Details
-
Suggestion
-
Resolution: Answered
-
None
-
None
-
None
Description
Summary
When 3.10.0 was released the logic of branch permissions was changed so that "Restrictions should always be applied to achieve the most restrictive subset." A subsequent bug was created BSERV-7597, and the permissions were switched back to the way they were originally. Currently you just need permission from any pattern that matches. If one of the patterns denies permission and another one allows it, access is allowed.
Problem
There are certain cases in which the branch logic that was fixed are necessary. For instance:
You have 3 groups of users:
- Contractors: who only are allowed to commit to bugfix branches.
- Developers: who are allowed to write anywhere in the repository, except when a release branch is locked down in preparation for release.
- Admins: Have full permissions and manage release branches.
Ideally you would want branch permissions set up so that Admins and Developers have the following branch permissions for read and write: release/**.
When a branch is frozen for a release a new branch permission would be created for a specific release branch like release/2.2.0 that are assigned to admins only.
Workarounds
- Currently to achieve permissions that are this granular your best option would be to fork a repository within the same project. Contractors can commit to this fork and create pull requests into the original repo. You will only need to set one branch permission on the original repo for the release branch that is frozen and disallow write permission to the original repo for the Contractors.
- Another option would be to manually add branch permissions to your Developers for each release branch like this:
release/2.2.0.0: Admins master: Developers release/2.1.*: Developers release/2.0.*: Developers release/2.3.*: Developers release/1.*: Developers
This is not ideal, because branch permissions have to be set every time a branch is created to prevent the contractors from committing to it.
Solution:
A way to toggle the logic used by branch permissions. If the default was to the current setting, long time customers wouldn't be affected by upgrades and those that need granular branch permissions could have it when they need it, on a repository by repository basis.
Attachments
Issue Links
- is related to
-
BSERV-7597 Branch Permissions should not prevent push if multiple Restrictions match the target branch, and at least one allows write access to the current user or group
- Closed