Branch permissions bypassed on Bitbucket: Pull request requires approval, but merges anyways?

Question

We plan to have only admins able to make changes to our repo’s master branch. Developers can clone the repo and then create their own dev branch off of master to work on. When developers feel ready, they can merge their development branch onto the master branch using a pull request. However, they will not be able to merge their dev branch into master until the admins have approved the changes.

On Bitbucket, I set branch permissions as: + Write Access: Rachel and Jamie. + Merge via pull request: Rachel, Jamie, and team:developers. + Merge checks: check for at least 2 approvals.

Next, we had a developer (not Rachel or Jamie) make changes on their own dev branch. They then committed and pushed the changes to their remote dev branch--worked as expected.

Last, they initiated a pull request to merge the remote dev branch into master. A warning that two approvals was needed popped up, but the developer was still able to just click "Merge" and the dev branch merged into the master branch, despite 0 approvals.

I expected that the developer would not be able to merge with 0 approvals. How do I set permissions so that this is the case?

Answer 1

We've created a plugin to prevent this situation. You can inspect it on marketplace:

https://marketplace.atlassian.com/apps/1219882/prevent-merge-when-needs-work

Answer 2

Two things:

1. You explicitly granted "merge via pull request" access to the developers. They're therefore able to merge pull requests. If you never want them to merge PRs to that branch, then revoke that. (They'll still be able to create PRs, just not merge them.)
2. You didn't mention whether you've enabled "Prevent a merge with unresolved merge checks", under the premium features.