Issue #3547 open

Only allow issue creator and repo writers to modify issue properties (BB-7765)

psiphon created an issue

The documentation on permissions (http://confluence.atlassian.com/display/BITBUCKET/Repository+Privacy%2C+Permissions%2C+and+More) does not explicitly state the behaviour relating to modifying properties of issues.

In our public repository with a public tracker, a Bitbucket user (who does not have write permissions to the repository) was able to resolve an issue. I believe this is a bug.

Comments (9)

  1. David Chambers

    This behaviour is intentional. On this issue tracker, for example, it's not uncommon for someone to raise an issue only to close it five minutes later. Were this not allowed, such users would end up writing "oops, problem was at my end, please ignore".

    I understand that there may be cases in which the current behaviour is undesirable, but on balance we believe this to be the better of the two options.

    I've updated the documentation. Thanks for highlighting this point of confusion.

  2. A Kruger

    It seems reasonable to allow the creator of an issue to modify the issue's Properties. However, allowing any Bitbucket user to modify the issue's Properties seems far too lenient.

    Here is an example of a Bitbucket user who (probably mistakenly) changed the Properties of some of our issues:

    https://bitbucket.org/psiphon/psiphon-circumvention-system/issue/35/split-tunnel-route-a-subset-of-traffic

    https://bitbucket.org/psiphon/psiphon-circumvention-system/issue/54/allow-user-to-set-protocol-preferences

    Our concern is that it is too easy for an individual to vandalize our issue tracking system. For example, an individual could resolve all of our issues, mark them all as duplicates, etc.

    I'm changing this to a feature request: allow only the creator to modify an issue's Properties if the user does not have write privileges to the Repository.

  3. Jesper Nøhr

    I understand your concern, but Bitbucket's been running like this for almost 4 years now. Anyone can edit *any* public wiki, and anyone has been able to mess with any issue on any public tracker (ours has 3500+ issues.)

    While it's certainly possible to add more configurability to our offering, I'm not a fan. If anything, I think we should be removing checkboxes/options.

    That's just my opinion, however. Please don't go write a script to prove a point. :-)
