Which permissions are needed for a regular user to find out which groups he/she belongs to?

Hello,

We are using the Bitbucket Cloud users & groups to authenticate via OAuth to a third-party system, so BB Cloud is our identity provider. We are in a situation where workspace admins can log in correctly but regular users cannot.

At the time of writing, there is no V2 counterpart API yet for user group management, see ticket BCLOUD-17103.

So, retrieving the groups needs to be done with this legacy V1 API:

This is indeed the call which happens in the OAuth connector:

As a Workspace Admin user, if I test this call with curl, using an App Password, I can successfully retrieve the list of groups.

Now the docs of the legacy V1 API mention this:

The caller must authenticate with administrative rights on the workspace or as a group member to view a group.

Every one of our developers who has accepted the workspace invite is added to a group named developers, which has READ access to a few basic repositories, and is also added to a group linked to their team. Via the team group, they have WRITE access to some more repositories.

Being a member of two groups, I would assume this is enough for the "or as a group member" part as defined in the docs.

However, none of these developers is able to invoke the legacy API call. They get a 403 Forbidden.

  • Should the account and team auth scopes be enough for a regular user to find out about the groups he/she is a member of?
  • Are more auth scopes required?
  • Does this even work for a regular user?

Thanks,

Ringo

Hi @RingoDeSmet

I have reached out to our product team. They should get back to you soon.

Thanks.

Hi @RingoDeSmet!

In short, yes, there are more auth scopes required. If you look at a group page you can see near the top that one of the workspace permissions is "Administer workspace" (Can update workspace settings and administer repositories). This is the permission level necessary in order to retrieve the list of groups for a workspace. This endpoint is not meant to be accessible if a user is part of a group with only read or write access to certain repositories.

To further clarify the wording "The caller must authenticate with administrative rights on the workspace or as a group member to view a group": the second part, pertaining to the group member, should be read as "The caller must authenticate with administrative rights as a group member to view a group." Meaning they still need administrative rights on the workspace, given as a group permission.

Hope that helps,
Davis