In Bitbucket Server, can read access be restricted to a specific branch or branch pattern?

This question is in reference to Atlassian Documentation: Using branch permissions

Hi, I am aware that you can restrict write access to branch patterns via 'prevent all changes' and other restrictions which are mostly about what you can push to repository, but does anyone know if it is possible to restrict read access to a specific branch?

 Thanks!

1 answer

1 accepted

Not that I'm aware of - it would be difficult/impossible since the cloned repo has all of the commits in it and the underlying git model affords no such security.

Many thanks Rich,

that was my assumption also but I thought it was worth asking. I have been looking at how to translate a Gitolite configuration to Bitbucket Server permission settings.

In Gitolite it seems you can specify that a user can only read from the master branch for example. In practice, this presumably means that the remote only serves commits reachable from master, which I would have thought is quite doable technically (in fact I am sure that the client could configure that via a refspec)

Best Regards,

Philip

So how does that work when you clone a repository? 

If you have read access to master branch only, when you clone you get a repository with the master branch and all commits reachable from it, but no other branches (or commits only reachable from those other branches).

You can actually choose to do this (with any remote) by doing: 

git clone remote-url --branch master --single-branch

but I was hoping there might be a way to force that via a server permission

You might check to see if anyone has implemented a plugin that provides that capability, otherwise you could explore using a forking approach perhaps - this wouldn't be as straightforward of course.

Thanks for your ideas on this. When I looked on the Marketplace there was not anything obvious. With forking, I could create another repo which just has the master branch of the original one, but I am not sure how this could be kept in sync (fork syncing would presumably update all branches). However the answer may be to simply accept that branch based read restrictions are not supported :)

I am looking for this same exact solution. Philip, did you find a solution? I want my manufacturing team and suppliers to only be able to see Main and not the development branches. This is for mistake proofing, so they don't end up downloading from the branches.

Hi Parth, my current assumption is that this cannot be done using standard functionality or add-ons. As discussed above I don't agree that there is some fundamental reason why this couldn't be done, since you can elect to fetch only commits of certain branches via a branch based clone or a refspec. However I do not believe there is currently an easy way to enforce it via Bitbucket Server. Thanks, Philip

Dear @Philip Armour

Did you find the solution? I have the same situation on my team.

cc: @Parth Jariwala @Rich Duncan

Cheers

Hi @Sina Fereshteh, apologies for the delay in responding. As far as I am aware, the comment I made on Oct 13 is still true: there is no way to limit repository read-access to certain branches (which really means limiting transfer of the reachable commits from branch references).

If you really need to restrict the read-access to some branches I recommend that you use a fork of the repository for the branches which you need to restrict. You can then restrict read-access to the fork. This achieves a similar outcome.

Hope that helps,

Philip

Gulshan Singh I'm New Here Tuesday

Hi @Philip Armour, I am a new user of Git.

I also want to restrict read access to a branch or folder in a repository. When I fork a repository, then the entire repo will be copied to the new repo. Then what's next?

Can you please explain it in more detail so users like me will be able to understand?

Hi @Gulshan Singh

First, I would consider carefully whether you really do need to restrict read-access to certain branches, because any solution comes with overheads and this is a non-standard pattern in git.

The idea with the fork is you have another copy of the repo which contains only the branches you want to restrict access to. After forking, you delete these branches in the original repository (so they now only exist in the fork).

Then by controlling read-access to the fork you are controlling read-access to the branches.

Hope that is a bit clearer,

Philip
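
Added example, not part of the thread and not Bitbucket Server functionality: the separate-repository idea discussed above, in the variant where a second repository holds only master, showing that a push with an explicit refspec transfers only the commits reachable from that branch. The repository names, paths and commit contents are constructed for the demo; read access would then be granted on the second repository only.

```bash
#!/usr/bin/env bash
# Added example. Repository names, paths and commit contents are constructed.
set -eu

# git wrapper with a fixed identity so the demo does not depend on local config.
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# Push exactly one branch of $1 into the bare repository $2 (created if missing).
publish_branch() {
  [ -d "$2" ] || git init -q --bare "$2"
  # The explicit refspec transfers this ref and the commits reachable from it only.
  git -C "$1" push -q "$2" "refs/heads/$3:refs/heads/$3"
}

# Print "present" or "absent" for commit $2 in repository $1.
commit_state() {
  if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then echo present; else echo absent; fi
}

# Build a source repo with master and dev, publish master, report what the copy holds.
run_demo() {
  tmp=$(mktemp -d)
  git init -q "$tmp/full"
  git -C "$tmp/full" symbolic-ref HEAD refs/heads/master
  echo released > "$tmp/full/part.txt"
  g -C "$tmp/full" add part.txt
  g -C "$tmp/full" commit -q -m "release 1"
  master_id=$(git -C "$tmp/full" rev-parse master)
  g -C "$tmp/full" checkout -q -b dev
  echo draft >> "$tmp/full/part.txt"
  g -C "$tmp/full" commit -q -am "work in progress"
  dev_id=$(git -C "$tmp/full" rev-parse dev)

  publish_branch "$tmp/full" "$tmp/released.git" master
  branches=$(git -C "$tmp/released.git" for-each-ref --format='%(refname:short)' refs/heads | tr '\n' ' ')
  echo "branches=${branches% } master=$(commit_state "$tmp/released.git" "$master_id") dev=$(commit_state "$tmp/released.git" "$dev_id")"
  rm -rf "$tmp"
}

run_demo
```

Running `publish_branch` again after new commits land on master updates the second repository without sending any other branch.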
