How can I restrict users in stash from giving access to their personal repositories or forks to other users (even read access)?

The loophole of people being able to give repository level permissions could prevent us from allowing forking - which defeats a lot of what stash is all about!  how can we prevent people from adding repository level permissions that might allow non-privileged users access to restricted code...

3 answers

1 accepted

2 votes
Accepted answer

Fire them if they do it.  Honestly, once you've given someone read access to a repo, there's nothing to prevent them from uploading it somewhere else, whether it be a personal project or on some other server altogether.  Preventing them from forking the repo would just add a couple of additional steps to what they would have to do (clone the repo, add a new remote, push the repo) to put a copy of a repo on their personal project or github, bitkeeper, etc.  If you don't trust them not to do this, they shouldn't have read access to the repo in the first place.

You can trap permissions being changed on a repository... if it's a personal repo, prevent the permissions change.

But, I agree with Tim, mostly. It depends if you want to prevent inadvertent source leaks or deliberate. If it's the latter, as Tim says, it's just trivial additional step. 

I don't really agree that Stash is about forking, I think the branching model works better, with branch permissions etc. 

If it's inadvertent leaks you're worried about you should just be able to establish a clear policy of not forking repos to personal projects (use those just for experiments, or don't; use them at all). Then it would take a pretty clear violation of policy to fork a repo there (you can fork repos to other projects, as well, so this doesn't prevent you from using forking) You can also gain some security at the network level by putting Stash behind a firewall, so at worst the repos are only being exposed to people on your internal network.

There is a tool called ScriptRunner that can be used to prevent this I believe.

See this posting for more information.


Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 06, 2018 in Bitbucket

Upgrade Best Practices

Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...

1,961 views 7 10
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you