Hi,
We are running drone with BitBucket server (7.6.0, on-premise) and since we updated drone last week some of our users have reported the Deploy and Restart buttons have been greyed out for them, where previously they weren’t.
Can someone clarify what permissions a user needs to see these buttons in the UI, and whether something has changed?
Many thanks,
Martin.
Write access (aka push access) is required to use the restart or deploy buttons. Drone uses the Bitbucket API endpoints to determine whether or not a user has read, write or admin access.
First the system checks if the user has read access access. We know a user has read access to the repository if they can access the repository API endpoint [1] without error:
rest/api/1.0/projects/{PROJECT}/repos/{NAME}
If this fails, the user is denied access and you will see an error in the server logs:
api: repository permissions not found
Else if the user has read access, the system checks if the user also has admin access. Bitbucket does not provide a clean API for checking admin permissions, however, we know that only admin users can access repository webhooks. So to determine admin access, the system makes an API call to the webhook list endpoint to test for admin access [2].
rest/api/1.0/projects/{PROJECT}/repos/{NAME}/webhooks
If the user does not have admin access to the repository, the system checks to see if the user has write access to the repository. For write access, the system uses the list repositories endpoint [3], with a filter on write permissions:
rest/api/1.0/repos?size=1000&permission=REPO_WRITE&projectname=${PROJECT}&name=${NAME}
The above endpoint performs a wildcard search on the repository name, which means the response can include multiple repositories in the list. The system iterates through the results and checks for an entry in the list that is an exact match to the repository name. If an exact match is found, the user is granted write permissions to the repository:
repos, _, _ := s.listWrite(ctx, repo)
for _, repo := range repos {
if repo.Name == name {
return &scm.Perm{
Pull: true,
Push: true,
Admin: false,
}, nil, nil
}
}
Else the user is granted read access (aka pull access) to the repository and will not have access to the restart or deploy buttons in the user interface.
Users should be able to reproduce and verify this behavior using the above logic and endpoints.
[1] https://github.com/drone/go-scm/blob/master/scm/driver/stash/repo.go#L120
[2] https://github.com/drone/go-scm/blob/master/scm/driver/stash/repo.go#L130
[3] https://github.com/drone/go-scm/blob/master/scm/driver/stash/repo.go#L139
Many thanks for the reply. We are still getting issues with users who have write permissions on repos not seeing the deploy/restart buttons unless they are elevated to admins.
Does drone use the full project name for ${PROJECT} in the 3rd call?
It looks like from my brief glance at the code that it might be using the project key which would cause it to not work. Some of our devs have taken a look and are thinking maybe this commit might have caused the issue: https://github.com/drone/go-scm/commit/802e265b418f445ceec60827537bb5c7071cb018
We’re happy to help troubleshoot this issue - it’s a big issue for us.