• We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      When adding a new user in JIRA, the DVCS connector is configured to add users to the Developers group of a new OnDemand Bitbucket team by default. This behavior is confusing and causes users concern over the security of the add-on. Please default to not adding any users to Bitbucket groups without ample explanation that this will happen.

      How to change the default:

      https://confluence.atlassian.com/display/BITBUCKET/Configure+Automatic+Team+Invites

      The link above shows you how to change the default.

            [JSWSERVER-14464] Disable adding users to Bitbucket teams by default.

            MattS added a comment -

            Yeah, I'd call that scenario a security failure, by design oversight. But still, ouch

            Roberto Dominguez added a comment -

            Here's the scenario:

            • You trust your repository to Bitbucket
            • You have JIRA OnDemand
            • You have public projects, and private projects
            • Somebody wants to submit an issue, so you give him access to JIRA OnDemand
            • Unbeknownst to you, he gets a nice invitation to join your Bitbucket's repository
            • And bingo, he gets access!
            • When do you notice? When you run out of users in your Bitbucket plan

            Am I missing something?

            Roberto Dominguez added a comment -

            Are you guys bloody serious!!!!!!! Severity minor?

            The feature is totally hidden, there is no warning or notification?

            Are you guys aware of how important it is for small dev companies not getting their code exposed?

            Can somebody from Atlassian escalate this?

            aMarcus (Inactive) added a comment -

            matt.mcclure There is! It can be configured from the plugin under the Gear icon next to any account name. https://confluence.atlassian.com/display/BITBUCKET/Configure+Automatic+Team+Invites

            Matt McClure added a comment -

            Is there an option in JIRA or the DVCS connector to disable adding Bitbucket users? I ask because the ticket says "by default", suggesting there might be configuration that I could change to disable it now, before this issue is addressed.

            Shane A. Stillwell added a comment -

            I would have to agree for two reasons.

            1. Having weird people show up in Bitbucket is very disconcerting. I had to remove 3 different users thinking that there may be a security issue with Bitbucket; I was not privy to everyone that was being added to Jira.

            2. It pushed us over our limit and broke git pushes. As you can imagine, not being able to push new code breaks our work processes.

            https://support.atlassian.com/browse/BBS-2752

            aMarcus (Inactive) added a comment - https://support.atlassian.com/browse/JST-57834

            aMarcus (Inactive) added a comment - https://support.atlassian.com/browse/JST-58229?focusedCommentId=3403721&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-3403721

            aMarcus (Inactive) added a comment - https://support.atlassian.com/browse/BBS-2290

              Votes: 15
              Watchers: 21
