Details
- Bug
- Resolution: Fixed
- Highest
- 7.3.0, 7.6.0, 7.5.2
- 5
- Severity 2 - Major
- 263
Description
Problem
A user still has access to a project and repository after the global permission has been removed.
Conversely, a user in this affected state will be greeted with "permission denied" even after the global permission has been re-granted to the user.
Environment
- Tested on 7.5 and 7.3
Steps to Reproduce
- Create a group
- Create a project and grant the new group write permission on it
- Create a repo in the project and push a file to it
- Add a user to the group and make sure the user can see the file
- Remove the user from the group
- Refresh the page to see that file. Initially you'll get 403s, but after trying a few times you get a 200 and are able to view the file
Expected Results
- The user should not have access when removed from the group
- The user should have access when added to the group
Actual Results
- The user can click the refresh buttons repeatedly until a pop-up is displayed that states "User not permitted - You are not permitted to access this resource"
- The pop-up has a "back to dashboard" button and a "close" hyperlink
- The user can click the "close" hyperlink and now has access to the repo
Workaround
Add the following to bitbucket.properties and restart:
- http.scmrequest.async.enabled=false
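Because the stale access shows up only intermittently (403s followed by an occasional 200), a single request cannot confirm that the workaround or the fixed version holds. The following regression check is an added example, not Atlassian's code: `probe_revoked_access`, `http_status`, `flaky_server` and the `DENIED` status set are names and assumptions made for this sketch, and the simulated server is constructed sample input.

```python
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Assumption: these statuses count as "access correctly refused".
DENIED = {401, 403}


def http_status(url: str, headers: dict = None, timeout: float = 10) -> int:
    """Return the HTTP status for one GET, treating error statuses as data."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def probe_revoked_access(fetch: Callable[[], int],
                         attempts: int = 50) -> List[Tuple[int, int]]:
    """Repeat the request as the removed user and report every attempt
    that was NOT refused, as (attempt_number, status)."""
    leaks = []
    for n in range(1, attempts + 1):
        status = fetch()
        if status not in DENIED:
            leaks.append((n, status))
    return leaks


def flaky_server(allow_on: set) -> Callable[[], int]:
    """Constructed stand-in for an affected instance: answers 403 except
    on the listed attempt numbers, where it answers 200."""
    calls = {"n": 0}

    def fetch() -> int:
        calls["n"] += 1
        return 200 if calls["n"] in allow_on else 403

    return fetch


if __name__ == "__main__":
    # Affected behaviour: mostly denied, occasionally served.
    print("affected:", probe_revoked_access(flaky_server({7, 19}), 25))
    # Expected behaviour after the workaround or fix: never served.
    print("fixed:   ", probe_revoked_access(flaky_server(set()), 25))
```

Against a real test instance, pass `lambda: http_status(url, headers)` with the file's URL and the removed user's credentials; an empty result over many attempts is the pass condition. `urllib` follows redirects, so a redirect to a login page is reported as 200 and needs to be told apart from a served file.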