Details
- Bug
- Resolution: Unresolved
- Low
- None
- Severity 3 - Minor
- 95
- 1
Description
Issue Summary
There is a link to view Workspace Variables in the Repository Variable Settings. The link has this form:
https://bitbucket.org/<workspace-name>/workspace/settings/addon/admin/pipelines/account-variables
Clicking this link opens the workspace variables for every user, regardless of their workspace permission. For a user who has workspace admin permissions, this does not matter and the page behaves as expected.
For a user who does not have workspace admin permissions, the expected behavior is a screen saying that you do not have permission, since workspace variables are restricted to users with workspace admin access. Instead, the workspace variables window is shown, with no other settings visible.
This screen is read-only: you cannot add, edit or delete variables, but you can see them. Refreshing the page results in a 403. Opening the link in a new tab, or copying the link and pasting it into a different window, also results in a 403, which is the expected outcome. The problem occurs only when the link is clicked, which is what gives access to view the workspace variables.
Steps to Reproduce
- Create a user who has repository admin access but no workspace admin access
- Go to Repository Settings -> Repository variables
- Click on the Workspace Variables link
Expected Results
A 403 screen that says you do not have permission
Actual Results
A read-only page that shows workspace variables
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.