Is it possible to set repository policies by branch?


I want to allow visibility to certain git repository branches only for a certain user group. Is that possible?
The repository is hosted by our Phabricator Server (not an observed repository).
I tried to restrict the fetch refs and the permanent refs, with the aim that users are only able to fetch the develop and master branches, for example. But it seems that this option is only for repositories observed by Phabricator. Is it possible to set up the repository such that only certain branches are fetchable by the user group and all branches are only fetchable by admins, for example?

No, it is not currently possible to prevent users from fetching some (but fewer than all) branches from a repository.

Have you seen this feature implemented anywhere?

No, I haven’t seen it implemented anywhere. Thanks for the quick reply.

Because of how the Git internals and protocol work, I believe this feature would be very challenging to implement in Git. For example, the Git documentation for “git-fetch” discourages this (and outlines two protocol-level attacks):

The fetch and push protocols are not designed to prevent one side from stealing data from the other repository that was not intended to be shared. If you have private data that you need to protect from a malicious peer, your best option is to store it in another repository. This applies to both clients and servers. In particular, namespaces on a server are not effective for read access control; you should only grant read access to a namespace to clients that you would trust with read access to the entire repository.

If you want to give a set of users read-only access to a subset of branches, you can configure a second repository in Phabricator which observes the first repository, but uses “Fetch Only” to restrict which refs are fetched. Then, give the limited-access users access to this second repository. Because the second repository will never contain the privileged objects, protocol-level attacks on git fetch will fail.

However, this won’t work if you also want to let them write to the repository.
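An added example (plain git, not Phabricator's own code) illustrating the property the answer above relies on: an observing mirror that fetches only refs/heads/master never receives objects reachable only from other branches, so a client fetching from the mirror has nothing private to obtain. It assumes git is on PATH and builds a constructed throwaway repository with a public "master" branch and a private "secret" branch.

```shell
#!/bin/sh
# Demonstrates why a "Fetch Only" observing mirror cannot leak unfetched branches.
set -e

# Returns 0 if the restricted mirror lacks the private commit (and has the public one),
# 1 if the private object leaked. Returns 0 (skipped) when git is not installed.
fetch_only_mirror_hides_private_branch() {
    command -v git >/dev/null 2>&1 || { echo "git not installed; skipping"; return 0; }
    work=$(mktemp -d)
    upstream="$work/upstream.git"
    mirror="$work/mirror.git"

    # Constructed upstream: one public branch (master) and one private branch (secret).
    git init -q "$work/src"
    ( cd "$work/src" \
      && git -c user.name=demo -c user.email=demo@example.com commit -q --allow-empty -m public \
      && git branch -M master \
      && git checkout -q -b secret \
      && git -c user.name=demo -c user.email=demo@example.com commit -q --allow-empty -m private )
    git clone -q --bare "$work/src" "$upstream"
    public_commit=$(git -C "$upstream" rev-parse master)
    secret_commit=$(git -C "$upstream" rev-parse secret)

    # The observing mirror fetches only refs/heads/master, as a "Fetch Only"
    # setting restricted to master would. Objects reachable only from
    # refs/heads/secret are never transferred.
    git init -q --bare "$mirror"
    git -C "$mirror" fetch -q "$upstream" "+refs/heads/master:refs/heads/master"

    leaked=0
    # Sanity check: the public commit object is present in the mirror.
    git -C "$mirror" cat-file -e "$public_commit" 2>/dev/null || leaked=1
    # The private commit object is absent, so no client can fetch it from here.
    if git -C "$mirror" cat-file -e "$secret_commit" 2>/dev/null; then
        leaked=1
    fi
    rm -rf "$work"
    return $leaked
}
```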
