Bitbucket Server / BSERV-12045

Hook scripts may not be invoked for cross-repository pull request merges

    Details

      Description

      Issue Summary

      When a pull request between two repositories is merged by a user who does not have at least read access to the source repository, hook scripts are not invoked. Merging only requires access to the target repository, so such a user is still able to merge.

      Steps to Reproduce

      1. Create a hook script, using an app like External Hooks
      2. Create a repository and give 2 users access
      3. Create a personal fork of the repository as one of the two users, and do not give the other user access to it
      4. Open a pull request from the fork to the canonical repository
      5. Merge the pull request as the user without access to the fork

      Expected Results

      Hook scripts are invoked.

      Actual Results

      Hook scripts are not invoked, and the following error appears in the logs:

      2019-11-06 10:40:54,196 WARN  [AtlassianEvent::thread-3] jdoe @CHSM40x640x337x0 1ks2x81 1.1.1.1 "POST /rest/api/latest/projects/key/repos/slug/pull-requests/1/merge HTTP/1.1" c.a.s.i.h.r.DefaultRepositoryHookService [KEY/slug[1]] Error calling ScriptRepositoryHook.postUpdate
      com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource
              at com.atlassian.stash.internal.aop.ExceptionRewriteAdvice.afterThrowing(ExceptionRewriteAdvice.java:37)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.cloneUrls(DefaultHookScriptEnvironmentProvider.java:161)
              at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.repoDetails(DefaultHookScriptEnvironmentProvider.java:198)
              at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.mergeVariables(DefaultHookScriptEnvironmentProvider.java:173)
              at com.atlassian.stash.internal.hook.script.DefaultHookScriptEnvironmentProvider.create(DefaultHookScriptEnvironmentProvider.java:120)
              at com.atlassian.stash.internal.hook.script.DefaultHookScriptInvoker.lambda$prepareEnvironment$1(DefaultHookScriptInvoker.java:286)
      

      Workaround

      Ensure the user merging cross-repository pull requests has at least read access to the source repository.
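
To find merges where hook scripts were already skipped this way, the application log can be scanned for the warning shown under Actual Results. The following is an added example, not Atlassian's code: the function name `skipped_hook_merges` is hypothetical, it assumes log lines follow the layout of the excerpt above, and every sample line after the first three is constructed.

```python
import re

# Assumption: each log event starts with a timestamp in the format of the excerpt above.
TS = r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}'
TIMESTAMP = re.compile('^' + TS + ' ')
# Header of a hook failure raised while serving a pull request merge request.
HEADER = re.compile(
    r'^(?P<ts>' + TS + r') WARN\s+\[[^\]]*\] (?P<user>\S+) [^"]*'
    r'"POST \S*/projects/(?P<project>[^/\s]+)/repos/(?P<repo>[^/\s]+)'
    r'/pull-requests/(?P<pr>\d+)/merge HTTP/[\d.]+" '
    r'.*Error calling (?P<hook>\S+)\.(?P<callback>\w+)$')
AUTHZ = "com.atlassian.bitbucket.AuthorisationException"


def skipped_hook_merges(lines):
    """Return one record per merge whose hook callback failed with AuthorisationException."""
    findings, pending = [], None
    for raw in lines:
        line = raw.strip()
        if TIMESTAMP.match(line):
            # A new log event begins; remember it only if it is a hook failure on a merge.
            m = HEADER.match(line)
            pending = m.groupdict() if m else None
        elif pending and AUTHZ in line:
            # The exception belongs to the remembered merge: its hook script did not run.
            findings.append(pending)
            pending = None
    return findings


# First three lines are from the report above; the rest are constructed for this example.
SAMPLE = '''\
2019-11-06 10:40:54,196 WARN  [AtlassianEvent::thread-3] jdoe @CHSM40x640x337x0 1ks2x81 1.1.1.1 "POST /rest/api/latest/projects/key/repos/slug/pull-requests/1/merge HTTP/1.1" c.a.s.i.h.r.DefaultRepositoryHookService [KEY/slug[1]] Error calling ScriptRepositoryHook.postUpdate
com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource
        at com.atlassian.stash.internal.aop.ExceptionRewriteAdvice.afterThrowing(ExceptionRewriteAdvice.java:37)
2019-11-06 10:41:02,003 INFO  [constructed-thread-1] asmith @EXAMPLE1x641x10x0 abc123 10.0.0.5 "GET /projects HTTP/1.1" c.e.Constructed constructed unrelated line
2019-11-06 10:42:10,511 WARN  [AtlassianEvent::thread-5] asmith @EXAMPLE2x642x11x0 abc123 10.0.0.5 "POST /rest/api/latest/projects/key/repos/slug/pull-requests/2/merge HTTP/1.1" c.a.s.i.h.r.DefaultRepositoryHookService [KEY/slug[2]] Error calling ScriptRepositoryHook.postUpdate
java.lang.IllegalStateException: constructed unrelated failure
'''

if __name__ == "__main__":
    for f in skipped_hook_merges(SAMPLE.splitlines()):
        print(f"{f['ts']} {f['user']} merged {f['project']}/{f['repo']} PR {f['pr']}: "
              f"{f['hook']}.{f['callback']} not run")
```

Each record names the merging user and the pull request, which is what is needed to re-run whatever check the hook script would have performed on that merge.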

            People

            Assignee:
            bturner Bryan Turner
            Reporter:
            bturner Bryan Turner