
Project level 'Pull Request Notifications' takes users to Bitbucket Administration screen

Open dbo7260 opened this issue 6 years ago • 9 comments

Hello!

We were alerted by one of our Bitbucket project admins that when they click on 'Pull request notifications' inside their 'Project Settings' area it takes them to Bitbucket's Administration page. Fortunately, they aren't able to do anything else while they are there. According to the documentation, there doesn't seem to be any provisions for project level changes to this plugin. We are using the latest of your plugin on Bitbucket v5.16 in data center.

Thanks for your time, Dave

dbo7260 avatar Jan 29 '19 18:01 dbo7260

There is only one template that renders the admin page: https://github.com/tomasbjerre/pull-request-notifier-for-bitbucket/blob/master/src/main/resources/admin.vm

Any changes are made with the rest API provided by this plugin.

I don't see what the actual issue is that you are reporting? What is the problem?

tomasbjerre avatar Jan 29 '19 19:01 tomasbjerre

There are two issues:

  1. When a project admin (who is not a system administrator) is redirected to the system Administration page, a page they aren't authorized to be on, it is a potential security issue.
  2. If the plugin only supports system administration configuration and repository level configuration, why is there a link at the project level?

dbo7260 avatar Jan 29 '19 19:01 dbo7260

  1. I don't see why this is a problem.
  2. It supports system level, project level and repo level. And the same template is used to make implementation easier.

tomasbjerre avatar Jan 29 '19 19:01 tomasbjerre

  1. You are allowing non-administrators to access the Administration page, where project admins have no business being.
  2. The project level is not actually affecting the project level. The project admin is unable to do anything on the 'project level' screen because it leaves the project and goes to the system's administration page. It is essentially useless at the project level.

dbo7260 avatar Jan 29 '19 19:01 dbo7260

  1. Not really. It is just a view, or decorator as Atlassian calls it. I'm using the atl.admin decorator (https://developer.atlassian.com/server/framework/atlassian-sdk/using-standard-page-decorators/). I've been doing that since 2015 (#25). All security is implemented in the rest API.

  2. The system admin must configure the Admin restriction on the global admin page of this plugin. It can be "everyone", "admin" or "system admin". Perhaps in your case it is "system admin" and that should block an admin from changing any setting.

tomasbjerre avatar Jan 29 '19 19:01 tomasbjerre
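The design described in the two comments above (the admin page is only a view, and the REST API enforces the configured "admin restriction") can be modelled to see which requests a given caller is allowed to make. This is an added example, not the plugin's own code: the permission hierarchy, the REST paths and the exact meaning of the three restriction values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed permission hierarchy: SYS_ADMIN > ADMIN > PROJECT_ADMIN > NONE.
RANK = {"NONE": 0, "PROJECT_ADMIN": 1, "ADMIN": 2, "SYS_ADMIN": 3}

# The three 'Admin restriction' values quoted in the thread, mapped to the
# minimum permission the REST layer demands before accepting a change (assumed).
RESTRICTION_MIN = {"everyone": "NONE", "admin": "ADMIN", "system admin": "SYS_ADMIN"}


@dataclass
class User:
    name: str
    global_perm: str = "NONE"                        # one of RANK's keys
    project_admin_of: set = field(default_factory=set)


def effective_perm(user: User, project: Optional[str]) -> str:
    """Permission the user holds in the scope of `project` (or globally)."""
    if project in user.project_admin_of and RANK[user.global_perm] < RANK["PROJECT_ADMIN"]:
        return "PROJECT_ADMIN"
    return user.global_perm


def scope_of(path: str) -> Optional[str]:
    """Project key from a path such as /rest/<plugin>/1.0/projects/KEY/... (constructed layout)."""
    parts = path.strip("/").split("/")
    return parts[parts.index("projects") + 1] if "projects" in parts else None


def handle(path: str, user: User, restriction: str) -> int:
    """HTTP status for a request under the design in the thread: the admin.vm
    decorator renders for anyone (it is just a view), while every REST call is
    checked against both the scope being edited and the configured restriction."""
    if not path.startswith("/rest/"):
        return 200                                    # rendering the view is not authorization
    project = scope_of(path)
    have = RANK[effective_perm(user, project)]
    # Editing a scope requires administering it: project -> PROJECT_ADMIN, global -> ADMIN.
    scope_min = RANK["PROJECT_ADMIN"] if project else RANK["ADMIN"]
    needed = max(scope_min, RANK[RESTRICTION_MIN[restriction]])
    return 200 if have >= needed else 401


if __name__ == "__main__":
    admin = User("ann", global_perm="ADMIN")
    # With restriction "system admin" a plain admin reaches the view but not the REST write.
    print(handle("/projects/PROJ/settings/pull-request-notifications", admin, "system admin"))  # 200
    print(handle("/rest/example-plugin/1.0/settings", admin, "system admin"))                   # 401
```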

Hi Tomas, I believe I bothered you for no reason. I've dug in and read deeper into the documentation and found it appears to be working correctly. Thanks for your time.

dbo7260 avatar Jan 29 '19 20:01 dbo7260

Great! Thanks for reporting anyway, could have been something serious!

tomasbjerre avatar Jan 29 '19 20:01 tomasbjerre

One last item: the visibility of a project admin to see 'Users, Groups, etc.' in the project level administration is very misleading. Project admins who click on those links get 401 errors. The URL does indicate it is working at the project level. There is still something not correct with the implementation. Here is a screen snippet of what is seen by a project admin:


None of those settings/links are usable by a project admin, but they are visible. In addition, the left side of the project UI still goes away from the project's representation of being in a project. I believe there is still an issue with the project level implementation.

dbo7260 avatar Jan 29 '19 20:01 dbo7260

Ok. I'm marking this issue as a bug.

tomasbjerre avatar Jan 29 '19 20:01 tomasbjerre