I was the original reporter of this issue, and I am hoping to add some clarity as to why I'm not convinced that this is a new feature rather than a bug.
With the "Prevent Changes without a Pull Request" branch permission in place, an unauthorized user is:
- Not allowed to push new commits from their local Git environment to an existing branch (matching the naming pattern). CORRECT!
- Allowed to merge new commits into an existing branch (matching the naming pattern) from a Pull Request. CORRECT!
- Not allowed to create a new branch (matching the naming pattern) by pushing from their local Git environment. CORRECT!
- Allowed to create a new branch (matching the naming pattern) from the Bitbucket Server UI. WRONG-WRONG-WRONG!
- Not allowed to delete an existing branch (matching the naming pattern) by pushing from their local Git environment. CORRECT!
- Allowed to delete an existing branch (matching the naming pattern) from the Bitbucket Server UI. WRONG-WRONG-WRONG!
I believe the behavior of point 4, which is the reason for this support issue originally being filed, is still a bug as creating a new branch even on the Bitbucket Server backend should, AFAIK, still require a git push to create that branch and have it become available for downstream users/editors to git pull from the remote/origin. Is that not correct? If not, and if it is just created via git checkout -b or whatever and does not require a git push to make it available, then I understand the underlying technical reasons for why this situation came up.
That said, technical implementation details aside, I still definitely feel that this is a bug as creating a new branch on the Bitbucket Server UI (point 4) is really no more secure or approved than pushing it from a local Git environment (point 3) since this means a security hole so long as users can push a new branch of some non-matching name to the remote (which is a practical setup for a team of coworkers when we don't want to involve the forking of repos to each individual user's profile). In such a configuration, they can just create a new branch in the Bitbucket Server UI with a restricted name that is branched from that non-matching name and – voilà – they have completely gotten around all security measures that should have been provided by the "Prevent Changes without a Pull Request" restriction.
This security hole also allows unauthorized users to delete branches that they do not have permissions to change (without a PR) in the Bitbucket Server UI (point 6), which is also bad since they would once again not be allowed to do so by pushing a branch deletion (null branch) from their local Git environment (point 5). This secondary issue, however, can at least be prevented by using the already available "Prevent deletion" restriction coupled with the "Prevent changes without a Pull Request" restriction.
james.m.greene1458861698, there is already a permission available to prevent branch deletion. Not sure if you knew about it, or perhaps I'm missing something in your request that it doesn't do already?
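
The pairing of restrictions mentioned in both comments above can be checked mechanically. This is an added example, not part of the original thread and not Atlassian code: it assumes the repository's restrictions have been exported as a list of records with a `type` field and a `matcher`, and that `pull-request-only` and `no-deletes` are the type names for "Prevent changes without a Pull Request" and "Prevent deletion". It covers only the deletion case, not branch creation from the UI.

```python
from collections import defaultdict

# Assumed type names for the two restrictions discussed in the thread.
PR_ONLY = "pull-request-only"   # "Prevent changes without a Pull Request"
NO_DELETES = "no-deletes"       # "Prevent deletion"

# Constructed sample export; the field layout is an assumption.
SAMPLE = [
    {"type": PR_ONLY, "matcher": {"id": "release/*", "type": {"id": "PATTERN"}}},
    {"type": NO_DELETES, "matcher": {"id": "release/*", "type": {"id": "PATTERN"}}},
    {"type": PR_ONLY, "matcher": {"id": "refs/heads/master", "type": {"id": "BRANCH"}}},
    {"type": NO_DELETES, "matcher": {"id": "hotfix/*", "type": {"id": "PATTERN"}}},
]


def missing_delete_protection(restrictions):
    """Return matchers that are pull-request-only but can still be deleted.

    Restrictions are grouped by (matcher type, matcher id) so that a
    pattern and a literal branch with the same text are not confused.
    """
    types_by_matcher = defaultdict(set)
    for r in restrictions:
        m = r["matcher"]
        types_by_matcher[(m["type"]["id"], m["id"])].add(r["type"])
    return sorted(
        key
        for key, types in types_by_matcher.items()
        if PR_ONLY in types and NO_DELETES not in types
    )


if __name__ == "__main__":
    for matcher_type, matcher_id in missing_delete_protection(SAMPLE):
        print(f"{matcher_type} {matcher_id}: PR-only without delete protection")
```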