Issue #7342 resolved

Read Only Users Can Decline and Edit Pull Requests from Other Users

Devin Schwab
created an issue

We have a repository with a number of read only users. However, these users appear to be able to edit and decline pull requests. The only difference between a user with commit access and a user without commit access appears to be the ability to merge. This seems counter-intuitive.

I would expect read only users to be able to approve of a pull request, comment on a pull request and edit/decline their own pull requests. I would not expect a read only user to be able to edit or decline other users' pull requests.

Some additional information:

  • The repository was a transfer from a user account to a newly created Bitbucket team
  • The team is listed as the owner of the repository
  • The users have been added as members to the Bitbucket team with read only access
  • The users are also listed as read only access on the specific repositories access management page
  • The overview page of the repository shows read permissions for the user

Comments (9)

  1. Michael Frauenholtz staff

    Hi Devin,

    Read only users should only be able to approve pull requests, and we are not seeing otherwise right now. We are looking into this and we'll let you know when we've found anything.

  2. Michael Frauenholtz staff

    Also, it would be helpful to know which repository and which users are affected. Could you please email support@bitbucket.org with this information to help us resolve this issue?

  3. Brian Nguyen staff

    Hi Devin,

    As Michael noted earlier, we are not able to reproduce this issue. I suspect that the users in question actually have write access that was carried over when the repository was transferred.

    To help us investigate, could you tell us what repository(s) this is affecting and what users have erroneous access? If you do not feel comfortable giving us this information, send us an email to support@bitbucket.org.

    Cheers, Brian

  4. Devin Schwab reporter

    Sorry about the delay. I thought I had email notifications on but I guess I didn't. So I didn't realize anyone had responded to this.

    Anyways, I don't think I have the authority to reveal our repository's name and who is working on it. So I will email your support team with the link to this bug.

    Thank you for your help.

  5. Marcus Bertrand staff

    To clarify: the issue here was that the user who could edit/reject was an administrator on the source repository. Any user who has write/admin on the source repo can edit any pull requests from that repo, as they are technically supposed to be able to.
