Reputation: 6235
We want to give read/write access to some repos to some people but to avoid them reading some branches which have sensitive data.
We properly understand that when we allow some user to access a branch he will access all commits from the highest leaf to the greatest ancestor, and that's right. We just want to avoid access to all unmerged commits (leaves) from other branches, or to avoid access to branches with an unrelated history.
We have seen the "branch permissions" option but we don't seem to understand it completely. Do I have to give a user read access to the full repository and then add stricter rights through that feature? It seems that we can't add more restrictive permissions through that...
Upvotes: 2
Views: 2732
Reputation: 5640
This is not possible. Git does not enforce ownership or permissions on tracked files, so any user who can read a repo can read any file in that repo (on any branch). Additionally, the branch permissions you mention only apply to Bitbucket itself, not to local clones, so even if Bitbucket did somehow let you restrict reads on a given branch the user could just clone the repo and read all the forbidden things locally. (And since this is not possible in Git, it also isn't possible on hosts other than Bitbucket.)
It's also a terrible idea to keep passwords and API keys in repositories for this precise reason - even if you have everything tightly controlled on Bitbucket (et al.), you still have to deal with security implications of everybody's local systems. (Have they kept up with OS updates? Are they using strong passwords to sign onto their stuff? What do you do if their computer is stolen? etc.)
If there's something you truly must share with this user, then you can use a private fork that doesn't include the sensitive details. Otherwise, though, you will do better to re-evaluate how your repositories are structured.
Upvotes: 3
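The clone argument in the answer above, shown concretely. This is an added demonstration, not code from the original answer or from Bitbucket: it builds a throwaway bare repository standing in for the server, with a public `main`, an unmerged `feature/wip` commit and an orphan `ops/secrets` branch with unrelated history, then clones it as the "restricted" user and reads the secret without checking anything out. The repository layout, branch names and the `API_KEY` value are all constructed for the demo.

```shell
#!/bin/sh
# Added demonstration (not from the original answer): server-side branch
# permissions do not survive a clone. A user who can fetch the repository
# gets every ref, including unmerged commits and orphan branches, and can
# read their contents without ever checking them out.
set -eu
command -v git >/dev/null 2>&1 || { echo "git is required" >&2; exit 1; }

# Build a throwaway bare repo standing in for the Bitbucket server, with:
#   main          public code
#   feature/wip   one commit on top of main that is never merged
#   ops/secrets   orphan branch with unrelated history holding a "secret"
# The path must be absolute. The secret value is constructed for the demo.
setup_server() {
    server=$1
    work=$1.work
    git init -q --bare "$server"
    git -C "$server" symbolic-ref HEAD refs/heads/main
    git init -q "$work"
    git -C "$work" config user.email demo@example.invalid
    git -C "$work" config user.name demo
    git -C "$work" symbolic-ref HEAD refs/heads/main
    echo 'print("hello")' > "$work/app.py"
    git -C "$work" add app.py
    git -C "$work" commit -q -m "public code"
    git -C "$work" checkout -q -b feature/wip
    echo 'print("wip")' >> "$work/app.py"
    git -C "$work" commit -q -a -m "unmerged work"
    git -C "$work" checkout -q --orphan ops/secrets
    git -C "$work" rm -r -q --cached .
    rm -f "$work/app.py"
    echo 'API_KEY=demo-not-a-real-key' > "$work/config.env"
    git -C "$work" add config.env
    git -C "$work" commit -q -m "unrelated history carrying a secret"
    git -C "$work" push -q "$server" main feature/wip ops/secrets
}

# Act as the user who was only "supposed" to see main.
clone_as_user() {
    git clone -q "$1" "$1.clone"
}

# Count the remote-tracking branches the clone received (expected: 3).
count_remote_branches() {
    git -C "$1.clone" branch -r | grep -vc 'HEAD'
}

# Number of commits on feature/wip that main does not contain (expected: 1):
# the unmerged "leaf" the question wanted to hide is fully readable.
count_unmerged_commits() {
    git -C "$1.clone" rev-list --count origin/main..origin/feature/wip
}

# Read the secret straight from the clone's object store. No checkout happens,
# so nothing keyed on "which branch is the user on" could intervene.
read_secret() {
    git -C "$1.clone" show origin/ops/secrets:config.env
}

demo() {
    tmp=$(mktemp -d)
    setup_server "$tmp/srv"
    clone_as_user "$tmp/srv"
    echo "remote branches in clone:  $(count_remote_branches "$tmp/srv")"
    echo "unmerged commits readable: $(count_unmerged_commits "$tmp/srv")"
    echo "secret read from clone:    $(read_secret "$tmp/srv")"
    rm -rf "$tmp"
}

demo
```

The same holds in reverse: once a branch with credentials has been fetched, deleting it on the server or tightening branch permissions afterwards does nothing to the copies already sitting in clones, so any secret that has ever been pushed should be treated as exposed and rotated.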