Bitbucket Data Center / BSERV-20096

UI Lacks Visibility for Verifying project_admin Permission Granted by API


    • Bug
    • Resolution: Unresolved
    • Medium
    • None
    • 9.5.0
    • Projects - Permissions
    • None

      Issue Summary

      Bitbucket does not offer the PROJECT_ADMIN permission as a default option in the UI. However, admin users can assign this permission using the Grant project permission API. Currently, there is no way to check from the project settings page whether this permission has already been granted, which causes confusion.

      Steps to Reproduce

      1. Go to Project settings > Project permissions and check the Default permission dropdown. You will not find the PROJECT_ADMIN permission listed there.
      2. Use the following API to grant PROJECT_ADMIN permission to all licensed users. Despite the API action, this permission is not reflected in the project settings, causing confusion as to why all users have admin privileges by default on a project.
        curl -u <admin-user>  --request POST   --url 'http://{baseurl}/rest/api/latest/projects/{projectKey}/permissions/PROJECT_ADMIN/all?allow=true'

      Expected Results

      There should be no discrepancy between the UI and API capabilities. If such a permission cannot be added through the UI, it should also be restricted via the API; if it is allowed via the API, it should also be allowed through the UI so that other users can see what the default permission is.

      Actual Results

      Users can set the PROJECT_ADMIN permission via the API, but since it is not visible in the UI, other admins who are unaware of this modification cannot track it through the UI, causing confusion as to why all users have admin privileges by default on a project.

      Workaround

      • Substitute the <Project-key> in the query below and run it to determine if the suspected project has the PROJECT_ADMIN permission configured via the API.
        select s.id, s.perm_id, s.project_id, s.group_name, s.user_id, p.project_key
        from project p
                 join sta_project_permission s on p.id = s.project_id
        where s.perm_id = 4
          and p.project_key = '<Project-key>';
        
      • If a user has mistakenly set the PROJECT_ADMIN permission and wants to remove it, they can execute the same API with the option allow=false to revoke the PROJECT_ADMIN permission as the default for that project.
        curl -u <admin-user>  --request POST   --url 'http://{baseurl}/rest/api/latest/projects/{projectKey}/permissions/PROJECT_ADMIN/all?allow=false'
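
Since the UI does not show this grant, an audit across all projects has to go through the API. The script below is an added example, not Atlassian's code: it assumes the GET form of the permissions endpoint used above reports `permitted`, and that the project listing is paged with `values`, `isLastPage` and `nextPageStart`. The `SAMPLE` responses and the project keys in them are constructed.

```python
import base64
import json
import urllib.request
from urllib.parse import quote

def make_fetch(base_url, user, password):
    """Build fetch(path) -> parsed JSON using HTTP basic auth (like curl -u)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def project_keys(fetch, limit=100):
    """Yield every project key, following the paged project listing."""
    start = 0
    while True:
        page = fetch(f"/rest/api/latest/projects?start={start}&limit={limit}")
        for project in page.get("values", []):
            yield project["key"]
        if page.get("isLastPage", True):
            return
        start = page["nextPageStart"]

def default_admin_projects(fetch):
    """Return keys of projects where PROJECT_ADMIN is granted to all users."""
    flagged = []
    for key in project_keys(fetch):
        path = f"/rest/api/latest/projects/{quote(key, safe='')}/permissions/PROJECT_ADMIN/all"
        if fetch(path).get("permitted") is True:
            flagged.append(key)
    return flagged

# Constructed sample responses (not from a real instance) for an offline run.
SAMPLE = {
    "/rest/api/latest/projects?start=0&limit=100":
        {"values": [{"key": "APP"}, {"key": "OPS"}], "isLastPage": False, "nextPageStart": 2},
    "/rest/api/latest/projects?start=2&limit=100":
        {"values": [{"key": "DOCS"}], "isLastPage": True},
    "/rest/api/latest/projects/APP/permissions/PROJECT_ADMIN/all": {"permitted": False},
    "/rest/api/latest/projects/OPS/permissions/PROJECT_ADMIN/all": {"permitted": True},
    "/rest/api/latest/projects/DOCS/permissions/PROJECT_ADMIN/all": {"permitted": False},
}

if __name__ == "__main__":
    # Live use: default_admin_projects(make_fetch("http://{baseurl}", "<admin-user>", "<password>"))
    print(default_admin_projects(SAMPLE.__getitem__))
```

Any key it returns is a project to review and, if the grant was unintended, to revoke with the allow=false call above.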

              Unassigned
              Aman Shrivastava