fix(backend): remove project-level permission call from Bitbucket Server repo-driven sync

brendan-kellam · claude · brendan-kellam · commit 2e3039559bb4 · 2026-02-25T14:15:09.000-08:00
Repo-driven syncing for Bitbucket Server now only covers users with direct
repo-level grants. Project-level and group-level access remains covered by
account-driven syncing, consistent with the Bitbucket Cloud approach.

This avoids redundant API calls (one per repo for the same project) that
could cause rate limiting issues at scale.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/docs/docs/connections/bitbucket-data-center.mdx b/docs/docs/connections/bitbucket-data-center.mdx
@@ -71,7 +71,7 @@ If you're not familiar with Sourcebot [connections](/docs/connections/overview),
 In order to index private repositories, you'll need to provide a [HTTP Access Token](https://confluence.atlassian.com/bitbucketserver/http-access-tokens-939515499.html). Tokens can be scoped to a user account, a project, or an individual repository. Only repositories visible to the token will be able to be indexed by Sourcebot.
 
 <Note>
-  If [permission syncing](/docs/features/permission-syncing#bitbucket-data-center) is enabled, the token must have **Repository Admin** and **Project Admin** permissions so Sourcebot can read repository and project-level user permissions.
+  If [permission syncing](/docs/features/permission-syncing#bitbucket-data-center) is enabled, the token must have **Repository Admin** permissions so Sourcebot can read repository-level user permissions.
 </Note>
 
 <Tabs>
diff --git a/docs/docs/features/permission-syncing.mdx b/docs/docs/features/permission-syncing.mdx
@@ -113,16 +113,19 @@ Prerequisites:
 Permission syncing works with **Bitbucket Data Center**. OAuth tokens must assume the `PUBLIC_REPOS` and `REPO_READ` scopes.
 
 <Warning>
-**Partial coverage for repo-driven syncing.** Bitbucket Data Center's permissions APIs only return users who have been **directly and explicitly** granted access at the repository or project level. Users who have access via group membership are **not** captured by repo-driven syncing.
+**Partial coverage for repo-driven syncing.** Repo-driven syncing only captures users who have been **directly and explicitly** granted access to the repository. Users who have access via any of the following are **not** captured by repo-driven syncing:
+
+- Project-level permissions (inherited by all repos in the project)
+- Group membership
 
 These users **will** still gain access via [user-driven syncing](/docs/features/permission-syncing#how-it-works), which fetches all repositories accessible to each authenticated user using the `REPO_READ` scope. However, there may be a delay between when access is granted and when affected users see the repository in Sourcebot (up to the `experiment_userDrivenPermissionSyncIntervalMs` interval, which defaults to 24 hours).
 
-If your instance relies heavily on group-level permissions, we recommend reducing the `experiment_userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
+If your instance relies heavily on project or group-level permissions, we recommend reducing the `experiment_userDrivenPermissionSyncIntervalMs` interval to limit the window of delay.
 </Warning>
 
 **Notes:**
 - A Bitbucket Data Center [external identity provider](/docs/configuration/idp#bitbucket-server) must be configured to (1) correlate a Sourcebot user with a Bitbucket Data Center user, and (2) to list repositories that the user has access to for [User driven syncing](/docs/features/permission-syncing#how-it-works).
-- The connection token must have **Repository Admin** and **Project Admin** permissions so Sourcebot can read repository and project-level user permissions for [Repo driven syncing](/docs/features/permission-syncing#how-it-works).
+- The connection token must have **Repository Read** permissions so Sourcebot can read repository-level user permissions for [Repo driven syncing](/docs/features/permission-syncing#how-it-works).
 - OAuth tokens require the `REPO_READ` scope to list accessible repositories during [User driven syncing](/docs/features/permission-syncing#how-it-works).
 
 # How it works
diff --git a/packages/backend/src/bitbucket.ts b/packages/backend/src/bitbucket.ts
@@ -697,24 +697,20 @@ export const getReposForAuthenticatedBitbucketServerUser = async (
 };
 
 /**
- * Returns the user IDs of users who have been explicitly granted permission on a Bitbucket Server repository
- * at the repo level (direct grants) or project level (inherited by all repos in the project).
+ * Returns the user IDs of users who have been explicitly granted direct access to a Bitbucket Server repository.
  *
- * @note This does NOT include users who have access via groups. As a result, permission syncing
- * may under-grant access for instances that rely heavily on group-level permissions. Those users
- * will still gain access through account-driven syncing (accountPermissionSyncer).
+ * @note This only covers direct user-to-repo grants. It does NOT include users who have access via:
+ *   - Project-level permissions (inherited by all repos in the project)
+ *   - Group membership
+ * These users will still gain access through account-driven syncing (accountPermissionSyncer).
  *
  * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-repository/#api-rest-api-latest-projects-projectkey-repos-reposlug-permissions-users-get
- * @see https://developer.atlassian.com/server/bitbucket/rest/v906/api-group-project/#api-rest-api-latest-projects-projectkey-permissions-users-get
  */
 export const getUserPermissionsForServerRepo = async (
     client: BitbucketClient,
     projectKey: string,
     repoSlug: string,
 ): Promise<Array<{ userId: string }>> => {
-    const userIdSet = new Set<string>();
-
-    // Fetch repo-level permissions
     const repoUsers = await fetchWithRetry(() => getPaginatedServer<{ user: { id: number } }>(
         `/rest/api/1.0/projects/${projectKey}/repos/${repoSlug}/permissions/users` as ServerGetRequestPath,
         async (url, start) => {
@@ -728,31 +724,8 @@ export const getUserPermissionsForServerRepo = async (
             return data;
         }
     ), `repo-level permissions for ${projectKey}/${repoSlug}`, logger);
-    for (const entry of repoUsers) {
-        if (entry.user?.id != null) {
-            userIdSet.add(String(entry.user.id));
-        }
-    }
-
-    // Fetch project-level permissions (inherited by all repos in the project)
-    const projectUsers = await fetchWithRetry(() => getPaginatedServer<{ user: { id: number } }>(
-        `/rest/api/1.0/projects/${projectKey}/permissions/users` as ServerGetRequestPath,
-        async (url, start) => {
-            const response = await client.apiClient.GET(url, {
-                params: { query: { limit: 100, start } },
-            });
-            const { data, error } = response;
-            if (error) {
-                throw new Error(`Failed to fetch project-level permissions for ${projectKey}: ${JSON.stringify(error)}`);
-            }
-            return data;
-        }
-    ), `project-level permissions for ${projectKey}`, logger);
-    for (const entry of projectUsers) {
-        if (entry.user?.id != null) {
-            userIdSet.add(String(entry.user.id));
-        }
-    }
 
-    return Array.from(userIdSet).map(userId => ({ userId }));
+    return repoUsers
+        .filter(entry => entry.user?.id != null)
+        .map(entry => ({ userId: String(entry.user.id) }));
 };
