Details
- Bug
- Resolution: Fixed
- Low
- 4.8.3
- Severity 3 - Minor
- 2
Description
Summary
A user who is a reviewer on a pull request and has access to the target repository isn't able to re-open the pull request after it has been declined; the attempt fails with a "User not permitted" exception.
Environment
Pull request configuration
- Source: bitbucket483one-userbfork / branch feature1
- Destination: bitbucket483one / branch master
- No merge conflict involved
Users
- usera
- userb
Repositories involved
- bitbucket483one
  - usera is admin.
  - userb has write permission.
- bitbucket483one-userbfork
  - Fork made by userb. Only userb has access.
Steps to Reproduce
- bitbucket483one is created and some code is committed to it on master.
- userb forks the repository, creating bitbucket483one-userbfork.
- userb creates the branch feature1 from master on his fork.
- userb commits a new file to branch feature1.
- userb creates a pull request from bitbucket483one-userbfork/feature1 to bitbucket483one/master, and adds usera as a reviewer.
- The pull request is declined.
- usera accesses the pull request and tries to re-open it.
Expected Results
- The "Re-open" button shouldn't be available to usera, since this user doesn't have Read permission on the source repository. The branch may have been updated on the source repository, and by reopening the pull request usera would essentially be giving himself access to new changes he doesn't have permission to see.
Actual Results
- usera receives the following message:
- The below exception is thrown in the atlassian-bitbucket.log file:
2016-08-10 19:05:44,507 DEBUG [http-nio-7990-exec-4] usera @666J1x1145x548x0 ujs29w 0:0:0:0:0:0:0:1 "POST /rest/api/latest/projects/PROJ/repos/bitbucket483one/pull-requests/1/reopen HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping ServiceException to REST response 401
com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource
    at com.atlassian.stash.internal.aop.ExceptionRewriteAdvice.afterThrowing(ExceptionRewriteAdvice.java:36) ~[bitbucket-platform-4.8.3.jar:na]
    at com.atlassian.stash.internal.pull.DefaultPullRequestService.checkRefExistsForReopen(DefaultPullRequestService.java:1130) ~[bitbucket-service-impl-4.8.3.jar:na]
    at com.atlassian.stash.internal.pull.DefaultPullRequestService.internalReopen(DefaultPullRequestService.java:1384) ~[bitbucket-service-impl-4.8.3.jar:na]
    at com.atlassian.stash.internal.pull.DefaultPullRequestService.reopen(DefaultPullRequestService.java:756) ~[bitbucket-service-impl-4.8.3.jar:na]
    at com.atlassian.plugin.util.ContextClassLoaderSettingInvocationHandler.invoke(ContextClassLoaderSettingInvocationHandler.java:26) ~[atlassian-plugins-core-4.1.8.jar:na]
    at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:56) ~[na:na]
    at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:60) ~[na:na]
    at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invokeUnprivileged(ServiceTCCLInterceptor.java:70) ~[na:na]
    at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invoke(ServiceTCCLInterceptor.java:53) ~[na:na]
    at org.eclipse.gemini.blueprint.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:57) ~[na:na]
    at com.atlassian.stash.internal.rest.pull.PullRequestResource.reopen(PullRequestResource.java:549) ~[bitbucket-rest-4.8.3.jar:na]
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
    at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:24) [applinks-plugin-5.2.2_1469663356000.jar:na]
    at com.atlassian.plugin.connect.plugin.auth.scope.ApiScopingFilter.doFilter(ApiScopingFilter.java:81) [atlassian-connect-plugin-1.1.86-bitbucket-04.jar:na]
    at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:88) [classes/:na]
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:109) [classes/:na]
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75) [classes/:na]
    at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:94) [atlassian-trusted-apps-core-4.2.0.jar:na]
    at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67) [atlassian-oauth-service-provider-plugin-2.0.3_1469663358000.jar:na]
    at com.atlassian.core.filters.ServletContextThreadLocalFilter.doFilter(ServletContextThreadLocalFilter.java:21) [atlassian-core-4.6.19.jar:na]
    at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) [atlassian-core-4.6.19.jar:na]
    at com.atlassian.plugin.connect.plugin.auth.user.ThreeLeggedAuthFilter.doFilter(ThreeLeggedAuthFilter.java:109) [atlassian-connect-plugin-1.1.86-bitbucket-04.jar:na]
    at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:32) [jwt-plugin-1.5.11-0002_1469663358000.jar:na]
    at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:38) [analytics-client-5.2.7_1469663356000.jar:na]
    at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39) [analytics-client-5.2.7_1469663356000.jar:na]
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:87) [classes/:na]
    at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:73) [classes/:na]
    at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:86) ~[bitbucket-service-impl-4.8.3.jar:na]
    at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38) ~[classes/:na]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[na:1.8.0_74]
    at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_74]
    ... 290 frames trimmed
Caused by: org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-3.2.7.RELEASE.jar:3.2.7.RELEASE]
    ... 34 common frames omitted
Workaround
- Give usera at least Read permission on the source repository.
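
To find which reviewers have hit this rejection, and on which pull requests, the request line shown in the log excerpt above can be matched in atlassian-bitbucket.log. This is an added example, not part of the original report or of Bitbucket's code; it assumes DEBUG logging as in the excerpt, the function name `denied_reopens` is hypothetical, and every sample line except the first request line is constructed.

```python
import re
from collections import defaultdict

# Request-line layout taken from the report's atlassian-bitbucket.log excerpt:
# timestamp level [thread] user @request-id session remote-addr "METHOD path HTTP/x" logger message
REOPEN_DENIED = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ \[[^\]]+\] '
    r'(?P<user>\S+) @\S+ .*?'
    r'"POST \S*/projects/(?P<project>[^/\s]+)/repos/(?P<repo>[^/\s]+)'
    r'/pull-requests/(?P<pr>\d+)/reopen HTTP/[\d.]+" '
    r'.*Mapping ServiceException to REST response 401\b'
)

# First three lines come from the report's excerpt; the rest are constructed samples.
SAMPLE_LOG = '''\
2016-08-10 19:05:44,507 DEBUG [http-nio-7990-exec-4] usera @666J1x1145x548x0 ujs29w 0:0:0:0:0:0:0:1 "POST /rest/api/latest/projects/PROJ/repos/bitbucket483one/pull-requests/1/reopen HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping ServiceException to REST response 401
com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource
    at com.atlassian.stash.internal.pull.DefaultPullRequestService.checkRefExistsForReopen(DefaultPullRequestService.java:1130) ~[bitbucket-service-impl-4.8.3.jar:na]
2016-08-10 19:07:02,113 DEBUG [http-nio-7990-exec-7] usera @AAAA1x1147x550x0 sess01 0:0:0:0:0:0:0:1 "POST /rest/api/latest/projects/PROJ/repos/bitbucket483one/pull-requests/1/reopen HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping ServiceException to REST response 401
2016-08-11 09:15:30,020 DEBUG [http-nio-7990-exec-2] userc @BBBB1x555x12x0 sess02 10.0.0.5 "POST /rest/api/latest/projects/PROJ/repos/bitbucket483one/pull-requests/7/reopen HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping ServiceException to REST response 401
2016-08-11 09:20:00,000 DEBUG [http-nio-7990-exec-3] usera @CCCC1x560x13x0 sess01 0:0:0:0:0:0:0:1 "POST /rest/api/latest/projects/PROJ/repos/bitbucket483one/pull-requests/1/merge HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping ServiceException to REST response 401
2016-08-11 09:25:00,000 DEBUG [http-nio-7990-exec-5] userb @DDDD1x565x14x0 sess03 10.0.0.6 "POST /rest/api/latest/projects/PROJ/repos/bitbucket483one/pull-requests/1/reopen HTTP/1.1" c.a.s.i.r.e.ServiceExceptionMapper Mapping ServiceException to REST response 409
'''


def denied_reopens(lines):
    """Return {(project, repo, pr_id): {user: [timestamps]}} for reopen calls answered with 401."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = REOPEN_DENIED.match(line)  # stack frames and other requests do not match
        if m:
            key = (m["project"], m["repo"], int(m["pr"]))
            hits[key][m["user"]].append(m["ts"])
    return {key: dict(users) for key, users in hits.items()}


if __name__ == "__main__":
    for (project, repo, pr), users in denied_reopens(SAMPLE_LOG.splitlines()).items():
        for user, stamps in users.items():
            print(f"{project}/{repo} PR #{pr}: {user} rejected {len(stamps)}x, last at {stamps[-1]}")
```

Each user reported for a pull request is a candidate for the workaround, after confirming they should be allowed to read the source repository.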