I’ve recently set up drone.io on my home server using Bitbucket Cloud and everything appears to work. The only issue I have is that regardless of the fact that I thought I’d locked it down with OAuth and some environment variables, meaning it’s a closed system, I can still visit it with my other Bitbucket Cloud account where a secret hasn’t been set up, and it allows that account to link to repos and execute deployments on the device.
Is there something I’m missing to ensure that only the account authenticated with OAuth can link to drone?
This is not how OAuth works. Any user can authorize access to an OAuth application.
If you want to lock down user registration you need to follow this guide. Locking down user registration is provider agnostic, meaning it is the same for GitHub, GitLab, etc.
So, I’ve just tried this and have found that it still does not prevent anyone from creating a new account. I’ve still managed to create an account with a user not in the list.
I just tested and cannot reproduce any issues with DRONE_USER_FILTER. This setting prevents a new user (with no entry in the database) from authenticating. It does not prevent an existing user from authenticating, and it does not prevent an admin from manually creating a user account via the command line tools or api.
With Bitbucket Cloud, you don’t seem to manage user accounts in the same way. I’ve been able to simply log in as a Bitbucket user not included in the filter and navigate to my drone server URL. It then allows me to auth with the server and link to any Bitbucket account.
The logic for managing accounts is provider-agnostic, so there is no difference between Bitbucket / GitHub / Gogs / Gitea / GitLab. Since neither Brad nor I appear to be able to reproduce any issues with this functionality when properly configured, I recommend sending a patch if you think you have found an issue with Drone itself.
Here are links to the relevant code and unit tests:
@kibblator I ran into a similar issue just a couple of days ago (albeit with GitHub)—the filter won’t work if your user has already been created before and is stored in the database. Have you tried to completely remove your drone database (located in /var/lib/drone if you’re using the default mappings) and restart the server container?
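Added example, not Drone's own code: a small model of the registration gate described above, where DRONE_USER_FILTER is consulted only for logins that have no row in the database yet, so an account created before the filter was configured keeps working until the database is removed. The org-membership rule, the data shapes and the sample usernames are assumptions.

```python
# Model of how a DRONE_USER_FILTER-style allow-list gates logins, written to
# illustrate the behaviour described in this thread. Added example, not Drone's
# own code; the org-membership rule and data shapes below are assumptions.
from dataclasses import dataclass, field


@dataclass
class DroneState:
    user_filter: set      # parsed DRONE_USER_FILTER: usernames and/or org names
    db_users: set = field(default_factory=set)  # logins already stored in the DB


def parse_user_filter(value: str) -> set:
    """Parse the comma-separated DRONE_USER_FILTER value; empty means 'no filter'."""
    return {item.strip() for item in value.split(",") if item.strip()}


def login_allowed(state: DroneState, login: str, orgs: set) -> bool:
    """Return True if the OAuth login may proceed.

    The filter only gates registration: an existing database row is always
    accepted, which is why a user created before the filter was configured
    keeps working until the database is removed.
    """
    if login in state.db_users:
        return True                       # existing account: filter not consulted
    if not state.user_filter:
        return True                       # no filter configured: open registration
    # New user: must be listed directly or belong to a listed organisation (assumed rule)
    if login in state.user_filter or orgs & state.user_filter:
        state.db_users.add(login)         # successful registration creates the DB row
        return True
    return False


def scenario_from_thread() -> dict:
    """Replays the thread: a second account that registered before the filter existed."""
    # Constructed sample data, not taken from any real Drone instance.
    fresh = DroneState(user_filter=parse_user_filter("kibblator"))
    stale = DroneState(user_filter=parse_user_filter("kibblator"),
                       db_users={"kibblator", "second-account"})
    return {
        "fresh_db_blocks_other": not login_allowed(fresh, "second-account", set()),
        "fresh_db_admits_listed": login_allowed(fresh, "kibblator", set()),
        "stale_db_still_admits_other": login_allowed(stale, "second-account", set()),
        "org_member_admitted": login_allowed(
            DroneState(user_filter=parse_user_filter("my-team")), "newdev", {"my-team"}),
    }
```

The "stale_db_still_admits_other" case is the situation in this thread: wiping the database (or deleting that user) is what makes the filter take effect for that account.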