It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Is there a way to give Stash users browse access to repo without allowing them to clone it?

We're using Stash and JIRA (integrated), and our product managers are having difficulty understanding when commits are getting merged into dev and/or release branches.

For security reasons, we don't want our product managers to be walking around with copies of the source code on their machines.  However, we want them to be able to use Stash to see the source (for example, to participate in the discussion surrounding a pull request).

Is there now (or are there future plans to have) a way to separate browsing functionality (i.e., seeing the code in the web-browser and participating in the conversations around a code review) from actual git read operations (like cloning a repo)?

3 answers

2 votes
Boris Berenberg Community Leader Jun 08, 2015

If they can see it in a browser, then they can copy it out. What you are asking for is false security. Maybe what you want is the ability to see repo metadata but not the source itself?

He explicitly mentions "seeing the code in the web-browser"

Re: false security -- I think that's a narrow-minded view of security. Security isn't just about access, it's also about encouraging secure behavior by making it significantly more convenient than insecure behavior, the same way that a self-locking door is part of a "more secure" strategy than a door that must be manually locked. Our product managers have laptops, and if I give them a level of access that makes it easy to clone a repo, they'll do it, and if/when a laptop gets stolen, our intellectual property will be at risk. However, if I can give them a level of access that allows them to see the source code freely in Stash (but not clone the repo), then while yes, technically they could tediously copy each file individually to their machine, that would be so laborious and inconvenient that they'd never actually do it, because it'll be far, far more convenient for them to browse the source code in Stash. What I'm asking for is a level of access that encourages more secure behavior (accessing the code online) over less secure behavior (making an offline copy). Thoughts?

Any more thoughts about this? I assume Atlassian eats their own dogfood...if so, is there a public JIRA issue that I can follow and upvote?

Boris Berenberg Community Leader Aug 06, 2015

You are welcome to create a request at: and our product managers will take it into consideration. I don't know of any existing request for something like this.

Mick's comments makes a lot of sense to me. I haven't tried this but you should be able to block clone/pull/fetch etc, in fact all git interactions, using an SCM request check module:

So you could block all access to a group, or maybe block all access to users that don't have WRITE permissions to the repository.

I understand the point about false security but it seems like a reasonable mitigation in the case of stolen laptops... although encrypted hard drives are also good.

Boris Berenberg Community Leader Aug 06, 2015

Yes but you would also need to disable the ability for them to download the repo as a zip from within Stash as well.

With respect to the excellent matrix here in the documentation: I'm looking for a level with only the first and third columns (browse/comment).

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket Pipelines

Building a Bitbucket Pipe as a casual coder :  #!/bin/bash source "$(dirname "$0")/" enable_debug extra_args="" if [[ "${DEBUG}" == "true" ]]; then extra_args="--verbose" fi # mandatory variables R...

4,094 views 4 22
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you