In Bitbucket Server, can read access be restricted to a specific branch or branch pattern?

Philip Armour September 22, 2016

This question is in reference to Atlassian Documentation: Using branch permissions

Hi, I am aware that you can restrict write access to branch patterns via 'prevent all changes' and other restrictions which are mostly about what you can push to repository, but does anyone know if it is possible to restrict read access to a specific branch?

 Thanks!

1 answer

Answer accepted
Rich Duncan
Rising Star
September 22, 2016

Not that I'm aware of - it would be difficult/impossible since the cloned repo has all of the commits in it and the underlying git model affords no such security.

Philip Armour September 22, 2016

Many thanks Rich,

that was my assumption also but I thought it was worth asking. I have been looking at how to translate a Gitolite configuration to Bitbucket Server permission settings.

In Gitolite it seems you can specify that a user can only read from the master branch for example. In practice, this presumably means that the remote only serves commits reachable from master, which I would have thought is quite doable technically (in fact I am sure that the client could configure that via a refspec)

Best Regards,

Philip

Rich Duncan
September 23, 2016

So how does that work when you clone a repository? 

Philip Armour September 23, 2016

If you have read access to master branch only, when you clone you get a repository with the master branch and all commits reachable from it, but no other branches (or commits only reachable from those other branches).

You can actually choose to do this (with any remote) by doing: 

git clone remote-url --branch master --single-branch

but I was hoping there might be a way to force that via a server permission

Rich Duncan
September 23, 2016

You might check to see if anyone has implemented a plugin that provides that capability, otherwise you could explore using a forking approach perhaps - this wouldn't be as straightforward of course.

Philip Armour September 23, 2016

Thanks for your ideas on this. When I looked on the Marketplace there was not anything obvious. With forking, I could create another repo which just has the master branch of the original one, but I am not sure how this could be kept in sync (fork syncing would presumably update all branches). However the answer may be to simply accept that branch-based read restrictions are not supported :)

parthjar October 12, 2016

I am looking for this same exact solution. Philip, did you find a solution? I want my manufacturing team and suppliers to only be able to see Main and not the development branches. This is for mistake proofing, so they don't end up downloading from the branches.

Philip Armour October 13, 2016

Hi Parth, my current assumption is that this cannot be done using standard functionality or add-ons. As discussed above I don't agree that there is some fundamental reason why this couldn't be done, since you can elect to fetch only commits of certain branches via a branch-based clone or a refspec. However I do not believe there is currently an easy way to enforce it via Bitbucket Server. Thanks, Philip

Sina Fereshteh December 23, 2017

Dear @Philip Armour

Did you find the solution? I have the same situation on my team.

cc: @parthjar @Rich Duncan

Cheers

Philip Armour January 4, 2018

Hi @Sina Fereshteh, apologies for the delay in responding. As far as I am aware, the comment I made on Oct 13 is still true: there is no way to limit repository read-access to certain branches (which really means limiting transfer of the reachable commits from branch references).

If you really need to restrict the read-access to some branches I recommend that you use a fork of the repository for the branches which you need to restrict. You can then restrict read-access to the fork. This achieves a similar outcome.

Hope that helps,

Philip

gulshan9958 July 17, 2018

Hi @Philip Armour, I am a new user of Git.

I also want to restrict read access to a branch or folder in a repository. When I fork a repository, the entire repo will be copied to the new repo. Then what's next?

Can you please explain it in more detail so users like me will be able to understand?

Philip Armour July 17, 2018

Hi @gulshan9958

first I would consider carefully whether you really do need to restrict read-access to certain branches, because any solution comes with overheads and this is a non-standard pattern in git.

The idea with the fork is you have another copy of the repo which contains only the branches you want to restrict access to. After forking, you delete these branches in the original repository (so they now only exist in the fork).

Then by controlling read-access to the fork you are controlling read-access to the branches.

Hope that is a bit clearer,

Philip
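
The two points made in the thread so far, as an added example that is not part of any participant's post: `--single-branch` is a client-side choice the server does not enforce, and the fork workaround only hides the branch once it is deleted from the original. Local bare repositories stand in for the Bitbucket repositories; all paths and the `dev/feature` branch name are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway local bare repos stand in for the Bitbucket repositories.
set -e
WORK=$(mktemp -d)
g() { git -c user.name=demo -c user.email=demo@example.invalid -c init.defaultBranch=master "$@"; }

# Branches a remote advertises, comma-separated.
advertised() { git ls-remote --heads "$1" | sed 's#.*refs/heads/##' | sort | paste -sd, -; }

# "origin": master (released) plus dev/feature (the branch readers should not see).
g init -q --bare "$WORK/origin.git"
g init -q "$WORK/seed"
g -C "$WORK/seed" commit -q --allow-empty -m "release"
g -C "$WORK/seed" checkout -q -b dev/feature
g -C "$WORK/seed" commit -q --allow-empty -m "unreleased"
g -C "$WORK/seed" push -q "$WORK/origin.git" master dev/feature

# 1. --single-branch is the client's choice: the same reader can still fetch the other branch.
g clone -q --branch master --single-branch "file://$WORK/origin.git" "$WORK/reader"
g -C "$WORK/reader" fetch -q origin dev/feature
FETCHED=$(g -C "$WORK/reader" log -1 --format=%s FETCH_HEAD)

# 2. Fork workaround: move dev/* into a second repo that gets its own read permissions.
g init -q --bare "$WORK/restricted.git"
g -C "$WORK/origin.git" push -q "$WORK/restricted.git" 'refs/heads/dev/*:refs/heads/dev/*'
DEV_TIP=$(g -C "$WORK/restricted.git" rev-parse refs/heads/dev/feature)
g -C "$WORK/origin.git" for-each-ref --format='%(refname)' refs/heads/dev |
  while read -r ref; do g -C "$WORK/origin.git" update-ref -d "$ref"; done

# Deleting the ref hides the branch, but the commit stays in the object store until pruned.
has_commit() { if g -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then echo yes; else echo no; fi; }
BEFORE_PRUNE=$(has_commit "$WORK/origin.git" "$DEV_TIP")
g -C "$WORK/origin.git" gc -q --prune=now
AFTER_PRUNE=$(has_commit "$WORK/origin.git" "$DEV_TIP")

echo "reader fetched despite --single-branch: $FETCHED"
echo "origin advertises:     $(advertised "$WORK/origin.git")"
echo "restricted advertises: $(advertised "$WORK/restricted.git")"
echo "dev commit in origin before/after prune: $BEFORE_PRUNE/$AFTER_PRUNE"
```

Anyone who cloned the original before the branch was moved still has those commits locally; the split only controls what is served from then on.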

jash1th January 27, 2019

Hi @Philip Armour

Is it possible to write a hook script for restricting read and write access to a specific branch in Bitbucket?

Philip Armour January 28, 2019

Hi @jash1th,

It's quite common for server hooks to restrict pushes (write access) based on properties of the push, which could include blocking based on branch. There would not be much point to that though, because Bitbucket already has built-in functionality to control branch-based write access, so no need for a hook.

Read-access, which is what the original question was about, is a different matter entirely. This is about the commits which are downloaded to your repo when you do a clone or fetch. It's more about Git's server behaviour (not Bitbucket), and AFAIK you can't control which branches are transferred during clone or fetch by hooks or any built-in Bitbucket features.

Hope that is helpful
