
Issue #6439 resolved

API is confusing

Abril Mídia
created an issue

I'm trying to do some API accesses with a user that has admin access. I want to be able to:

  • Capture permission change events (team_lost_access, team_gained_access, etc.) to make an audit log. But the API result doesn't show who lost or gained access, just who made the action.
  • As a team account admin user, I'm not able to access events from repositories I own. Is this correct? It seems that the feed exposed is much more complete in information, but harder to parse.

What do you suggest to solve this? I don't fully rely on the documentation, which is outdated. For example, where is the documentation of /users/{account_name}/events?

So far, I'm very frustrated with the API.

Comments (9)

  1. Abril Mídia reporter

    Just to add more details.

    I have 5 repositories, as shown in the web interface, but when I access via API /user/repositories it only shows 4 repos. Why does this happen?

    My user has full admin rights; the only difference is that this repo was transferred from another account.

  2. Abril Mídia reporter

    And now I discovered that an ADMIN only has ADMIN access to a repository when its group is associated with the repository.

    Via the API the ADMIN is one thing, via the website it is another. Is that right?

    I think you don't know what the role of the Admin does. You could at least document what definition you are adopting.

  3. Abril Mídia reporter

    I think I know what's happening. The permission "have 'admin' access to this account's repositories" that is set in groups is only applied in the website. But in the API it is not applied.

  4. Abril Mídia reporter

    I think I understood now. Global permissions are applied to all repositories when you change or create a group, okay. But...

    If a person goes and revokes admin access from a repository, via the API an administrator will lose access, but when accessing via the website, an admin can see everything.

    For me this is inconsistent, can't think of a reason to do that.

  5. Abril Mídia reporter

    Just a final question:

    • When I create a group, the permissions set will be propagated to all repositories that an account owns.
    • Let's say another repository admin removes that group from the repository access list;
    • Next time I decide to change a group's permissions, they will only be set in repositories that still have the group associated, and this goes against the fact that the name of the permission is "have 'admin' access to this account's repositories".
    • The warning message even tells me that it is applying only to a subset of my account's repositories.

    Is this really the expected behavior of this feature?

    As an employee of a company that will need to distribute account administration between several project managers because we have ~930 private repositories, this sounds more like an information security flaw. Global permissions should be applied globally and this behavior should not change through time.

  6. Brian Nguyen

    Hi Abril,

    Yes, this is by design. When we change a group's default permission from read to write, only the repositories that the group has read permission to are changed. This is because permissions are managed per repository, not per group. Changing the default permission is a feature to make it easier, but it is not designed to be a global setting.

    Cheers, Brian
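A small model of the per-repository semantics Brian describes, together with the drift check the reporter is effectively asking for, added here as an illustration. It is not Bitbucket code; the repository and group names are constructed, and the model only reproduces the behaviour stated in the thread.

```python
from dataclasses import dataclass, field


@dataclass
class Repo:
    """A repository; group permissions are stored here, per repository."""
    name: str
    group_perms: dict = field(default_factory=dict)  # group -> level


@dataclass
class Account:
    """Constructed model of an account that owns repositories and groups."""
    repos: list
    group_defaults: dict = field(default_factory=dict)  # group -> default level

    def create_group(self, group: str, level: str) -> None:
        """Creating a group pushes its default permission to every repository."""
        self.group_defaults[group] = level
        for repo in self.repos:
            repo.group_perms[group] = level

    def change_group_default(self, group: str, level: str) -> list:
        """Change the default. As described in the thread, only repositories
        that still list the group are updated; detached repositories are left
        untouched. Returns the names of the repositories that were changed."""
        self.group_defaults[group] = level
        touched = []
        for repo in self.repos:
            if group in repo.group_perms:
                repo.group_perms[group] = level
                touched.append(repo.name)
        return touched

    def drifted_repos(self, group: str) -> list:
        """Audit check: repositories whose effective permission for the group
        differs from the account-level default (the gap the reporter raises)."""
        want = self.group_defaults[group]
        return [r.name for r in self.repos
                if r.group_perms.get(group, "none") != want]


def demo() -> tuple:
    """Replay the scenario from comment 5 on constructed repository names."""
    acct = Account(repos=[Repo("api"), Repo("web"), Repo("infra")])
    acct.create_group("admins", "admin")          # propagated to all three
    del acct.repos[1].group_perms["admins"]       # a repo admin detaches it from "web"
    touched = acct.change_group_default("admins", "write")
    return touched, acct.drifted_repos("admins")  # (["api", "infra"], ["web"])
```

Running `drifted_repos` periodically against the real repository list is the kind of check that turns the silent detachment the reporter describes into an auditable event.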
