Is there a way to give Stash users browse access to a repo without allowing them to clone it?

We're using Stash and JIRA (integrated), and our product managers are having difficulty understanding when commits are getting merged into dev and/or release branches.

For security reasons, we don't want our product managers to be walking around with copies of the source code on their machines.  However, we want them to be able to use Stash to see the source (for example, to participate in the discussion surrounding a pull request).

Is there now (or are there future plans to have) a way to separate browsing functionality (i.e., seeing the code in the web-browser and participating in the conversations around a code review) from actual git read operations (like cloning a repo)?

3 answers

2 votes
Boris Berenberg Community Champion Jun 08, 2015

If they can see it in a browser, then they can copy it out. What you are asking for is false security. Maybe what you want is the ability to see repo metadata but not the source itself?

He explicitly mentions "seeing the code in the web-browser"

Re: false security -- I think that's a narrow-minded view of security. Security isn't just about access, it's also about encouraging secure behavior by making it significantly more convenient than insecure behavior, the same way that a self-locking door is part of a "more secure" strategy than a door that must be manually locked. Our product managers have laptops, and if I give them a level of access that makes it easy to clone a repo, they'll do it, and if/when a laptop gets stolen, our intellectual property will be at risk. However, if I can give them a level of access that allows them to see the source code freely in Stash (but not clone the repo), then while yes, technically they could tediously copy each file individually to their machine, that would be so laborious and inconvenient that they'd never actually do it, because it'll be far, far more convenient for them to browse the source code in Stash. What I'm asking for is a level of access that encourages more secure behavior (accessing the code online) over less secure behavior (making an offline copy). Thoughts?

Any more thoughts about this? I assume Atlassian eats their own dogfood...if so, is there a public JIRA issue that I can follow and upvote?

Boris Berenberg Community Champion Aug 06, 2015

You are welcome to create a request at: https://jira.atlassian.com/ and our product managers will take it into consideration. I don't know of any existing request for something like this.

1 vote

Mick's comments make a lot of sense to me. I haven't tried this, but you should be able to block clone/pull/fetch etc., in fact all git interactions, using an SCM request check module: https://developer.atlassian.com/stash/docs/latest/reference/plugin-module-types/scm-request-check.html

So you could block all access to a group, or maybe block all access to users that don't have WRITE permissions to the repository.

I understand the point about false security but it seems like a reasonable mitigation in the case of stolen laptops... although encrypted hard drives are also good.

Boris Berenberg Community Champion Aug 06, 2015

Yes but you would also need to disable the ability for them to download the repo as a zip from within Stash as well.

With respect to the excellent matrix here in the documentation: https://confluence.atlassian.com/display/STASH/Using+repository+permissions I'm looking for a level with only the first and third columns (browse/comment).
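
A sketch of the SCM request check suggested in the answer above, added here as an illustration and not code from any poster or from Atlassian: it rejects every git operation for users who lack WRITE permission on the repository while leaving web browsing untouched. It assumes the Stash 3.x plugin API (`ScmRequestCheck`, `ScmRequest`, `PermissionService`, `Permission.REPO_WRITE`); the package, class name and module key are hypothetical.

```java
package com.example.stash.browseonly; // hypothetical package

import com.atlassian.stash.repository.Repository;
import com.atlassian.stash.scm.ScmRequest;
import com.atlassian.stash.scm.ScmRequestCheck;
import com.atlassian.stash.user.Permission;
import com.atlassian.stash.user.PermissionService;

import javax.annotation.Nonnull;
import java.io.IOException;

/**
 * Assumed registration in atlassian-plugin.xml (key and class are hypothetical):
 *   <component-import key="permissionService"
 *       interface="com.atlassian.stash.user.PermissionService"/>
 *   <scm-request-check key="browse-only-check" weight="150"
 *       class="com.example.stash.browseonly.BrowseOnlyScmRequestCheck"/>
 */
public class BrowseOnlyScmRequestCheck implements ScmRequestCheck {

    private final PermissionService permissionService;

    public BrowseOnlyScmRequestCheck(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    @Override
    public boolean check(@Nonnull ScmRequest request) throws IOException {
        Repository repository = request.getRepository();

        // Users with WRITE permission on this repository keep normal git access.
        // hasRepositoryPermission evaluates the currently authenticated user.
        if (permissionService.hasRepositoryPermission(repository, Permission.REPO_WRITE)) {
            return true;
        }

        // Read-only users: refuse clone/fetch/pull. The check must send the
        // error itself before returning false so the git client sees a reason.
        request.sendError(
                "Git access is disabled for read-only users",
                "You can browse " + repository.getName()
                        + " and comment on pull requests in the web UI,"
                        + " but cloning and fetching are restricted.");
        return false;
    }
}
```

This only covers requests that reach the SCM hosting layer; as noted in the thread, the zip download inside Stash is a separate path and would have to be disabled separately.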
