Cannot remove a follower (BB-13944)

Issue #6434 closed
Fun Bucket
created an issue

Someone who is a follower but is not involved in any of my repositories receives notification when I add someone else as administrator of my account. This creates a hole in privacy. Please provide the feature to remove followers.

Official response

  • Alastair Wilkes staff

    Hi everyone,

    Since the user/team following feature was originally introduced, we've made many improvements to Bitbucket designed to help professional teams collaborate. Over time, and based on usage data, we believe this feature has become less useful for helping teams ship great code quickly. As a result of this shift, today we removed the concept of user/team following from the Bitbucket UI.

    Repository, pull request, and issue following/watching will continue to work the same way.

    For those users using following, we recommend instead watching the repositories you care about to stay on top of relevant activity.

    As the original request for the ability to remove a follower is no longer valid, I am closing this issue. Let me know if you have any questions!

    Thanks,
    Alastair
    Bitbucket PM

    Note: Per our API deprecation guidelines, the full list of the accounts you follow and are followed by is still available via the API. This will be deprecated once a reasonable amount of time has passed.

Comments (63)

  1. Brian Nguyen

    Hi,

    This definitely should not be the case. When you add a user as an administrator only the added user should be notified and not any followers.

    We will look into this, but can you clarify whether the problem occurs when you add a user as an administrator of a repository? Or is it when you add a user as an administrator of a team?

    Cheers, Brian

  2. Fun Bucket reporter

    To clarify, I have been invited to Bitbucket by a friend who received 3 additional users to his account limit thanks to this. I created a team account and did not include my original friend in it. Then I invited someone else as administrator of the team. When he accepted the invitation my original friend received a notification as follower. First, note that my original friend has been put as follower of the account without any explicit request. Second, I have no way to keep my relationships private as there is no way I found to remove followers.

  3. Zachary Davis

    You are correct that your friend should not have automatically followed you when you signed up. This was a bug that I'm currently working on fixing.

    However, I have been completely unable to reproduce the notification of access changes to a follower. Can you provide any additional information? When you say your friend was notified, do you mean in his newsfeed, by email, or in his Bitbucket inbox?

    Thanks.

  4. Gabe D

    In any case, if you care to have a private account with no followers you should be able to remove followers or block people; there is no option for either of these. Especially as followers can see private profiles.

  5. Marcelo Zabani

    This really should be a feature! Every time an employee leaves a company they shouldn't have access to the code anymore. This exact situation is happening right now here at our company.

  6. vexed

    We really need a way to remove followers, creating a new account/repo seems like a very silly thing to do, but, that is the only way to remove them now!

  7. Anonymous

    Hi, bitbucket. I need to remove a follower. It's a privacy issue, this person does not work with us anymore but is still a follower of the team :/

  8. Zachary Davis
    • changed status to open

    To clarify, I fixed a bug last year with automatically following users you invited.

    I was never able to reproduce the notification issue that Fun Bucket described.

    However, I'm reopening this (as I should have a while ago) as a ticket for adding the ability to remove followers from any account you have admin rights to.

  9. 1vexed NA

    Perhaps, if we knew why this seemingly trivial thing to do is taking so long, we could help out?

    This bug has been open for more than 2 years now, and yes, it is a bug when an admin of a project can't get rid of followers, when they should have full access to do anything.

  10. hendra_motion

    This is a huge security flaw, and Bitbucket is still not fixing it. If the algorithm in Bitbucket has a bug and the follower can see the private repository, can follow our activity, or get notifications in their email, you can imagine how horrible it is.

    If I had known this, I would not have recommended it to my friend.

  11. David Feldsine

    I am a paying customer and would like to be able to remove, NO NEED TO BE ABLE TO REMOVE, individuals who have left the company. This is a security issue that needs to be addressed quickly.

  12. Sean Marshall

    I have a similar issue as voiced by others. There are former developers that no longer work for my company that cannot be removed from the list of followers. Is there a way to have them manually removed if this option is not available through the interface?

  13. 1vexed NA

    It seems the ONLY way to handle this is to contact support. There is nobody that can/wants to fix this and all attempts to try to get a response from the staff in this ticket have failed.

    @zachary Davis [Atlassian] staff doesn't reply to messages about this.

  14. Michael Parker

    I too need to remove followers that are no longer with the company. This seems like a serious security issue that should be addressed. It has been 3 years now and still no update.

  15. Anonymous

    At this point I believe we should all move to GitHub or GitLab. This has been opened since 2013-02-19. They either don't know about this ticket or simply don't care.

  16. Stephan Sommer-Schulz

    Please let us block or delete followers!

    It looks like Bitbucket is not able to solve such problems/need/wishes, within 3 years and the number of comments here should tell every product-manager that it is important. Looks like we have to move to another system, maybe the churn rate will open some eyes. Same problem occurs with a search-feature within the repro-wikis :-(

    Is this symptomatic for other Atlassian tools as well?

  17. dfcooper

    I'm trying to understand what access and information a follower will receive. Do they only see when people are added to an account and new repos are made or can they also get to code even if they have been revoked from the account?

  18. Erhan Ergenekan

    I can’t say for sure what information they are receiving since they are no longer with our organization.

    Here is a list of what I feel is wrong with the current functionality:

    • There is no mechanism that allows me to remove a follower
    • There is no clarity on what kind of notifications they might be receiving as a follower

    I do not want to confuse the issue, but there is another large bug that I am seeing. I’ve removed a user under: Manage Team > plan details > Users on this team

    Yet they are still showing up on the Team Landing page under Members. How is this possible? Is there another section for managing members?

    These two issues are very large concerns for me as the administrator and protecting my clients' interests. Not being able to remove followers or members is a huge liability and opens my organization up to legal problems.

    Thanks for getting back to me about these issues.

    Sincerely,

  19. Alastair Wilkes staff

    Hi everyone,

    Apologies for the lack of response on this issue. I don't have any info right now about if/when you'll be able to remove followers yourselves; it seems like a reasonable request, but I'll have to get back to you about timing.

    In the meantime, I can answer @dfcooper's question about the existing functionality:

    People following you will see your public activity in their dashboard newsfeed. They don't get email notifications, and they can't see any info about private repos. They only see info that is already public (since public repos are, well, public!). As a result, there should be no concern from a security perspective. That said, I admit we could make this more usable.

    @Erhan Ergenekan - the Members tab is populated based on the team's group members, so check to see if the user is still in any groups that don't have access to any repos. Removing the user from plan details only removes that user's access to private repositories. This is a bit confusing, and we're working on making it better.

    Hope that helps clear up any confusion. Thanks,

    Alastair

  20. Alastair Wilkes staff

    Hi everyone,

    Since the user/team following feature was originally introduced, we've made many improvements to Bitbucket designed to help professional teams collaborate. Over time, and based on usage data, we believe this feature has become less useful for helping teams ship great code quickly. As a result of this shift, today we removed the concept of user/team following from the Bitbucket UI.

    Repository, pull request, and issue following/watching will continue to work the same way.

    For those users using following, we recommend instead watching the repositories you care about to stay on top of relevant activity.

    As the original request for the ability to remove a follower is no longer valid, I am closing this issue. Let me know if you have any questions!

    Thanks,
    Alastair
    Bitbucket PM

    Note: Per our API deprecation guidelines, the full list of the accounts you follow and are followed by is still available via the API. This will be deprecated once a reasonable amount of time has passed.

  21. hendra_motion

    @Alastair Stott Wilkes

    Thank you for the response to this "dangerous" issue.

    From the Note: "This will be deprecated once a reasonable amount of time has passed". May I ask how long the "reasonable amount of time" is, until the "ex-follower" is really terminated?

  22. Scott Anderson

    Alastair,

    Does that mean all team followers will be removed at some point? If not, the issue is not resolved. We will still potentially have people getting information they should not. It is disturbing to have a terminated employee show up as a follower.

    Regards,

    Scott Anderson

  23. Alastair Wilkes staff

    @hendra_motion - Our typical API deprecation SLA is 180 days. The lists will be removed then.

    @Scott Anderson - Yes, after the API has been deprecated. As a reminder, people who were following you only ever saw your public activity in their dashboard newsfeed. They didn't get email notifications, and they couldn't see any info about private repos. They could only see info that was already public (public repo activity).
