Details
-
Suggestion
-
Resolution: Unresolved
Description
Currently, when adding a user to either a project or repository via the GUI, you are not able to add unlicensed users because those users don't show up when typing usernames.
However, when using the REST API there is no restriction and unlicensed users can be added to either projects or repositories. This is considered a security risk and an audit failure.
The request is to make this something that is configurable. We would like to have the ability to disable adding unlicensed users to projects or repositories via the REST API.
A GUI-based checkbox that doesn't require a system restart would be the best option, but the ability to add an option to bitbucket.properties is second best.
We are unable to create custom plugins so the suggestion from Support to develop a plugin that squashes requests to RepositoryPermissionGrantRequestedEvent and ProjectPermissionGrantRequestedEvent when the user is not licensed is not possible for us.
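
One way to detect the condition described above is to audit existing grants. This is an added example, not part of the original request or Atlassian's code: it walks paged user-permission listings for a project and a repository and reports users who hold a grant but are not in a licensed-user set. The `fetch` callable, the sample pages, the project key `PRJ`, the repository `app` and the licensed set are constructed assumptions; how the licensed set is obtained is left to the operator.

```python
from typing import Callable, Dict, Iterable, Iterator, List, Set, Tuple

# Constructed sample responses keyed by (path, start), in the REST API's paged
# shape ("values", "isLastPage", "nextPageStart"). Not real data.
SAMPLE_PAGES: Dict[Tuple[str, int], dict] = {
    ("/rest/api/1.0/projects/PRJ/permissions/users", 0): {
        "values": [
            {"user": {"name": "alice"}, "permission": "PROJECT_ADMIN"},
            {"user": {"name": "svc-old"}, "permission": "PROJECT_WRITE"},
        ],
        "isLastPage": False, "nextPageStart": 2,
    },
    ("/rest/api/1.0/projects/PRJ/permissions/users", 2): {
        "values": [{"user": {"name": "bob"}, "permission": "PROJECT_READ"}],
        "isLastPage": True,
    },
    ("/rest/api/1.0/projects/PRJ/repos/app/permissions/users", 0): {
        "values": [{"user": {"name": "contractor7"}, "permission": "REPO_WRITE"}],
        "isLastPage": True,
    },
}

def fetch_sample(path: str, start: int) -> dict:
    """Stand-in for an authenticated GET of path?start=N (assumption)."""
    return SAMPLE_PAGES[(path, start)]

def iter_grants(fetch: Callable[[str, int], dict], path: str) -> Iterator[Tuple[str, str]]:
    """Yield (username, permission) across every page of one listing."""
    start = 0
    while True:
        page = fetch(path, start)
        for entry in page.get("values", []):
            yield entry["user"]["name"], entry["permission"]
        if page.get("isLastPage", True):
            return
        start = page["nextPageStart"]  # KeyError here means a malformed page

def unlicensed_grants(fetch: Callable[[str, int], dict], paths: Iterable[str],
                      licensed: Set[str]) -> List[dict]:
    """Report every grant held by a user who is not in the licensed set."""
    findings = []
    for path in paths:
        for name, permission in iter_grants(fetch, path):
            if name not in licensed:
                findings.append({"scope": path, "user": name, "permission": permission})
    return findings
```
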