Drone

How to restrict user access for Bitbucket?

I’ve recently set up drone.io on my home server using Bitbucket Cloud and everything appears to work. The only issue I have is that, regardless of the fact that I thought I’d locked it down with OAuth and some environment variables, meaning it’s a closed system, I can still visit it with my other Bitbucket Cloud account, where a secret hasn’t been set up, and it allows that account to link to repos and execute deployments on the device.

Is there something I’m missing to ensure that only the account authenticated with OAuth can link to Drone?

This is not how OAuth works. Any user can authorize access to an OAuth application.

If you want to lock down user registration you need to follow this guide. Locking down user registration is provider agnostic, meaning it is the same for GitHub, GitLab, etc.

Thank you for this. I presume from reading that documentation that I simply put my Bitbucket username into the filter?

Correct, this will prevent new accounts from being created in the Drone database. It will not impact existing accounts.

So, I’ve just tried this and have found that it still does not prevent anyone from creating a new account. I’ve still managed to create an account with a user not in the list.

I just tested and cannot reproduce any issues with DRONE_USER_FILTER. This setting prevents a new user (with no entry in the database) from authenticating. It does not prevent an existing user from authenticating, and it does not prevent an admin from manually creating a user account via the command line tools or api.
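The three rules stated above (an existing user always authenticates, a user with no database record is created only if the filter is empty or names them, and admin-created accounts bypass the filter) as a small model in Go. This is an added illustration, not Drone's own code: the `User`, `UserStore`, `ParseUserFilter`, `Login` and `AdminCreate` names are hypothetical, and it assumes the filter is a comma-separated list of exact usernames.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User is a minimal stand-in for a Drone user record (hypothetical type).
type User struct {
	Login string
	Admin bool
}

// UserStore is an in-memory stand-in for the Drone database, keyed by login.
type UserStore map[string]*User

// ErrForbidden is returned when a first-time login is refused by the filter.
var ErrForbidden = errors.New("access denied: login not listed in DRONE_USER_FILTER")

// ParseUserFilter turns a DRONE_USER_FILTER value such as "octocat,hubot" into a
// set of allowed logins. An empty value yields an empty set, meaning "no filter".
func ParseUserFilter(env string) map[string]bool {
	allowed := map[string]bool{}
	for _, name := range strings.Split(env, ",") {
		if name = strings.TrimSpace(name); name != "" {
			allowed[name] = true
		}
	}
	return allowed
}

// Login models the provider-agnostic registration rule: a login that already has
// a record succeeds regardless of the filter; a login with no record is admitted
// (and a record created) only when the filter is empty or contains that login.
func Login(store UserStore, filter map[string]bool, login string) (*User, error) {
	if u, ok := store[login]; ok {
		return u, nil // existing account: filter is not consulted
	}
	if len(filter) > 0 && !filter[login] {
		return nil, ErrForbidden // new account, not in the allow-list
	}
	u := &User{Login: login}
	store[login] = u
	return u, nil
}

// AdminCreate models an account created via the CLI or API; the filter is bypassed.
func AdminCreate(store UserStore, login string, admin bool) *User {
	u := &User{Login: login, Admin: admin}
	store[login] = u
	return u
}

func main() {
	store := UserStore{}
	filter := ParseUserFilter("octocat, hubot") // constructed sample value
	for _, login := range []string{"octocat", "mallory"} {
		_, err := Login(store, filter, login)
		fmt.Printf("login %q -> err=%v\n", login, err)
	}
}
```

The check that matters when debugging is the second `Login` call: an unlisted login must fail until an admin creates it or the filter is cleared.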

With Bitbucket Cloud, you don’t seem to manage user accounts in the same way. I’ve been able to simply log in as a Bitbucket user not included in the filter and navigate to my Drone server URL. It then allows me to auth with the server and link to any Bitbucket account.

The logic for managing accounts is provider-agnostic, so there is no difference between Bitbucket / GitHub / Gogs / Gitea / GitLab. Since neither Brad nor I appear to be able to reproduce any issues with this functionality when properly configured, I recommend sending a patch if you think you have found an issue with Drone itself.

Here are links to the relevant code and unit tests: