Bitbucket Data Center: BSERV-9052

Don't show the Re-open button to users without access to the source repository


Details

    Description

      Summary

      A user who is a reviewer on the pull request and has access to the target repository is not able to re-open the pull request after it has been declined, and instead receives a "User not permitted" exception.

      Environment

      Pull request configuration

      • Source: bitbucket483one-userbfork / branch feature1
      • Destination: bitbucket483one / branch master
      • No merge conflict involved

      Users

      • usera
      • userb

      Repositories involved

      • bitbucket483one
        • usera is admin.
        • userb has write permission.
      • bitbucket483one-userbfork
        • Fork made by userb; only userb has access.

      Steps to Reproduce

      1. bitbucket483one is created and some code is committed to it on master.
      2. userb forks the repository, creating bitbucket483one-userbfork.
      3. userb creates the branch feature1 from master on his fork.
      4. userb commits a new file to branch feature1.
      5. userb creates a pull request from bitbucket483one-userbfork/feature1 to bitbucket483one/master, and adds usera as a reviewer.
      6. The pull request is declined.
      7. usera opens the pull request and tries to re-open it.

      Expected Results

      • The "Re-open" button shouldn't be available to usera, since this user doesn't have Read permission on the source repository. The branch may have been updated on the source repository since the pull request was declined, so by reopening it usera would effectively be granting himself access to new changes he doesn't have permission to see.
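As an added illustration (a model written for this page, not Bitbucket's own code), the Python below separates the server-side reopen rule from the UI affordance: reopening requires Read on the source repository, the reported UI shows the button from the target-side role alone (so the click ends in the 401 above), and the expected UI derives the button from the same predicate the server enforces. The Repo/PullRequest classes and the target-side rule (Write on the target or being a reviewer) are assumptions of the model.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Perm(IntEnum):
    NONE, READ, WRITE, ADMIN = 0, 1, 2, 3

@dataclass
class Repo:
    name: str
    perms: dict = field(default_factory=dict)  # user name -> Perm

    def perm(self, user: str) -> Perm:
        return self.perms.get(user, Perm.NONE)

@dataclass
class PullRequest:
    source: Repo
    target: Repo
    reviewers: set
    state: str = "OPEN"  # OPEN, DECLINED or MERGED

def can_reopen(user: str, pr: PullRequest) -> bool:
    # Server-side rule. Reopening re-exposes whatever the source branch holds now,
    # so READ on the source repo is required on top of the target-side role
    # (assumed here to be WRITE on the target or being a reviewer).
    if pr.state != "DECLINED":
        return False
    if pr.source.perm(user) < Perm.READ:
        return False  # usera's case: reviewer on the target, no access to the fork
    return pr.target.perm(user) >= Perm.WRITE or user in pr.reviewers

def show_reopen_button_reported(user: str, pr: PullRequest) -> bool:
    # Reported behaviour: the button only considers the target-side role,
    # so the click reaches the server and is rejected with 401.
    return pr.state == "DECLINED" and (
        pr.target.perm(user) >= Perm.WRITE or user in pr.reviewers)

def show_reopen_button_expected(user: str, pr: PullRequest) -> bool:
    # Expected behaviour: the UI uses the same predicate the server enforces,
    # so the button never appears for an action that would be denied.
    return can_reopen(user, pr)

def build_scenario() -> PullRequest:
    # Constructed from the report: usera is admin on the target and a reviewer,
    # userb owns the fork and has WRITE on the target; the PR has been declined.
    target = Repo("bitbucket483one", {"usera": Perm.ADMIN, "userb": Perm.WRITE})
    fork = Repo("bitbucket483one-userbfork", {"userb": Perm.ADMIN})
    return PullRequest(source=fork, target=target, reviewers={"usera"}, state="DECLINED")
```

Granting usera Read on the fork (the workaround below) flips `can_reopen` to true, which is the only change that should make the button appear.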

      Actual Results

      • usera receives the following message:
      • The below exception is thrown in the atlassian-bitbucket.log file:
        2016-08-10 19:05:44,507 DEBUG [http-nio-7990-exec-4] usera @666J1x1145x548x0 ujs29w 0:0:0:0:0:0:0:1 "POST /rest/api/latest/projects/PROJ/repos/bitbucket483one/pull-requests/1/reopen HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping ServiceException to REST response 401
        com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource
        	at com.atlassian.stash.internal.aop.ExceptionRewriteAdvice.afterThrowing(ExceptionRewriteAdvice.java:36) ~[bitbucket-platform-4.8.3.jar:na]
        	at com.atlassian.stash.internal.pull.DefaultPullRequestService.checkRefExistsForReopen(DefaultPullRequestService.java:1130) ~[bitbucket-service-impl-4.8.3.jar:na]
        	at com.atlassian.stash.internal.pull.DefaultPullRequestService.internalReopen(DefaultPullRequestService.java:1384) ~[bitbucket-service-impl-4.8.3.jar:na]
        	at com.atlassian.stash.internal.pull.DefaultPullRequestService.reopen(DefaultPullRequestService.java:756) ~[bitbucket-service-impl-4.8.3.jar:na]
        	at com.atlassian.plugin.util.ContextClassLoaderSettingInvocationHandler.invoke(ContextClassLoaderSettingInvocationHandler.java:26) ~[atlassian-plugins-core-4.1.8.jar:na]
        	at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:56) ~[na:na]
        	at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:60) ~[na:na]
        	at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invokeUnprivileged(ServiceTCCLInterceptor.java:70) ~[na:na]
        	at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invoke(ServiceTCCLInterceptor.java:53) ~[na:na]
        	at org.eclipse.gemini.blueprint.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:57) ~[na:na]
        	at com.atlassian.stash.internal.rest.pull.PullRequestResource.reopen(PullRequestResource.java:549) ~[bitbucket-rest-4.8.3.jar:na]
        	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
        	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
        	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
        	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
        	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
        	at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81) [atlassian-connect-plugin-1.1.86-bitbucket-04.jar:na]
        	at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:88) [classes/:na]
        	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:109) [classes/:na]
        	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75) [classes/:na]
        	at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94) [atlassian-trusted-apps-core-4.2.0.jar:na]
        	at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67) [atlassian-oauth-service-provider-plugin-2.0.3_1469663358000.jar:na]
        	at com.atlassian.core.filters.ServletContextThreadLocalFilter.doFilter(ServletContextThreadLocalFilter.java:21) [atlassian-core-4.6.19.jar:na]
        	at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) [atlassian-core-4.6.19.jar:na]
        	at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109) [atlassian-connect-plugin-1.1.86-bitbucket-04.jar:na]
        	at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:32) [jwt-plugin-1.5.11-0002_1469663358000.jar:na]
        	at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:38) [analytics-client-5.2.7_1469663356000.jar:na]
        	at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39) [analytics-client-5.2.7_1469663356000.jar:na]
        	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:87) [classes/:na]
        	at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73) [classes/:na]
        	at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:86) ~[bitbucket-service-impl-4.8.3.jar:na]
        	at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38) ~[classes/:na]
        	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_74]
        	at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_74]
        	... 290 frames trimmed
        Caused by: org.springframework.security.access.AccessDeniedException: Access is denied
        	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-3.2.7.RELEASE.jar:3.2.7.RELEASE]
        	... 34 common frames omitted
        

      Workaround

      • Give usera at least Read permission on the source repository.

          People

            khughes@atlassian.com Kristy
            grefosco Gustavo Refosco (Inactive)