
Enforce personal-only personal projects

Robert Obuch May 19, 2016

I need help understanding how to reject pushes to personal projects if the project isn't owned by the user who pushed the changes. e.g. I can push to my own personal project but I'm not permitted to push to a colleague's project.

I have ScriptRunner available to help facilitate these changes.


1 vote
Answer accepted
JamieA
May 20, 2016

There are a couple of ways to do this with SR4BB... you could have a pre-receive hook that does the block. But I think it's better that the personal repo owner knows that they can't open up their personal repos to pushes from elsewhere, so I would do it by blocking changes to the permissions.

Admin -> Script Event Handlers, add Custom Event Handler:

[image: image2016-5-20 12:16:30.png]

The script contains:

import com.atlassian.bitbucket.auth.AuthenticationContext
import com.atlassian.bitbucket.event.CancelableEvent
import com.atlassian.bitbucket.event.permission.RepositoryPermissionEvent
import com.atlassian.bitbucket.event.permission.RepositoryPermissionGrantRequestedEvent
import com.atlassian.bitbucket.permission.Permission
import com.atlassian.bitbucket.permission.PermissionService
import com.atlassian.bitbucket.project.ProjectType
import com.atlassian.sal.api.component.ComponentLocator

def event = event as RepositoryPermissionEvent
def authContext = ComponentLocator.getComponent(AuthenticationContext)
def permissionService = ComponentLocator.getComponent(PermissionService)

if (event.repository.project.type == ProjectType.PERSONAL) {
    if (! permissionService.hasGlobalPermission(authContext.getCurrentUser(), Permission.ADMIN)) {
        if (event instanceof RepositoryPermissionGrantRequestedEvent && event.permission == Permission.REPO_READ) {
            return // allow users to grant read access
        }

        (event as CancelableEvent).cancel("You cannot change permissions on personal repositories")
    }
}

I've made it so that global admins can change personal repo perms, and I've allowed users to grant and revoke READ perms but none other.

Oh - unfortunately BBS does not display the cancel message, it just displays some generic message. This is a bit annoying, probably a BBS RFE:

[image: image2016-5-20 12:31:15.png]

Robert Obuch May 20, 2016

Thank you for the detailed response. 

The remaining step would be to remove existing permissions for personal projects and repositories. I guess this would be using the script console?

JamieA May 20, 2016

Needs minor changes to make it work for repos rather than projects...
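
For the clean-up step raised in the comments above (grants that already exist on personal repositories), here is an added example that is not part of the original answers: a Python check that applies the event handler's policy to existing permission listings. It assumes the JSON shapes of the Bitbucket Server REST API (`project.type`, `project.owner.name`, `permission`); the function names and all sample records are constructed for illustration.

```python
# Added example: audit existing grants on personal repositories.
# Field names are assumed to match Bitbucket Server REST JSON; sample data is constructed.

ALLOWED = {"REPO_READ"}  # the same exception the event handler makes


def personal_owner(repo):
    """Return the owner's username for a personal repo, else None."""
    project = repo.get("project", {})
    if project.get("type") != "PERSONAL":
        return None
    owner = project.get("owner", {}).get("name")
    # Personal project keys have the form "~username"; use that as a fallback.
    return owner or project.get("key", "").lstrip("~") or None


def find_violations(repo, user_grants, group_grants=()):
    """List grants on a personal repo that the handler would now refuse."""
    owner = personal_owner(repo)
    if owner is None:
        return []  # not a personal repository: out of scope
    found = []
    for g in user_grants:
        name = g["user"]["name"]
        if name.lower() != owner.lower() and g["permission"] not in ALLOWED:
            found.append(("user", name, g["permission"]))
    for g in group_grants:
        # A group grant above READ always lets non-owners push.
        if g["permission"] not in ALLOWED:
            found.append(("group", g["group"]["name"], g["permission"]))
    return found


# Constructed sample: one personal repo with three user grants and one group grant.
SAMPLE_REPO = {"slug": "scratch",
               "project": {"key": "~robert", "type": "PERSONAL",
                           "owner": {"name": "robert"}}}
SAMPLE_USERS = [{"user": {"name": "robert"}, "permission": "REPO_ADMIN"},
                {"user": {"name": "alice"}, "permission": "REPO_WRITE"},
                {"user": {"name": "bob"}, "permission": "REPO_READ"}]
SAMPLE_GROUPS = [{"group": {"name": "devs"}, "permission": "REPO_WRITE"}]

if __name__ == "__main__":
    for kind, name, perm in find_violations(SAMPLE_REPO, SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"{SAMPLE_REPO['project']['key']}/{SAMPLE_REPO['slug']}: {kind} {name} has {perm}")
```

The output is a review list only; revoking the flagged grants is a separate step for the admin UI or the script console.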

0 votes
Robert Obuch May 19, 2016

Yes sure

Currently, users can create a personal repository and assign repository permissions to other users to allow access. I am asking how to block users from pushing to somebody else's personal repository even if they have permissions to do so.

0 votes
JamieA
May 19, 2016

Hi Robert... 

Can you expand a little... by default, according to the docs, personal repos should not be accessible to other users. It's possible to expand the permissions to make them accessible to other users - are you saying you want to prevent them doing that? Or is something else going on here...
