
Issue #8472 resolved

The consumer has no access to private or public repos from its own users.

samuel hints
created an issue

Request : GET /api/1.0/repositories/oauth_user/public_repo

Response: HTTP/1.1 403 FORBIDDEN


but the owner of the consumer has access to his own private / public repos.


Request : GET /api/1.0/repositories/owner/private_repo

Response: HTTP/1.1 200 OK

Comments (47)

  1. samuel hints reporter

    On version 2.0 this returns an empty value for authenticated users (not the owner).


    Request: GET /api/2.0/repositories/oauth_user


    Response:

    HTTP/1.1 200 OK
    
    
    {
      "pagelen": 10,
      "values": [],
      "page": 1
    }
    
  2. Erik van Zijst staff

    I'm unable to reproduce this. Can you give the actual URLs you're using, as well as the user you are authenticating as?

    As you seem to be using OAuth, can you run another test using Basic Auth, to rule out issues with the OAuth signing process?

  3. samuel hints reporter

    Erik van Zijst, thanks a lot for your help. :)

    • Owner = khosroblog
    • OAuth_user = rss_samuel
    • application-name = khosroblog

    1. rss_samuel is an authenticated user of the khosroblog application.
    2. khosroblog is an authenticated user of the khosroblog application.
    3. The khosroblog account does not have access to public / private repositories from the rss_samuel account.

    I have created a plugin for WordPress and the answer to this issue is very important to me. Also, English is very hard for me. :(

  4. Erik van Zijst staff

    I'm afraid I'm having trouble understanding the scenario. Am I correct in understanding that user khosroblog is hitting /1.0/repositories/rss_samuel/{some-public-repo}, authenticating with OAuth and getting a 403?

    In that case, what repo is he hitting exactly? What's the actual URL?

    Also, can you try with Basic HTTP Auth to test whether there's something wrong with the OAuth credentials?

    Now if Basic Auth also doesn't work, then the problem must lie somewhere else. However, if Basic Auth does work, then please send me the complete wire-level capture of the request and in particular the OAuth Authorization request header (or query string, if your OAuth library doesn't use HTTP headers).

    Again, since this is a support issue, but this issue tracker is for tracking bugs and new features, let's move this to the appropriate channel by emailing support@bitbucket.org

  5. samuel hints reporter

    Thanks Erik van Zijst for the reply. Yesterday I sent an email to support@bitbucket.org, but they have not replied yet.


    I created an application with the Facebook API and users authenticate through the Facebook app, so I have access to user info (including public or private info).

    But on the Bitbucket app this does not work. The Bitbucket app only gives access to the user who created the application, and not to all users.

  6. samuel hints reporter

    How? With Basic OAuth I can only access my repositories, not another user's repositories.

    I want my user to authenticate with my Bitbucket application and then I get the public / private user data. :)

    This is the first and most important issue for me.

  7. Erik van Zijst staff

    rss_samuel/my_repo is a private repo that has no users on it. It does have the group rss_samuel:my_group that has read access on it, but that group is empty.

    So nobody except yourself can view rss_samuel/my_repo. So khosroblog won't be able to see it either.

    I'm happy to look into this further if you can provide me with a full wire-level dump of your request and particularly our OAuth authorization header. Can you provide that? That will reveal who you are trying to authenticate as. If that is any user other than rss_samuel, then you will get a 403.

  8. samuel hints reporter

    1. GET /!api/2.0/repositories/khosroblog HTTP/1.1

    X-HostCommonName: bitbucket.org
    Authorization: OAuth oauth_consumer_key="0000000000",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1385190966",oauth_nonce="607766038",oauth_version="1.0",oauth_signature="f3Y%2FwPJjTLWreBCYMNt9u4xNp8k%3D"
    Host: bitbucket.org
    X-Target-URI: https://bitbucket.org
    Connection: Keep-Alive
    

    2. GET /!api/2.0/repositories/rss_samuel HTTP/1.1

    X-HostCommonName: bitbucket.org
    Authorization: OAuth oauth_consumer_key="0000000000",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1385191410",oauth_nonce="1128835124",oauth_version="1.0",oauth_signature="CPn930TcqcyRQQdJ%2F3TWMLKAWk8%3D"
    Host: bitbucket.org
    X-Target-URI: https://bitbucket.org
    Connection: Keep-Alive
    

    Erik van Zijst Please be faster. :)

  9. Erik van Zijst staff

    Did you edit these values? Consumer Key is not really all zeros, is it?

    If you don't want to leave that here on the issue tracker, can you please mail the full, raw, unchanged header dump to me at evzijst@atlassian.com?

  10. samuel hints reporter

    I sent an email to you. Please check your inbox.

    Also, I checked the rss_samuel account repositories again. The "public_repository" was not public; I changed the repository setting to public.

    So now one issue is resolved.

  11. samuel hints reporter

    Now the problem is with private repositories. bitbucket_app has access to public repositories even without authenticating; for example, bitbucket_app has access to the hello repo of the evzijst account.

    Request : GET /!api/2.0/repositories/evzijst/hello

    Response: HTTP/1.1 200 OK

  12. Erik van Zijst staff

    bitbucket_app has access to public repositories even without authenticating

    That is intentional.

    Public repos are public and so accessible by everyone, including anonymous requests.

  13. Erik van Zijst staff

    Thanks for the OAuth header details you sent through email. I have rerun every scenario I think you described, but I am not able to reproduce any of it.

    https://bitbucket.org/api/1.0/repositories/rss_samuel/my_repo

    This is not a public repo. It is private. Nor has rss_samuel added any users to it and so nobody except rss_samuel will even be able to access it (group rss_samuel:my_group has read access to it, but the group has no members).

    To make it public, click the "Access level" checkbox on https://bitbucket.org/rss_samuel/my_repo/admin and click save.

    Using 2-Legged OAuth, I correctly get back all public repositories of rss_samuel (https://bitbucket.org/rss_samuel/public_repository).

    Using 2-Legged OAuth, I correctly get back all public and private repositories of khosroblog. This is because your OAuth consumer is owned by user khosroblog and so as long as you're not using any Access Tokens, you will authenticate as the owner of the consumer, khosroblog in this case.

    I'm sorry if I fail to understand exactly what you mean, but I cannot see anything wrong.

  14. Erik van Zijst staff

    Have you seen this comment and/or this image?!

    I have indeed and I don't see what request is giving you problems. Or rather, I cannot reproduce any anomalies.

    The 2-Legged requests you made through the restbrowser do not exhibit any problems.

    If there is any step in that image that you want me to look at further, can you please provide me with the exact steps, URL and auth headers so I can replay the case locally?

    N.B.
    Your image seems to indicate 3-Legged workflows, yet the restbrowser is strictly 2-Legged. Is this where the disconnect is? If so, again please provide me with the full authorization headers that your app sends to bitbucket, including full URLs so I can replay things.

  15. samuel hints reporter

    You can develop an application that uses Bitbucket service through its REST API. For example, you can write a web application that access Bitbucket issue resources. Bitbucket cards is an example of this kind of application.

    Bitbucket authenticates your application and authorizes access using the OAuth 1.0a with HMAC-SHA1 (shared secret) signatures. We support both 3-Legged and 2-Legged OAuth. Read More...

    I authorize Bitbucket Cards, then bitbucketcards has access to my repositories (public / private). I can even create my repository in bitbucketcards.

    I want to create an application like bitbucketcards, but with WordPress. Is this possible? :)

  16. Erik van Zijst staff

    Again though, if there is any request that is failing to do what you expect, can you please provide the full raw details so I can reproduce the issue?

    The 2 URLs that you provided earlier do not exhibit any problems. If there is anything specific that I can look into, I'm happy to investigate further.

  17. samuel hints reporter

    The 2 URLs that you provided earlier do not exhibit any problems.

    I'm sorry, I forgot to change the image URL. Now you can see this image.


    bitbucketcards.com uses 3-Legged OAuth. The restbrowser uses 2-Legged. This means that you cannot simulate or test the workflows that bitbucketcards (or any external Bitbucket OAuth client) in it.

    But my WordPress plugin uses 3-Legged OAuth. I just sometimes use the restbrowser, when rss_samuel and khosroblog are authorized by my WordPress plugin.

    The problem is simple: the khosroblog account does not have access to a private repo from the rss_samuel account, despite rss_samuel being authenticated by bitbucket_application.

  18. Erik van Zijst staff

    I'm sorry, I forgot to change the image URL. Now you can see this image.

    I'm really sorry to have to hammer on about this, but I really need to know exactly what request you are attempting and how you are authenticating it. The image does not make that clear. Also, there is no evzijst/private_repo.

    What request are you making? Please provide the exact URL (did you really hit evzijst/private_repo?) and provide all headers that were sent (specifically the Authorization request header).

  19. Erik van Zijst staff

    The problem is simple: the khosroblog account does not have access to a private repo from the rss_samuel account, despite rss_samuel being authenticated by bitbucket_application.

    rss_samuel/private_repo does not have any users on it (and again, group rss_samuel:my_group is empty) and so nobody except rss_samuel can access it.

    You say "rss_samuel is authenticated by bitbucket_application", but all the information you have sent me so far has been 2-Legged OAuth requests. In 2-LO there is no delegation. For rss_samuel to grant bitbucket_application (khosroblog) access to rss_samuel/private_repo, you will have to create and authorize an Access Token. That Access Token then needs to be used in the OAuth Authentication header.

    If you claim you are making proper 3-LO requests (this cannot be done with the restbrowser), please send me the actual request. The image does not contain that level of information.

  20. samuel hints reporter

    there is no evzijst/private_repo.

    The private_repo is only one example. I mean all private repositories of all Bitbucket users.

    .................................................................................................

    rss_samuel/private_repo does not have any users on it (and again, group rss_samuel:my_group is empty).

    We are talking about Bitbucket integrated applications and authentication by them, not about groups, teams or the user access management list.

    .................................................................................................

    You say rss_samuel is authenticated by bitbucket_application, but all the information you have sent me so far has been 2-Legged OAuth requests. In 2-LO there is no delegation. For rss_samuel to grant bitbucket_application (khosroblog) access to rss_samuel/private_repo.

    This image shows that bitbucket_app is in the Integrated applications list, just like Bitbucket Cards. So authentication in my WordPress plugin works properly.

    ................................................................................................

    If you claim you are making proper 3-LO requests (this cannot be done with the restbrowser).

    First I authenticate with my own WordPress plugin and then I receive the information via the restbrowser or my WordPress plugin.

    .................................................................................................

    please send me the actual request. The image does not contain that level of information.

    I think that first it is essential to understand my scenario.

    ................................................................................................

    Repository Resource

    You can use these calls with public or private repositories. Private repositories require the caller to authenticate with an account that has the appropriate authorization. Read More ...

    rss_samuel is authenticated by bitbucket_app, so this should not be a problem. But bitbucket_app only has access to private repositories from the khosroblog account.

  21. Erik van Zijst staff

    Can you please give me the actual request you are making? Without it, I cannot reproduce the problem.

    I need the full URL and all headers (especially the Authentication header).

  22. samuel hints reporter

    # Which requests are important to you?

    1. /!api/2.0/repositories/khosroblog/private_repo

    2. /!api/2.0/repositories/rss_samuel/private_repo

    3. /!api/1.0/oauth/request_token/

    4. /!api/1.0/oauth/access_token/

    5. /!api/1.0/oauth/authenticate/

    # Do you need the response headers?

  23. Erik van Zijst staff

    Which requests are important to you?

    I'm interested in the 1 and 2 (assuming those are the real URLs you are hitting).

    Do you need the response headers?

    Yes, as mentioned, I absolutely need the headers. It's the only way for me to reproduce anything.

  24. samuel hints reporter

    Both accounts (khosroblog, rss_samuel) are authenticated by bitbucket_app, so you can now receive the request headers and the response headers via the Restbrowser.

    Both URLs (1, 2) are real URLs.

    Again, I sent the consumer keys to your email.

  25. Erik van Zijst staff

    The restbrowser does not support 3-Legged OAuth, while you have indicated that your application does. As a result there is no way for me to reproduce your 3-LO problem with the restbrowser.

    Even having your OAuth Consumer and Secret, I still don't have the Access Token you obtained and authorized.

    I really need the actual request that you made, not just the URL. I will need the full capture that includes all HTTP request headers. That is the only way for me to reproduce what you are seeing.

    Again, can you please provide me with the actual request that you are making?

    Again, I sent the consumer keys to your email.

    You had already sent me that before. What I need are the request headers.

  26. samuel hints reporter

    The restbrowser does not support 3-Legged OAuth.

    Erik van Zijst, 3-Legged OAuth is not required in the restbrowser. bitbucket_app is confirmed on the khosroblog account & rss_samuel account by my plugin.

    Please, please, please just put the consumer keys and URLs in the restbrowser and then click the submit button.

    URLs :

    1. https://bitbucket/api/2.0/repositories/khosroblog/private_repo

    2. https://bitbucket/api/2.0/repositories/rss_samuel/private_repo

    ........................................................................

    My problem is not only with those URLs; more URLs have the problem. For example:

    1. /api/2.0/repositories/rss_samuel/private_repo/watchers

    2. /api/2.0/repositories/rss_samuel/private_repo/forks

    3. /api/2.0/repositories/rss_samuel/private_repo/diff/{spec}

    and more.

    So, only you can analyze the headers and only you can help me. :)

  27. Erik van Zijst staff

    I suspect you might be confused about OAuth workflows.

    You say you aim to build an external application (Wordpress plugin) that integrates with Bitbucket in a way similar to bitbucketcards.com. Applications like these can make API calls to Bitbucket under the name of an end user. Any end user that authorizes your application allows you to access Bitbucket as if you had the user's own password.

    This is 3-Legged OAuth.

    When an end user authorizes your application, you obtain an Access Token. This token is like a temporary password that gives you access to an end user's Bitbucket account.

    To use it, you must send this token along with your API request. It is this token that allows Bitbucket to recognize which Bitbucket account (end user) you want to authenticate as.

    If you don't send this Access Token, you cannot authenticate as an end user.

    As mentioned several times, the restbrowser does not support the use of Access Tokens. As a consequence, you cannot replay, imitate, or test the workflow of an application like bitbucketcards.com.

    Now when you continue to omit the Access Token and instead only send the Consumer Key, what happens is that Bitbucket will instead authenticate you as the user who created the Consumer Key (in your case this will always be user khosroblog, no matter how many times you have user rss_samuel authorize your app).

    This is crucial to understand. This "fallback" workflow is commonly referred to as 1-Legged, or 2-Legged OAuth and it is absolutely useless when you want to build anything like bitbucketcards.com. You will never be able to access any user's private repos like that.

    In the database I can see 5 Access Tokens on rss_samuel's account, but the lack of timestamps seems to suggest you have never used them.

    For your app to be able to access rss_samuel's private repos, you MUST use 3-Legged OAuth. It is IMPOSSIBLE to simulate any scenario using the restbrowser.

    Again, it is crucial to understand this as you keep pointing to the restbrowser: it cannot help you or me understand why your 3-Legged requests don't work.

    Now if we instead assume that you are in fact making proper 3-Legged requests (again, this is the only way in which your app can ever access rss_samuel's private repos!) and you claim that it's not working, even though you are sending rss_samuel's Access Token, then I'm happy to investigate that.

    The only way for me to figure out what is going wrong, is for you to capture the request on the wire and to send me all of it:

    Let me stress one more time: no, I cannot do this myself using the restbrowser. And even if the restbrowser had 2-LO support, I still wouldn't have rss_samuel's Access Token.

    I'm not familiar with your OAuth client library, but to capture the contents of the request, you might need to look for debug switches in the library, or modify the library to print the Authorization header before it sends the request over the network. However, I'm strongly beginning to suspect you might simply be forgetting to supply the Access Token to your OAuth library when you are making requests.

  28. Erik van Zijst staff

    But my WordPress plugin uses 3-Legged OAuth. I just sometimes use the restbrowser, when rss_samuel and khosroblog are authorized by my WordPress plugin.

    This makes me think you really don't fully appreciate the difference between 2-LO and 3-LO.

    No matter how many users have authorized your app, you will never be able to use that through 2-LO.

  29. samuel hints reporter

    Erik van Zijst, thanks a lot for the details. Excuse me if I offended you. I really love Bitbucket.

    In the past I used oauth_token and oauth_token_secret only for khosroblog requests, but that returned a 403 error. I did not test with rss_samuel requests.

    In the past the above parameters were helpful only for the access_token and authenticate requests for me.

    Now rss_samuel with the oauth_token and oauth_token_secret parameters works very well. Again, thanks a lot. Now I'm very happy. :)

    khosroblog without the above parameters works perfectly. But with the above parameters it still returns a 403 error. Is this normal?

    I have a question:

    How can I receive all authenticated users?

  30. samuel hints reporter

    But with the above parameters it still returns a 403 error. Is this normal?

    Problem resolved. I was using one oauth_token and one oauth_token_secret for two accounts. :D

    Bitbucket is Amazing. :)
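    The 2-LO / 3-LO distinction Erik explains in comment 27, and the signature mistake behind the 403 in comment 30, as an added example that is not code from this thread or from Bitbucket: a minimal OAuth 1.0a HMAC-SHA1 signer and the check a server performs. A request without oauth_token is attributed to the consumer owner (khosroblog); one carrying rss_samuel's Access Token is attributed to rss_samuel; and a token signed with another token's secret fails verification. The consumer key, tokens and all secrets are constructed.

```python
# Added example (not the thread's or Bitbucket's code); all names and secrets are constructed.
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s: str) -> str:
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved characters kept
    return quote(s, safe="~")


def signature_base(method: str, url: str, params: dict) -> str:
    # METHOD&URL&normalized-params, with parameters sorted and each part encoded
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    # HMAC-SHA1 keyed with consumer_secret&token_secret; a 2-legged request has
    # no Access Token, so the token-secret half of the key is empty
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_params(method, url, consumer_key, consumer_secret, token=None, token_secret=""):
    # oauth_* parameters a client sends (nonce and timestamp are constructed)
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1385190966",
        "oauth_nonce": "607766038",
        "oauth_version": "1.0",
    }
    if token is not None:  # 3-legged: identify the end user's Access Token
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


# Constructed server-side records: one consumer owned by khosroblog and one
# authorized Access Token per end user, each token with its own secret.
CONSUMERS = {"bitbucket_app": {"secret": "c-secret", "owner": "khosroblog"}}
TOKENS = {
    "tok-rss": {"secret": "s-rss", "user": "rss_samuel"},
    "tok-khos": {"secret": "s-khos", "user": "khosroblog"},
}


def authenticate(method: str, url: str, params: dict):
    # Returns the account the request authenticates as, or None (the 403 case)
    consumer = CONSUMERS.get(params.get("oauth_consumer_key", ""))
    if consumer is None:
        return None
    token = params.get("oauth_token")
    if token is None:  # 2-legged: no delegation, fall back to the consumer owner
        user, token_secret = consumer["owner"], ""
    else:  # 3-legged: the token names the end user and contributes its secret
        record = TOKENS.get(token)
        if record is None:
            return None
        user, token_secret = record["user"], record["secret"]
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer["secret"], token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None  # signed with the wrong consumer or token secret
    return user
```

    A real verifier also rejects reused nonces and stale timestamps; this block checks only the identity and signature logic the thread turns on.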

  31. Erik van Zijst staff

    That's good to hear.

    For next time though: please just provide the raw request details right away. Had you provided the Authentication header, we would have been able to tell that your signature was wrong a week ago.

  32. samuel hints reporter

    For next time though: please just provide the raw request details right away.

    OK. :)

    Had you provided the Authentication header, we would have been able to tell that your signature was wrong a week ago.

    Ahh, you're right. :(
