Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-7976

Toggle branch permission logic

    XMLWordPrintable

Details

    • Suggestion
    • Resolution: Answered
    • None
    • None
    • None
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Summary

      When 3.10.0 was released the logic of branch permissions was changed so that "Restrictions should always be applied to achieve the most restrictive subset." A subsequent bug was created BSERV-7597, and the permissions were switched back to the way they were originally. Currently you just need permission from any pattern that matches. If one of the patterns denies permission and another one allows it, access is allowed.

      Problem

      There are certain cases in which the branch logic that was fixed are necessary. For instance:

      You have 3 groups of users:

      • Contractors: who only are allowed to commit to bugfix branches.
      • Developers: who are allowed to write anywhere in the repository, except when a release branch is locked down in preparation for release.
      • Admins: Have full permissions and manage release branches.

      Ideally you would want branch permissions set up so that Admins and Developers have the following branch permissions for read and write: release/**.

      When a branch is frozen for a release a new branch permission would be created for a specific release branch like release/2.2.0 that are assigned to admins only.

      Workarounds

      1. Currently to achieve permissions that are this granular your best option would be to fork a repository within the same project. Contractors can commit to this fork and create pull requests into the original repo. You will only need to set one branch permission on the original repo for the release branch that is frozen and disallow write permission to the original repo for the Contractors.
      2. Another option would be to manually add branch permissions to your Developers for each release branch like this: 
        release/2.2.0.0: Admins
master: Developers
release/2.1.*: Developers
release/2.0.*: Developers
release/2.3.*: Developers
release/1.*: Developers

        This is not ideal, because branch permissions have to be set every time a branch is created to prevent the contractors from committing to it.

      Solution:

      A way to toggle the logic used by branch permissions. If the default was to the current setting, long time customers wouldn't be affected by upgrades and those that need granular branch permissions could have it when they need it, on a repository by repository basis.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. BSERV-7597 Branch Permissions should not prevent push if multiple Restrictions match the target branch, and at least one allows write access to the current user or group

          • High - High priority issues
          • Closed

          Activity

            People

              Unassigned Unassigned
              bstuart Ben Stuart
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: