- Bug
- Resolution: Fixed
- Low
- 6.2.0, 6.8.0
- None
- 1
- Severity 2 - Major
Issue Summary
When a pull request between two repositories is merged, if the user who merges the pull request does not have at least read access to the source repository (they're only required to have access to the target repository to merge), hook scripts will not be invoked.
Steps to Reproduce
- Create a hook script, using an app like External Hooks
- Create a repository and give 2 users access
- Create a personal fork of the repository as one of the two users, and do not give the other user access to it
- Open a pull request from the fork to the canonical repository
- Merge the pull request as the user without access to the fork
Expected Results
Hook scripts are invoked.
Actual Results
Hook scripts are not invoked, and the following error appears in the logs:
2019-11-06 10:40:54,196 WARN [AtlassianEvent::thread-3] jdoe @CHSM40x640x337x0 1ks2x81 1.1.1.1 "POST /rest/api/latest/projects/key/repos/slug/pull-requests/1/merge HTTP/1.1" c.a.s.i.h.r.DefaultRepositoryHookService [KEY/slug[1]] Error calling ScriptRepositoryHook.postUpdate
com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource
	at com.atlassian.stash.internal.aop.ExceptionRewriteAdvice.afterThrowing(ExceptionRewriteAdvice.java:37)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.cloneUrls(DefaultHookScriptEnvironmentProvider.java:161)
	at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.repoDetails(DefaultHookScriptEnvironmentProvider.java:198)
	at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.mergeVariables(DefaultHookScriptEnvironmentProvider.java:173)
	at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.create(DefaultHookScriptEnvironmentProvider.java:120)
	at com.atlassian.stash.internal.hook.script.DefaultHookScriptInvoker.lambda$prepareEnvironment$1(DefaultHookScriptInvoker.java:286)
Workaround
Ensure the user merging cross-repository pull requests has at least read access to the source repository.
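A log check for finding merges where hook scripts were skipped, as an added example that is not part of the original report or Atlassian's code: it scans log lines for the hook failure quoted under Actual Results and reports who merged which pull request. The log layout is assumed from that single quoted entry, and the sample input is constructed.

```python
import re

# Header layout copied from the WARN entry quoted in this report; that other
# entries share it is an assumption of this example.
HEADER = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN\s+\[[^\]]*\] '
    r'(?P<user>\S+) \S+ \S+ (?P<ip>\S+) '
    r'"POST \S*/projects/(?P<project>[^/\s]+)/repos/(?P<repo>[^/\s]+)'
    r'/pull-requests/(?P<pr>\d+)/merge HTTP/[\d.]+" '
    r'\S*DefaultRepositoryHookService \[\S+\] '
    r'Error calling (?P<callback>[\w.]+)(?P<rest>.*)$')
NEW_ENTRY = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ')
DENIED = 'AuthorisationException'
FIELDS = ('ts', 'user', 'ip', 'project', 'repo', 'pr', 'callback')

def find_skipped_hooks(lines):
    """Return one record per merge whose hook callback hit a permission error."""
    entries, current = [], None
    for raw in lines:
        line = raw.rstrip('\n')
        if NEW_ENTRY.match(line):          # a timestamp starts a new log entry
            m = HEADER.match(line)
            current = None
            if m:
                current = {k: m.group(k) for k in FIELDS}
                current['denied'] = DENIED in m.group('rest')
                entries.append(current)
        elif current is not None and DENIED in line:
            current['denied'] = True       # exception printed on a continuation line
    return [e for e in entries if e['denied']]

# Constructed sample: the first entry follows the line in this report, the rest are made up.
SAMPLE = [
    '2019-11-06 10:40:54,196 WARN [AtlassianEvent::thread-3] jdoe @CHSM40x640x337x0 1ks2x81 1.1.1.1 "POST /rest/api/latest/projects/key/repos/slug/pull-requests/1/merge HTTP/1.1" c.a.s.i.h.r.DefaultRepositoryHookService [KEY/slug[1]] Error calling ScriptRepositoryHook.postUpdate com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource',
    '2019-11-06 10:41:02,010 INFO [http-nio-7990-exec-4] asmith @REQ2 sess2 192.0.2.7 "GET /projects HTTP/1.1" c.example.Constructed unrelated entry',
    '2019-11-06 10:42:13,500 WARN  [AtlassianEvent::thread-5] asmith @REQ3 sess3 192.0.2.7 "POST /rest/api/latest/projects/ops/repos/deploy/pull-requests/42/merge HTTP/1.1" c.a.s.i.h.r.DefaultRepositoryHookService [OPS/deploy[7]] Error calling ScriptRepositoryHook.postUpdate',
    'com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource',
    '\tat com.atlassian.stash.internal.aop.ExceptionRewriteAdvice.afterThrowing(ExceptionRewriteAdvice.java:37)',
    '2019-11-06 10:43:00,000 WARN [AtlassianEvent::thread-6] jdoe @REQ4 sess4 1.1.1.1 "POST /rest/api/latest/projects/key/repos/slug/pull-requests/2/merge HTTP/1.1" c.a.s.i.h.r.DefaultRepositoryHookService [KEY/slug[1]] Error calling ScriptRepositoryHook.postUpdate java.io.IOException: constructed unrelated failure',
]

if __name__ == '__main__':
    for hit in find_skipped_hooks(SAMPLE):
        print(f"{hit['ts']} {hit['user']} merged {hit['project']}/{hit['repo']} PR #{hit['pr']}: {hit['callback']} not run")
```

Each reported merge is one where any checks the hook script enforces did not execute, so those pull requests are candidates for manual review.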
tcenl,
Yes, it is. The issue wasn't marked "Closed", so it wasn't included in the release notes. Now that the release is available I've closed the issue and it's now visible on the release notes.
Best regards,
Bryan Turner
Atlassian Bitbucket