Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Is there a way to give Stash users browse access to repo without allowing them to clone it?

mick.killianey@
mick.killianey@illumio.com June 8, 2015

We're using Stash and JIRA (integrated), and our product managers are having difficulty understanding when commits are getting merged into dev and/or release branches.

For security reasons, we don't want our product managers to be walking around with copies of the source code on their machines.  However, we want them to be able to use Stash to see the source (for example, to participate in the discussion surrounding a pull request).

Is there now (or are there future plans to have) a way to separate browsing functionality (i.e., seeing the code in the web-browser and participating in the conversations around a code review) from actual git read operations (like cloning a repo)?

Answer
Watch
Like Adam likes this
442 views

3 answers

2 votes
Boris Berenberg
Boris Berenberg
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 8, 2015

If they can see it in a browser, then they can copy it out. What you are asking for is false security. Maybe what you want is the ability to see repo metadata but not the source itself?

View More Comments
Balázs Szakmáry
Balázs Szakmáry
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 8, 2015

He explicitly mentions "seeing the code in the web-browser"

Like
mick.killianey@
mick.killianey@illumio.com June 8, 2015

Re: false security -- I think that's a narrow-minded view of security. Security isn't just about access, it's also about encouraging secure behavior by making it significantly more convenient than insecure behavior, the same way that a self-locking door is part of a "more secure" strategy than a door that must be manually locked. Our product managers have laptops, and if I give them a level of access that makes it easy to clone a repo, they'll do it, and if/when a laptop gets stolen, our intellectual property will be at risk. However, if I can give them a level of access that allows them to see the source code freely in Stash (but not clone the repo), then while yes, technically they could tediously copy each file individually to their machine, that would be so laborious and inconvenient that they'd never actually do it, because it'll be far, far more convenient for them to browse the source code in Stash. What I'm asking for is a level of access that encourages more secure behavior (accessing the code online) over less secure behavior (making an offline copy). Thoughts?

Like
Mickey Killiane
Mickey Killianey August 6, 2015

Any more thoughts about this? I assume Atlassian eats their own dogfood...if so, is there a public JIRA issue that I can follow and upvote?

Like
Boris Berenberg
Boris Berenberg
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
August 6, 2015

You are welcome to create a request at: https://jira.atlassian.com/ and our product managers will take it into consideration. I don't know of any existing request for something like this.

Like
Reply
1 vote
JamieA
JamieA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 9, 2015

Mick's comments makes a lot of sense to me. I haven't tried this but you should be able to block clone/pull/fetch etc, in fact all git interactions, using an SCM request check module: https://developer.atlassian.com/stash/docs/latest/reference/plugin-module-types/scm-request-check.html

So you could block all access to a group, or maybe block all access to users that don't have WRITE permissions to the repository.

I understand the point about false security but it seems like a reasonable mitigation in the case of stolen laptops... although encrypted hard drives are also good.

View More Comments
Boris Berenberg
Boris Berenberg
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
August 6, 2015

Yes but you would also need to disable the ability for them to download the repo as a zip from within Stash as well.

Like
Reply
0 votes
mick.killianey@
mick.killianey@illumio.com June 8, 2015

With respect to the excellent matrix here in the documentation: https://confluence.atlassian.com/display/STASH/Using+repository+permissions I'm looking for a level with only the first and third columns (browse/comment).

Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events