Stash Branch Permissions documentation:
"if there are conflicting permissions, the most permissive one applies; "
Our Stash repository is hooked up into LDAP, for access permissions.
My scenario is specific, and I can't find a way to configure it properly, to get the permissions I want.
What I want:
- I am project admin, and only I should be able to push / merge to the "master" branch.
- Anyone can create a remote branch, so that they can create a pull request.
- Pull request should use branch permissions (only I can merge to master).
Configuration Scenario 1:
Project:
I have "Contributor"
LDAP Group --> all users have "Observer"
result: no matter what I do to branch permissions, no one can commit anywhere.
Configuration Scenario 2:
Project:
LDAP Group --> all users have "Contributor".
Branch:
master: only me
(*): all users.
result: Anyone can commit.
Anyone can create a remote branch, issue a pull request, and merge that pull request into master. (FAIL).
Test case (that doesn't work) that I expect to work with Scenario 2:
1. Any user can create a remote branch.
2. No one can commit to master (except me).
3. No one can merge a branch into master (except me).
4. Anyone can create a pull request to submit their code into master.
Can someone please explain if this is possible? If this is not possible I consider this a bug. We expected this behaviour to exist when we purchased Stash - hopefully I'm just missing something.
Branch:
master: only me
(*): all users.
result: Anyone can commit. Anyone can create a remote branch, issue a pull request, and merge that pull request into master. (FAIL).
Hi Brett,
Seems like we may have been a little unclear in the branch permissions UI. Let me explain what this configuration does:
master: only me
Only you can push to master (makes sense)
(*): all users.
All users can push to any branch, which overrides the previous branch permission of master, as it is less permissive.
The correct way to configure the branch permission is to set only "master: you". Any non-present branch in the permission list permits any user who can write to the repository access to push to it. This also applies for creating new branches. A user can then create a pull request back to master, but won't be able to merge the pull request either via Stash or manually.
Hope that helps!
Seb
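A small model of the evaluation rule as the answer above and the quoted documentation describe it, run against the configuration from the question and the corrected one. This is an added example, not Stash's code or part of the original posts; the user names other than brett, glob matching via fnmatch, and treating a merge as a push to the target branch are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data: the LDAP group that holds "Contributor".
WRITERS = {"brett", "alice", "bob"}

# Branch permission lists as (pattern, allowed users).
SCENARIO_2 = [("master", {"brett"}), ("*", WRITERS)]  # config from the question
CORRECTED = [("master", {"brett"})]                   # config from the answer


def can_push(user, branch, writers, branch_perms):
    """Model of the rule described in the thread (not Stash's implementation).

    A merge of a pull request is treated as a push to the target branch.
    """
    # Branch permissions only restrict; they never grant write access.
    if user not in writers:
        return False
    matching = [allowed for pattern, allowed in branch_perms
                if fnmatchcase(branch, pattern)]
    # A branch that no entry matches is open to every writer.
    if not matching:
        return True
    # Conflicting entries: the most permissive one applies (union of users).
    return any(user in allowed for allowed in matching)


def audit(branch_perms, protected="master", owner="brett", writers=WRITERS):
    """Return the users other than the owner who can still push to `protected`."""
    return sorted(u for u in writers
                  if u != owner and can_push(u, protected, writers, branch_perms))


if __name__ == "__main__":
    for name, perms in (("scenario 2", SCENARIO_2), ("corrected", CORRECTED)):
        print(name, "-> others who can push to master:", audit(perms))
        print(name, "-> alice can push feature/x:",
              can_push("alice", "feature/x", WRITERS, perms))
```

An empty list from `audit` is the result to check for after changing a permission list: any name it returns is a user who can still push or merge to the protected branch.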
Hey Seb,
Had my wires crossed there. I just removed the /* and it works. The documentation is clear now, I must have mis-read it.
Thanks for your help!
Hi Seb,
This works on a newly created repo. However, restricting branch permissions for master to admin in the default project_1/rep_1 in the dev environment (atlas-run) does NOT restrict commits. If stash-users in this project have contrib permissions, setting master branch permissions to user admin has no effect. Are branch permissions cached?
Hi Ulrich,
This is a known issue with the way Amps unzips our home directory.
https://jira.atlassian.com/browse/STASH-2900
For now you can manually apply the executable bits of the hooks in the $HOME/data/repositories/$ID/hooks directory, or just create new repositories.
Sorry for any inconvenience.
Charles
Still not finding the right permissions :(
Repository permissions were added in 2.4 which was only released this week. Can you confirm if you are using Stash 2.4?
To answer question 2: no, the person shouldn't be able to write. The user must have write access to the repository (or project) first. Branch permissions are then applied on top of this as a restriction.