Branch protection rules don't seem to work properly for multiple File Protections (OD-2478)
fakoe opened 6 months ago

Hi,

We have the following File Protections defined in a branch protection rule: grafik_2.png

My intention is that if there is a commit that changes anything in our pom.xml files, one member of the group ldp-devops is mandatory as reviewer. Also, for all other files (except pro/e2e* paths), a member of the group ldp-dev is mandatory as reviewer.

I created a branch that contains a change within one of our pom.xmls and one change in a separate class. Logically, that would mean I would have two mandatory reviewers, one from group ldp-dev and one from group ldp-devops.

Now, when I create the pull request, I can manually add every possible user from OneDev. It seems there is no filter so that I can only select a person from one of the defined groups (that's not the issue, though).

Where we struggle is the fact that you can remove the mandatory group member of ldp-devops by adding/deleting reviewers. Let me elaborate with an example:

We have 4 users and two of them have one of the groups from above:

  • David (group ldp-devops)
  • Phil (group ldp-dev)
  • Adam (no group)
  • Eve (no group)

For my PR, I would expect to see David and Phil automatically, which initially happens. Names are blurred here: grafik_4.png

Now, if I select one additional reviewer, let's say Adam, and then delete Adam again and then delete David, David gets replaced by Adam... whereas David should be a mandatory, non-deletable reviewer (since he is part of the ldp-devops group).

Additionally, if I go ahead and create the pull request, David is back in the reviewer list on the right side... But I can do the same thing with the reviewers as I could do when creating the pull request: I can add another user, delete the user and then delete David and David gets replaced by the user.

That way, I can completely replace the reviewers and basically bypass the protection rule(s).

That whole process does not work if I only have one File Protection rule. It seems to work fine with only one. It starts when I have two. I haven't tested what happens when I use more than that.

Steps to reproduce:

  • Create repo
  • Create 4 users
  • Create two groups
  • Put one user in one group and another one into the second group
  • Add two files
  • Add one File Protection like in the first picture
  • Add a second File Protection like in the first picture
  • Create a branch
  • Change both files and push
  • Set up a pull request (press the +)
  • Add a third reviewer from the two non-group users
  • Delete the third reviewer again
  • Delete a reviewer from a mandatory group
  • Create the pull request
  • Go into the pull request and add/remove reviewers in the same manner from the reviewer list on the upper right.

OneDev commented 6 months ago

    State changed as code fixing the issue is committed (082cd13e)

OneDev changed state to 'Closed' 6 months ago (previous value: Open, current value: Closed)

OneDev commented 6 months ago

    State changed as build OD-6431 is successful

OneDev changed state to 'Released' 6 months ago (previous value: Closed, current value: Released)
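
The invariant the report expects, written out as an added example (this is not OneDev's code and not the committed fix): every reviewer removal is re-checked against all File Protections that match the changed files, so a mandatory group can never end up without a reviewer. The path matching and the changed file names are assumptions, since the actual patterns appear only in the screenshot.

```python
from fnmatch import fnmatch

# Constructed model of the setup in the report. The real path patterns are only
# visible in the screenshot, so the two matchers below are assumptions.
GROUPS = {"ldp-devops": {"David"}, "ldp-dev": {"Phil"}}  # Adam and Eve: no group

def is_pom(path):
    return path.split("/")[-1] == "pom.xml"

def is_other(path):
    return not is_pom(path) and not fnmatch(path, "pro/e2e*")

FILE_PROTECTIONS = [(is_pom, "ldp-devops"), (is_other, "ldp-dev")]

def required_groups(changed_files):
    """Groups that must each supply at least one reviewer for this change."""
    return {group for match, group in FILE_PROTECTIONS
            if any(match(f) for f in changed_files)}

def unmet_groups(changed_files, reviewers):
    """Required groups that have no member among the current reviewers."""
    return {g for g in required_groups(changed_files)
            if not GROUPS[g] & set(reviewers)}

def remove_reviewer(changed_files, reviewers, user):
    """Apply a removal only if every matching protection stays satisfied."""
    remaining = [r for r in reviewers if r != user]
    missing = unmet_groups(changed_files, remaining)
    if missing:
        raise PermissionError(f"{user} is required for: {sorted(missing)}")
    return remaining

def replay_report():
    """Replay the add/delete/delete sequence from the report against the check."""
    changed = ["pom.xml", "src/main/java/Foo.java"]  # constructed file names
    reviewers = ["David", "Phil"]
    reviewers.append("Adam")                                 # add a third reviewer
    reviewers = remove_reviewer(changed, reviewers, "Adam")  # allowed
    try:
        remove_reviewer(changed, reviewers, "David")         # must be refused
    except PermissionError:
        return reviewers
    raise AssertionError("mandatory reviewer was removed")

if __name__ == "__main__":
    print(replay_report())
```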
Type: Bug
Priority: Normal
Affected Versions: 11.9.5