Reputation: 3123
I have given UserA "write" permissions on my Git repo hosted on BitBucket using their email address. But now I am seeing commits by UserB who has a different email address.
When I go to "User and group access" I only see UserA.
How can this be? This has happened on two different occasions; I am hiring one person to work on my project, but they are sub-contracting out the work to someone else (which I do not want).
Upvotes: 0
Views: 41
Reputation: 265889
I assume "write access" only applies to pushing. Committer and author information in commits is not checked. It is static information and trivial to fake (git rebase --reset-author-date). What would you gain? If you get their work done properly, does it really matter who did it? Does it matter if they had somebody else do it?
Don't rely on the information stored in commits. If you really must do this, then force them to GPG sign all of their commits and only allow signed commits. Verify the signature in a post-receive hook or pipeline. But even then, they could fake the author information and then sign the commit.
All such attempts are futile. Look, I just authored a commit as "Alan P.":
$ GIT_AUTHOR_NAME='Alan P.' GIT_AUTHOR_EMAIL='[email protected]' git commit -m 'I honestly wrote this code all by myself!'
[master cca77e6] I honestly wrote this code all by myself!
Author: Alan P <[email protected]>
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 anyfile
$ git log -1
commit cca77e63c2ac4135e65ce0a35f60d05a50e362f8 (HEAD -> master)
Author: Alan P <[email protected]>
Date: Wed Oct 19 19:20:05 2022 +0200
I honestly wrote this code all by myself!
Or even simpler:
$ git commit --author='Alan P. <[email protected]>' -m 'Another commit that definitely nobody but me authored'
Upvotes: 2
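The signed-commit check mentioned in the answer above, sketched as the decision logic of a server-side hook. This is an added example, not part of the original answer; the allow-list, fingerprint and e-mail addresses are constructed, and `check_commits` is a hypothetical name.

```shell
#!/bin/sh
# Policy half of a server-side pre-receive hook (added example).
# Feed it one line per pushed commit, e.g. inside the hook:
#   git log --format='%H|%G?|%GP|%ae' "$old..$new" | check_commits
# %G? signature status, %GP primary-key fingerprint, %ae author e-mail.

# Constructed allow-list: "<fingerprint> <e-mail of the key holder>".
TRUSTED_KEYS='AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 usera@example.com'

# Prints one verdict per commit; returns 1 if any commit is rejected.
check_commits() {
    rc=0
    while IFS='|' read -r sha status fpr author; do
        [ -n "$sha" ] || continue
        # Who holds the key that signed this commit (empty if not listed)?
        owner=$(printf '%s\n' "$TRUSTED_KEYS" |
                awk -v f="$fpr" '$1 == f { print $2 }')
        case $status in
            G|U) ;;  # signature verifies; U = key validity unknown to gpg,
                     # acceptable here because the fingerprint is pinned below
            *)  echo "REJECT $sha: no valid signature (status $status)"
                rc=1; continue ;;
        esac
        if [ -z "$owner" ]; then
            echo "REJECT $sha: signing key $fpr is not on the allow-list"
            rc=1
        elif [ "$author" != "$owner" ]; then
            # The author header is free text; the signature is what counts.
            echo "REJECT $sha: signed by $owner but author header says $author"
            rc=1
        else
            # Proves the key holder vouches for the commit, not who typed it.
            echo "OK $sha: signed by $owner"
        fi
    done
    return $rc
}
```

A passing commit shows only that the holder of an allow-listed key signed it; as the answer notes, that person can still sign work written by someone else.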