Bitbucket Server / BSERV-10994

Users with access to repo can see admin settings for that repo


    Details

      Description

      A user who has only read access to a repository can see repository settings if they specifically use the following URLs:

      {BITBUCKET_URL}/projects/{PROJECT_SLUG}/repos/{REPO_SLUG}/settings/merge-checks
      {BITBUCKET_URL}/projects/{PROJECT_SLUG}/repos/{REPO_SLUG}/settings/hooks
      {BITBUCKET_URL}/projects/{PROJECT_SLUG}/settings/merge-checks
      {BITBUCKET_URL}/projects/{PROJECT_SLUG}/settings/hooks
      

      Expected Outcome:
      Users receive a 401

      Actual Outcome:
      Users can see the checks and hooks. When you attempt to change them, you receive a permissions error.
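
      A regression check for the behaviour reported above, as an added example that is not part of the original issue and not Atlassian's code: it requests the four settings URLs as the read-only user and flags any that come back as a rendered page. The function names, the `fetch` callable and the header-based credentials are assumptions; how the read-only session is authenticated is left to the caller.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

# The four settings paths listed in the issue description.
SETTINGS_PATHS = (
    "/projects/{p}/repos/{r}/settings/merge-checks",
    "/projects/{p}/repos/{r}/settings/hooks",
    "/projects/{p}/settings/merge-checks",
    "/projects/{p}/settings/hooks",
)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of the page behind it

def http_fetch(url, headers):
    """Status code for url; headers (assumption) carry the read-only user's session."""
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(request, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # unfollowed 3xx, 401, 403, 404, ...

def classify(status):
    if 200 <= status < 300:
        return "exposed"       # settings page rendered for a non-admin
    if status in (401, 403):
        return "denied"        # access refused, as the issue expects
    if 300 <= status < 400:
        return "redirected"    # confirm by hand where the redirect leads
    return "inconclusive"      # 404, 5xx: wrong slug or server problem

def audit(base_url, project, repo, fetch):
    """Map each settings URL to a verdict; fetch(url) must return a status code."""
    results = {}
    for template in SETTINGS_PATHS:
        path = template.format(p=quote(project, safe=""), r=quote(repo, safe=""))
        url = base_url.rstrip("/") + path
        results[url] = classify(fetch(url))
    return results

def exposed(results):
    return [url for url, verdict in results.items() if verdict == "exposed"]

if __name__ == "__main__":
    # Constructed responses standing in for a live server.
    canned = lambda url: 200 if url.endswith("/hooks") else 403
    print(exposed(audit("https://bitbucket.example.test", "PROJ", "repo", canned)))
```

      Against a real instance, pass `lambda url: http_fetch(url, headers)` as `fetch`, with `headers` holding the read-only account's credentials.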


              People

              Assignee:
              khughes@atlassian.com Kristy
              Reporter:
              alevinson alevinson
