I am doing some work on Bitbucket Server 6.10.1 and I'm a little confused by the personal access token permissions. I created one with Project: Read and Repo: Read access. According to the docs at https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html I was expecting that I would NOT be able to create a pull request (since this should require Repo: Write) but it looks like I am able to create one.

I am sending a POST to http://localhost:7990/bitbucket/rest/api/1.0/projects/PROJECT_1/repos/rep_1/pull-requests with a body

{
"title": "title",
"description": "desc",
"state": "OPEN",
"fromRef": {
"id": "refs/heads/basic_branching",
"repository": {
"slug": "rep_1",
"name": null,
"project": {
"key": "PROJECT_1"
}
}
},
"toRef": {
"id": "refs/heads/master",
"repository": {
"slug": "rep_1",
"name": null,
"project": {
"key": "PROJECT_1"
}
}
}
}

Instead of a 403, I am getting a 201 Created.

To sanity test the tokens themselves, I also tried testing a git push using the two different tokens. I get a

fatal: remote error: Insufficient permissions

with the repo: read access, and I get a successful push with the repo: write token. So it looks like the tokens were valid and there is some level of authorization being handled, just not where I expected.

Can anyone help explain what is happening? I'm using a local version for integration testing, so could there be some differences with the permission model than what is used in other versions?