note that if no branch permissions are defined then anyone with commit access can push to any branch. Also, if there are conflicting permissions, the most permissive one applies; for example if one permission restricts a particular users access but another permission allows it, then the user will be allowed commit access." - Does that include project permissions? i.e. if a user has a branch permission to write, but is only allowed read access on the project permission level, should this user be able to write or not?
jhinch _Atlassian_
Atlassian Team
May 11, 2013

Repository permissions were added in 2.4 which was only released this week. Can you confirm if you are using Stash 2.4?

To answer question 2 no the person shouldn't be able to write. The user must have write access to the repository (or project) first. Branch permissions are then applied on top of this as a restriction.
