STASH-2507

Add permission to disable branch and tag deletion via git push

    Details

      Description

      It would be useful to have a separate permission to disable branch and tag deletion done via git push.

      Ideally, this would be controlled independently of any permissions to delete branches and tags from the Stash web interface and is just intended to prevent accidental git push branch deletions.

          Activity

          Roy Lyons added a comment - - edited

          Exactly. The concept is to allow users to have read/write access to the branches, but not allow them to remove the remote reference if it matches a particular pattern. Here is a sample entry in our gitolite installation. Perhaps it will shed light on what kinds of things we are talking about. We create groups @repository_name for r/w and @repository_name_ro for readonly. The '-' after the 'RW' entry simply prevents the deletion.

             repo repository_name
               RW  master              =  @repository_name
               RW  .+[_]int$ .+[_]rel$ bugfix =  @repository_name
               -   .+[_]int$ .+[_]rel$ bugfix =  @repository_name
               RW  integration         =  @repository_name
               RW  release             =  @repository_name
               -   master integration release = @repository_name
               RW  refs/tags/          =  @repository_name
               -   refs/tags/          =  @repository_name
               -   maintenance[0-9]*[_].+ .+[_]integration$ =  @repository_name
               -   20130401_rel        =  @repository_name
               -   20130401_ECC_rel        =  @repository_name
               -   20130531_rel        =  @repository_name
               -   20130603_rel        =  @repository_name
               RW+                     =  @repository_name @configmgmt
               R                       =  gitweb @cit_global_ro @cme_global @repository_name_ro
          

          (EDIT: Added noformat block)
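
What the request amounts to at the Git level, as an added example that is not part of the original thread and is not Stash or gitolite code: a plain Git `pre-receive` hook that rejects deletion of protected refs while leaving ordinary pushes alone. The `PROTECTED_REFS` patterns and the function names are constructed here, loosely modelled on the names in the gitolite sample above.

```shell
#!/bin/sh
# Added example: server-side pre-receive hook that blocks ref deletion.
# PROTECTED_REFS is a constructed, newline-separated list of extended
# regexes (an assumption, not a Stash or gitolite setting).
PROTECTED_REFS='^refs/heads/(master|integration|release)$
^refs/heads/.+_(int|rel)$
^refs/heads/bugfix
^refs/tags/'

# Git announces a deletion with an all-zero new object id
# (40 hex digits for SHA-1 repositories, 64 for SHA-256).
is_deletion() {
    case "$1" in
        '')     return 1 ;;   # malformed line: no new id
        *[!0]*) return 1 ;;   # any non-zero character: a normal update
        *)      return 0 ;;
    esac
}

# True when the full ref name matches any protected pattern.
is_protected() {
    printf '%s\n' "$1" | grep -Eq -e "$PROTECTED_REFS"
}

# Reads "<old-id> <new-id> <ref>" lines, the format Git feeds to
# pre-receive on stdin. Returns non-zero if any line deletes a protected
# ref, which makes Git reject the whole push.
check_push() {
    status=0
    while read -r old new ref; do
        if is_deletion "$new" && is_protected "$ref"; then
            echo "rejected: deleting $ref via git push is not allowed" >&2
            status=1
        fi
    done
    return $status
}

# Only consume stdin when actually installed as hooks/pre-receive.
case "$0" in
    pre-receive|*/pre-receive) check_push ;;
esac
```

This check covers deletions only; a non-fast-forward (forced) update of a protected ref still passes and needs its own rule.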

          Fred Hoare added a comment -

          Collabnet (are we allowed to mention competitors?) have a blog entry on this. http://blogs.collab.net/teamforge/collabnet-git-history-protection-a-new-proof-why-it-is-badly-needed

          Jeff Mitchell added a comment -

          Gitolite's reflog has been able to help with that kind of problem for a long time, provided you try to recover before the server's next GC (I wouldn't be surprised if GitHub has the right software on the backend to allow this too, but don't expose it on the frontend) – and if you have proper backups, then the GC isn't really an issue either. Careful what you read from Collabnet, as they are really keen to point out the problems you can possibly run into with Git to promote their SVN solution. Part of this problem was their reliance on GitHub.

          That all said, because Stash isn't GitHub, it doesn't negate the need for something like this for Stash. Force pushes need to be recoverable, at least for some period of time. Even in the face of proper backups, which could require some fairly substantial time to fetch off tape and could still cost a day of work.

          Alan Qian added a comment -

          Hi @jhinch, do you have any update on your plugin? Is it this one?

          https://bitbucket.org/atlassianlabs/stash-refchange-settings-plugin

          Kabir Kochhar added a comment -

          Is there a plugin available in the Marketplace that restricts branch deletion but allows creating / pushing changes?


            People

            • Votes: 50
            • Watchers: 51